When was the last time one of your attorneys lost an iPhone? And when was the last time you called your clients and told them you have lost their data?
If the answers to these two questions are different, then you are probably in violation of common sense, the ABA's rules, and (in some cases) the law.
Lost devices happen every day, approximately $7 million worth each day. If the lost device contained any client data such as emails, documents, matter names, etc., then you have lost your client's data and you must pick up the phone and tell them about it. Do you think that because the data was encrypted you are off the hook? Not so fast. You still have to tell them you have lost it, and here's why:
#1: The Rule of Common Sense
The data belongs to your client and you have lost it. Are you going to make the argument that your clients do not want to know about it? Go ahead. Make that argument. But we are pretty sure your clients want to know ASAP and will not be amused if they find out you are failing to notify them every time you lose their data, whether it is encrypted or not.
#2: The ABA Rules
In the ABA white paper Ethics and CyberSecurity: Obligations to Protect Client Data, the authors argue that the rules "require a notification in the event of a data breach involving client information". There is no mention of encryption here either.
#3: The Rule of Law
Most jurisdictions in the USA offer a safe harbor for data that is encrypted, but in many places, such as Massachusetts, New York, and Pennsylvania (see here for a full list), the safe harbor provisions do not apply if the data is available in "offline mode", so check your MDM configuration and make sure it does not allow working offline. In any event, other jurisdictions, such as Tennessee, recently changed the law so that notification is required regardless of encryption. It is expected that more jurisdictions will follow Tennessee's lead, further eliminating encryption as a valid excuse to avoid notifying your clients.
Any one of the three rules discussed here should be enough to convince you that you must notify your clients every time a mobile device is lost or stolen. The only way for you to avoid this is to make sure those devices contain no data whatsoever.