Hackers are increasingly targeting law firms, viewing them as a “one-stop shop” for sensitive lucrative client data. The examples are many: hackers breaking into M&A firms to steal info for insider trading; Russian cyber criminals going after elite firms; an epidemic of ransomware programs holding attorneys’ information hostage. And it’s not just hackers that you have to worry about. Even everyday thievery can put client information in jeopardy.
These breaches don’t just threaten your client data, they often implicate state data breach notice laws -- a messy tangle of statutes that vary significantly from state to state. Just as lawyers cannot ignore their cybersecurity duties, they can no longer remain ignorant to data breach notice laws.
48 State Laws -- And Growing
Ever since California passed the first statewide data breach notice statute in 2002, state legislatures have been enacting a flurry of legislation geared at organizations that either possess or work with individuals’ private information. These laws require private and government organizations to alert clients and consumers about recent data breaches affecting their private personal data. Nearly all states, the District of Columbia, and American commonwealths and territories have enacted their own data breach notice statutes. New Mexico recently becoming the 48th state to adopt its own data breach statute, leaving Alabama and South Dakota as the nation’s lone holdouts.
Unfortunately, these laws are anything but uniform.
Unfortunately, these laws are anything but uniform, and they can vary so drastically that lawyers trying to comply with them could find themselves slogging through 50 different types of government red tape. But the risk of law firm data breaches remains real, especially when only 15% of attorneys use full drive encryption to fully encrypt data on their law firm computer and laptop hard drives, while less than one third of attorneys encrypt individual files.
Thus, should a firm experience a data breach, noncompliance or ineffective compliance with notice laws could prove damaging. Lawyers must be aware of what data breach notification laws apply to them, in order to avoid potential civil liability and inevitable reputational damage.
What State Data Breach Notice Laws Cover, Generally
Many of these data breach notice laws share some consistent, common traits, despite state-to-state differences. In general, an organization is required to send a notice to potentially affected customers or clients whenever someone unlawfully acquires others’ personal information without authorization, and in turn compromises the security, confidentiality or integrity of the information.
In most states, this information includes social security numbers, driver license numbers, identification card numbers, credit & debit account numbers, and financial account login credentials. If a data breach occurs, these organizations are required to send notices to customers or clients either by mail or electronically to inform them about the breach and what steps they can take to prevent identity theft or fraud of their data. Failure to comply with these statutes often results in monetary fines or, in certain states, civil liability.
Consistently Inconsistent Data Breach Laws
Unfortunately, the similarities end there, and both law firms and companies are often left to compare and contrast different states’ laws in order to ensure compliance in the event of a breach.
In Illinois, for example, law firms and other entities are required to send notices if an unauthorized person obtains medical information, insurance information, and biometric information, like fingerprints or retina scans. States such as Hawaii and North Carolina also require notices for compromised information stored in non-electronic media.
Other states have separate notice procedures for HIPPA-covered organizations and specific paperwork formatting requirements.
Obviously, these inconsistent regulations can become unwieldy.
Some state statutes, such as New Jersey’s, are triggered if someone simply obtained unauthorized access to personal confidential information without actually acquiring information.
Even notice delivery requirements are inconsistent on a state-to-state basis, as well. Some require organizations to notify the state’s Attorney General directly, while some states exempt firms and other entities from the requirements entirely if they implement their own data notice protocol.
Obviously, these inconsistent regulations can become unwieldy—particularly if your firm services a large geographic region.
Why State Data Breach Notice Laws Matter For Law Firms
Data breach notice laws can easily make law firms more vulnerable to damning publicity -- or worse.
A growing number of states, including Massachusetts and California, are now publishing searchable data breach notice archives that allow potential clients and the public to research any law firm’s data breach history & reputation. Significantly, these data breach archives don’t just cover cybercriminal activity; even stolen laptops are fair game for mandated disclosure. All of this could lead to embarrassing revelations that current & potential clients could find difficult to stomach.
Beyond reputational damage, law firms could be severely fined for noncompliance.
Beyond reputational damage, law firms could be severely fined for noncompliance. In Texas, for example, law firms would be required to dole out at least $2,000-$50,000 per violation, with a $250,000 maximum penalty amount per breach for failure to comply with all notice requirements.
Although exemptions to the statutes exist, state legislatures are making it hard for law firms to qualify for them. While many states incorporate safe harbors that excuse firms from sending notices for breaches of encrypted personal data, these safe harbor provisions are not universal. States such as California, for example, do not grant immunity if the firm’s encryption keys and credentials were stolen and there was a reasonable belief that the stolen keys or credentials would have revealed private information.
In general, firms are only exempt if they regularly follow their own notice procedures or if the state attorney general’s office advises against sending notices for public safety and policy reasons.
While data breaches can happen to any law firm, lawyers can save a lot of hassle, trouble, and unnecessary fines by knowing and complying with the appropriate state data breach laws. To ensure compliance, lawyers should look up their respective state rules for guidance and consult with appropriate local counsel where necessary. An overview of these rules is available at the National Conference of State Legislatures’ website.
This post was authored by Eric Pesale, a soon-to-be attorney who recently graduated from the New York Law School. Eric contributes regularly to the Logikcull blog, focusing on the legal impact of emerging technologies. He can be reached at firstname.lastname@example.org or on Twitter at @ericpesale