A law firm stores closed files in a remote access storage facility. As has been the usual course for several years, the lawyer travels to the facility to retrieve a file and is told that the storage facility has been sold and the new owner has transferred the firm’s files to an out-of-state facility without the law firm’s knowledge or permission. Oh, S#&@! The new storage facility owner does not have an inventory of what was removed from the old unit or what was delivered to the new unit and is hesitant to disclose the location of the firm’s files. The lawyer is instructed to log in to the facility’s website to submit a request to have the needed file couriered to the lawyer at the law firm’s expense.
The new owner also requires the law firm to sign a new payment contract but does not provide them a new vendor agreement. The payment contract includes a monthly charge for data breach response services. Furthermore, the law firm was pre-enrolled in this program without their knowledge or approval and had to opt out of the program in writing. Double S#&@! The law firm calls their Ritman agent, who advises that such a data breach response service would directly jeopardize the firm’s standalone cyber liability insurance policy. Cyber liability insurance carriers mandate that breach notification services be controlled by and carried out using their approved vendors in conjunction with their approved legal counsel.
And finally, the storage facility’s data breach response service incorrectly advises the law firm that a breach involving non-public information or personal health information of individuals in three different states would not require notification in those three states, but only in the state in which the law firm is domiciled.
The moral of this story? There are many. Keep in close communication with your vendors. Review each party’s duties and responsibilities before signing vendor agreements. But most importantly, call RITMAN if you have a question. As your trusted advisor, we have your best interest at heart.