Data defenders

By: 
Mar. 10, 2017

Executive Summary
Industry. Law. Trend. Firms are boosting cybersecurity practices. Key. Cybersecurity laws are changing quickly.

There were 1,093 U.S. data breaches in 2016 — a record high and a 40% increase over 2015 numbers, according to the Identity Theft Resource Center, a nonprofit focused on public education and victim assistance.

Those breaches exposed more than 36 million records and occurred across a variety of sectors, including health care, education, government and banking.

Fort Myers-based cancer services provider 21st Century Oncology is one of multiple corporate victims of a recent data breach. The company reported the late 2015 breach last year, saying information of more than 2 million patients nationwide was compromised in a hack. Company officials say there's no indication the information, from Social Security numbers to insurance information, was misused. But the firm still faces more than a dozen data breach-related lawsuits.

A 2016 study from IBM and the Ponemon Institute, which conducts independent research on privacy and information security policy, found the average cost for each lost or stolen record containing sensitive and confidential information increased from $217 to $221. The average cost that U.S. organizations paid rose from $6.53 million to $7.01 million.

Based on statistics like these, it's not surprising that many law firms in the region have established cybersecurity practices or task forces to help clients prevent and respond to data breaches and other attacks. Some of these groups even look into the public relations and crisis response side, considering how important that is for a company to move forward post-breach.
The Business Observer spoke with three firms to learn more about the burgeoning trend.

Trenam Law, Tampa
The Need: Trenam Law launched its cybersecurity practice at the beginning of the year. Founded in 1970, Trenam is among the largest law firms in Florida, with offices in Tampa and St. Petersburg. The firm handles bankruptcy, real estate transactions, commercial litigation, government contracting and business law, among other specialties.
“I have been somewhat surprised by the lack of protection that many companies have, companies that are really still completely oblivious to the risk,” says John Goldsmith, co-chair of the practice.
Goldsmith joined the firm in 1986, and has been a shareholder since 1991. “They say, 'Oh, that's a Target or Bank of America issue.' They don't see this as anything that could impose a risk for them.”
And that's where they're wrong. “It's more often small and medium-sized businesses being attacked, because they're the low-hanging fruit,” says cybersecurity group co-chair Frank Santini.

The Response: To help prevent breaches, the firm works with clients on prevention measures that include security assessments and reviewing of policies and procedures, vendor contracts and insurance agreements.
“Oftentimes it's vendors that end up causing the breach,” says Goldsmith. “And you want to make sure that you have insurance that actually covers the breach. We've had several clients who have been very disappointed to learn that, while they thought they had coverage, they actually didn't really have coverage to provide any meaningful benefit for them.”

The Challenges: Keeping up with state and federal regulations, as well as methods used to gain access to data, is labor intensive. Client education about notification requirements — and potential fines that result from an unsuitable response — is an ongoing effort. “One thing a lot of companies don't realize is that they have to provide notification of not only a breach but also a potential breach,” says Goldsmith. “It can be a problem that can get out of control very quickly,” adds Santini.

Shumaker, Loop, & Kendrick, Sarasota and Tampa
The Need: Shumaker, Loop & Kendrick launched its data breach practice group at the end of 2014. The formation of the group was in response to several national breaches, in addition to the Florida Information Protection Act of 2014, which laid out prevention and reporting requirements for businesses statewide.
“If a company has a data breach, the time frame to respond is very, very short,” says Douglas Cherry, one of the seven attorneys in the group. Cherry is based in the Sarasota office, and regularly speaks to business groups about cybersecurity prevention and legal issues. “You really need to have a team in place so they can react quickly.”

The Response: Because a company with data that's been compromised must adhere to reporting requirements in all states in which it has customers, the law firm's data breach group stays on top of all the different rules and regulations to help clients respond in the manner needed as quickly as possible.
“And these laws are constantly changing,” says Cherry. “We had a difference of a couple months between breaches recently, and we found some of the state laws had changed just within that time.”
The team also assesses the level of response needed. “We get consultants in to analyze the size of the breach, whether it's been contained, and the amount of information compromised,” says attorney Michael Taaffe, who heads up the group from his Sarasota office. “The size of the breach has a lot to do with what penalties you have to pay or the level of response you have to do.”

The Challenges: Convincing businesses to take the needed preventive steps can be tough. “You usually don't get a company's attention until it's been breached,” says Cherry. “But companies should have data breach plans put in place so that they're ready to respond to these instances. If law enforcement or the attorney general asks you what sort of response plan you had in place, it doesn't look too good if you say, 'We didn't really have one at all.'”

Carlton Fields, Tampa
The Need: Carlton Fields established its privacy and cybersecurity task force about two years ago. “It was a matter of anticipating client needs and having the resources in place to respond to what continues to be increasing requests by existing and new clients with regard to assistance in this area,” says Joseph Swanson, co-leader of the task force, which includes attorneys from the firm's 10 offices. A former prosecutor with the U.S. Attorney's Office in Tampa, Swanson joined the Tampa office of Carlton Fields in 2015.

The Response: The firm works with clients to prevent and react to breaches. That includes assistance with drafting incident response guides “so that organizations have a playbook to follow in the event of a breach,” says Swanson.
Task force members help forge connections between businesses and law enforcement before an attack occurs, so there's already an established relationship. They also take clients through mock breach exercises. “It really forces them to grapple with some of these issues in as close to a real scenario as you can make it,” he says.
In addition to crafting the appropriate response to a breach, the firm advises clients of any litigation risk as a potential defendant or any prospects for litigation as a potential plaintiff.

The Challenges: The ever-changing regulatory landscape requires close and constant scrutiny. New state laws may not affect a business at this moment, but they often serve as models for other states to follow.
“There are changes and evolving guidelines being promulgated by regulators on a daily basis,” says Swanson. “To say nothing of staying abreast of what's going on in the courts. A big issue in this field is whether someone whose information has been compromised has standing to bring a lawsuit. There are opinions on all sides of that issue from courts around the country, so that's another area that demands attention.”