MTC: What is the common sense approach lawyers can learn from 23andMe’s recent client data breach?

What can 23andme’s client data breach teach lawyers about keeping their own client’s data secure?

I can’t stress enough that as legal professionals, we bear a dual responsibility when it comes to personal identification information (PII): safeguarding our own data and protecting our clients' sensitive information. 

The 23andMe Incident: A Wake-Up Call

Last week’s report of the 23andMe breach serves as a stark reminder of the vulnerabilities inherent in storing sensitive personal information online. Hackers gained access to user profiles, including genetic data, names, birth years, and ancestry report. This incident underscores the need for heightened awareness and caution when sharing personal identification information (PII) with online companies. THIS data breach serves as a perfect reminder of the critical importance of data security in our increasingly digital world, especially for those of us in the legal field.

Legal Ethics and Client Confidentiality

The cornerstone of the attorney-client relationship is confidentiality, extending far beyond our physical offices in today's digital age. We are bound by ethical rules mandating the protection of client information. The American Bar Association's Model Rule 1.6(c) explicitly states that "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” But our legal ethics responsibilities just don’t stop there!

Even small law firms are not immune from cyberattacks!

ABA Model Rule 1.1 Comment 8 (Rule 1.1[8]) requires lawyers to stay informed about changes in the law and its practice, including the benefits and risks associated with relevant technology. This comment explicitly recognizes that competent representation in today's legal landscape involves understanding and effectively using pertinent technology. Lawyers must be aware of the security levels, general operational status, and potential risks and actual data breaches of the services and software they use, both in-office and cloud-based. While the goal isn't to transform lawyers into tech experts, it's crucial that we can leverage technology (even with the assistance of more technically proficient experts) to provide efficient, effective, and ethical legal services to our clients.

Implications of Data Breaches

The 23andMe incident highlights the potential consequences of a data breach, which for lawyers could include:

  1. Violation of ethical obligations

  2. Potential malpractice claims

  3. Loss of client trust and reputation damage

  4. Regulatory penalties and sanctions

Protecting Client and Our Own Information in the Digital Age

To fulfill our ethical obligations and protect our clients' PII, we must implement robust data security measures:

Secure Data Storage and Transmission

Utilize encrypted cloud storage solutions and secure file transfer protocols when handling client data. Avoid using public Wi-Fi networks for accessing or transmitting sensitive information. And if you do, be sure to use a reliable Virtual Private Network (VPN) when on public Wi-Fi.

Client Communication Practices

Lawyers need not be tech experts but they need to know how to use tech to not only for their clients but use it to protect their client’s Data.

Implement secure client portals for document sharing and communication. Educate clients on the risks of sending sensitive information via unsecured email, and advise them on what information should never be shared electronically.

Vendor Due Diligence

Carefully vet third-party service providers, ensuring they adhere to stringent data protection standards. This includes practice management software, e-discovery platforms, and cloud storage providers.

Here are Some Best Practices for Personal and Professional Data Protection

  1. Implement strong authentication: Use multi-factor authentication for all professional and personal accounts. Consider using a password manager that creates and stores complex passwords.

  2. Separate personal and professional online presence: Maintain distinct profiles and accounts for personal and professional use.

  3. Regularly update security measures: Stay informed about the latest cybersecurity threats and update your protection strategies accordingly.

  4. Minimize data sharing: Critically assess what personal information is truly necessary to share online, and refrain from providing sensitive data unless absolutely essential.

Lawyers Are Important Participants to the Future Legal Landscape 

The 23andMe breach raises important questions about the adequacy of current data protection laws. As legal professionals, we have a responsibility to:

  1. Advocate for stronger data protection legislation: Support and contribute to the development of comprehensive data privacy laws that protect individuals and businesses.

  2. Stay informed on data privacy regulations: Keep abreast of evolving laws such as The European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA), and industry-specific regulations like Health Insurance Portability and Accountability Act (HIPAA).

  3. Advise clients on data protection: Provide guidance on compliance with data protection laws and best practices for safeguarding sensitive information, including when to refrain from sharing certain types of data altogether.

maybe we don’t need to put all of our information on the internet?

The Fundamental Lesson: Some Data Should Never Be Shared

Perhaps the most crucial takeaway from the 23andMe incident is that certain types of information are so sensitive and personal that they may not belong in anyone else's hands, regardless of the security measures in place. This is particularly true for genetic data, which is immutable and deeply personal. As lawyers, we must critically evaluate what information truly needs to be shared or stored externally, always erring on the side of caution.

My Final Thoughts

The 23andMe incident serves as a critical reminder of the vulnerabilities inherent in our digital ecosystem and the importance of discerning what information should never be shared. As lawyers, we must be at the forefront of data protection efforts, not only to safeguard our own information but also to uphold our ethical obligations to our clients. By implementing robust security measures, staying informed about evolving threats and regulations, and advocating for stronger data protection laws, we can help mitigate the risks associated with sharing PII in our increasingly interconnected world.

In this digital age, protecting personal identification information is not just a matter of individual privacy—it's a fundamental aspect of legal ethics and professional responsibility. As tech-savvy lawyers, we must lead by example in implementing and promoting best practices for data security, ensuring that we maintain the trust and confidentiality that form the bedrock of our profession. Most importantly, we must always question whether certain information needs to be shared at all, recognizing that the best protection sometimes lies in not disseminating sensitive data in the first place.

MTC