MCLE Self-Study Article: Data Security Breach Notification Laws: How They Affect Your Law Firm and Your Clients

By David Bender, Esq.

Introduction

It is difficult to escape the continuing deluge of news articles about the latest data security breaches. All sorts of companies, agencies, and educational institutions are suffering breaches. These articles have been proliferating shortly after California enacted the world’s first general data security breach notification statute, which became effective ten years ago. Although some breaches involve the data of more than a million people, information about data breaches rarely saw the light of day before the California statute was enacted.¹ Under the statute, any entity conducting business in California that owns or is the licensee of certain personal information about California residents must notify these residents if it learns of an unauthorized acquisition of that information, in unencrypted computerized form, that compromises the information’s security, confidentiality, or integrity.² Any customer injured by a violation of this statute may institute a civil action for damages.³ But just what does all this mean for California law firms?

The answer to that query has two aspects. First, law firms likely are subject to the statute. Accordingly, a law firm must see that the pertinent personal information (hereinafter, “statutory pi”)⁴ it collects is maintained securely so as to avoid triggering the statute, and must send notifications in the event of a breach. The law firm is already subject to the requirements of legal ethics and in particular the attorney-client privilege. But this statute adds new security obligations because much statutory pi in the firm’s possession is not subject to the privilege as it does not emanate from any attorney-client communication. For example, statutory pi about the firm’s employees, or supplied by adversaries in litigation, would not generally be subject to the privilege, but would be subject to the statute.