The scope of hacking of computer systems and Internet-connected devices such as smartphones is increasing rapidly worldwide. The legal profession is no exception to this development and, unfortunately, carries an even heavier burden for computer system security than the typical business. This is true because of a lawyer’s fiduciary duty to preserve client confidentiality and because of the sensitive nature of the information in electronic client files that is exposed when they are hacked. Stolen financial information concerning business deals, settlements, and divorce negotiations is just one example of how compromised client files can harm clients and expose a firm to a large liability claim.
According to the National Conference of State Legislatures, 46 states have enacted laws to protect the general public from this kind of injury by requiring those who maintain personal information of others to secure it and upon being hacked to notify all persons whose personal information is compromised. To date Kentucky has not passed such a law, but the Kentucky Legislature by resolution in its 2013 session recognized that "Kentucky is one of only four states without a security breach law requiring notification to consumers by government and private data custodians of security breaches involving personal information." The resolution directed the Interim Joint Committee on State Government of the Legislative Research Commission to study issues related to cyber security and provide a report by November 27, 2013.
Since in Kentucky the Supreme Court issues the rules governing the practice of law, it may be that any Kentucky security breach law passed by the Legislature will not apply to Kentucky lawyers. This point, however, does not relieve a lawyer of the existing professional responsibility to protect client confidentiality and the duty to keep a client reasonably informed of the status of a matter and of errors in its handling. For this reason, it is recommended that lawyers manage the risk of computer security breaches as if any new law will apply to them, in addition to their existing professional responsibility duties.
Other State Laws
There is considerable uniformity among the state laws on security breaches, suggesting that any Kentucky law will be similar. The following extracts from West Virginia’s law (W.V. Code §§ 46A-2A-101 et seq.) provide a good overview of what you may see in a Kentucky law:
Computer Security Breach Risk Management
There are a number of good sources for developing a security breach risk management plan on the Internet. We recommend the following sites to begin research for determination of what is best for your practice:
#1 install latest updates to eliminate security vulnerabilities
#2 make full and proper use of passwords
#3 antivirus software is essential
#4 avoid spyware and adware
#5 install a firewall on your Internet connection
#6 be aware of and avoid the dangers of e-mail
#7 beware the dangers of metadata
#8 lock down and protect your data, wherever it is
#9 harden your wireless connections
#10 learn how to safely surf the Web
#11 change key default settings
#12 implement a technology use policy
#13 a backup can save your practice
Opposing Parties and Third Parties: Fiduciary duties owed to clients do not extend to opposing parties and third parties. Thus, it is an open question what responsibility Kentucky lawyers may have to notify them of a security breach. Kentucky Rule of Professional Conduct 4.4, Respect for the Rights of Others, can be read broadly to require notification of third parties, but that reading is arguable. Also consider that notification may not be in your client’s best interest, even though future law or rules could require you to do so. Should you face this ethical issue, call the KBA Ethics Hotline for guidance.
Out-of-State Clients, Opposing Parties, and Third Parties: Note that the West Virginia law protects residents of West Virginia. If you maintain electronic files of persons in West Virginia you may have a legal requirement to notify them of a security breach regardless of Kentucky law or rules. The point is that if you currently maintain files of persons in states outside of Kentucky, you need to know now the law in those states on security breaches.