Spain

Cybersecurity and legal liability: the role of lawyers in the face of data breaches

June 10, 2025

InLaw Alliance - The handling of information today inevitably involves the digital processing of data and documents, and this obliges all of us who handle other people's data to guarantee both its lawful treatment and its security.

Implementing a cybersecurity system that protects data from unauthorized access is especially relevant for lawyers. We are custodians of sensitive information belonging to our clients, related to the advice we give them or, eventually, to their defense in court, and we therefore owe them careful treatment of all that information in a secure environment.

But of course, no protection system, however solid its protocols, is infallible. As lawyers, and as the controllers responsible for processing such data, which will normally also be covered by professional secrecy, we must bear in mind both the consequences of a security breach and the way to proceed when one occurs.

Within the European Union, the concept of a security breach is defined by Guidelines 01/2021 of the European Data Protection Board (EDPB) and by the General Data Protection Regulation, Regulation (EU) 679/2016.

A security breach is any breach of security that may affect personal data being processed.
The Board emphasizes in the aforementioned Guidelines that security breaches are a risk in themselves, even if no damage ultimately occurs, and that they are also an indication of the vulnerability of the storage and protection system.

Once a breach has occurred, the data controller is obliged to notify the competent national data protection authority of the unauthorized access or security breach that has put the data at risk, together with an initial estimate of the potential damage that may result, and to follow the protocol for informing the data subjects who may be affected.

This mandatory communication inevitably calls into question the reliability of any data controller's security systems, and for lawyers it can cause additional reputational damage.

It is evident that trust, a fundamental factor in the lawyer-client relationship, may be damaged if it becomes known among the lawyer's clients that the information placed in the lawyer's hands - sensitive information, perhaps linked to judicial or arbitration proceedings in progress - may be known, or even used, by third parties, including their counterparts or adversaries.

In any case, a widely held misconception should be clarified: the occurrence of a security breach does not, in itself, imply actual economic damage to the data subjects. In principle it only implies that the security system is flawed, or has been circumvented, or both. Communication of the breach to the Authority is mandatory in every case, but the non-consented access, beyond its absolute illegality, may not have caused quantifiable damage to anyone. That said, damages may not only exist but may be truly devastating: the simple misuse of the information, its hijacking, the impersonation of the data subjects in fraud operations, and so on.

Where the security breach does cause damage or harm to the data subjects, a duty of compensation may logically arise, payable by the data controller, who was obliged to keep the data secure. Such claims require the data subject to prove the actual damage suffered as a result of the unauthorized use that may have been made of the data affected by the breach, and to quantify and substantiate its amount.

A security breach affecting a lawyer's professional files has obvious singularities. In addition to the general risks that apply to any data controller, lawyers, as we have said, are custodians of documents and data subject to professional secrecy. There will always be a risk that even the most sophisticated security measures can be circumvented, resulting in an unintentional but real breach of confidentiality. There is therefore no doubt that lawyers are especially bound by this duty to protect information, which makes cybersecurity a basic and inseparable pillar of their legal services. Perhaps this has become one of the modern foundations of the lawyer-client relationship of trust: the guarantee of genuine information security.

Another aspect of the question is the validity, at trial, of data that has been stolen or hacked from the lawyer of the adverse party. Can it be used and weighed as legitimate evidence, or would the Courts treat it as unlawful evidence because of its spurious origin? This is an interesting but very complex question that goes beyond the limits of this article. Still, the judicial decisions handed down in Europe following the various leaks from law firms over the last decade (Panama Papers, Pandora Papers, the Football Leaks case in Spain, etc.), in which part of the documentation hacked from lawyers was used in court against their clients and accepted by most Courts and Prosecutors, do not invite optimism.

But that is another topic, another article.

inlawalliance.com
