
By Robert J. Scott and Julie Machal-Fulks

It seems that not a week goes by without news reports about yet another company or agency suffering a data-security breach. A laptop is lost, a firewall is penetrated, or sensitive personal information purportedly kept secure is exposed. The legal implications of such a breach are significant, and given the novelty of data breaches and the laws meant to address them, the ethical implications for an attorney representing a client that has suffered such a breach are magnified.

In addition to being an embarrassment, a data-security breach has many potential legal implications under federal laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), as well as under the Federal Trade Commission's unfair trade practices rules. Many states also have enacted statutes requiring businesses that have suffered a data-security breach to notify affected individuals about the breach under certain circumstances.

Beyond the statutory and regulatory implications, businesses suffering a data-security breach also may face civil litigation. Because this is a new and evolving area of law, a company may find itself facing various private causes of action, commonly including negligence, breach of contract, infliction of emotional distress, and state unlawful trade practices and consumer protection claims. In addition, there has been a recent trend of plaintiffs seeking relief in the form of compensation for future credit monitoring, though the viability of such a claim remains unclear.

Companies that experience a data-security breach often will find it useful to employ outside counsel and outside information technology ("IT") specialists to investigate the breach. If such an investigation is conducted by internal resources, the results of that investigation might not be protected by the attorney-client privilege or the attorney work-product privilege.

The Supreme Court of the United States has held that the purpose of the attorney-client privilege is to encourage full communication between attorneys and their clients in order to "promote broader public interests in the observance of the law and administration of justice." To be protected by the attorney-client privilege, a communication must be confidential and made for the purpose of obtaining legal advice from the attorney. A communication is confidential only if it is not intended to be disclosed to third persons; such a disclosure may result in waiver of the privilege. In addition, the attorney-client privilege is held by the client, not by the lawyer.

Communications between in-house counsel and corporate IT professionals may themselves be privileged when they meet the subject matter test established by the United States Supreme Court in Upjohn Co. v. United States (Editor's Note: see Andrew Serwin's article on page 1 for more information on this issue).

Responding to a Data-Security Breach—The Attorney's Ethical Obligations and Role

When a data-security breach does occur, evidence should be preserved and collected diligently. It is critical to document what the client was doing at the time of the breach incident in order to comply with ethical and discovery obligations. Attorneys have an ethical obligation to ensure that their clients avoid possible court sanctions for spoliation of evidence. Also, litigants have an obligation to preserve relevant evidence for use by the adverse party.

Spoliation poses a significant danger in responding to a data breach. A finding of spoliation can result in substantial court sanctions, typically including a jury instruction allowing an inference that the destroyed evidence was unfavorable to the offending party. Generally, an adverse inference is created when evidence has been destroyed and:

   1. the party having control over the evidence had an obligation to preserve it at the time it was destroyed;
   2. the records were destroyed "with a culpable state of mind;" and,
   3. the destroyed evidence was "relevant" to the party's claim or defense such that a reasonable trier of fact could find that it would support that claim or defense.

Courts also have the authority to grant an adverse inference instruction even where a party did not intentionally destroy the evidence, but merely neglected to preserve evidence relevant to the case, allowing the jury to infer that the unproduced evidence was damaging to that party's case and supportive of the adverse party's claims.

Keep in mind that spoliation applies to electronic information as well as other documents, destroyed intentionally or unintentionally. Therefore, when responding to a data breach, attorneys may want to have a computer forensics expert on their team to make certain that all electronic information is properly preserved.

It is important to document all the client's actions taken in connection with, and in response to, an incident. It is also important to identify appropriate law enforcement contacts to notify regarding security incidents that may involve illegal activities.

Statutory Notification — Advising Clients Regarding New Statutes, Rules, and Regulatory Compliance

Only within the past few years have many states enacted data-security breach and/or identity theft statutory schemes, so there is very little state or federal case law interpreting the scope or application of these statutes. In an effort to assure compliance with the new laws and regulations, an attorney should be involved in assessing whether a company is required to give notice in each state where it does business or where a potential loss of data may have occurred.

It is also important to determine how and when notice must be given, the form notice should take, and the specific contents of any notice. Counsel should also ascertain how each state's statute defines "personal information" in order to determine whether the breach is one that triggers the notice requirement and, if so, what the statute requires as to how notice must be given.

When giving advice about statutes that have yet to be authoritatively interpreted, attorneys should be particularly careful. While an attorney generally is not liable for malpractice "for a mistake in a point of law which has not been settled by the court of last resort in his state and on which reasonable doubt may be entertained by well-informed lawyers," (Jerry's Enter., Inc. v. Larkin, Hoffman, Daly & Lindgren, LTD.), an attorney in such circumstances must be able to demonstrate that he or she acted in good faith "and in an honest belief that his advice and acts are well founded and in the best interest of his client."

To meet this standard the attorney should provide research supportive of the reasoning as well as opinion letters containing caveats notifying the client that this is a new and unpredictable area of litigation.

The Attorney's Ethical Obligations During Litigation Over a Data-Security Breach

Lawsuits over data-security breaches are becoming more common, and because most of the information in such cases is stored in electronic form, the cases present significant challenges for counsel. As in any other case, initial disclosures under Federal Rule of Civil Procedure 26 must be signed by an attorney, certifying that, after reasonable inquiry, the disclosure is complete and correct as of the time it is made. Discovery requests, responses, and objections also require an attorney's signature, certifying that they are consistent with the rules, warranted by existing law or a good-faith argument for extending it, not interposed for an improper purpose, and not unreasonable or unduly burdensome. Attorneys are subject to sanctions if these certifications are made in violation of the rules. Attorneys also have a duty to supplement disclosures and discovery responses under Federal Rule of Civil Procedure 26(e).

The new e-discovery rules raise additional issues and obligations. Attorneys are advised to include IT personnel as part of the discovery team in light of the new rules because they can assist counsel in making certain that all information is collected and reviewed. Prior to the codification of guidelines regarding electronic discovery in Federal Rules of Civil Procedure 26, 34, and 37 (effective December 1, 2006), the federal courts addressed a litigant's obligations with respect to preservation and production of electronic evidence on a case-by-case basis. Now Federal Rule of Civil Procedure 37(e) establishes the so-called "safe harbor" for electronic discovery: "[a]bsent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system."

And remember that a "safe harbor" is not always safe. An attorney still has an ethical obligation to avoid a spoliation problem with electronic records. It is commonly understood that destroying relevant evidence after entry of a federal court order requiring its production to the adverse party will support severe sanctions.

While Rule 37(e) appears to provide a safe harbor protecting the party against sanctions for the routine destruction of electronic evidence except in exceptional circumstances, Rule 37(f) narrowly defines such circumstances. Accordingly, data that is not lost due to routine operation of a system may lead to a spoliation sanction. The committee notes also emphasize that for the safe harbor provision to apply, the loss of evidence must have been in good faith.

Because e-discovery compliance is an emerging topic, the courts are still sorting out which categories of data are necessary for litigation. For example, a federal court in California held that information stored in a computer's Random Access Memory ("RAM") is a tangible document that must be turned over in litigation, despite the fact that RAM is not permanent storage and is continually being updated, changed, deleted, or overwritten in business computers.

Attorneys also should make sure they are familiar with any specific document retention obligations for their client's industry, such as regulations by the Securities and Exchange Commission that require a broker-dealer to maintain records of electronic communications for a certain time period. A private litigant in a federal civil action seeking such information due to its relevance in his or her case has no private right of action under industry record-keeping rules. However, there is a strong argument in federal court that a document retention policy is unreasonable as a matter of law if it allows for the destruction of potentially useful evidence that a party was required by law to independently maintain.


Attorneys should be wary when dealing with this relatively new area of the law. Because the results of a data-breach investigation may be critical in subsequent litigation, attorneys must be careful to make certain that those results are protected from discovery. Until courts have definitively interpreted the state and federal laws and regulations applicable to data-security breaches, attorneys should be especially prudent when advising clients regarding the proper course of action. Counsel should assemble a team that includes IT professionals to make certain that all relevant information is collected, analyzed, and preserved. Attorneys also should not rely exclusively on the new "safe harbor" discovery provision when responding to e-discovery requests.

Robert J. Scott is a managing partner with the law firm Scott & Scott LLP, representing clients on technology issues including privacy and network security, regulatory compliance, intellectual property, IT transactions, and IT litigation. Julie Machal-Fulks is director of legal services for Scott & Scott LLP, advising clients on network security, software compliance, and audit defense issues. They can be reached at (214) 999-0080.

