Law Practice Management and Technology
The Bottom Line Volume 34, No.3, August 2013
Content
- MCLE Self-Study Article: Cybersecurity -- a Top of Mind Issue That Companies Must Consider
- MCLE Self-Study Article: the Advanced Persistent Attack and What Your Law Firm Should Do
- Book Review By Larry Meyer
- Coach's Corner: Technology, Competence and Risk in Data Security and Privacy
- MCLE Self-Study Article: Addressing Social Media Security and Privacy Challenges
- MCLE Self-Study Article: "Naked Online", an Excerpt from the Book "Protecting Your Internet Security"
- MCLE Self-Study Article: the Attorney as Employer: the Law Regarding Employee Privacy in Social Media Posts
- MCLE Self-Study Article: Using Client Portals to Protect Your Clients’ Privacy
- MCLE Self-Study Article: What Is Privacy in the Information Age?
- Message from the Chair: Privacy at Risk
- Message from the Guest Editor: Protecting Privacy in Your Law Practice
- MCLE Self-Study Article: Data Security Breach Notification Laws: How They Affect Your Law Firm and Your Clients
MCLE Self-Study Article: Data Security Breach Notification Laws: How They Affect Your Law Firm and Your Clients
By David Bender, Esq.
Introduction
It is difficult to escape the continuing deluge of news articles about the latest data security breaches. All sorts of companies, agencies, and educational institutions are suffering breaches. These articles have been proliferating shortly after California enacted the worldâs first general data security breach notification statute, which became effective ten years ago. Although some breaches involve the data of more than a million people, information about data breaches rarely saw the light of day before the California statute was enacted.1 Under the statute, any entity conducting business in California that owns or is the licensee of certain personal information about California residents must notify these residents if it learns of an unauthorized acquisition of that information, in unencrypted computerized form, that compromises the informationâs security, confidentiality, or integrity.2 Any customer injured by a violation of this statute may institute a civil action for damages.3 But just what does all this mean for California law firms?
The answer to that query has two aspects. First, law firms likely are subject to the statute. Accordingly, a law firm must see that the pertinent personal information (hereinafter, âstatutory piâ)4 it collects is maintained securely so as to avoid triggering the statute, and must send notifications in the event of a breach. The law firm is already subject to the requirements of legal ethics and in particular the attorney-client privilege. But this statute adds new security obligations because much statutory pi in the firmâs possession is not subject to the privilege as it does not emanate from any attorney-client communication. For example, statutory pi about the firmâs employees, or supplied by adversaries in litigation, would not generally be subject to the privilege, but would be subject to the statute.