In March 2023, a New York-based medical malpractice law firm agreed to pay a $200,000 financial penalty to the New York Attorney General to settle alleged HIPAA and NY privacy law violations. The ransomware group “LockBit” victimized the law firm and compromised the private information of 114,000 patients. How did LockBit gain access to the law firm’s data? Through a vulnerability in Microsoft Exchange (an email server product). According to the NY AG, software patches had been released months prior, but the firm failed to apply them in a timely manner. In other words, the law firm had to pay a massive fine simply because it failed to apply software patches promptly.
Had this happened in Texas, the law firm would have faced an additional punishment–being publicly listed for a year on the Texas Attorney General’s website’s “wall of shame”, a virtual listing of all those who suffered security breaches resulting in the potential exposure of the private data of 250 or more Texas residents. It can be seen by all the world here.
A 2015 post by retired TLIE Senior Vice President Jett Hanna outlined important HIPAA and data privacy obligations for lawyers. This article builds on Mr. Hanna’s by addressing new and updated data privacy laws and presenting a few “best practices” for handling clients’ private information. A comprehensive review of data privacy practices is beyond the scope of this article, although the linked resources are helpful guides for additional information.
What Rules, Laws, and Regulations Apply to Clients’ Private Data?
A handful of acronymed rules, laws, and regulations govern Texas attorneys’ relationship to their clients’ private information. As Mr. Hanna noted in his 2015 post, an attorney’s obligations begin with the ethical duty of confidentiality under TDRPC 1.05, which requires attorneys to maintain the confidentiality of clients’ privileged and unprivileged information. As discussed below, Rule 1.05’s ethical standards are amplified by several federal and state laws that apply in specific circumstances.
The most commonly known federal privacy law may be the Health Insurance Portability and Accountability Act. HIPAA directs how an individual’s protected health information must be handled by specific healthcare entities and by “business associates”–a term which includes lawyers who handle protected health information when doing work for clients who are “covered entities.” Although there may be some debate whether HIPAA applies to lawyers who do not meet the “business associate” definition, the Texas Medical Records Privacy Act (“TMRPA,” aka “Texas HIPAA”) expands the coverage to include “any person” who “comes into possession of protected health information,” which necessarily includes lawyers who possess such data from their clients.
At least two other statutes also require Texas attorneys to protect their clients’ private data. The Texas Identity Theft Enforcement and Protection Act (“TITEPA”) requires attorneys to “implement and maintain reasonable procedures” to protect clients’ “sensitive personal information,” including name, social security number, date of birth, and other data that could be used to identify a client. And the recently signed Texas Data Privacy and Security Act (“TDPSA”) may also apply when it takes effect in July 2024. That Act will cover lawyers who are not covered by HIPAA and are not classified as small businesses by the US SBA. Both have breach reporting requirements that will lead to the business entity whose security was breached being posted on the Texas AG’s wall of shame.
What Data is Protected?
Each rule and statute identifies specific information protected, but lawyers can follow a general rule of thumb–the lawyer should protect a client’s private information as zealously as she would protect her own private information.
Three general categories of client information are protected:
- Privileged and unprivileged confidential information;
- Protected health information; and
- Personally-identifying information, like names, dates of birth, and social security numbers.
TDRPC 1.05 commands lawyers to keep their clients’ confidential information confidential, regardless of whether that information is privileged. Privileged information is information protected by Texas Rule of Evidence 503 or Federal Rule of Evidence 501. “Unprivileged client information means all information relating to a client or furnished by the client, other than privileged information, acquired by the lawyer during the course of or by reason of the representation of the client.” This duty of confidentiality prohibits the lawyer from using the information “to the detriment of the client or for the benefit of the lawyer or a third person.” Given its application to all information the lawyer receives through the representation or by means of the representation, Rule 1.05 is the broadest of the rules and regulations discussed here.
HIPAA and TMRPA cover a client’s “protected health information.” The HIPAA Journal provides a helpful discussion of what is “protected health information,” which, greatly simplified, is any health information that includes anything that could identify the patient and which is maintained or transmitted by a provider.
TITEPA requires businesses to protect clients’ “sensitive personal information,” which it defines as:
(A) an individual’s first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:
    (i) social security number;
    (ii) driver’s license number or government-issued identification number; or
    (iii) account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account; or
(B) information that identifies an individual and relates to:
    (i) the physical or mental health or condition of the individual;
    (ii) the provision of health care to the individual; or
    (iii) payment for the provision of health care to the individual.
Notably, the disjunctive “or” between (A) and (B) indicates that “sensitive personal information” includes either the personal identifiers in (A) or the health information in (B), whereas HIPAA and TMRPA require the combination of (A) and (B) before the information becomes covered “protected health information” under those acts.
To the extent the TDPSA applies to lawyers, it covers “personal data” which is “any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual” but exempts information covered by HIPAA and other acts.
What Are the Reporting Requirements in the Event of a Breach?
TITEPA supplies the reporting requirements in the event of a breach that results in the unauthorized acquisition of sensitive personal information. All “breaches of system security” require the person whose system was breached to notify any individual whose sensitive personal information was, or may have been, acquired in the breach. This disclosure to the individuals must be made “without unreasonable delay” but not later than the 60th day after the party becomes aware of the breach. If the breach involves at least 250 Texas residents, the breached party must also notify the Texas Attorney General via a form on the AG’s website. That notification must be made not later than 30 days after the breach is discovered. The Attorney General must list on its virtual wall of shame all such notifications received and leave each notification up for one year.
What Are Some Best Practices to Avoid a Breach and Landing on the Wall of Shame?
There are excellent CLEs, blogs, and articles that discuss compliance and data privacy in great detail, so this post provides a simple overview of many common best practices with links to additional resources.
- Use HIPAA authorizations signed by clients that authorize gathering and sharing PHI. A proper authorization, like the one linked, will help ensure that the lawyer and the client are both on the same page regarding the use and distribution of the client’s private information.
- Use proper training for all in the firm who handle PHI and SPI. Training employees on how to handle private information, even if such training isn’t required, will help keep data safety top-of-mind within the firm.
- Use cybersecurity software. In 2024, preventing a breach is an admirable goal, but it’s almost a given that a firm’s security will be breached at some point. However, a breach isn’t the end of the world when caught quickly, because the damage can be contained before it becomes widespread. The Texas State Bar’s Computer & Technology Section provides numerous resources and recommendations, including this video, for practices and software to help secure the firm’s and clients’ data.
- Use two-factor or multi-factor authentication. Requiring employees to use more than a single password to log in and to access the firm’s systems (e.g., case management, client management, email, etc.) will help deter breaches at the front door by eliminating reliance on a single password.
- Use thin clients instead of laptops. Laptops are now as powerful as yesteryear’s servers, meaning the amount of data stored locally in a laptop’s 4TB hard drive surpasses the amount of data a firm’s server stored just a few years ago. A thin client limits local storage by leaving most data stored in the firm’s cloud, which is likely far more secure than a laptop.
As the amount of data firms collect about their clients, intentionally or inadvertently, grows, lawyers and law firms become bigger targets for cyber threats and hackers. Following these best practices, and keeping abreast of trends and new regulations, will help lawyers and law firms comply with their obligations to protect their clients’ health and other sensitive private information and will help keep lawyers and law firms off the Attorney General’s wall of shame.
If your law firm suffers a system breach, you should immediately contact your insurance carrier. All TLIE policies currently include $50,000 of cyber insurance administered through Tokio Marine HCC Cyber & Professional Lines Group. The coverage assists in mitigation costs and expenses including IT forensics expenses and breach notification costs. You may contact Tokio Marine at 888-627-8995 or TLIE at 800-252-9332.