A recent publication by the FDA regarding cyber security for medical devices got me wondering how ready law firms are for the true cyber security needs of the future. The publication, official guidance to the medical device community, informs the manufacturers of medical devices that utilize wireless connectivity that it is necessary for them to consider cyber security in making their products. Necessary, but not required.
Huh? I don’t understand. If the FDA believes, as their report says, that the risk of hacking medical devices is significant, why aren’t they simply requiring cybersecurity steps? Why, before even stating the purpose of the rule, do they take a whole paragraph to emphasize that the word “should” as contained in the remaining NINE paragraphs does not indicate required action? For reference:
“FDA’s guidance documents, including this guidance, do not establish legally enforceable responsibilities. Instead, guidances describe the Agency’s current thinking on a topic and should be viewed only as recommendations, unless specific regulatory or statutory requirements are cited. The use of the word should in Agency guidances means that something is suggested or recommended, but not required.”
And how on earth does this have anything to do with lawyers? I’ll tell you how: plausible deniability.
Why would the FDA, the supposed “watchdog” of the medical device industry, make recommendations about such a critical issue, but make the fix voluntary? In my opinion, it’s because the fox is running the hen house. The rules are written with too much influence from the medical device industry, who – like all other industries – wants the standard to be permissive. That way, should there be litigation in the future over this issue, the device industry can demonstrate that even though they were obviously on notice of the risk, they were expressly told that they were not required to take any specific steps.
The Failure of State Ethics Boards to Address Cyber Security
While state ethics rulings and opinions are finally starting to reflect the reality of things like social media, the same cannot be said for cyber security. Although all states require that law firms take steps to keep confidential information secure, I have yet to see even a proposed opinion requiring law firms to have a Bring Your Own Device (“BYOD”) policy in place – or to even require that digital information be encrypted.
Many states have addressed the need to make sure that your cell phone communications with clients need to be secure, but even the Snowden revelations that the U.S. government violated attorney-client privilege only brought a tepid and toothless response from the American Bar Association – a stern letter.
The Amendments to the Model Rules are Insufficient
Let’s face it, attorneys are all about protecting their clients’ information, until it means having a serious conversation about security in the information age. I’ve written before about my belief that the amendment to Model Rule 1.1 by the ABA, requiring that attorneys keep themselves updated about changing technology, was a waste of time. Any states that adopt the new language will still rely on panels of attorneys, usually more senior attorneys who tend to be more technology averse, to implement any new rules.
So even though the reasons are different than the medical device manufacturers, you will have ethics opinions written primarily by attorneys who would prefer that issues like cyber security remain voluntary, rather than required.
“Reasonable” Cyber Security Has Not Been Clearly Defined
Some will argue that the current standards require reasonable steps, which could be interpreted to require that digital information stored in law firm servers must be encrypted. Really? Where has that been held to be the definition of reasonable? We’ve known about the dangers of storing unencrypted data for years, and we have also known that it costs next-to-nothing to encrypt data, but nowhere has it been required that stored digital data be encrypted.
Others will argue that measures can be evaluated on a case-by-case basis without further definition, because smaller firms are not at a substantial risk of being hacked. Wake up! Anyone who thinks their firm isn’t a target for hackers is woefully ill-prepared to address cyber security in the modern world. Contrary to what you see in the movies and on TV, it doesn’t require a lonely hacker staying awake for 72 hours straight to hack your system. Just like everyone else, they have computers do that for them now. And they automate them, just like those annoying robo-calls during election season. All you need to do in order to become a target these days is to have a computer hooked up to the internet.
In the end…
At least the FDA recognized the risk posed by hackers to wireless medical devices. They’re a step ahead of a lot of law firms. However, recognizing a serious risk, then announcing that protection against that risk is voluntary, is reckless. It endangers the public, and provides a ridiculous defense for medical device manufacturers, now aware of the risk, who wish to avoid spending the negligible amount of money to provide adequate cyber security in their devices. By failing to establish baseline requirements for cyber security in law firms, state ethics boards are being just as reckless.