If there is one thing that holds enormous importance in this digital world, it is data. Today, almost every firm has gone digital, and so has its clients' data. When it comes to law firms, the data they hold is especially significant, since it can directly impact the judgment of a case.
According to the California Consumer Privacy Act ("CCPA"), from Jan 1, 2020, California became the first state in the United States of America to allow its residents to claim statutory damages in the event of a data breach involving their personal information. Residents can seek damages of $100-$750, even if no actual harm has resulted from the breach.
This clearly means that if a data breach occurs in a law firm, or any other organization for that matter, affected individuals have every right to bring data breach litigation. In order to mount a successful defense against the claimants, a firm must be able to establish that it had the right security tools in place to protect the personal or sensitive information of its clients. The more prepared a law firm is, the better its chances of defending a breach lawsuit.
As per a 2018 report by the Identity Theft Resource Center:
- Data breach incidents exceeded 1,244, with 446,515,334 exposed records.
According to research by Experian Data Breach Resolution:
When to Notify Clients of a Data Breach?
Not every state specifies the timing for notifying clients of a data breach. However, a few states have, such as Washington, Colorado, and Florida (30 days), Wisconsin (45 days), and Louisiana (60 days).
As a general rule, law firms are required to notify clients within 30-45 days of determining the date on which the breach occurred. If a criminal investigation is required, the notification is delayed for as long as the authorities direct.
Note: It is imperative to obtain written permission from law enforcement if you intend to delay the breach notification to clients.
Dos and Don’ts of Sending a Notification
There are various things to keep in mind when sending out a breach notification to clients, since it is a critical matter for you as well as for your clients.
Dos to Follow in Your E-mail
- Make sure your tone does not make them feel suspicious, vulnerable, or betrayed.
- Be apologetic, sincere, and helpful.
- Maintain a calm and serious tone throughout.
- Keep it simple and write in layman's terms.
- Provide them with detailed information.
- Make sure you answer all five W's: Who, What, Where, When, and Why (or How).
- Create sub-headings to aid their understanding.
- Highlight the key elements of the data breach.
- Recommend all the possible solutions you can.
Don’ts to Follow in Your E-mail
- Do not notify them in a humorous way, such as by using words like "oops."
- Do not complicate the notification by including anything unrelated to the data breach.
- Avoid sending a personalized e-mail at this point, such as using their name instead of "customer," in order to maintain the seriousness of the breach.
- Avoid including too many internal or external links (especially to third-party domains).
What Information Do You Need to Include?
Similar to the time limits, the information to be included varies from state to state. However, a few states require law firms to include the following information:
- Breach description
- Breach date
- Type of personal information obtained
- Contact information for reporting to government or credit reporting agencies
- A toll-free number for one-on-one client communication
In the state of California, a specific format has been issued for breach notifications sent to clients, and it is essential to adhere to it. Massachusetts, by contrast, restricts law firms from identifying the nature of the breach. The format for notifications therefore depends on the state in which your law firm is located, and different states may impose different requirements.
Are Third-Party Notifications Required?
Many state statutes require third-party notifications to be sent. Some states require the top three credit reporting agencies to be notified when a breach affects a minimum of 1,000 individuals.
The statutes that impose such a requirement normally do not specify the type of information to be provided to the credit reporting agencies; only the content, distribution, and timing of the notices sent to clients need to be included.
In conclusion, law firms need to take several measures when notifying clients of a data breach: ensuring that proper protocols are followed and that breach notifications are sent on time. Depending on the state in which your law firm operates, it should follow the format prescribed there.
Law firms should take all necessary precautions to set up robust security measures within their processes, so that data breaches are prevented in the first place.
A law firm's success depends on its image, and a breach damages that image significantly. So, in order to succeed and maintain their standing in the eyes of clients, law firms need to tighten their security by adopting the latest technology against any kind of data breach.
Is spending time and effort on all this, while handling your back-office processes at the same time, becoming overwhelming for you? If so, you need not worry: Legal Support World, a litigation support specialist, is there to support you. We have been providing proficient, detailed, and cost-effective legal back-office outsourcing services to law firms worldwide for the last 11 years. Get in touch now to get started with your 14-day free trial.