I require my clients to give me personal information, such as Social Security numbers and credit card numbers for payment of fees. What happens if this information is compromised or lost?
A lawyer who obtains personal information from a client is obligated to communicate with the client if that information is lost (or taken). This requirement exists under state law as well as under the Rules of Professional Conduct.
SCR 20:1.6 covers confidentiality of client information. A lawyer is obligated to keep all client information confidential – this means anything learned or received by the attorney during the course of the representation. This would include personal information that the lawyer receives, including credit card information or personal identification information such as a Social Security number or a driver's license number. It is not often that a lawyer will request a Social Security number or a driver's license number (except when representing a client in a traffic matter), but if that information is received, it is considered attorney-client confidential information and must be protected by the lawyer.
The lawyer is also obligated to notify the client if that information is compromised in some fashion, such as by loss of a laptop or someone hacking into the lawyer's computer network. SCR 20:1.4 requires that a lawyer communicate with the client about all things related to the representation and necessary for the client to make decisions regarding the representation. The disclosure of personal information relates to the representation and is something that must be communicated to the client if it occurs.
A Wisconsin statute also affects lawyers' obligations related to client information. Section 134.98 of the Wisconsin Statutes, known as the data breach notification law, requires any business that obtains personal information to notify the individual if that information is somehow disclosed or compromised. This would include information such as a credit card number, a driver's license number, or a Social Security number. The statute specifically defines personal information as the following:
"(b) 'Personal information' means an individual's last name and the individual's first name or first initial, in combination with and linked to any of the following elements, if the element is not publicly available information and is not encrypted, redacted, or altered in a manner that renders the element unreadable:
"1. The individual's [S]ocial [S]ecurity number.
"2. The individual's driver's license number or state identification number.
"3. The number of the individual's financial account number, including a credit or debit card account number, or any security code, access code, or password that would permit access to the individual's financial account.
"4. The individual's deoxyribonucleic acid profile, as defined in s. 939.74(2d)(a).
"5. The individual's unique biometric data, including fingerprint, voice print, retina or iris image, or any other unique physical representation."
A business is obligated to notify the individual within 30 days of becoming aware that the information has been compromised or disclosed in some manner, whether by negligence or by some intentional act of another person. To comply with this law, a lawyer is required, for example, to notify the client if the lawyer loses a laptop or some other computer equipment that contains a client's personal information. Notification may also be required if a laptop is lost but it does not contain or give access to information that would be considered personal information.
Dean R. Dietrich, Marquette 1977, of Ruder Ware, Wausau, is past chair of the State Bar Professional Ethics Committee. He can be reached at email@example.com.
Lawyers must be careful to protect any information learned during the course of representation, including clients' personal information, whether obtained for purposes of representation or for purposes of obtaining payment for fees. Lawyers should exercise caution in all respects to ensure that this information is protected from either inadvertent disclosure or some type of unauthorized disclosure.
For more information on protecting client information, see "25 Tips to Prevent Law Firm Data Breaches" elsewhere in this issue.