This blog begins a series on interesting issues raised at the ABA Standing Committee on Lawyers Professional Liability, which I attended on April 14-16.
Data Security: State laws that may apply to lawyers.
If your laptop or other computer hardware with sensitive information is stolen, or if there is a security breach of sensitive information, you may be required by law to report that fact to the individuals and credit reporting agencies. In Texas, Chapter 521 of the Business and Commerce Code requires that a security breach of a computer holding the following information be reported to the individuals whose data is involved:
An individual’s first name or first initial and last name in combination with any one or more of the following, if the name and the items are not encrypted:
- Social security number;
- Driver’s license number or government-issued identification number; or
- Account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account
Information that identifies an individual and relates to:
- The physical or mental health or condition of the individual;
- The provision of health care to the individual; or
- Payment for the provision of health care to the individual.
Lawyers often have this type of information on their computer systems and electronic devices. The level of notice required by the statute depends upon how many names are potentially compromised, and the expense of notification. Other states may have more stringent reporting requirements that apply to particular situations.
A direct breach of a law firm’s computer system could conceivably expose many sources of the type of information covered by the statute. Law firms might want to consider logging the names of individuals with sensitive information in a searchable database as it is received by the law firm. Keep in mind that sensitive information covered by the statute includes not only client information, but also information about opponents, aligned parties and families of firm personnel. For example, an insurance defense firm may have sensitive information about injured parties on the other side of a case.