Ethical Considerations for Attorneys Responding to a Data-Security Breach
By Robert J. Scott and Julie Machal-Fulks
It seems that not a week goes by without news reports about yet another company or agency suffering a data-security breach. A laptop is lost, a firewall is penetrated, or sensitive personal information purportedly kept secure is exposed. The legal implications of such a breach are significant, and given the novelty of data breaches and the laws meant to address them, the ethical implications for an attorney representing a client that has suffered such a breach are magnified.
In addition to being an embarrassment, a data-security breach has many potential legal implications under both federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA) also may be implicated by a data-security breach, as well as the Federal Trade Commission's unfair trade practices rules. Many states also have enacted statutes requiring businesses that have suffered a data-security breach to notify individuals about the breach under certain circumstances.
Beyond the statutory and regulatory implications, businesses suffering a data-security breach also may face civil litigation. Because this is a new and evolving area of law, a company may find itself facing various private causes of action, commonly including negligence, breach of contract, infliction of emotional distress, and state unlawful trade practices and consumer protection claims. In addition, there has been a recent trend of plaintiffs seeking relief in the form of compensation for future credit monitoring, though the viability of such a claim remains unclear.
Companies that experience a data-security breach often will find it useful to employ outside counsel and outside information technology ("IT") specialists to investigate the breach. If such an investigation is conducted by internal resources, the results of that investigation might not be protected by the attorney-client privilege or the attorney work-product privilege.
The Supreme Court of the United States has held that the purpose of the attorney-client privilege is to encourage full communication between attorneys and their clients in order to "promote broader public interests in the observance of the law and administration of justice." To be protected by the attorney-client privilege, a communication must be confidential and made for the purpose of obtaining legal advice from the attorney. A communication is confidential only if it is not intended to be disclosed to third persons; such a disclosure may result in waiver of the privilege. In addition, the attorney-client privilege is held by the client, not by the lawyer.
Communications between in-house counsel and corporate IT professionals may themselves be privileged when they meet the subject matter test established by the United States Supreme Court in Upjohn Co. v. United States (Editor's Note: see Andrew Serwin's article on page 1 for more information on this issue).
Responding to a Data-Security Breach—The Attorney's Ethical Obligations and Role
When a data-security breach does occur, evidence should be preserved and collected diligently. It is critical to document what the client was doing at the time of the breach incident in order to comply with ethical and discovery obligations. Attorneys have an ethical obligation to ensure that their clients avoid possible court sanctions for spoliation of evidence. Also, litigants have an obligation to preserve relevant evidence for use by the adverse party.
Spoliation poses a significant danger in responding to a data breach. A finding of spoliation can result in substantial court sanctions, typically including a jury instruction allowing an inference that the destroyed evidence was unfavorable to the offending party. Generally, an adverse inference is created when evidence has been destroyed and:
1. the party having control over the evidence had an obligation to preserve it at the time it was destroyed;
2. the records were destroyed "with a culpable state of mind;" and,
3. the destroyed evidence was "relevant" to the party's claim or defense such that a reasonable trier of fact could find that it would support that claim or defense.
Courts also have the authority to grant an adverse inference instruction even where a party did not intentionally destroy the evidence, but merely neglected to preserve evidence relevant to the case, allowing the jury to infer that the unproduced evidence was damaging to that party's case and supportive of the adverse party's claims.
Keep in mind that spoliation applies to electronic information as well as other documents, destroyed intentionally or unintentionally. Therefore, when responding to a data breach, attorneys may want to have a computer forensics expert on their team to make certain that all electronic information is properly preserved.
It is important to document all the client's actions taken in connection with, and in response to, an incident. It is also important to identify appropriate law enforcement contacts to notify regarding security incidents that may involve illegal activities.
Statutory Notification — Advising Clients Regarding New Statutes, Rules, and Regulatory Compliance
Only within the past few years have many states enacted data-security breach and/or identity theft statutory schemes, so there is very little state or federal case law interpreting the scope or application of these statutes. In an effort to assure compliance with the new laws and regulations, an attorney should be involved in assessing whether a company is required to give notice in each state where it does business or where a potential loss of data may have occurred.
It is also important to determine how notice must be given, when notice should be given, the form notice should take, and the specific contents of any notice, while also ascertaining what a state's statute defines as "personal information" in order to determine if the breach is one giving rise to the notice requirement, and if so, the statutory requirement for how notice should be given.
When giving advice about statutes that have yet to be authoritatively interpreted, attorneys should be particularly careful. While an attorney generally is not liable for malpractice "for a mistake in a point of law which has not been settled by the court of last resort in his state and on which reasonable doubt may be entertained by well-informed lawyers," (Jerry's Enter., Inc. v. Larkin, Hoffman, Daly & Lindgren, LTD.), an attorney in such circumstances must be able to demonstrate that he or she acted in good faith "and in an honest belief that his advice and acts are well founded and in the best interest of his client."
To meet this standard the attorney should provide research supportive of the reasoning as well as opinion letters containing caveats notifying the client that this is a new and unpredictable area of litigation.
The Attorney's Ethical Obligations During Litigation Over a Data-Security Breach
Lawsuits over data-security breaches are becoming more common, and because most of the information in such cases is stored in electronic form, the cases present significant challenges for counsel. As in any other case, initial disclosures under Federal Rule of Civil Procedure 26 must be signed by an attorney, certifying that, after reasonable inquiry, the disclosure is complete and correct as of the time it is made. Discovery obligations also require a signature by an attorney, certifying compliance with the rules, warranted by the law or a good faith argument for extension, not interposed for an improper purpose, and not unreasonably or unduly burdensome. Attorneys are also subject to sanctions if these certifications are made in violation of the rules. Attorneys have a duty to supplement disclosures and discovery responses under Federal Rule of Civil Procedure 26(e) as well.
The new e-discovery rules raise additional issues and obligations. Attorneys are advised to include IT personnel as part of the discovery team in light of the new rules because they can assist counsel in making certain that all information is collected and reviewed. Prior to the codification of guidelines regarding electronic discovery in Federal Rules of Civil Procedure 26, 34, and 37 (effective December 1, 2006), the federal courts addressed a litigant's obligations with respect to preservation and production of electronic evidence on a case-by-case basis. Now Federal Rule of Civil Procedure 37(e) establishes the so-called "safe harbor" for electronic discovery: "[a]bsent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system."
And remember that a "safe harbor" is not always safe. An attorney still has an ethical obligation to avoid a spoliation problem with electronic records. It is commonly understood that destroying relevant evidence after entry of a federal court order requiring its production to the adverse party will support severe sanctions.
While Rule 37(e) appears to provide a safe harbor protecting the party against sanctions for the routine destruction of electronic evidence except in exceptional circumstances, Rule 37(f) narrowly defines such circumstances. Accordingly, data that is not lost due to routine operation of a system may lead to a spoliation sanction. The committee notes also emphasize that for the safe harbor provision to apply, the loss of evidence must have been in good faith.
Because e-discovery compliance is an emerging topic, the courts are still sorting out which categories of data are necessary for litigation. For example, a federal court in California held that information stored in a computer's Random Access Memory ("RAM") is a tangible document that must be turned over in litigation, despite the fact that RAM is not permanent storage and is continually being updated, changed, deleted, or overwritten in business computers.
Attorneys also should make sure they are familiar with any specific document retention obligations for their client's industry, such as regulations by the Securities and Exchange Commission that require a broker-dealer to maintain records of electronic communications for a certain time period. A private litigant in a federal civil action seeking such information due to its relevance in his or her case has no private right of action under industry record-keeping rules. However, there is a strong argument in federal court that a document retention policy is unreasonable as a matter of law if it allows for the destruction of potentially useful evidence that a party was required by law to independently maintain.
Attorneys should be wary when dealing with this relatively new area of the law. Because the results of a data-breach investigation may be critical in subsequent litigation, attorneys must be careful to make certain that those results are protected from discovery. Until courts have definitively interpreted the state and federal laws and regulations applicable to data-security breaches, attorneys should be especially prudent when advising clients regarding the proper course of action. Counsel should assemble a team that includes IT professionals to make certain that all relevant information is collected, analyzed, and preserved. Attorneys also should not rely exclusively on the new "safe harbor" discovery provision when responding to e-discovery requests.
Robert J. Scott is a managing partner with the law firm Scott & Scott LLP, representing clients on technology issues including privacy and network security, regulatory compliance, intellectual property, IT transactions, and IT litigation. Julie Machal-Fulks is director of legal services for Scott & Scott LLP, advising clients on network security, software compliance, and audit defense issues. They can be reached at (214) 999-0080.