If there is one thing of enormous importance in today's digital world, it is data. Almost every firm has gone digital, and its clients' data has gone with it. For law firms the stakes are especially high, because the data they hold can directly affect the outcome of a case.
Under the California Consumer Privacy Act ("CCPA"), effective January 1, 2020, California became the first state in the United States to let its residents claim statutory damages for a data breach involving their personal information. Where the breach results from a business's failure to implement and maintain reasonable security, residents can seek between $100 and $750 per consumer per incident without having to prove that any actual harm followed the breach.
This means that if a data breach occurs at a law firm, or at any other organization, the affected individuals have a clear path to breach litigation. To mount a successful defense, a firm has to show that it had reasonable security measures in place to protect the personal or sensitive information of its clients. The better prepared a law firm is, the better its chances of defending a breach lawsuit.
According to the Identity Theft Resource Center's 2018 report:
- There were 1,244 reported data breach incidents, exposing 446,515,334 records.
According to research by Experian Data Breach Resolution:
When to Notify Clients of a Data Breach?
Most state statutes do not set a specific deadline for notifying clients of a data breach. A few states do, however: Washington, Colorado, and Florida (30 days), Wisconsin (45 days), and Louisiana (60 days).
As a general rule, law firms should notify their clients within 30 to 45 days of discovering the breach. If law enforcement determines that notification would impede a criminal investigation, the notification may be delayed for as long as the authorities require.
Note: If you intend to delay breach notification at the request of law enforcement, obtain that request in writing so you can document the reason for the delay.
Dos and Don’ts of Sending a Notification
A breach notification is a critical communication for both you and your clients, so there are several things to keep in mind when sending one.
Dos to Follow in Your E-mail
- Make sure the tone does not leave clients feeling suspicious, vulnerable, or betrayed.
- Be apologetic, sincere, and helpful.
- Maintain a calm and serious tone throughout.
- Keep it simple and write in layman's terms.
- Provide detailed information.
- Answer all five W's: Who, What, Where, When, and Why (or How).
- Use sub-headings so the notice is easy to follow.
- Highlight the key facts of the breach.
- Recommend every protective step you can (for example, monitoring accounts or placing a credit freeze).
Don’ts to Follow in Your E-mail
- Do not strike a humorous note, for example by using words like "oops."
- Do not complicate the notice with material that has nothing to do with the breach.
- Avoid a personalized salutation at this stage; address the recipient as "customer" rather than by name to preserve the seriousness of the notice.
- Avoid including many internal or external links, especially to third-party domains. A notice full of links is hard to distinguish from a phishing e-mail, and attackers routinely imitate breach notices to exploit exactly this moment.
What Information Do You Need to Include?
As with time limits, the required content varies from state to state. Several states, however, require law firms to include the following information:
- Breach description
- Breach date
- The types of personal information that were obtained
- Contact information for the relevant government agencies and credit reporting agencies
- The toll-free number for one-on-one client communication
California has issued a prescribed format that must be followed when sending a breach notification to clients. Massachusetts takes a different approach and prohibits the notice from describing the nature of the breach. In short, the format you must follow depends on the state in which your law firm operates.
Are Third-Party Notifications Required?
Many state statutes also require third-party notifications. Some states require you to notify the three major credit reporting agencies when a breach affects at least 1,000 residents.
The statutes that impose this requirement generally do not specify what information must be given to the credit reporting agencies. Typically they require only the content, distribution, and timing of the notices that are being sent to clients.
In conclusion, law firms have many obligations to meet when notifying clients of a data breach, and each firm should follow the format prescribed by the state in which it operates.
It is also recommended that law firms leave no stone unturned in building security measures into their processes so that a breach does not happen in the first place.
A law firm's success depends on its reputation, and a breach damages that reputation significantly. To succeed and keep the trust of their clients, law firms need to tighten their security and adopt current technology to defend against data breaches.
Is the time and effort this takes, on top of your back-office processes, becoming overwhelming? If so, Legal Support World, a litigation support specialist, is here to help. We have been providing proficient, detailed, and cost-effective legal back-office outsourcing services to law firms worldwide for the last 11 years. Get in touch now to start your 14-day free trial.