How a Massachusetts Decision to Publish Data Breach Info Will Affect Big Law

The Massachusetts decision spells out new challenges for lawyers working with breached companies.

Legaltech News



What's being said

  • Ben Weinberger

    To echo what [I think] the below post was saying, businesses today must take appropriate precautions and implement reasonable security measures. There is no defense for doing nothing - and those entities who suffer breaches will be judged based on the expected standard of care. This is a pretty reasonable expectation. In the case of law firms, this is just one more example (on top of recent regulations and State AG directives) of why they are now required to change their "optimistic" security models which give open access to everything inside the firm to "pessimistic" security models which would limit access to confidential client data to only those who need access (bringing it in line not only with client demands since the Panama Papers breach but also in line with recent legislation such as the EU GDPR and the NY Dept. of Financial Regs which cover every firm representing a bank, insurance company, or other regulated entity).

  • Richard I. Isacoff

    The change in the practice/law for notification is critical. With OPM, Yahoo, Clinton, Trump and several major retailers being breached, there must be quick notification to all who might be harmed. The existing law was enacted before the major breaches over the past 3-4 years. Despite the risk for the targeted entity, the underlying owner of the info (customer, employee, client, etc.) has rights of disclosure, if for no other reason than to enable damage control. There will be a growing clamor to determine if reasonable security was in place. Nothing is foolproof, but there are standards for most industries, and even if they are not sufficient the data handler must meet that level: the risk then sits firmly on the breached entity. Richard Isacoff
