A cyber incident occurring at a professional services firm (law office, accounting firm, medical practice) is an extinction-level event.
To illustrate that point, I will use the following hypothetical:
Firm X has 20 professionals: 5 senior staff oversee and are responsible for the work of 15 junior staff. The firm has 100 clients whose data is stored electronically. On July 1 of year 200X, a client informs the firm that confidential data held by the firm has been used in a compromising way. The breach can be traced only to the service firm.
Here is the likely chain of events.
1.) The firm must notify customers of the data breach.
2.) A percentage of clients will pull their business from the firm.
3.) Some of these clients will describe their bad experiences to other clients.
4.) In the age of social media, the possibility of negative publicity multiplying the damage is high. This will suppress future business.
The preceding events could probably be managed or at least mitigated via a disaster response program. However, that costs money.
1.) The firm should expect to be sued.
2.) Several service professionals (lawyers and doctors) will be accused of violating oaths of confidentiality (oaths they have in fact taken).
3.) The probability of a large number of plaintiffs joining in a single cause of action is high.
4.) Even if a class action does not occur, multiple lawsuits are possible.
5.) A large number of lawsuits means expensive litigation, and possibly more bad publicity.
And that’s not all:
1.) In some situations, managing members/partners/shareholders may be accused of violating a duty to the company to keep the data safe.
2.) This potentially triggers personal liability for these individuals.
For a larger firm, survival is possible. But for a smaller firm – like the 20-member firm cited above – survival is unlikely.
Over the next few blog posts, I’ll be looking at this situation in more detail, using the ISO cyber policy as a template.
The Law Office of Hale Stewart
734A E. 29th Street
Houston, Texas 77009