Liability for Lax Data Security

Clients entrust professionals with personal information. As such, professionals have an ethical duty not to disclose confidential information in a manner not permitted by the client. However, in today’s electronic age, professionals are also expected to take proactive steps to ensure that third parties do not access confidential client information without authorization. Professionals who fail to prioritize client data security could expose themselves to civil liability.

Recently, a group of clients filed a proposed class action lawsuit against their former law firm, alleging that the firm failed to protect client data and had critical vulnerabilities in its web services. While the plaintiffs did not allege that their personal information had actually been accessed by any third party, they contend that these weaknesses in the firm’s data security measures could result in disclosure of confidential information, and that the vulnerability itself is a basis for liability. In particular, the clients noted that the firm utilized a time-logging system that was over ten years old and was known to be a target for hackers. The suit further claims that the firm’s private network is vulnerable to exploitation, notwithstanding that the firm holds itself out as having expertise in cyber security.

As firms become increasingly reliant on internet and cloud-based technologies to operate their practices, they must ensure that they have proper security measures in place to help mitigate the risk of unauthorized access to client information. There is reason to believe that hackers view law firms as the “weakest link” and therefore specifically target lawyers. Firms that fail to maintain up-to-date security features could expose themselves to significant liability if client data are compromised.