A $50 million dollar malpractice suit against a law firm for failure to protect a prominent client’s data is being closely watched as it highlights the question “Is a data breach a breach of duty”?

In at least two cases, courts have gone so far as to hold that corporations have a duty to protect against a third person’s criminal act if the organization has a reason to anticipate the crime, and breaches its duty to customers if it fails to prevent a foreseeable cyberattack.  (See Attias v. CatreFirst, Inc. and Arby’s Rest. Grp. Inc. Litig).

The district court in this case has determined that the Plaintiff has viable claims for malpractice on the basis that the law firm’s information security means were “inadequate and unreasonable” because the data was breached.  Which brings up the next question – what is considered “reasonable” for cybersecurity?

While there is no protection that is 100% foolproof when it comes to securing data, aligning your firm’s cybersecurity to an established framework provides a strong defense that your protections were “reasonable”. The National Institute of Standards and Technology Cyber Security Framework (NIST CSF) was originally developed for internal use by the US government and is the basis for the compliance requirements for healthcare, the payment card industry and Department of Defense contractors.  NIST CSF was made available for public use as a way to provide guidance on cybersecurity best practices, therefore it is a strong argument that aligning your practice to this standard would be reasonable care and protection of the data entrusted to you.

Which leads to the final question- How can you make sure that your firm is aligned with the NIST CSF standard?  There are a number of self-assessment resources available via the NIST.gov site, and our compliance team can perform a full assessment if a 3rd party attestation is desired (or requested by a key client) or provide consulting retainer to review your internal findings and make recommendations.  We can also provide a breach response service to address the areas where most firms have serious gaps:  Detection, Response and Recovery.

Negligence claims against law firms for information security breaches are sure to increase in the future as cyber criminals become ever more skillful and experienced in their attacks. All firms should take note.