With the legal industry’s increased efforts to integrate new technology into the profession, it has never been more important for law firms to protect themselves and their data. However, what happens when a breach does occur and privileged information is compromised? More specifically, what is a breach notification and what procedures are Florida law firms required to follow immediately after the incident?
In this episode of The Florida Bar Podcast, host Adriana Linares sits down with Orange County Bar Association Technology Committee Chair Daniel Whitehouse to discuss data breach notification procedures and what constitutes personally identifiable information. Daniel breaks down what Florida statutes consider a data breach (basically an unauthorized party accessing restricted data) and gives a few examples of situations within a law firm where this definition applies. He then provides an in-depth explanation as to what types of data fall under personally identifiable information, such as social security numbers, medical records, and email addresses, and discusses what Florida’s data breach notification law is. Daniel takes time to explain what the Florida attorney general’s office will require from law firms that experience such a breach and analyzes what ethical obligations legal professionals have to their clients and the prevention of future unauthorized access. He closes the interview with tips on how law firms can encrypt their data and proactive changes companies can implement to increase their security policies.
Daniel Whitehouse holds a Bachelor of Science in computer science and a Master of Business Administration (MBA), both from Webster University. He interned for The Honorable Susan C. Bucklew of the United States District Court for the Middle District of Florida and attended Stetson University College of Law where he graduated Co-Valedictorian. Daniel is currently the chair of the Orange County Bar Association Technology Committee.
The Florida Bar Podcast: Data Security and Florida Breach Notification Law – 4/20/2016
Advertiser: Welcome to the official Florida Bar Podcast. Where we cover practice management, leadership, and what’s happening in Florida law. Brought to you by the Florida Bar Practice Resource Institute. You’re listening to Legal Talk Network.
Adriana Linares: Hello and welcome to the official Florida Bar Podcast brought to you by the Practice Resource Institute on Legal Talk Network. The Practice Resource Institute is the Florida Bar’s online center for practice management information dedicated to Florida attorneys. I’m Adriana Linares and I’ll be your host today. I’m a legal technology consultant and trainer that’s been working for the Florida Bar for several years. I feel very lucky to have been doing that and am very honored to be able to host this podcast. Today I have Daniel Whitehouse on as our guest, he’s an attorney at Whitehouse Cooper in Orlando. Hey, Daniel!
Daniel Whitehouse: Hi there, Adriana, thanks for having me on.
Adriana Linares: I’m very excited to have you on. Tell our guests a little bit about yourself and your practice and also what you’ve been doing for the Orange County Bar Association.
Daniel Whitehouse: Sure. I practice business and technology law. I have a background in technology – I actually worked in the technology field before going to law school. So I married the two professions together. My bachelor’s degree is in computer science and I wanted to lend that experience to the practice of law. So we work with a lot of technology companies or we deal with a lot of technology issues in the practice of law. And through the Orange County Bar Association, I’ve been the chair for the past two years of our technology committee there which really has focused on the use of technology in the practice of law and gaining efficiency to make us all better as practicing attorneys and as legal professionals.
Adriana Linares: A noble, noble cause, and I know you’re doing a really good job at that. Not easy but congratulations on your tenure and honestly on doing a pretty good job for them. I asked you to come on to talk to us about breach notification laws and security issues and what law firms really need to know and understand about those things specifically when it comes to being a Florida-based law firm but also what do you do when these situations come up and maybe you have client information or other special information outside of Florida. So we did our last podcast or two podcasts ago specifically on talking about how to recognize and address security risks. So we kind of got that out of the way but I’m still surprised at how often I go into a law firm and they have no idea that they are held to the standards of a breach notification law should there be one. So my first question to you is going to be tell me what a security breach is when it comes to law firms. So I’m a lawyer and I don’t know if I’ve had a breach. What exactly is a breach and just describe it for me. Or give me some synonyms, I should say.
Daniel Whitehouse: It’s fairly simple as far as the statutes here in Florida define it. It’s unauthorized access to data, to information that we may be storing. Now you can take the definition of unauthorized access in a few different ways. Does unauthorized access mean it’s a former employee who accessed the data after they were terminated? Is unauthorized access somebody in another country? Or is unauthorized access the loss of, say, a laptop that contains information. And in many situations all of those could be correct. So it’s essentially someone who is not authorized to view that information gaining access somehow.
Adriana Linares: So how about this as an example: I’m a lawyer in West Palm Beach – and this is an actual true story. I let my secretary go on Friday. On Sunday night, because she knew my email password, she used Outlook web access, logged onto my email account through my law firm and sent an email to my new secretary that was starting on Monday saying, “We’ve decided to go in a different direction, you don’t need to show up on Monday.” Is that a breach?
Daniel Whitehouse: Ouch! That is a very unfortunate situation! And what I would say is it depends. But it really depends on what else that person may have done while she was in that email account. If she was going through and looking at all of the information in there and taking copies of that – maybe forwarding emails, printing information or somehow taking an offline copy of it, then that would be an unauthorized person gaining access to that. She was no longer authorized at that time. But if it was purely for the unfortunate situation of logging in to send that email, then that probably wouldn’t constitute unauthorized access, at least in the form of a data breach as we know it.
Adriana Linares: Good. And that’s because in that specific example, maybe she didn’t access personally identifiable information. Is that one of the triggers for a breach notification or is that the trigger for breach notification when it comes to the attorney general’s office?
Daniel Whitehouse: It really is the trigger for personally identifiable information as to what’s defined by our statutes here in Florida. It’s listed a little differently around the country – and I’m sure we can talk about that at some point. But personally identifiable information is a combination of items such as somebody’s first name and last name or first initial and last name.
Adriana Linares: Can it be as little as somebody’s first name and last name?
Daniel Whitehouse: Personally identifiable information is defined as as little as that. However, just getting somebody’s name and first and last name is not a breach, necessarily. There has to be something else coupled with a first name and a last name or some other information that’s out there. For example, when a social security number is involved, that triggers a breach notification, regardless of whether a first and last name accompanies it. That’s one of the items that’s so sensitive that it needs to be protected and there are obviously safeguards out there for that to occur. But it can be as little as that first name and last name or first initial and last name and email addresses and passwords or some combination of information that would allow someone to start guessing what this person’s password could be, like a security question; those types of things. We all fill out these online forms and it asks us how we can remember our passwords; those are the security type questions that we could be talking about.
Adriana Linares: So it could be things like where they live, health information, medical information, a passport number, driver’s license, name of their children. So any combination that makes it possible to find out more information about an individual who qualifies as personally identifiable information.
Daniel Whitehouse: Correct. And certainly anything that’s financial is triggered and it can also be talking about medical information. It can even be a health insurance policy number. So very specific and very broad at the same time.
Adriana Linares: Okay. So we’ve talked a little bit about what a breach is, which is unauthorized access by someone to your systems, your data, your firm information. We’ve talked about personally identifiable information in the makeup, of what that is – and each state is different. But specifically in Florida, somebody who is very interested in this needs to go and look at what those exact combinations are, but they’re pretty standard. And tell me exactly what is a breach notification law when it comes to Florida. What does that mean?
Daniel Whitehouse: That means that the individuals whose information has been compromised – which is information that’s been breached – must receive notification from the company that was holding that information. And that’s important because many times we’re using third parties to house data and those third parties have obligations to us – to the actual owner and holder of that information – to let us know that this data that we’re holding on your behalf may have been compromised and now you the owner of the data should go out and perform a notification to the affected individuals. So the notification is just that. It is the notice to the individuals whose data has or is believed to have been compromised and many-
Adriana Linares: May have been.
Daniel Whitehouse: Yeah, may have been-
Adriana Linares: It’s hard because you don’t even need to know for sure that it was accessed. I’ve seen a lot of breach notification letters that law firms have sent out and it says we regret to inform you that your information may have been accessed.
Daniel Whitehouse: Absolutely.
Adriana Linares: May have been. It’s very specific and I think this is what I’m trying to make clear to law firms is that you can’t get out of this. If this possibly happens you have to report it.
Daniel Whitehouse: Oh yeah, you’re absolutely right, I agree.
Adriana Linares: Who do they have to report it to?
Daniel Whitehouse: Not only to the individuals themselves but if there are more than 500 individuals in the state of Florida, then the attorney general’s office needs to receive notification as well. So 499. They don’t need that notice but 500 or more and the attorney general’s office needs notice as well. And then there are additional steps that the attorney general’s office will want to know you have taken. Including a copy of the notification that you sent to the individuals that were affected, what offering you’ve made to them – whether it’s credit reporting, whether it’s some sort of financial assistance-
Adriana Linares: Fraud alert.
Daniel Whitehouse: Exactly. Helpdesk that they can call and ask questions and help them through the process if their credit has in fact been compromised. And some of these investigations are very detailed and there’s a lot of questions that the attorney general wants to know because they have an obligation to protect the consumers of their state.
Adriana Linares: And it can be very expensive is another thing that law firms don’t realize. If you have to cover 500 individuals for one year. You hear about this happening all the time and I bet many of our listeners have received that credit notice or credit reporting opportunity from Target or PayPal or any of those big companies that have had a breach. You have to pay and say for the next year we’re going to offer you this free credit alert. And if it’s 500 people, that’s very, very expensive. And I can’t think of a law firm that doesn’t have more than 500 records of either clients or maybe it was discovered that they had; spreadsheets and databases of information.
Daniel Whitehouse: Absolutely, and it’s not only the cost, the actual hard cost, but it’s embarrassing to go through. So you are required by the statute to notify these individuals and you lose some credibility with them. Now we can shift for a moment and talk about the ethical side of this because we’ve been talking purely about the notification laws.
Adriana Linares: That would be great.
Daniel Whitehouse: These extend beyond just Florida. 47 states in the United States have notification laws as do DC, the Virgin Islands, Guam and Puerto Rico. And we’re seeing more and more action that occurs in these instances. But HIPAA, the Office of Civil Rights that regulates the HIPAA and HITECH regulations also has separate notification requirements. So there’s a lot of different statutes out there, a lot of different interpretations, and if you’re dealing with people in other states then that’s something else to consider. But back here in Florida, from a legal, ethical standpoint, our main confidence with our clients is attorney-client privilege. We have to protect that information that we receive from our clients. So not only are we dealing with notification to the consumers but we also need to consider what our ethical obligations are with the Florida Bar. I’ve dealt with a law firm that had an unfortunate situation happen and called the Bar for advice and received very good advice as far as what they could do to try to ensure attorney-client privilege was maintained. So that’s another layer that we have to consider here if this does happen within a law firm. It’s not just pulling up the Florida statute, it’s not just doing these notifications and dealing with attorneys general. We have the Florida Bar, we have attorney-client privilege that we have to maintain and that really is at the forefront of what we do in representing our clients.
Adriana Linares: Yeah, I mean it’s 101. You have to act competently to preserve information. You have a duty to safeguard. You have to make reasonable efforts to prevent that inadvertent or unauthorized disclosure of access. So earlier when you said the attorney general’s office might have a lot of questions to ask you, would you say that those questions are things like not just how did this happen, but what did you do ahead of time in order to try and prevent this? And then the law firm has to turn around and say we had passwords on our iPhones and our iPads. We have a firewall, we have two factor authentication, all our data is encrypted. Those are the types of things the attorney general’s office would like to hear and I’m sure that the Florida Bar too would like to hear that. These are all the things we’ve done within our realm of possibilities to protect this data. Is that what they’re looking for?
Daniel Whitehouse: Absolutely. The more you can show you’re not just sitting on your hands and hoping that nothing bad happens, that you’re being proactive and are taking a stand against the criminals who are seeking this information, certainly. They would love to hear those things. If you have a breach notification policy they would love to see that as well. And then they want to know if you followed that policy. It’s one thing to have it, it’s another thing not to abide by it; so separate issues there. So at the end of the day they want to know that the consumers of their state are protected and that they can stand up to those consumers and say yes, this did happen. But really, this law firm did everything that it could have possibly done to prevent these things from happening. The criminals just happen to be one step ahead.
Adriana Linares: Very good. You mentioned policies so you mentioned having a breach notification policy. Give me an idea of what a law firm’s breach notification policy would entail. What would I have to do to get me one of those if I’m a lawyer in Florida?
Daniel Whitehouse: Many companies that are putting these in place now are treating them similar to a disaster policy or an incident response policy. It’s very similar to that. It starts out the same in that we have had some event that has occurred and you forecast all of the people who need to be involved, all of the actions you will need to take and all of the potential third parties who need to be involved – whether it’s a forensics company, whether it’s someone to handle the actual notifications themselves. For example, if you’ve got 500 people, are you going to stuff 500 letters with credit monitoring codes or do you use a service to do those things? More importantly, something that many companies don’t think about in advance is what happens when the media comes asking questions? Who’s going to handle the public relations side of this? Do you have an outside PR firm or are you turning to in-house staff to try to manage that aspect? We recently saw a law firm that formed a lot of pandemonium companies that is getting a lot of press due to what they’re saying is an outside hack. So from a PR standpoint, I can’t even imagine what they’re going through right now. If they hadn’t thought about that ahead of time then they’d be completely inundated. So the answer to the question is there’s no form that says this is how your company, your law firm, will go through a data breach. It’s highly fact intensive; it’s going to be different from my firm versus another firm. But you have to go through the exercise to understand what works for your company and what doesn’t work for your company.
Adriana Linares: Great. And I want to mention aside from having a breach notification policy some other good ideas for law firms that don’t have policies – and many of them don’t – would include things like a password policy, an internet use policy, an email use policy, bring your own device policies. Acceptable computer use policies. Maybe a document management and retention policy. So even a solo attorney should have an idea and a list of these policies. You can Google them and get an idea of what they look like. You can certainly hire a company or lawyers like Daniel to probably help get those put together and be prepared. I hate to hear or think that when law firms say it’ll never happen to me, we’re just a three person firm here, they don’t want our data – believe me, they want your data! They will take your information and sell it on a black market. They want any data that law firms have because it’s valuable. We have wanted data. So let me ask you another question, Daniel – they do right? We have all kinds of good information that law firms contain from financial to medical to health to corporate; it’s really amazing. Is there any exception from having to report a breach to the office?
Daniel Whitehouse: There is and currently every state that has a data breach notification law has this exception included – I’ll come back to this in just a moment – but if your data is encrypted at rest, meaning that it is stored in an encrypted format, not that it goes from point A to point B via encryption but that the data itself is actually encrypted, that is not considered data that becomes accessed. So the prime example is you lose a laptop in an airport or wherever that contains personally identifiable information but that laptop was using modern day encryption. That is not considered a breach of personally identifiable information under every state today because that data was encrypted. So essentially when somebody goes to look at it, they’re looking at garbled text. They’re not looking at the clear information that you and I can read when you just take somebody’s hard drive and boot it up. Having said that, I learned just today that Tennessee has a law on the books that’s supposed to go into effect on July 1st and was recently signed into law that they have removed the encryption exception from their data breach notification statute. That’s the first that I’ve heard of any state doing that. It’s an interesting move, we’ll have to keep a close eye on that and see if any other states follow suit.
Adriana Linares: So you’re saying that safe harbor is gone now or will be gone in Tennessee as of July 1st. Doesn’t matter if your laptop was encrypted, you’re still going to have to report it.
Daniel Whitehouse: Correct.
Adriana Linares: Okay, now that’s interesting; wow. So in Florida – and I’m going to come back to other states in just a second – what you’re saying is if you lose your iPhone, your iPad, your Mac laptop or your PC laptop or it gets stolen or you forget it in an airport; losing your laptop, if you don’t get it back, it becomes a stolen laptop in my opinion. So how do we as everyday users turn on or get those devices to become encrypted to meet that safe harbor in Florida?
Daniel Whitehouse: So there’s software on many of them that comes built in that will allow you to enable encryption. On the current day iPhones and iPads, we have to be very clear on that, it’s current iPhones or iPads. If you haven’t updated it since you bought it four or five years ago, then we’re talking different things and I see people all the time who are in that boat. Current software has options to enable encryption on the iPhone and iPad – both of them come with encryption as long as you have a decent password set. So as simple as enabling the password is going to ensure that you have encrypted data on that iPhone or iPad. Don’t make the password “1234” or something that’s easily guessable. So there is some diligence that you need to incur. But it’s there in modern technology. It’s so important that we’re using-
Adriana Linares: And it’s free.
Daniel Whitehouse: It’s free, yes, it is free.
Adriana Linares: It’s built in. So if you’re a Mac user listening to this podcast, you’re going to go into your settings, you’re going to go into security and you’re going to turn on FileVault. That’s the built in encryption system for Macs. If you’re a PC user, you’re going to look for BitLocker. That’s the name that comes with Windows and it will depend on the version of Windows that you have. So if you don’t have BitLocker in your control panel, you’ll have to either upgrade the software – it does have a hardware requirement but you can talk to your IT person or your kid about helping you with that. So we’ve talked about iPhones and iPads which are pretty popular and Macs and PCs. What about Androids? Anything that you can suggest for anyone who might have chosen to go with an Android other than the advice of go get an iPhone?
Daniel Whitehouse: You’re looking at software in those to help enable it. The software that comes to mind that has been around for quite some time is called PGP. I’m fairly certain they have it for Androids. I’ll admit I’m an iPhone user myself.
Adriana Linares: I think most people are but we should mention that. There’s third party software that should help you encrypt your Android devices so that should be great. Before I let you go, we talked specifically about what happened in Florida. So there’s a breach and if it’s three people, you have to notify those three people, that’s the law. Right?
Daniel Whitehouse: Correct.
Adriana Linares: If it’s 500 or more, not only do you have to notify those 500 people, you’ve got to send in a notice of breach to the AG’s office and that has to include, like you said, a synopsis of what happened, the number of individuals in Florida affected, what service or retribution you’re going to offer in return, a copy of that notice and then the names, addresses, and emails of anyone whose information was obtained. So we know that in that, and what happens if I’m a multistate firm and I have a case with information about people in Illinois, for example. Do I also have to notify Illinois at that point? Do I have to notify the Illinois residents? What happens when I’m dealing with PII outside of Florida?
Daniel Whitehouse: Excellent question. So even though we are just a Florida law firm but we have somebody’s information who’s in Illinois, we now have to look at the Illinois statute for what it requires, what it defines as personally identifiable information. It’s timeframes of when those notifications must occur if they specify them. So it’s not based on where we’re located, it’s based on where the consumer whose data is located. If you’ve got data from everyone in all 50 states, then you’re looking at those notification laws to notify them. Interesting little tidbit here, I mentioned there’s 47 states that have notification laws. Texas has in its state of breach notification states that if you have information for someone who’s in one of the 3 states that don’t have a notification law, under the Texas statute, they require you to notify the individuals in the other 3 states. So essentially, you can say that all 50 states have notification requirements because you have some in Texas and you have some in the other 3 then you still have to perform the notifications. Even if we are just that Florida law firm with three attorneys and we have that information for people spread around the country, every state’s notification laws are different. We have to abide by each one of them and they change like any law changes. The Tennessee one we mentioned, that’s going to be changing July 1st. What we know to be the case last month can’t be what we assume to be next month.
Adriana Linares: Very interesting. I want to encourage our listeners to make sure they either Google or read more about the Florida Information Protection Act. I think it’s been around a while but it changed in 2014 and I don’t know if you know what the changes were specifically, Daniel. But I know one of the things that it changed was a shorter timeline to notify. So I think you used to have something like 90 days but now you have to do these things within 30 days. Do you have any comments or tips that you can give about what I guess we would call FIPA? Florida Information Protection Act?
Daniel Whitehouse: Florida is one of the shortest states in the country as far as its notification timelines are involved. So with all of us being Florida based attorneys, we can guarantee that we’re going to have people, consumers, in Florida. We can’t sit on our hands when we learn of something or if we even think there may have been something. We have a very short timeframe here. It’s very important to call in the experts whether it’s legal counsel who understands this or forensic experts who can come in and assess what has in fact happened. And then more importantly once the damage is done and you’ve assessed the situation, preventing it from happening going forward, having the right measures in place, having the right policy, the different layers of protection that you can have to try to avoid these things. And a lot of it can be attributed to user education and user training. Click on that wrong email and next thing you know you’re uploading data to who knows where. It can happen.
Adriana Linares: It really is. I’ve been doing a lot of that training in law firms and it really is probably the most preventative measure that you can take is simple training for your staff and for your attorneys on how to look for fraudulent emails, how even phone calls can be fraudulent and be seeking information. We get a lot of different phone calls from all sorts of sources and I always find that one of the biggest problems that law firms have is there are very trusting people that work inside of there that can be taken advantage of. So good training really, really helps. Before I let you go Daniel, because we’re almost out of time, I just want to say this out loud. I have a lot of law firms or lawyers who will say to me we don’t have to comply with breach notification laws. We’re covered under our confidentiality and client privilege rules and regulations. Is that true?
Daniel Whitehouse: No. It could not be further than the truth. You absolutely must comply with the data breach notification laws. Not only in our state but in every other state.
Adriana Linares: Great. So there’s no exception for law firms when it comes to breach notification and HIPAA rules.
Daniel Whitehouse: None.
Adriana Linares: None, great. Well listen, Daniel, I want to thank you so much for taking time to talk to us about this. I know it’s really important, it’s one of my favorite topics. Tell our listeners where they can either find, friend, follow, link, learn more about you and anything else that you’d want to share with them.
Daniel Whitehouse: Sure. We’re on all the usual social media outlets. Of course Twitter, Facebook, Google Plus, and our website is www.WhiteHouse-Cooper.com.
Adriana Linares: This was really helpful and great, thank you very much. For all of you listeners who would like to learn more about what you’ve heard today, make sure you visit the official Florida Bar Podcast on the PRI section of the Florida Bar website. That brings us to the end of this show. I’m Adriana Linares and thank you for listening. Join us next time for another great episode of the Florida Bar Podcast.
Advertiser: The views expressed by the participants of the program are their own, and do not represent the views of, nor are they endorsed by, Legal Talk Network, its officers, directors, employees, agents, representatives, shareholders, and subsidiaries. None of the content should be considered legal advice. As always, consult a lawyer. Thanks for listening to the official Florida Bar Podcast, brought to you by the Florida Bar Practice Resource Institute and produced by the broadcast professionals at Legal Talk Network. Join host, Adriana Linares, for her next podcast on practice management, leadership, and what’s happening in Florida Law. Subscribe to the RSS feed on LegalTalkNetwork.com, or in iTunes.