Informing Clients and Former Clients of Data Breaches

By David Hricik, Mercer Law School

Law firms are targets of hackers, patent firms in particular. Why? Because hackers know firms have the “wheat” separated from the chaff, and hackers believe firms also have less robust security than their clients. See Am. B. Ass’n. Formal Eth. Op. 483 (here). That is likely even more true of the dispersed work forces caused by the pandemic.

In that opinion, the ABA explained a firm's duty to use reasonable care to avoid being hacked. If a hack occurred, the opinion concluded, a firm had to notify current clients and provide them with sufficient information to respond. The ABA refused to say that lawyers owed such an obligation to former clients.

In Maine Opinion 220 (here), the Maine committee reasoned that a lawyer had an obligation to inform both current and former clients of breaches affecting their data.  The issue remains open in many states.

Firms should consider addressing the issue in engagement letters by providing that once the relationship ends, so too does the duty to advise on hacking. Of course, returning the files at the end of a representation and destroying remaining ESI is also a good risk management tool.

About David

Professor of Law, Mercer University School of Law. Formerly Of Counsel, Taylor English Duma, LLP and in 2012-13, judicial clerk to Chief Judge Rader.
