How times have changed. Five years ago, most people had never heard of a data breach. Two years ago, everyone was talking about the Target data breach. Today, we are accustomed to news reports announcing data breaches on a weekly basis. The world has become surprisingly numb to public announcements that personal information and health care records have been lost through human error or cyberhacking attacks.

However, the significant legal and financial consequences of a data breach and the failure to notify the public have never been greater. State attorneys general, the Department of Health and Human Services, credit card companies and banks are all actively enforcing laws, regulations and contractual obligations to recoup the millions of dollars lost in data breaches.

Law firms, like all businesses, receive and store significant amounts of personally identifiable information and personal health information. Just like other businesses, law firms can suffer a breach through human error, phishing scams or other cyberattacks. As the owner of clients' confidential personal and legal information, law firms have a special obligation to protect this data.

Data Breach Notification Laws

Law firms have always been aware of the legal and ethical obligations to keep clients' confidences. However, in the event of a data breach, a firm must also determine its obligations under data breach notification laws that may be in effect in the firm's jurisdiction. Today, 47 states have laws requiring some form of breach notification.