
Law Firm Data Breaches: A Legal Snapshot


Introduction

By now, attorneys recognize that data security has become a top concern for not just law firms themselves, but also clients, regulatory agencies, and state legislatures throughout the country. Countless firms have suffered data breaches, from solos to Big Law, but beyond the initial headlines, early settlements and sealed records have left a paucity of case law governing post-breach liability. As a result, many attorneys are left to wonder about the aftermath of a data breach and their potential exposure in an area of law that is rapidly evolving and far from settled.

State Data Breach Laws

All 50 states, as well as Washington, D.C., Puerto Rico, Guam, and the U.S. Virgin Islands, have enacted statutes requiring notice of a data breach to affected individuals. While these laws share the same basic framework, they also differ in several respects. These often substantial variations, coupled with the requirement that a business comply with the statute of the state where each affected individual resides, mean that avoiding regulatory fines following a breach is a burdensome process, particularly for multijurisdictional law firms.

A typical data breach statute will apply to any business or entity in the state that owns, licenses, or maintains certain classes of information. These categories always consist of Social Security numbers, driver’s license numbers, and financial account numbers, but some statutes also include information related to medical conditions, health insurance coverage, or even biometric data like fingerprints or retinal scans. Although some law firms may not be considered a “covered entity” pursuant to the statutory definition – attorneys specializing in criminal or juvenile representations, for example – most attorneys maintain their clients’ tax returns, medical reports, financial records, and other sensitive documents that subject them to their state breach statute.

Beyond varying definitions of covered entities and covered information, statutes may or may not contain exemptions for encrypted information, an exception based upon compliance with federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) or the Gramm-Leach-Bliley Act (GLBA), or requirements that an entity notify certain government agencies in addition to the affected individuals. Perhaps the most important variation concerns whether the statute includes a harm threshold provision, which permits a business to forgo notification following a determination that the breach will likely not result in any harm to consumers. Even among state laws providing a harm threshold, statutes differ on whether this determination requires documented consultation with law enforcement. Law firms practicing internationally should also be mindful of any duties under foreign regulations, including the EU’s General Data Protection Regulation (GDPR).

Statutory penalties vary as well, and may be calculated based on the number of affected individuals, the number of days that notice was delayed, or may amount to one large fine per breach. In any event, civil penalties can quickly escalate to six figures, and caps on the total penalty, where they exist at all, fall anywhere between $150,000 and $750,000. In addition to monetary penalties, the California, Connecticut, and Delaware statutes require entities to offer identity protection services to affected individuals for one year following a breach.
