With SB 24 likely to pass in California, companies incurring a data breach with clients in the state will now be required to place the breach on record with the State’s Attorney General’s Office. For the law firm, it turns out to be more than a public embarrassment. Consider that according to privacy advocate and attorney Mari Frank, Esq., law firms are often primary data sources for identity theft. The result is that, while haughty law firms may have actually been data sieves in the past, a formal admission of a data breach opens a firm to the threat of civil litigation for violating client privilege. The threshold for AGO breach reporting is loss of 500 client records. What appears uncertain is whether exceeding that threshold creates a requirement for public admission by law firms of wholesale violation of client privilege.
On the upside, encryption of a firm’s files exempts it from the AGO reporting requirement.
Even as the change brings the California law more in line with other states, data breach fines have already begun to mount in places like Massachusetts, while the Federal legislative effort this past month has been likened to herding cats.
Already through legislative committee in California, SB 24 is widely expected to be approved by the full legislature and signed into law by Governor Jerry Brown before October 9th of this year.
Looks like perfect timing: Chief of the California Office of Privacy Protection Joanne McNabb will present on the impact of SB 24 in a webinar sponsored by the California Webinar Law Journal on Oct. 20th. McNabb will discuss drivers of the changing status of the California Data Privacy Law and best practices for law firm client privacy. The event is open to members of the California State Bar for continuing legal education credit and free to law school staff and students. See here for registration details.