When Do Law Firms Have to Disclose a Data Breach?
Now that you're on high alert over your client data because of the revelation of Olera's hacking into some of the nation's most prominent law firms, you're probably beginning to wonder: "Do I have to disclose a data breach to my firm?"
That's an excellent question, and it deserves an excellent answer. Unfortunately, an excellent answer is not easy to come by.
Terra Incognita?
There isn't much case law out there tackling the issue of data breach and disclosure. Although law firms and lawyers are ethically obligated to take steps to safeguard client data, the whole industry is having to re-assess what "reasonable precautions" are.
However, the American Bar Association has been setting the tone for noose tightening on the issue of cybersecurity, especially in the way of encryption. Take a look at the broad language of Rule 1.6. With that in mind, it's only a matter of time before the ABA and other entities start declaring lawyers negligent when they fail to take further preventative steps to stop additional damage -- like seeking outside help from law enforcement.
On the Books
Actually, it's not as mystical as it sounds. Many states have general laws about when business entities (including law firms) must disclose a breach. These laws mandate company disclosure of a breach when it involves unauthorized access to "personal information." And since client data is about as personal as you're going to get, the better policy is to disclose ... quickly. Of course, remember to take steps to protect client privacy in any way that you can from that point on.
But there's a problem here and you've already guessed it: isn't getting help from law enforcement itself a potential breach of attorney-client confidentiality or privilege?
Yikes. Why did we ever get into this business? At this point, our suggestion is to err on the side of what appears to be reasonable.