This was a disturbing story. If your law firm is breached, you have an ethical duty to tell your clients. You also have a statutory duty since almost every state has a data breach notification law.
Yes, I'll back up. Here's the gist of the story. A large New York law firm was advised by the FBI that it had suffered a data breach. Interesting that the FBI always seems to know while the law firms are blissfully ignorant. Off the record, the agents said the attack came from China. They showed the partners a listing of the stolen files, and it amounted to all of the firm's client files.
All of this was disclosed to Alan Paller, the Director of Research for the SANS Institute. The managing partner and the IT partner wanted to know why the files were stolen, how they were likely to be used and how to prevent such attacks in the future. All logical enough.
As Paller pointed out, law firms are often less secure than their corporate clients, so the Chinese target the law firms. When asked if they had any clients doing business in China, one of the partners replied concisely: "Sh*t."
Here's the part that astonished and dismayed me:
"Paller: What are you planning to tell your clients?
Attorney: Are you crazy? Can you think of a better way to destroy their trust in us than letting them know we had lost every document they gave us under (attorney-client) privilege?"
Actually, I can. Let them know that their attorneys, in violation of their ethical duties and state law, will keep the data breach a secret. That ought to effectively destroy all trust forever. I hope the New York State Bar and New York's Attorney General have seen this story. It looks like they have some investigating to do.
Hat tip to friend and colleague Sean Harrington.