
Professional Service Companies Face Significant Cyber Risk

Written by: Cameron G. Shilling

Published in the New Hampshire Business Review (2/9/17)

Cyber attacks and costly accidental losses of sensitive personal and financial information are no longer confined to retailers like Target or Sony or banks and investment houses like JP Morgan. Professional service companies – like accountants, lawyers, financial advisors, and insurance agencies – are prime targets for hackers and are experiencing disproportionately damaging breaches from employee mistakes.

Clients entrust their professional service providers with the most sensitive information about themselves and their family members, including financial and investment account data, tax returns, personal and business income, corporate and legal strategies, estate planning and family law materials, social security numbers, and driver’s license and other governmental identification numbers.  While housing these highly valuable repositories of sensitive information, professional service firms commonly have fewer resources than larger companies, and have devoted far less attention to their cyber vulnerabilities.  Consequently, hackers recognize them as easy targets that generate significant yields of this prized information, and accidental losses of such information by employees can have disastrous effects.

Breaches of professional service companies can result in grave damage because the lost data is so immediately and directly useful for financial and identity theft, and their clients are commonly wealthy individuals and profitable businesses with well-funded accounts and valuable identities and credit.  Though hurtful to the clients, such breaches can be catastrophic – even a killer – for a professional service company, which relies heavily on its reputation in the community and the trust of its clients for its welfare and future business.

To reduce the vulnerability to a cyber breach and mitigate the damage that results if such a breach does occur, every professional services company should engage in the following five-step data security risk management process:

1. Retain an experienced data security attorney to conduct a comprehensive data security risk assessment of the company’s physical, technological and administrative infrastructure.

2. Prepare a risk assessment and vulnerabilities report, and implement a strategy to remediate the company’s data security vulnerabilities, including obtaining appropriate cyber liability insurance.

3. Create and implement a written data security policy, and formalize business practices and procedures that address cyber risks.

4. Train all employees about the data security policies, practices and procedures, as well as common cyber threats faced by the company.

5. Conduct periodic reassessments and updated employee trainings.

Risk Assessment: Step one involves identifying the information the company has that is legally protected, for example, under state data security laws or federal laws or regulations such as HIPAA, the Gramm-Leach-Bliley Act, Securities and Exchange Commission regulations, and Federal Trade Commission regulations.  It is critical to do so because the fines imposed by regulators for failure to comply are significant – commonly several hundred thousand dollars or more for a moderate breach, increasing to over a million dollars for a larger breach.  The legally protected information is mapped through its lifecycle (e.g., from receipt and creation, through use and transmission, to disposal and destruction), and areas of non-compliance or risk are identified using the legal requirements and standards of applicable laws and regulations.  This is a highly collaborative process between the managers of the company, competent IT professionals (inside or outside the business, or both), and legal counsel experienced with this area of the law and qualified to understand technological, physical and administrative security matters.

Assessment and Vulnerabilities Report and Remediation:  Step two flows from the areas of non-compliance and risk identified in the assessment.  Priority is assigned to items that are relatively easy to remedy, that do not comply with applicable law, or that embody significant risk.  The company creates a timeline for addressing the issues, then identifies and implements solutions for those vulnerabilities.  Remediating vulnerabilities frequently depends on the availability and affordability of technological, physical or administrative solutions.  As a result, it is common for a professional services company to require a year or more to properly address all vulnerabilities identified in an initial assessment.  In addition, it is critical for professional services companies to obtain cyber liability insurance appropriately tailored to their particular businesses, as such insurance can cover a large portion of the direct costs incurred when responding to a breach.

Data Security Policy: The data security policy, and the formalized practices and procedures, are created from the information gathered during the risk assessment and the remedies implemented or anticipated for the vulnerabilities.  Policies, practices and procedures created in the absence of a comprehensive risk assessment are pure guesswork, and do not comply with state or federal law or accepted practice.  No two companies’ policies, practices or procedures are the same because no two businesses are the same, and there is no boilerplate for this process.

Employee Training: The fourth step is an integral component of data security compliance.  Employees handle protected data on a daily basis, and therefore need to be taught about data security generally as well as the company’s specific policies, practices and procedures.  Likewise, properly trained employees know better how to avoid breaches, how to recognize an actual or potential breach, and how to properly respond in such circumstances.

Reassessment and Retraining: Security reassessments and periodic retraining are required and natural for any company committed to data security compliance.  Reassessments are used to address vulnerabilities from new or different technology, changed physical or administrative systems, or novel external threats.  Also, as a business becomes data security aware, it frequently identifies previously unknown vulnerabilities and adopts remedies that enhance security beyond the measures implemented after the initial risk assessment and report.

Professional services companies are prime targets for cyber attacks as well as disproportionately vulnerable to damage from data loss due to employee mistakes, because of the repositories of valuable sensitive personal and financial information entrusted to them.  Following the five steps outlined above will enable a professional service firm to reduce its vulnerability to a cyber breach and mitigate the damage that results if such a breach occurs.

Cameron G. Shilling is a Director at McLane Middleton, P.A., where he is the Chair of the firm’s Privacy and Data Security Group.  In his 20 plus years as an attorney, Cam has managed, litigated and resolved numerous data security, technology and complex litigation matters throughout New England and around the country.  His depth and breadth of experience in data security includes managing risk assessments, preparing and implementing written data security policies, training executives, managers and employees, addressing day-to-day security issues, and investigating and remediating breaches.  Cam’s expertise also includes privacy matters, creating and implementing information use policies, terms of use agreements and social media policies, advising clients about workplace and consumer privacy, and handling data privacy claims asserted against companies.  Kevin Lin, an associate in the practice, also contributed to this article.  They can be reached at [email protected].
