MTC: The Critical Role of Lawyers in Protecting Sensitive Data in an Era of Digital Vulnerability

Lawyers, are you aware of where your client’s PII may have been exposed or is vulnerable?

The fragility of personal data in our hyperconnected world remains on display, picking up where my editorial three weeks ago left off! From Elon Musk’s DOGE team attempting to access Social Security Administration (SSA) records, to Cabinet officials discussing military strike details on Signal, to 23andMe’s bankruptcy risking genetic data exposure, these incidents underscore systemic vulnerabilities. Lawyers now operate on the front lines of this crisis, bound by ethical mandates and legal obligations to shield personally identifiable information (PII) from misuse. Let’s discuss how the legal profession must adapt to safeguard client trust in the digital age.

The Expanding Threat Landscape

  1. DOGE’s Overreach at SSA
    A federal judge halted Elon Musk’s DOGE team from accessing SSA databases containing sensitive PII—including Social Security numbers and employment histories—after finding “unbridled access” violated privacy laws. Judge Hollander condemned the operation as a “fishing expedition” lacking justification, ordering the deletion of improperly obtained data. This case highlights risks when private entities bypass oversight to exploit bulk data repositories like SSA’s “crown jewel” Numident database.

  2. Signal’s False Sense of Security
    The Atlantic’s release of Signal chats among Trump administration officials revealed shockingly detailed military plans, including F-18 strike windows and target coordinates. While Signal offers encryption, experts warn it’s no substitute for secure government systems. Former NSA analyst Jacob Williams noted that desktop-linked Signal accounts create vulnerabilities via malware-prone devices. The incident illustrates how convenience-driven tools can jeopardize national security and client confidentiality alike.

  3. 23andMe’s Genetic Gamble
    23andMe’s bankruptcy filing exposes 12 million users’ DNA data to sale, raising fears of insurance discrimination and identity theft. Despite the protections of the Genetic Information Nondiscrimination Act (GINA) against health insurer bias, gaps remain in life/disability coverage. Lawyers must now confront novel risks as biometric data enters commercial markets.

Legal and Ethical Imperatives for Practitioners

Lawyers have to balance the convenience of a hyperconnected world with maintaining client PII!

A. Foundational Duties
Under ABA Model Rule 1.6(c), attorneys must employ “reasonable efforts” to prevent unauthorized PII disclosure.1, 2 This requires:

B. Emerging Best Practices

  1. Client Consent & Transparency

    • Disclose data collection purposes per FTC Act/GDPR principles. 5, 6

    • Obtain explicit authorization for third-party transfers. 7, 8

  2. Incident Response

    • Conduct breach analyses under ABA Opinion 498.

    • Notify affected clients promptly.

  3. Tech Competence

    • Track compliance across the jurisdictions where you practice.

    • Train staff on phishing/social engineering risks highlighted in the SSA and Signal breaches.

A Call to Action

Given third-party activity, lawyers may be the public’s best line of defense in maintaining PII!

The DOGE, Signal, and 23andMe cases are not outliers—they signal a paradigm shift. As Perkins Coie’s privacy team emphasizes, “reasonable efforts” now demand proactive measures:

  • Audit legacy systems: Identify where PII resides, as SSA failed to do.

  • Purge obsolete data: Align retention policies with storage limits in ABA guidelines.

  • Leverage AI cautiously: While predictive tools aid fraud detection (ironically, DOGE’s stated goal), they risk algorithmic bias without human oversight.

Lawyers who treat data security as an afterthought risk disciplinary action, malpractice claims, and reputational harm. The alternative? Embrace plans to transform from reactive advisors to strategic guardians of the digital trust ecosystem.

MTC