Maryland’s Personal Information Protection Act (PIPA) is designed to protect the personal identifying information (PII) of Maryland residents. PIPA requires businesses to implement reasonable security measures to protect PII from disclosure or unauthorized access. PIPA also applies to law firms. In a nightmare scenario for all law firms, the United States District Court for the Southern District of Florida is considering preliminary approval of a class action settlement involving a data breach at a law firm. The proposed settlement includes an $8.5 million fund for claims, with individual reimbursements of up to $35,000 and three years of credit monitoring. Plaintiffs allege that the firm, Gunster, failed to protect their personal information from unauthorized access by cybercriminals.
Facts
On November 27, 2022, Gunster, Yoakley & Stewart, P.A. (Gunster) determined that third-party cybercriminals had gained access to their systems, resulting in a data breach. Gunster notified impacted individuals of the data breach beginning August 2023. The data breach allegedly compromised the security of personal information belonging to current and former employees, clients, and other persons, for a total of 9,550 individuals. This information included personal identifying information (PII) and personal health information (PHI) such as names, addresses, dates of birth, social security numbers, medical or health insurance information, and other sensitive data.
On May 13, 2024, Whalen (Plaintiff) filed a putative class action complaint against Gunster, asserting claims arising out of the data breach. The Amended Complaint included six separate counts: negligence, negligence per se, implied contract, breach of fiduciary duty, unjust enrichment, and violation of the Florida Deceptive and Unfair Trade Practices Act (Fla. Stat. § 501.201, “FDUTPA”). Plaintiff alleged that Gunster inadequately maintained its computer network, platform, and software, rendering them easy prey for cybercriminals. In addition, Plaintiff contended that Gunster failed to provide timely notice to the affected individuals, delaying notification for nearly 18 months.
The parties reached a settlement agreement, which must be approved by the court. The case is Whalen v. Gunster, Yoakley & Stewart, P.A., Case No. 9:24-CV-80612-AMC (S.D. Fla. 2024).
Obligations of each party
If the court approves the settlement agreement, Gunster will be obligated to create a non-reversionary cash settlement fund of $8.5 million. In addition, Gunster must enhance its data security infrastructure, including a comprehensive System and Organization Controls (SOC) Type II review and audit, conducted by a third party, that assesses the organization’s security controls over a period of time. The firm must deploy a best-in-class Endpoint Detection & Response (EDR) tool that monitors the firm’s computers and servers to detect suspicious behavior and takes action to contain or remediate malicious activity. Additional security measures that must be implemented include centralized logging and monitoring solutions, enhanced backup solutions and disaster recovery protocols, expanded and hardened cloud environments, enhanced access controls and application security testing, and a comprehensive review and modification of firewall rules and configurations.
Key Takeaways
1. The Federal Trade Commission (FTC) published Protecting Personal Information: A Guide for Business, which established guidelines for fundamental data security principles and practices for businesses. The guidelines explain that businesses should:
a. protect the personal customer information that they keep;
b. properly dispose of personal information that is no longer needed;
c. encrypt information stored on computer networks;
d. understand their network’s vulnerabilities; and
e. implement policies to correct security problems.
The Plaintiffs contend that Gunster failed to employ reasonable measures to protect against unauthorized access to PII and PHI, which constitutes an unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (FTCA).
Tip: Law firms may want to consider following industry standards promulgated by the FTC for protection of PII and PHI.
2. Best practices for data security include educating all employees; strong passwords; multi-layer security (including firewalls); anti-virus and anti-malware software; encryption; multi-factor authentication; backing up data; and limiting which employees can access sensitive data. Other cybersecurity best practices include installing appropriate malware detection software; monitoring and limiting network ports; protecting web browsers and email management systems; properly configuring network equipment such as firewalls, switches, and routers; monitoring and protecting physical security systems; protecting all communication systems; and training staff on critical points.
Tip: Law firms should consider implementing some or all of these best practices for protection of PII and PHI.
3. The FTC has issued numerous orders against businesses that further clarify the measures businesses must take to meet their data security obligations. Those orders involved organizations that allowed users to bypass authentication procedures, failed to employ sufficient measures to detect and prevent unauthorized access to their computer networks, stored PII and PHI in clear text on their corporate networks, and failed to monitor outbound traffic from their networks to identify and block the unauthorized export of PII and PHI.
Tip: Reviewing these FTC orders is important to determine whether your law firm has sufficient security measures in place to defend against cyber attacks.
4. PIPA protects the PII of Maryland residents. PIPA applies to all businesses that collect, use, or disclose personal data about Maryland residents.
Tip: The Maryland Attorney General’s Office, led by Attorney General Anthony G. Brown, has published guidelines for businesses to comply with PIPA. It would be a good investment of time to read, study, and implement these guidelines at your law firm.
As illustrated by the Whalen case, law firms are not immune to cyber attacks, nor are they immune to lawsuits over security breaches of their clients’ information. The United States Attorney for the District of Maryland, Erek L. Barron, recently hosted the 2024 Cybersecurity Conference. The conference highlighted the daily cyber threats to which organizations and individuals are susceptible, and strongly encouraged individuals and organizations to implement strict security measures. See Erek Barron Hosts 2024 Cybersecurity Conference, MSBA Blog (Nov. 12, 2024).
Law firms and lawyers may want to consider implementing the FTC security measures and other cybersecurity protections. Consulting a cybersecurity expert to ensure that the PII and PHI in their possession are protected from cyber threats may also be necessary. By implementing these security measures, a law firm can significantly reduce the risk of cyber attacks and protect sensitive client information.