Skip to content

By Nicole Hyland and James Mariani

Every day, clients entrust their lawyers with confidential information.  Whether in a matrimonial dispute, high-stakes corporate acquisition, commercial litigation, criminal defense matter, or any other sensitive legal issue, clients rely on their lawyers to safeguard information that could be detrimental or embarrassing to the client if disclosed.  A lawyer’s ethical obligation to protect such confidential information is embodied in Rule 1.6 of the Rules of Professional Conduct (“RPCs”), which states in relevant part that “a lawyer shall not knowingly reveal confidential information.” The duty of confidentiality is not limited, however, to intentional disclosures.  Rule 1.6(c) also requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to” confidential information.

As methods used to transmit and store information become more technologically advanced, however, the efforts required to protect confidential information from “inadvertent or unauthorized disclosure” must evolve. Protecting confidential information is no longer just about locking file drawers and office doors (although that’s still a good idea).  It is also about maintaining good data security practices and having a plan to deal with data security breaches.  Unfortunately, lawyers have a reputation – fair or unfair – for being technological luddites, despite the fact that Comment [8] to Rule 1.1 (Duty of Competence) requires lawyers to “keep abreast of the benefits and risks associated with the technology the lawyer uses to provide services to clients or to store or transmit confidential information.”

Technological competence has become even more critical during this Covid-19 crisis, where many law firms are operating entirely on a remote basis.  Lawyers and staff alike are accessing information from remote work spaces and many of them using unfamiliar technologies, often with little preparation or training. This wholesale transition to remote work took place virtually (no pun intended) overnight and has placed an unprecedented burden on most law firms’ technological capabilities.

The Risk of Data Breaches

With droves of confidential information and a potential lack of technical sophistication, law firms are a key target for bad actors looking to access and monetize sensitive information, through phishing emails, wire transfer scams, and other illicit means.  Once such method is the ransomware attack – in which a third party obtains access to a firm’s network or data and threatens to expose it or delete it unless the firm pays a ransom.  Unlike in movies or on television, these scammers rely primarily on human frailty or ignorance, rather than on super-genius computer hacking skills.  In many cases, an employee will receive a legitimate looking email, click on a link, and follow instructions to enter a password or some other key information.  In doing so, the employee unwittingly provides the scammer with enough information to penetrate the firm’s systems and gain control.

There are best practices that law firms should implement to guard against these types of invasions, some of which are discussed in this cybersecurity report from the New York State Bar Association https://nysba.org/app/uploads/2020/03/NYSBA-Cyber-Alert-031220.pdf).  But that’s not what this post is about.  This post is about what happens after your law firm’s system has been breached.  In other words, what duties does a law firm have to notify clients that a data breach has occurred?  We will get to that question; but first, a cautionary tale.

The Case of the Missing Data Breach Notification

In 2016, the Kansas City law firm of Warden Grier LLP suffered a ransomware attack by a notorious hacker group known as The Dark Overlord, according to a Complaint https://www.databreaches.net/wp-content/uploads/Hiscox_complaint.pdf filed in federal court last Friday.  Warden Grier allegedly paid off the hackers, which enabled the firm to regain control of its systems.  Although Warden Grier notified federal authorities, the firm allegedly did not notify Hiscox Insurance, a client that routinely hired Warden Grier to defend claims against Hiscox’s insureds.  According to Hiscox, it only learned of the hacking incident in 2018, when a Hiscox employee stumbled across some client-related information posted on the dark web.  Hiscox alleges that Warden Grier breached its contractual obligations and its fiduciary duties by failing to notify the company of the data breach and seeks $1.5 million in damages.

Are Law Firms Required to Notify Clients of a Data Breach?

A law firm that experiences a ransomware attack or other data security breach should take several immediate steps, such as hiring a data security consultant, conducting an investigation, and – in most cases – reporting the incident to relevant criminal authorities.  It should not be forgotten that the law firm is – first and foremost – the victim of a crime.  In reality, this does not always happen.  Many companies quietly pay off the extortionist in order to regain control of their systems and avoid embarrassment https://www.law360.com/articles/1123819.  Even if the firm decides not to report the incident to authorities, it should conduct an internal investigation, because without knowing what information an intruder might have accessed or stolen, the firm cannot determine whether it has a duty to notify clients, individuals, and regulators of a data breach.  If an investigation reveals that client information was, in fact, breached, this likely triggers a duty to notify the client, at a minimum.  There are multiple sources for this duty, each of which may have different – although overlapping – standards.  These sources include: contractual obligations, Rules of Professional Conduct, data breach notification statutes, and/or international law such as the General Data Protection Regulation (“GDPR”).  The firm should also consider whether risk management factors might favor notification, even where there is no clear duty to notify in a particular circumstance.  We address each of these considerations below.

Does the Firm Have a Contractual Duty to Notify a Client of a Data Breach

As with any professional relationship, one of the first places to look for duties is the contract that governs the relationship.  Most attorney-client relationships are governed by some sort of engagement letter.  Where the client is a large corporation or insurance company, the relationship may also be subject to outside counsel guidelines or similar terms and conditions.  Therefore, even if a law firm’s standard engagement letter is silent with respect to data breach notifications, the firm should also check if there are any outside counsel guidelines that might apply to the situation.  In Hiscox v. Warden Grier, for example, Hiscox alleges that Warden Grier signed “Terms of Engagement” that required the firm to “retain either the originals or copies of all file documents relating to the claim” and to “have in place an appropriate disaster recovery plan with appropriate back-up to ensure the continuity of services in the event of a disaster.”  Although the Terms of Engagement did not explicitly require “notification,” the Complaint alleges that Warden Grier breached the Terms of Engagement by, among other things, failing “to conduct and prompt and adequate investigation” into the data breach, which should have included  “notifying Hiscox” of the breach.  In some circumstances, a company’s outside counsel guidelines may go further than Hiscox’s Terms of Engagement to expressly require notification.

Do the Rules of Professional Conduct Require Notification?

The RPCs are obviously another key place for lawyers to look for duties to clients.  Each U.S. jurisdiction has adopted its own version of the RPCs, based primarily on the ABA Model RPCs, with some variations.  In New York’s version of the RPCs, as in the Model RPCs, Rule 1.4 governs the duty to communicate with clients.  New York’s Rule 1.4(a)(1)(iii) states, for example, that lawyers must “promptly” inform clients of “material developments” in their legal matters and Rule 1.4(a)(3) requires lawyers to “keep the client reasonably informed about the status of the matter.”

Does Rule 1.4 require lawyers to notify clients when their confidential information has been breached by hackers?  Not surprisingly, the answer is yes.  In a 2018 ethics opinion https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf, the ABA ethics committee opined that “[w]hen a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their ethical obligations under these Model Rules.”  ABA Ethics Op. 483 (2018).  Opinion 483 is worth reading for its analysis and helpful advice on how to protect against data breaches and how to deal with them once they occur.  For the purposes of this post, however, the bottom line is that Rule 1.4 requires prompt notification to clients when a law firm suffers a data breach that compromises client information

Do Data Breach Notification Statutes Require Notification?

All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted statues requiring notification in the event of a data breach.  Additionally, there are sector-specific statutes, such as the Health Insurance Portability and Accountability Act (“HIPAA”), which include breach notification requirements.  Depending on the type of data that is compromised and certain thresholds, a law firm may have obligations to notify under these state or federal statutes.  These obligations may include notifying individuals, regulators, and even media and credit bureaus.  For instance, under the New York State breach notification statute—recently amended by the SHIELD Act—if the “private information” of any New York resident is subject to unauthorized access, both the individual that such data relates to and certain state agencies, including the New York Attorney General, must be notified.  Some states, including New York, require notification to a regulator if even one individual’s information is compromised.  Accordingly, firms that experience data breaches must engage in a complex legal analysis to determine whether notification requirements are triggered and what deadlines apply. Moreover, different states have a variety of different thresholds.  For example, California requires that the Attorney General be notified if the “personal information” of more than 500 CA residents is compromised.  Failure to timely notify the appropriate people under these statutes may lead to regulatory enforcement actions, statutory damages, and possibly class action lawsuits.

Does International Law Require Notification?

The data breach notification analysis is not simply a matter of domestic law.  Depending on the information compromised and the nature of a law firm’s clients, foreign regulations with extraterritorial reach may trigger a duty to notify (including severe penalties for failure to do so).  The most notorious example is the GDPR, the comprehensive data protection and privacy regulation of the European Union.  Unlike many state breach notification statutes, the GDPR uses an extremely broad definition of “personal data” and requires a “risk of harm” analysis to determine whether individuals or regulators must be notified.  If so, the law requires that relevant authorities be notified within 72 hours after discovery of the breach.  The regulation provides for fines as high as €20 million or 4 percent of the total worldwide turnover of the preceding financial year, whichever is greater.

Do Risk Management Considerations Support Notification?

When we advise law firm clients on their ethical or fiduciary obligations, we often point out that there are things you must do and then there are things you probably should do.  Those are not necessarily the same things.  The gap between “must do” and “probably should do” is where “risk management” does its most important work.  For example, a law firm that experiences a ransomware attack may conduct a thorough investigation, which is inconclusive as to whether client information was accessed or stolen.  Could a law firm reasonably conclude that it has no duty to notify clients of the breach, under the foregoing authorities?  Perhaps so.  On the other hand, should the law firm notify clients of the data breach, while reassuring them that – after a thorough investigation – the firm has found no conclusive evidence that client information was compromised?  Either option carries different risks.  If the law firm chooses not to notify its clients, and they later discover that there was a breach, this will likely undermine the clients’ faith in the law firm.  It could lead to embarrassing and costly litigation, loss of business, reputational harm, and possibly even disciplinary action.  On the other hand, if the firm chooses to notify its clients, that could open up a can of worms better left closed.  There is a chance the incident will never come to light, no one will ever be harmed, and no one will be wiser.  Choosing between these two options is an important decision that will depend on the facts and circumstances, as well as the firm’s appetite for risk.  Our one recommendation is not to make this important decision without getting advice from a trusted advisor outside the law firm.

Conclusion

Some experts predict that the Covid-19 pandemic will forever change the way that people work.  Even after the crisis abates, many businesses, including law firms, may increasingly rely on remote work arrangements.  In other words, we may all adjust to certain aspects of this “new normal” and may even come to prefer them (hopefully not the toilet paper hoarding).  We must wait to see if that prediction comes true.  Either way, law firms will certainly continue to rely on technology to share and store client information.  That will require law firms, not only to take reasonable steps to minimize the risk of data breaches and similar incursions, but to promptly investigate any data breaches and notify clients if their confidential information has been compromised.

Over the past several weeks, the California Attorney General (“AG”) published revisions to its proposed regulations implementing the CCPA (the “Modified Regulations”), and then further revised the Modified Regulations (“Version 2”).  Despite earlier warnings to the business community that AG’s initial draft of Regulations would not materially change, we’ve now seen it happen twice.  The full redlines of both the Modified Regulations and Version 2 are available here. This article highlights what’s new, what remains the same, what we expect to have the biggest impact on businesses working toward compliance, and the lack of predictability of next moves given the growing global health crisis.   Continue Reading CCPA Update: Oops, the CA AG Did It Again

Welcome to 2020. The California Consumer Privacy Act (“CCPA”) is now in effect, and your business has probably spent significant time and expense preparing for the law. With so much focus on CCPA preparations, it’s important to recall that the CCPA isn’t the only California privacy law to become effective this year. California will now also require any business that meets the definition of a data broker during a given year to register as a data broker with the California Attorney General’s Office on or before January 31st of the following year. Although the law is not clear whether it retroactively applies to business practices in 2019, the California Office of the Attorney General has issued a press statement on data broker registration and posted a registration page, which strongly indicates that the AG expects qualifying businesses to register by January 31, 2020.

Continue Reading Data Broker Registration for California is Live

On Thursday, October 10, 2019, only 83 days before the California Consumer Privacy Act (“CCPA”) was set to become effective, California Attorney General Xavier Becerra held a press conference, with no prior notice, and issued his long awaited proposed regulations (the “Regulations”). The hope had been that the Regulations would provide much needed guidance to businesses of all sizes and in all industries as to how to implement a law that was hastily passed in a week’s time in 2018. Instead, while the Regulations provide some clarity around the mechanisms that organizations may use to verify and respond to the various consumer requests allowed by the law, the Regulations also add even more ambiguity to a number of requirements. Even more concerning, the Regulations add some new requirements and deadlines that do not exist in the statute itself.

The Regulations include 24 pages of legalese. Every privacy lawyer I know – and I know the best and the brightest – is struggling to interpret these Regulations and what they really mean. That does not bode well for businesses who (1) are trying to run businesses and not become privacy experts; and (2) cannot afford experienced privacy counsel. And that, in turn, does not help California consumers. As I have said many times before, California can do better. I call again on all California businesses of any size, and in every industry, to submit comments to the Attorney General to let the AG know the impact on your business and the California economy. Comments are due on or before December 6.  There will also be hearings around the state December 2-5. Let’s show up and be heard.

With that, we give you a summary of the Regulations. I would say enjoy, but I know better.

Continue Reading The California AG’s Proposed CCPA Regulations are Live, but Not Ready for Prime Time

On July 24, 2019, the FTC announced a $5 billion settlement with Facebook to address Facebook’s alleged violations of the FTC Act and its 2012 consent order with the FTC. The settlement comes as no surprise to the privacy community – Facebook has been closely scrutinized by the public and regulators since the Cambridge Analytica data incident in March 2018 and indicated to investors earlier this year that it anticipated a fine from the FTC between $3 and $5 billion.

We have read the complaint, settlement, and press releases issued by the FTC and Facebook, and provide our thoughts below on what it means for business: Continue Reading Business Takeaways from the FTC $5 Billion Settlement with Facebook

Trend Micro, a cybersecurity solutions provider, recently reported that it blocked ~5 million hacking attempts of IP-connected cameras in just the last 5 months. This means that a hell of a lot of people are trying to hack into Internet-connected cameras. But why?

Continue Reading Watching Me, Watching You—IoT Camera Hacks Surge

An Internet advertising agency that specializes in lead generation for law firms failed to properly secure databases that included the records of about 150,000 individuals. The ad agency, X Social Media, utilizes campaigns on Facebook that target potential plaintiffs for personal injury cases, medical malpractice lawsuits, and mass tort claims. Since the Facebook ads that X Social Media uses to generate these leads are designed to collect and store medical information along with contact details, the database records themselves likely trigger many state breach notification statutes that list “medical information” as “personally identifiable information” — including California’s.

Continue Reading Just Ahead of CCPA, Ad Agency Fails to Secure Leads Data

The California Assembly had a busy May hearing amendments that might clarify (or further muddy) the California Consumer Privacy Act (“CCPA”). With four new bills approved by the Assembly in the final week of the month, May saw a total of 10 CCPA-related bills pass through the Assembly and on to the Senate. We covered a number of these in our last update. Here’s a rundown of the 10 bills: Continue Reading CCPA ABs – the Latest Alphabet Soup