A Health Law, Data Management & Cyber Security Cheat Sheet

  • June 29, 2023
  • Eric S. Baum & Carina Lentsch


  1. Overview

Law firms have legal, ethical and other obligations to protect various types of data, including the personally identifiable information (PII) of clients and opposing parties.[2]  In Canada, national standards for privacy practice in the private sector are found in the Personal Information Protection and Electronic Documents Act (PIPEDA).  

In the event of a cyber breach, law firms have an obligation under PIPEDA to notify the individuals whose personal information was disclosed, and in some circumstances, to disclose the breach to the Privacy Commissioner of Canada.

  2. Management of Health Records

Regardless of their size, today’s health law practices are repositories of immense amounts of PII, including electronic personal health information. While such records are integral to the practice of health law, they are also a tempting target for cyber attackers. In these circumstances, health law practices must take the time to devise for themselves a defensible data management strategy. This is even more important in the post-COVID-19 era of remote working.

Nonetheless, a recent study of more than 200 small and medium-sized US law firms found that:

  • Only 30 percent of law firms use legal specific document management systems that are cloud-based, which offers additional security.
  • Only 35 percent of law firms conduct penetration testing of their environments using an external party.
  • Only 5 percent of law firms hold cybersecurity training on a monthly basis.[3]

Among other things, it is essential for today’s health law practices to know not only what data they are holding, but precisely where that data is being held (e.g. paper-based, onsite server, cloud-based server, personal and/or work laptop and desktop computers, personal and/or work mobile devices, portable storage devices, etc.).  A “bring your own device” (BYOD) system creates a risk that employees may unknowingly infect the firm’s system with viruses or malware from their personal devices. Accordingly, thought should be given to abandoning a BYOD system or otherwise implementing appropriate limits and safeguards with respect to when and how devices that are being used to hold and transmit PII can also be used for personal use.

At minimum, health law practices should develop and update defensible and workable plans for: (1) information governance and data destruction; and (2) responding to a cyber breach (including pre-assigned tasks to key people at your firm). 

If your practice does not have the internal expertise to develop such plans, it is important to obtain the advice of knowledgeable experts in the field (e.g. IT and data management specialists and cyber breach coaches). The reason for this is simple: an ounce of prevention is worth a pound of cure. 

Today’s health law practices should proactively identify and mitigate areas of possible risk, including conducting a “trial run” or “table-top exercise” of the firm’s response to a breach event, before it happens. Here are 10 helpful risk mitigation measures to implement: