Cyberattacks constantly generate headlines.
A hack of Sony Pictures last year severely damaged the company and, more recently, it was revealed that more than 21 million Social Security numbers were compromised by an external theft of data held by the federal Office of Personnel Management.
But while attacks from the outside can have devastating consequences for victims, including various legal implications, so too can internal breaches of confidential information.
Inside jobs are also more likely than external ones, which has prompted some local law firms to offer practices that help companies combat internal threats to sensitive data.
“The chances of an external hack where information is stolen or used for cyberblackmail, for example, is a lot less than having your own staff do something stupid, inadvertent or willful that causes you damage,” said Madeline Cahill, a partner at Cahill & Campitiello.
Cahill’s Carlsbad-based firm assists a variety of companies in preventing and responding to inside breaches by working with in-house employees and outside consultants.
She tells clients that a critical prevention strategy is respecting and understanding the power of technology in a workplace and knowing how it changes rapidly.
Cahill also emphasizes that closely monitoring employees’ use of company technology can reduce the chances of a breach or other misuse of company property.
“Human beings by nature are very conflict averse and we like to believe that when we work with people we can trust them,” Cahill said. “So employers like to focus on possible outsider threats because it's more comfortable than facing the potential of an insider threat.”
In May, Higgs Fletcher & Mack in San Diego launched a privacy and information security practice group.
One feature of the group's work is helping clients develop proper internal privacy policies for data they collect and store.
Jim Eischen, a Higgs partner, said a very active area for the practice is helping clients make sure medical information is protected as required by the Health Insurance Portability and Accountability Act, known as HIPAA.
If a business maintains HIPAA-protected data, it must complete an internal risk assessment outlining how it is going to keep the information confidential, such as by limiting the employees who have access.
Eischen, a founding member of the practice group, said his firm often assists clients with completing the risk reviews. He also recommends similar assessments be undertaken to ensure compliance with laws beyond HIPAA.
“We feel like it is very responsible on part of all businesses large and small to take data privacy seriously, to have an internal assessment done and to figure out the privacy laws and other laws that apply,” he said.
The risk a company can face when internal information that was supposed to remain private is released was on display recently in a matter involving New York Giants defensive end Jason Pierre-Paul.
ESPN was able to obtain medical records indicating he had his right index finger amputated after a fireworks accident on July 4th.
The health care workers and the organization responsible for the leak of the information could face a variety of penalties, including substantial civil liability.
When internal information is improperly accessed, or illegally disseminated as in the case of the New York Giants player, organizations also must contemplate a variety of disciplinary actions against the employees responsible.
Cahill and Eischen agreed that is one reason why firms that practice in the area of internal data security must also possess employment law expertise.
Cahill has many years of experience as an employment lawyer, which she says also comes in handy when clients notice employees using company technology for inappropriate purposes besides accessing confidential information.
In addition to its privacy and information security group, Higgs has a deep bench of labor attorneys it can call on to aid clients responding to internal breaches, Eischen said.
“I do think it is very important to have multidisciplinary teams dealing with those types of (issues),” he said.
Firms with practice groups in the area said quick access to experienced litigators is also needed.
Cahill & Campitiello partner Larry Campitiello can step in to address the implications of an internal breach or other workplace matters.
“If a client has had data stolen or is experiencing disruptive behaviors in the workplace relating to data security, he goes into court to get the matter resolved,” said Cahill.
She expects that in the next few years there will be an increase in litigation in the field, especially against lawyers who failed to keep a client’s information private due to missing or lax data security protocols and systems.
Cahill said attorneys in those situations will likely face malpractice claims for breach of client confidentiality and breach of their responsibility to keep certain information privileged.
Eischen said Higgs has a team of litigators ready to assist his practice group's clients.
He anticipates more whistleblower claims will be filed against employers by employees who believe adverse actions were taken against them for raising concerns with respect to data privacy.