
Significant exposure

Clients entrust law firms with the most sensitive information about themselves and their family members, including financial and investment data, tax returns, personal and business income figures, privileged legal information, estate planning materials, Social Security numbers, and driver’s license numbers and other governmental identification numbers. This information is highly attractive to hackers and vulnerable to breaches both accidental and malicious.

Law firms commonly have fewer resources than larger companies to devote to managing and mitigating cyber vulnerabilities. When a breach occurs, firms can be obligated to comply with complex state privacy notification laws, undertake time-consuming internal forensics, and face outside regulatory investigations and liability claims. For some attorneys the bar is even higher: they have contractual and regulatory obligations to protect information relating to clients, including personally identifiable information and financial and health information. In addition, firms rely on their good names for success. Cyber breaches can break the trust between a client and a law firm – and irreparably damage a firm’s reputation.

Legal, regulatory and ethical issues: investigations and penalties

Forty-eight different state breach notification statutes govern a law firm’s legal obligation to investigate and respond. These statutes are a messy patchwork of often inconsistent requirements, with significant variations in the scope of data covered, the definition of what constitutes a “breach,” and the mechanics of how impacted persons must be notified. Depending on the size of the breach, a law firm may have to notify various state attorneys general and potentially be subject to fines and lengthy regulatory investigations.

And beyond what may be legally required, law firms must also consider their ethical obligations to clients. A data breach may implicate a number of the Rules of Professional Conduct. For example, the comments to Model Rule 1.1 (Competence) provide that a lawyer must “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

And Model Rule 1.6(c) (Confidentiality of Information) requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18 elaborates that subsection c “requires a lawyer to act competently to safeguard information . . . against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or [those under the] lawyer’s supervision.” In addition, Comment 19 states that when transmitting information relating to the representation of a client, “the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”

Source: American Bar Association, Model Rules of Professional Conduct (Wikipedia) and https://www.americanbar.org/ - Rule 1.1 cmt. 8, 1.6(c), 1.6 cmt. 18 and 1.6 cmt. 19.