Notification is not required if the law firm's file server has been the victim of a ransomware attack, but no information about a client's representation has been inaccessible for an extended period of time or accessed or disclosed by unauthorized persons. Conversely, disclosure is required if there is a real or reasonable suspicion that important client information has been accessed, disclosed or lost in the breach. Lawyers have an ethical and customary obligation to take competent and appropriate measures to protect client information, and often also have contractual and regulatory obligations to protect confidential information. There are an increasing number of cases where lawyers have contractual obligations to protect client data, particularly for clients in regulated sectors such as healthcare and financial services that have regulatory requirements to protect privacy and security. These contracts often include requirements for incident response and notification of security incidents and data breaches.
[88] See, for example, Nicole Hong, For Consumers, Injury Is Hard to Prove in Data-Breach Case, Wall St. J. (26 June 2016, 20:06), www.wsj.com/articles/for-consumers-injury-is-hard-to-prove-in-data-breach-cases-1466985988, archived at perma.cc/F3VF-8LKD.
HIPAA only requires notification of security breaches for unsecured PHI (for example, unencrypted PHI). Therefore, physicians are encouraged to use appropriate encryption and destruction techniques that render PHI unusable, unreadable or indecipherable to unauthorized persons.
[65] Timothy J. Toohey, Beyond Technophobia: Lawyers' Ethical and Legal Obligations to Monitor Evolving Technology and Security Risks, 21 J.L. & Tech. 1, 14 (2015).
The Michigan State Bar recently concluded that a material data breach by a law firm triggers a duty to notify its clients. According to Michigan Bar Ethics Notice RI 381:
[79] See id. (“Replacing the current patchwork of state laws with a single, comprehensive federal law would give businesses a clear roadmap to follow after a breach.”).
Fourth, oversight requires lawyers with managerial authority to establish appropriate internal policies and procedures to protect client trust from data breaches.
See CRPC 5.1 and 5.3. Law firms should also provide lawyers and staff with hands-on training on data protection, creating a culture of awareness and sound security practices.
[87] See id., p. 1197 (noting that a national data breach law that gives consumers a private right of action or requires mandatory credit monitoring “encourages companies to minimize data breaches”).
[2] See Bill Hardekopf, The Big Data Breaches of 2014, Forbes (January 13, 2015, 7:06 p.m.), www.forbes.com/sites/moneybuilder/2015/01/13/the-big-data-breaches-of-2014/#4ad6aa5f3a48, archived at perma.cc/WYT4-8JX8.
Build a team of experts to provide a comprehensive response to security breaches. Depending on the size and nature of your business, this may include forensics, law, information security, information technology, operations, human resources, communications, investor relations and management. If the attorney can determine what client data was compromised, those clients should at least be notified in accordance with the Michigan Bar Association guidelines, provided the stolen or exposed data is significant. The law firm should also promptly investigate and remedy the breach.
[80] See, for example, Data Security and Breach Notification Act of 2015, H.R.
1770, 114th Cong. (2 September 2016) (an example of a federal data breach bill that was not passed by Congress).
The statement notes that Model Rule 1.4 requires lawyers to communicate with their current clients about a data breach: [18] In addition, critics argue that the bills are weak and do not provide sufficient protection for consumers. [82] In particular, critics point out that the proposals do not provide sufficient incentives to prevent data breaches, since they are designed to notify consumers after a breach has already occurred. [83] To encourage the prevention of data breaches, organizations should consider additional security measures as wise investments that minimize the risk of loss. [84] The main business risks associated with data breaches are loss of customers and, of course, claims from affected consumers. [85] As discussed below, data breach claims are difficult to pursue. As a result, the risk of consumer litigation has not played a major role in prompting companies to adopt stricter security measures. [86]
The plan should identify a comprehensive complement of internal and external resources that may be required for the most serious security incidents or data breaches. It must be scalable so that resources are activated when needed. For example, malware on a single laptop can be managed by the IT department with notification to management, while a larger ransomware infection may require all of the plan's resources.
Security threats to lawyers and law firms remain significant, real and on the rise: security incidents and data breaches have occurred and are occurring. It is critical that lawyers and law firms identify and address these threats through comprehensive cybersecurity programs, including the preparation and implementation of incident response plans.
[90] See Kesan et al., op. cit., note 77, p. 277 (noting that “many other States only require companies to notify their customers of data breaches, and the relevant laws do not create additional rights or obligations”).
Opinion 483 follows the ABA's 2017 Formal Notice 477R, which emphasized the importance of client data privacy when communicating over the internet. As risks increase due to new technologies and digital dependency, the ABA acknowledged that more guidance was needed on how to respond in the event of a breach.