Data Security 101 For Law Firms!

By | March 31, 2015

As a title insurance firm, data security and the protection of non-public information are both key components of our privacy pledge to clients and partners, much as they are for companies across the business spectrum!

But given the prevalence and ever-increasing sophistication of the bad guys trying to infiltrate firms' technology and information storage, cyber-security is no longer simply a buzzword; it is one of the keys to remaining a going concern.

The frightening truth, as any occupant of a C-suite position in a larger firm, managing partner in a law firm or owner of a small firm knows, is that a company can be one cyber-infiltration away from a major problem that may be difficult to recover from.

In an interview with Legaltech, Scott Vernick, a partner with Fox Rothschild, discusses, among other things, ‘the current state of cyber-attacks, building a data privacy plan from scratch, and more’!

In addition, Scott will be a ‘Data Breach 911’ panelist at InsideCounsel’s 15th Annual SuperConference, to be held May 11-13 in Chicago.

Legaltech News: It seems that every other day we’re hearing about another major cyberattack. Are data breaches truly becoming more prevalent, and if so, what about the current marketplace is making companies so vulnerable to attack?

Scott Vernick: Data breaches have plagued companies for years, and no U.S. sector is beyond the reach of cyberattacks. In 2014 alone, breaches hit household names hard: Target, Home Depot, Community Health Systems, the U.S. Postal Service and, of course, Sony. 2015 may be the year of the healthcare data breach—see Anthem and Premera. These days, there are two types of companies—those that have been hacked and those that don’t know that they’ve been hacked. The accumulation of vast amounts of potentially valuable data, aggressive and inventive cybercriminals and an inattention to data security have combined to create a ripe environment for attacks.

LTN: Most companies have a data privacy plan these days, but for companies starting on the ground floor, where’s the best place to begin?

SV: A comprehensive data security audit is a must. For in-house counsel, whether your business is large or small, this means knowing what data you collect, who has access to it and how long it’s kept. As a next step, businesses should develop and implement outward-facing and internal privacy policies that address, among other considerations, the collection, access, storage, transfer and disposal of proprietary, confidential and otherwise sensitive data. These policies should reflect current federal and state regulations, along with applicable regulations in other countries. Further, every company should develop an incident response plan to address cyberattacks, which includes an interdisciplinary first response team to implement the plan.

LTN: If you’re a GC, who’s a part of your data privacy team? Who are the people you want to have available to turn to both before and after something goes wrong?

SV: Data privacy and breach response plans used to be relegated to the IT department. A big “take-away” from recent cyber-attacks is the need for collaborative teams that include information technology (particularly information security), relevant business heads, compliance, human resources and public/investor relations. Outside legal counsel can be instrumental in developing a strategy for breach notification, regulatory investigations and litigation.

LTN: What’s one key element of a data privacy plan that many in-house counsel seem to forget?

SV: A data privacy policy is not the same as a breach response plan—and post-breach is a critical time for a company’s reputation. Potential “fall-out” needs to be addressed comprehensively and thoughtfully using what I call “managed transparency.” Be upfront with regulators, consumers, employees and shareholders, and do that in a timely way, not months after a breach. The recent launch of information-sharing platforms that enable companies to cross-share cyber-crime information complicates the planning process. Companies need to address use of these platforms in privacy plans before employees participate or post. Sharing the wrong information could violate federal, state or industry regulations. Even worse, the information-sharing platforms could be targeted by cyber-criminals, resulting in the exposure of privileged company information.

LTN: Some in-house counsel are still slow to get on the data privacy bandwagon, seeing it as an IT issue or something that isn’t worth the time. What would be your argument to a GC that he/she should take a hands-on approach with data privacy?

SV: My response to any GC with that belief would be to show him or her a letter from a state attorney general—or, as in some cases, the attorneys general of multiple states—mandating responses to detailed questions as a result of a data breach. I would tell the GC that not knowing whether my company’s data is secure—whether firewalls are working or if there have been small-scale hackings—would keep me awake at night. I’d say that, based on my experience, a company’s monthly IT security assessment is, next to its financial report, the most critical piece of information a GC can have. And then I’d ask whether they are ready to respond to that letter, whether they know how secure their data is and if they read their company’s last data security assessment.


Michael Haltman, President of Hallmark Abstract Service, New York.

HAS is a provider of title insurance in New York State for residential and commercial real estate transactions.

And, for anyone either buying a property or refinancing, remember that although your attorney will likely recommend a title insurance provider, you always have the right to choose your own!

If you have any questions you can reach Michael by email at
