II. The Duty to Provide Data Security

A. What Is the Duty?

The law often simply refers to the basic legal duty to provide data security as an obligation to implement "reasonable" or "appropriate" security measures designed to ensure the confidentiality, integrity, and availability of information. For example, several state security laws, such as in California, generally impose a duty to implement "reasonable security procedures and practices."5 At the federal level, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires "reasonable and appropriate" security,6 and the Gramm-Leach-Bliley (GLB) security regulations require security "appropriate to the size and complexity of the bank and the nature and scope of its activities."7

The focus on the reasonableness or appropriateness of security makes clear that the law recognizes that security is a relative concept: what qualifies as reasonable or appropriate security varies with the situation. Thus, the law typically provides little or no guidance on what specific security measures are required or on how much security a business should implement to satisfy those legal obligations. Although some laws include specific requirements for particular security measures that must be implemented,8 the laws generally provide no safe harbors. Accordingly, the choice of security measures and technology can vary depending on the situation.

B. To Whom Does the Duty Apply?

Generally, the duty to provide security applies to all businesses, including law firms.

Certain sectors of the U.S. economy are, of course, subject to extensive regulations regarding data security. The most obvious examples are the financial sector,9 the healthcare sector,10 the federal government sector,11 and other critical infrastructure sectors.12 But there also is no doubt that unregulated businesses are subject to data security obligations.

One need look no further than the last 15 years of Federal Trade Commission (FTC) enforcement actions, as well as recent state attorney general enforcement actions, to see that numerous nonregulated businesses have been targeted for failing to provide appropriate security for their own data. Examples include software vendors (Oracle, Microsoft, Guidance Software), consumer electronics companies (ASUS, TRENDnet, HTC America, Genica/Computer Geeks), mobile app developers (Snapchat, Fandango, Credit Karma), clothing/shoe retailers (Guess, Life is Good, DSW), music retailers (Tower Records), animal supply retailers (Petco), general merchandise stores (Target, BJ's Wholesale, TJX Companies), restaurant and entertainment establishments (Dave & Busters, Briar Group), social media and networking sites (Twitter, Facebook, and Ashley Madison), transcription services (GMR), bookstores (Barnes & Noble), property management firms (Maloney Properties, Inc.), and hotels (Wyndham).13

In addition to the federal- and state-level unfair or deceptive trade practice statutes that often support these enforcement actions, many state security laws and regulations expressly apply to "any business" or "any person" that maintains certain types of data. Of course, this includes law firms.

Moreover, as discussed below, many sector-specific security regulations may be imposed on law firms through their client relationships. For example, the HIPAA regulations in the healthcare sector and the GLB regulations in the financial sector both require that entities governed by those regulations push down certain security obligations to their service providers (which include law firms) who access the protected data. In addition, the HIPAA regulations have been revised to impose security obligations directly on "covered entities" providing services to healthcare companies.

C. What Is the Source of the Duty?

There is no single law, statute, or regulation that governs the obligations of a business or law firm to provide security for the information in its possession or under its control. Instead, legal obligations to implement data security measures are found in an ever-expanding patchwork of state, federal, and international laws, regulations, and enforcement actions, as well as in common-law duties and other express and implied obligations to provide "reasonable" or "appropriate" security for business data.

Some laws seek to protect the business and its owners, shareholders, investors, and business partners. Other laws focus on the interests of employees, customers, and prospects. In some cases, governmental regulatory interests or evidentiary requirements are at stake. Many of the requirements are industry-specific (e.g., focused on the financial sector or the healthcare sector) or data-specific (e.g., focused on personal information or financial data). Some laws focus only on public companies.

When viewed as a group, however, such laws and regulations provide ever-expanding coverage of most business activity. The most common sources of obligations to provide security include the following:

Statutes and Regulations.14 Numerous statutes and regulations impose obligations to provide data security. Sometimes these statutes and regulations use recognizable terms such as "security" or "safeguards," but in many cases they are subtler by using attributes of security, such as "authenticate," "integrity," "confidentiality," "availability of data," and the like. Such statutes and regulations include the following:

• Privacy laws and regulations, which typically include provisions governing the security of the personal data covered by the applicable law;
• Security laws and regulations, such as the state-level security laws that impose a general obligation on businesses to protect the security of certain personal data they maintain about individuals and/or that regulate the communication or destruction of certain data;
• E-transaction laws, which are designed to ensure the enforceability and compliance of electronic documents generally;
• Corporate governance legislation and regulations, which are designed to protect public companies and their shareholders, investors, and business partners;
• Unfair business practice laws, at both the federal and state level, and precedent set by related government enforcement actions; and
• Sector-specific regulations, such as the HIPAA security regulations and the GLB Safeguard Rules, which impose security obligations regarding specific data in the healthcare and financial sectors, respectively.

Common-Law Obligations.15 For years, commentators have argued that there is a common-law duty to provide appropriate security for corporate and personal data, the breach of which constitutes a tort. Courts are beginning to accept that view. In one case, for example, the court held that "defendant did owe plaintiffs a duty to protect them from identity theft by providing some safeguards to ensure the security of their most essential confidential identifying information."16 In another case of particular significance to lawyers, the court allowed plaintiffs to proceed on a "negligent misrepresentation" claim based on the theory that the defendants made implied representations that they had implemented the security measures required by industry practice to safeguard personal and financial information.17

Rules of Evidence. Providing appropriate security to ensure the integrity of electronic records (and the identity of the creator, sender, or signer of the record) can be critical to securing the admission of an electronic record in evidence in a dispute. This conclusion is supported by the form requirement for an "original" in electronic transaction laws,18 the evidence rules regarding authentication,19 and case law addressing evidentiary authentication requirements.20

Rules of Professional Responsibility. Lawyers are, of course, subject to rules of professional responsibility. Such rules generally are patterned after the ABA Model Rules of Professional Conduct, which were modified in August 2012 by the ABA Commission on Ethics 20/20 to provide updated guidance regarding lawyers' use of technology and confidentiality obligations.21

Contractual Obligations. Businesses frequently try to satisfy (at least in part) their obligation to protect data by entering contracts with third parties who will possess, or have access to, their business data. This is particularly common in outsourcing agreements where the data will be processed by a third party. Several laws, such as the generally applicable Massachusetts data security regulations22 or the financial sector's GLB Safeguard Rules, mandate that the business impose appropriate security obligations on the third party with access to its data. In other cases, businesses must comply with the requirements of certain technical security standards. Examples include the Payment Card Industry Data Security Standard (PCI Standard),23 to which merchants must agree as a condition of accepting credit cards.

Self-imposed Obligations. In many cases, security obligations are self-imposed. Through statements in privacy notices, on websites, in advertising materials, or elsewhere, businesses often make representations regarding the level of security they provide for their data (particularly personal data collected from persons to whom the statements are made). By making such statements, businesses impose on themselves an obligation to comply with the standard they have told the public that they meet. If those statements are not true, or are misleading, they may become deceptive trade practices under section 5 of the FTC Act or equivalent state laws.

Obligations Pushed Down from Clients. In some cases, data security laws and regulations do not apply directly to law firms, but might apply indirectly (e.g., because of law firm clients who themselves are subject to certain sector-specific security regulations). Such regulations frequently impose on covered businesses an obligation to push down certain security requirements to third parties with whom...
