This post is the fourth in a four-part series where we explore challenges in mobile security faced by law firms today. Check out our last post on Containing a Data Leak here.
In our last post, on how to contain a data leak, we mentioned that the leak isn't over until the clients are notified. Notifying clients of a data breach is not pleasant, but once a breach has taken place it is necessary. In this post, we'll discuss why it is important to notify clients and when you should do so.
As human beings, we tend to avoid things that are unpleasant. Perhaps that is why so many security professionals look for reasons not to notify a client when a breach happens. Our argument in favor of notification rests on three perspectives:
- Common Sense: Put yourself in your clients’ shoes. If your data is lost, you would want to know. End of story.
- Ethical: The American Bar Association's ethics rules require notification in the event of a data breach involving client information.
- Legal: In some jurisdictions you are required by law to notify clients when certain kinds of data are lost.
Does MDM Encryption Get You Off the Hook?
Many states have an encryption "safe harbor" provision: if the data that was lost was encrypted, the statute does not require you to notify. You still have to apply common sense and follow ABA guidance, but the law will not compel you. Most such provisions also assume the encryption key was not acquired along with the data, so a device that was lost while unlocked, or with its passcode written on the case, may not qualify. Some states, New York and Pennsylvania among them, will not grant safe harbor unless offline mode is disabled on the device. And some, Tennessee for one, do not care whether the data was encrypted at all: in Tennessee you have to notify your clients no matter what. Tennessee recently amended its law in this direction, and we expect more states to follow. The trend is toward more notification, not less, so you really have to get used to the idea that a data breach means clients must be notified.
The Best Way to Avoid Notifying Clients of a Data Leak
The best way to avoid that uncomfortable conversation is to avoid exposing the data in the first place. We covered this at length in part two of this series, on preventing a data leak, but it is worth reinforcing here: if client data is never stored on the phone, there is nothing to lose when an attorney inevitably loses the device.
What are your thoughts about notifying your clients of a breach? Has your firm encountered a similar situation in the past? Share your experience in the comments section below.
Catch up on the whole Mobile Security Post Series here: Part 3: How to Contain a Data Leak