Massachusetts businesses are on pace to report a record number of data breaches in 2014.
The revelation can be added to a litany of recent jarring developments that Bay State lawyers say have their clients taking privacy and data security more seriously, fueling growth in the practice area.
“Over the last year and a half, that message has been much better received than in the past,” said Cynthia J. Larose, chairwoman of the privacy and security practice at Boston’s Mintz, Levin, Cohn, Ferris, Glovsky & Popeo. “The importance of it is going all the way up to the board room, and when directors start asking questions, management pays attention.”
In the past decade, Larose said, her firm has gone from “no one doing this work — or me just doing it as part of my tech practice — to having six lawyers who spend at least 50 to 60 percent of their time doing this work.”
Businesses sent 333 data breach notifications to the Massachusetts Attorney General’s Office in the first quarter of the year, according to statistics posted to the AG’s website. At that clip, the office would receive 1,332 data breach notifications by year’s end, surpassing the 1,174 it received in 2013 by more than 13 percent.
Globally, a recent report by data security firm SafeNet found that more than 200 million digital records were breached during the first quarter of this year.
The Massachusetts notifications are required by state law whenever an organization that owns or licenses data that includes personal information of a Massachusetts resident learns of a breach of security, or that personal information of a resident was acquired by or used by an unauthorized person or used for an unauthorized purpose. They have increased in number every year since 2008, when there were just 384.
While some breaches were minor, others have compromised the personal information of hundreds of thousands of people. The 4,684 data breaches reported from 2008 through 2013 affected about 4.75 million Massachusetts consumers, according to the AG’s Office.
In addition to the risk of identity theft and other headaches for those whose information is exposed, data breaches also present a number of legal issues for infiltrated companies, particularly in Massachusetts.
Lynne B. Barr, chairwoman of the banking and consumer financial services practices at Goodwin Procter in Boston, said Massachusetts has one of the most rigorous information security laws in the country.
Many of the state notification requirements are tied to whether notice must be given under federal law, Barr explained, noting that the federal rules require a finding of likelihood that stolen data would be misused before notification is required of financial institutions.
“Our breach statute treats any unauthorized access to the relevant information as a breach requiring notice,” she said. “We have instances where if you’re a bank in Illinois, you’re not giving notice, whereas here you would even if you don’t see a likelihood of misuse of the information. We struggle with that all the time.”
Chapter 93H and its accompanying regulations, 201 CMR 17.00, require entities that store or use personal information to have written, regularly audited plans for protecting it. Plans must address dozens of items within the regulations.
In the event of a breach, the law requires not only notification as soon as possible to state authorities, but also details on the nature of the breach, the number of people affected, and what steps have or will be taken in response.
According to a 2012 business security study by the National Cybersecurity Alliance and Symantec, 77 percent of businesses did not have a formal written internal security policy for employees; 63 percent did not have policies regarding how their employees use social media; 50 percent did not completely wipe their machines of data before disposal; and 48 percent did not have a plan or strategic approach in place for keeping their business cyber-secure.
But a number of high-profile breaches and jaw-dropping reports are opening clients’ eyes to the importance of cybersecurity, lawyers say.
In the past week alone, UMass Memorial Medical Center in Worcester announced a potential breach of information pertaining to more than 2,000 patients, and privacy and data security think tank Ponemon Institute released an analysis finding that the average two-year cost of a data breach for a U.S. company grew 8 percent in 2013 to $5.85 million.
The government is getting ever more involved in regulating data security. The Securities and Exchange Commission continues to expand its role, from simply requiring public companies to report successful breaches to announcing recently that it will examine the cybersecurity programs and procedures of investment advisers and brokers.
Meanwhile, a federal judge in New Jersey ruled that breaches could constitute an unfair practice under the Federal Trade Commission Act. And in its just-released report on big data, the White House included a recommendation for a national data breach notification law.
But the biggest eye-opener of all for businesses, according to Ellen M. Giblin of the Ashcroft Law Firm in Boston, was the May 5 ouster of Target CEO Gregg Steinhafel following the headline-grabbing hacker attack on the retailer during the 2013 holiday shopping season that compromised the information of 110 million consumers.
“One of the issues from the beginning of data breach law was that a lot of privacy professionals had a hard time getting visibility into the C suite that this was a bona fide risk,” said Giblin, a privacy counsel. “No longer is it something that is not on the C suite radar. It is directly on their radar.”
Now that most businesses appreciate the gravity of the issue, the next task for lawyers is convincing their clients of the valuable role attorneys can play in addressing it.
Many of the most commonly recommended steps for protecting against a breach — such as installing the right software, hiring the appropriate information technology officials, and setting up a data governance committee — may not appear to be legal in nature.
But Larose said cybersecurity also is a “compliance exercise” and that a company should have lawyers quarterbacking their efforts to make sure they don’t run afoul of regulations that differ from agency to agency and state to state.
“We’re more involved with, ‘Does everything you do meet the requirements of the various laws you have to comply with?’” she said. “The technology consultant isn’t going to be able to tell you that you are now in compliance with Massachusetts law. That’s really where we come in … to make sure you have the right pieces in place, so that when you do have a breach and you have to report/notify, you know what you’re supposed to take care of and can do it.”
Barr said there is also a very practical reason to let one’s lawyers lead the charge, particularly in the event of a successful breach that could result in litigation: being able to put the attorney-client privilege around the entire process.
“We actually manage the data breach. We manage the outside service providers. We review the reports. We report to the client. We draft the notices. We report to the regulators,” Larose said.
More often than not, Larose said, notice of a data breach leads to some level of questioning from regulators, if not necessarily an investigation.
“One thing I always say when I’m speaking on this or speaking with clients is that the handling of a data breach can either encourage or discourage a class action lawsuit. It all depends on how you handle it,” she said.
Privacy and data security is a “burgeoning, explosive practice area,” according to Brenda R. Sharton, chairwoman of the field at Goodwin Procter in Boston, but not one that lends itself to generalists.
“It is a situation where you have to sprint as fast as you can just to stay in place,” said Sharton, noting the large cast of regulators and the ever-evolving nature of computer viruses and other threats.
It is impossible to eradicate potential liability in such an environment, Giblin said, and so lawyers working in the field have to know how to be risk managers, rather than risk eliminators.
Giblin said businesses should look for lawyers who have handled a “volume” of breaches and who have relationships with the appropriate vendors. Law firms hoping to groom or recruit talent in the practice area should look at in-house lawyers and those who work with industries, such as financial services and health care, most often targeted by hackers.
“You become more expert in determining whether they are reportable and notifiable or not,” Giblin said of breaches. “If you over-report, you’re putting your client company at risk for FTC scrutiny and possible fines for having lax data security. Nobody wants to over-report and give away free credit monitoring.”
Or an insurance company might determine there was no breach and deny coverage, she said.
“It’s really a key competency for privacy counsel to know when and how to report,” Giblin said.
Larose also noted that most companies do business across state, if not also international, boundaries.
“To be able to handle the scope and depth of the current privacy laws and to be able to manage a data breach for a client, it’s as much of a specialty field now as health law or environmental law,” she said. “I don’t think a general business lawyer would be handling an environmental issue.”