The phrase “battening down the hatches” takes on more urgency as state after state passes privacy laws affecting law firms.
Privacy Laws Increase Law Firm Risks
It’s been a long while since law firms got used to data breach laws and the required notifications — all 50 states have such laws. But now, privacy laws, a relatively new development, are fast becoming another concern for law firms. “Battening down the hatches” is taking on a new urgency as state after state passes a privacy law. These laws increase the financial risks of a data breach or a failure to abide by the privacy laws themselves — which govern the collection, use and disclosure of personal data and establish standards for handling sensitive personal data.
Here’s a list of states with privacy laws, noting the effective date for those states where the law is not yet in force.
- California
- Colorado
- Connecticut
- Delaware (effective January 1, 2025)
- Indiana (effective January 1, 2026)
- Iowa (effective January 1, 2025)
- Kentucky (effective January 1, 2026)
- Maryland (effective July 1, 2025)
- Minnesota (effective July 1, 2025)
- Montana (effective October 1, 2024)
- Nebraska (effective January 1, 2025)
- New Hampshire (effective January 1, 2025)
- New Jersey (effective January 1, 2025)
- Oregon
- Tennessee (effective July 1, 2025)
- Texas
- Utah
- Virginia
As you will note, only seven states had privacy laws in effect by July 2024. But a wave of states have laws that will be effective in the next two years — and many additional states are poised to pass privacy laws soon.
What Brought About the Onslaught of Privacy Laws?
Just when law firms had come to grips with data breach laws in all 50 states and the territories, lawmakers determined that privacy laws were needed. Everyone and their brother seeks to hoover our private information and is willing to pay for it.
The interconnections of the internet make it easy to harvest data — and protection is all but nonexistent. Our data is no longer our data. It is stolen, monetized and used for endless nefarious purposes. The outcry of consumers and businesses whose data has been misused led to state legislators bent on taking action. The more fraud, identity theft and other misdeeds occurred, the more constituents pressed their legislators to “bring down the hammer.” Not only was privacy legislation needed, but so were fines designed to mandate stronger protection for individuals and companies.
How Does the Wave of Privacy Laws Affect Law Firms?
Of course, this is good news for any law firm that practices privacy law. Privacy law has taken off as a practice area, sometimes alongside data breach law.
However, there is no good news for law firms that do not adequately protect clients’ personal information. (One recent and concerning example is the number of lawyers who have given client data over to artificial intelligence systems.) Not properly protecting data, including the use of adequate cybersecurity measures, could violate client privacy. Shoddy or obsolete cybersecurity could also violate privacy laws, with severe potential penalties to follow.
Will Law Firms Feel the Heat of New Cyberinsurance Requirements?
We think it is very likely that cyberinsurance companies, already known for increasingly strict cybersecurity demands, will want to ensure they are not on the hook for paying privacy law fines. Getting coverage from cyber-insurers has become an increasing headache for law firms. We have observed that law firms generally pay more and get less coverage. Some things may be explicitly excluded from coverage. For instance, if you do not mandate the minimum data protections required by state privacy laws, you may not be covered.
As data privacy laws proliferate, their impact is likely to increase — and thus far, we’ve not seen a rush to comply with them!
Privacy Is Illusory in Today’s Interconnected World
Can state laws play any significant role in restoring privacy? Doubtful, to say the least. However, the new laws are probably a worthy call to arms for law firms that must comply with stringent ethics rules and meet the demands of cyberinsurance companies.
Sharon D. Nelson is a practicing attorney and the president of Sensei Enterprises, Inc. She is a past president of the Virginia State Bar, the Fairfax Bar Association and the Fairfax Law Foundation. She is a co-author of 18 books published by the ABA.
John W. Simek is vice president of Sensei Enterprises, Inc. He is a Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH) and a nationally known expert in the area of digital forensics. He and Sharon provide legal technology, cybersecurity and digital forensics services from their Fairfax, Virginia, firm.
Michael C. Maschke is the chief executive officer at Sensei Enterprises. He is an EnCase Certified Examiner (EnCE), a Certified Computer Examiner (CCE #744), an AccessData Certified Examiner (ACE), and a CISSP as well as a CEH. He is a frequent speaker on IT, cybersecurity and digital forensics and he has co-authored 14 books published by the ABA.