Risk Update

Risk Update — DQ Attempt Denied, Client Security and Professional Responsibility Considerations

Posted Dan Bressler

Steven W. Teppler is a partner and chair of the privacy and cybersecurity practice group and chief cybersecurity legal officer at Mandelbaum Barrett writes: “The Expanding Universe of Attorney Cyber Liability” —

  • “Law firms face unprecedented cybersecurity threats, increasing in number and severity, which can result in significant liabilities. The legal profession, especially in New Jersey, is grappling with growing responsibilities to protect client data, third-party data, and employee information, all while complying with complex regulations. Breaches in cybersecurity not only expose firms to legal and financial repercussions but can also result in violations of professional responsibility.”
  • “Law firms have become attractive targets for cybercriminals due to the highly sensitive information they manage, including trade secrets, financial data, health care and other personal information. The American Bar Association’s 2023 annual Cybersecurity Tech Report consistently highlights law firms’ vulnerabilities, noting that many are ill-prepared to defend against sophisticated cyberattacks. These attacks typically include phishing schemes, ransomware, and data breaches, all of which can expose a firm to liability.”
  • “The duty of confidentiality is fundamental to the lawyer-client relationship. Rule 1.6 of the New Jersey Rules of Professional Conduct (RPC) requires lawyers to protect client information. If a lawyer’s failure to implement adequate cybersecurity measures results in a data breach, this could lead to a breach of confidentiality and potential malpractice claims.”
  • “Liability becomes even more complex when a breach affects third-party data belonging to a client’s clients. For example, a law firm representing a corporation may have access to sensitive customer data or intellectual property. If this information is exposed during a breach, both the client and its customers or business partners could file lawsuits, expanding the firm’s liability.”
  • “For instance, a firm representing a health care provider may have access to patient data subject to HIPAA protections (See 45 C.F.R. Section 160.101 et seq.). A breach involving personal health information (PHI) could trigger regulatory investigations, civil penalties, and lawsuits from affected individuals. The concept of ‘downstream liability’ is gaining traction, with courts increasingly willing to entertain claims from third parties whose data was compromised due to a firm’s cybersecurity failures.”
  • “To protect against such risks, law firms should take these steps:
    • “Adopt comprehensive cybersecurity measures, such as encryption, secure communications, and regular employee training on data protection protocols.”
    • “Negotiate indemnification clauses in engagement letters, particularly when handling third-party data.”
    • “Encourage clients to adopt their own strong cybersecurity practices to reduce the firm’s overall risk profile.”
  • “Provide clear communication with clients about cybersecurity practices to help limit liability in the event of a breach. For example:”
  • “Cybersecurity Policies in Engagement Letters: Include a section in the engagement letter that outlines the firm’s cybersecurity policies and procedures. Informing clients upfront about how their data is handled sets clear expectations and may help limit liability if a breach occurs.”
  • “Example: ‘Our firm uses industry-standard encryption protocols to secure client data in transit and at rest. We also employ two-factor authentication and regularly update our systems to protect against potential threats.'”
  • “Cybersecurity Protocol Discussions During Client Meetings: During initial client meetings, lawyers should discuss the specific data security measures relevant to the client’s case, especially if sensitive or regulated data (such as health care information or financial records) is involved. This can include informing clients about the secure platforms the firm uses for document sharing and case management.”
  • “Example: ‘For this matter, we will be using a secure cloud-based platform for document sharing, which complies with HIPAA standards due to the sensitive nature of the information. We will also assign limited access to specific team members to further protect your data.'”
  • “Breach Notification Procedures: Clients should be informed about how they will be notified in the event of a cybersecurity breach. This ensures transparency and helps maintain client trust in a worst-case scenario. It also shows the firm’s preparedness to address any potential issues swiftly.”
  • “Example: ‘In the unlikely event of a data breach, we have a rapid response plan in place. We will notify you within 24 hours of detecting a breach, provide an assessment of the potential impact, and outline the steps we are taking to address the situation.'”
  • “Law firm employees, whether through negligence or malicious intent, can be a major source of cybersecurity risk. The rise of hybrid work arrangements has increased the chances that insider threats will compromise a firm’s data security. For example, an employee might inadvertently leak sensitive client information through unsecured email, or a malicious insider could steal confidential data for personal gain.”
  • “To address these risks, law firms should implement strict policies on data access, secure device use, and data transmission. These policies typically include data access controls, multi-factor authentication and encrypted data transmission.”
  • “Law firms must navigate an increasingly complex landscape of cybersecurity and data privacy regulations. New Jersey’s Data Breach Notification Law requires prompt disclosure of any breaches involving personally identifiable information (PII) N.J. Stat. Ann. Section 56:8-163—66 (2005); as amended (2019), and firms serving clients across multiple jurisdictions must comply with various state and federal laws, such as HIPAA and the Gramm-Leach-Bliley Act. (Pub. L. No. 106-102 (1999).”
  • “Failure to comply with these laws can result in significant financial penalties and reputational damage. Law firms must conduct regular compliance audits and work closely with cybersecurity experts to ensure their policies meet the latest regulatory requirements.”
  • “Violations of the New Jersey RPC related to cybersecurity breaches or exposure can lead to disciplinary actions by the New Jersey Supreme Court’s Office of Attorney Ethics. Depending on the severity of the violation, sanctions can range from a formal reprimand to suspension or even disbarment. Specifically, a lawyer who negligently fails to safeguard client data may receive a public reprimand, but a pattern of negligence or intentional disregard for cybersecurity obligations could result in more severe penalties, including suspension or disbarment.”

Shipman & Goodwin Atty Dodges DQ In Waste Permit Case” —

  • “A Connecticut Superior Court judge has refused to disqualify Shipman & Goodwin LLP attorney Joseph P. Williams from a lawsuit that started as a dispute over a $3 million transfer station performance bond, finding he is not a necessary witness to the remaining issues in the case.”
  • “Judge Sheila A. Ozalis on Thursday [11/21] turned away Country Holding Co. LLC’s Sept. 23 motion to remove Williams as trial counsel for defendants Covanta Projects of Wallingford LLC and Covanta Energy LLC in litigation first brought in August 2021 arising from the sale of a waste-to-energy facility in Wallingford. Country Holding argued that Williams was involved in a ploy to force it to settle, leading to the facility’s closure in February amid the litigation.”
  • “Country Holding alleged that the transfer station closed because of an agreement between the Covanta parties and an entity called Country Disposal Services LLC, which held the permit to operate the facility from the state Department of Energy and Environmental Protection, or DEEP. Country Disposal allegedly agreed not to turn over the permit to Country Holding without Covanta’s approval, and Covanta demanded a settlement, the disqualification motion said.”
  • “‘A necessary witness is not just someone with relevant information; a necessary witness is someone who has material information no one else can provide,’ the ruling said. ‘It is clear to this court that attorney Williams is not a necessary witness on this subject matter, as the representatives or Country, Covanta and Country Disposal that participated in such discussions could easily provide such testimony.'”
  • “In its Oct. 7 objection to disqualifying Williams, Covanta said, ‘Country’s grievance is with the substance of the settlement proposal, not attorney Williams’ transmission of that proposal in his capacity as counsel, who had no personal knowledge beyond conveying his client’s proposal.'”
  • “During a Nov. 7 oral argument, Williams’ co-counsel Alison P. Baker, also of Shipman & Goodwin, said that removing him from trial would discourage other litigants from trying to settle claims and argued that his testimony would be protected by the litigation and attorney-client privileges.”
  • “‘The court notes that at no time during the course of this case, prior to the entry of new counsel for Country, while the firm of Cummings and Lockwood was representing Country, did it raise the issue that attorney Williams was a necessary witness for trial and should be disqualified,’ the ruling said. ‘There is no reasonable basis that this court can find for Country to have waited until the eve of trial to have made this motion to disqualify and finds that the disqualification of attorney Williams would render a substantial hardship on Covanta.'”
  • “The judge pointed out that Williams has served as counsel for Covanta since before the litigation started, and represents the entities on Country Holding’s appeal of her summary judgment decision. He also negotiated a settlement between Covanta, as guarantor, and the five municipalities to ‘compensate them for Country’s breaches of disposal agreements,’ according to the ruling.”