Last week, the American Bar Association (ABA) revised its formal opinion on what constitutes reasonable data privacy and information security practices for lawyers and law firms. It is ABA Formal Opinion 477R: “Securing communication of protected client information.” You may download it here.
This revised opinion can, and likely will, be cited as the standard of care to establish the duty element of negligence claims after lawyers or law firms suffer preventable data breaches. It will also be cited to show that attorneys breached their fiduciary duties or duties of confidentiality when such breaches occur. Preventable data breaches include, but are not limited to, breaches resulting from:
- social engineering;
- malicious actions by disgruntled employees or other insiders (insider threats);
- inadequate privacy and security training for personnel who handle private and sensitive client information;
- unreasonable data privacy or information security practices; and
- external intrusions by cybercriminals that reasonable safeguards would have stopped.
Hackers can profit handsomely from stealing the medical, tax, or financial records of law firms' clients; there is an active market for this information on the dark web. Identity thieves can use it to obtain medical treatment or prescription drugs under someone else's insurance plan, steal tax refunds, or commit credit card or bank fraud.
Attorneys should read the opinion and then work with their data privacy and information security professionals to confirm that their firms' privacy programs, information security practices, and cybersecurity insurance coverage are reasonable under the opinion's revised standard. Attorneys or small firms that practice in Arizona or Colorado and need help creating, implementing, assessing, or auditing their privacy programs or information security practices may call our firm.
By Ed Hopkins, HopkinsWay PLLC. | © HopkinsWay PLLC 2017. All rights reserved.