Cybersecurity law in California has been evolving significantly over the last decade, with law firms keeping a particularly close eye on it, given the amount of sensitive data they tend to hold.
In this post, we’ll break it all down so you come away with a solid overview of just what your firm needs to do to comply with cybersecurity laws within the Golden State.
Current state of California cybersecurity law
It would be hard to argue that the advancements in legal technology over the past two decades haven’t fundamentally improved the practice of law. After all, we’re now more efficient, more informed, and more organized than ever before.
That said, major improvements often come with major costs – and legal tech is no exception. The undeniable and inescapable risk of all this technology is that the data stored within it – often highly sensitive data pertaining to our clients – will be stolen and misused.
In reality, today’s California law firms face a whole host of challenges in safeguarding their clients’ confidential information. Gone are the days when a locked storage closet was all the security you needed. Today, the threats can come from inside and outside the building.
Data breaches are an ever-present risk. They can compromise confidentiality, disrupt operations, and erode client trust.
Adding complexity to this dilemma are California’s stringent data privacy laws, specifically the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), which set some of the highest standards for data protection in existence.
That said, these laws only apply to a small percentage of California law firms. Does that mean the rest of the State’s firms are off the hook when it comes to cybersecurity measures? Not a chance. Indeed, the State Bar has issued a formal opinion outlining measures all lawyers should take to safeguard client information in today’s tech-rich climate.
Which law firms need to worry about the CCPA/CPRA?
Perhaps the shortest (and most ethical) answer to this question is: “All of them.” The truth, however, is that the stringent requirements of the CCPA and CPRA don’t apply to all businesses equally. Rather, according to the California Attorney General’s Office, the only businesses that must comply with these laws are those that:
- Have a gross annual revenue exceeding $25 million;
- Buy, sell, or share the personal information of 100,000 or more California residents or households; or
- Derive at least 50% of their annual revenue from selling the personal information of California residents.
So, to ease many of your minds, these laws technically only apply to very large, very successful law firms. Nonetheless, the protections these laws provide are good guardrails for all law firms to consider.
Additionally, even if your law firm doesn’t fall within one of the three categories, some of your clients may be businesses that are impacted by the CCPA/CPRA. Thus, understanding the confines of these laws will aid you in that representation.
So, let’s begin with an overview of these measures, shall we?
Overview of CCPA and CPRA requirements
The CCPA, enacted in 2018, marked the first major cybersecurity law in California, chiefly concerning data privacy regulation. Ultimately, it provides consumers with greater control over their personal information.
The CPRA, which came into effect in 2023, expanded on the CCPA by strengthening consumer rights and establishing the California Privacy Protection Agency (CPPA) to enforce compliance.
Under the CCPA, certain businesses (see above) must comply with key requirements surrounding personal information handling. This includes, in a very general sense:
Consumer rights
Businesses must provide clients with access to their data, the option to request deletion, and the ability to opt out of data sharing.
Data collection disclosures
Additionally, those businesses that are subject to these laws must disclose what personal information they collect, how it is used, and whether it is shared or sold.
With the CPRA’s enactment, the scope of these protections has expanded further, introducing new rights such as data correction and usage restrictions.
These laws now require companies (including qualifying law firms) to implement stricter data security measures, assess vendor compliance, and regularly evaluate internal security practices.
For California law firms, the takeaway is clear: compliance with the CCPA and CPRA goes beyond a checklist. Qualifying law firms (and their clients) must actively manage client data and adopt policies and procedures that protect against data breaches and other risks to consumer/client privacy.
Formal Ethics Opinion No. 2020-203
In its Formal Opinion No. 2020-203, the California State Bar addressed the issue of an attorney’s obligation to protect electronically stored client information from unauthorized access by third parties.
Interestingly, this Opinion took on the issue of cybersecurity from a micro-perspective. In other words, it applies to the obligations of every lawyer (as opposed to only large, successful law firms) and every device they use (as opposed to global data privacy policies like those found in the CCPA).
And while the Opinion certainly isn’t a California cybersecurity law, it is rooted in the ethical principles of competence and confidentiality, and it requires firms to take proactive and responsive steps to secure client data (many of them borrowed from the ABA, in fact).
Let’s dive into the Opinion’s requirements:
Preventive measures
According to the Opinion, lawyers should implement and maintain reasonable cybersecurity protocols, such as encryption, strong passwords, secure data storage, and limiting access to authorized personnel only. If the firm relies on third-party vendors, it must ensure these providers follow comparable security standards to prevent potential breaches.
Ongoing monitoring and assessment
Firms should regularly review and update their security practices, which includes conducting risk assessments and staying informed about evolving cybersecurity threats. This vigilance helps firms detect vulnerabilities and respond swiftly to any indication of unauthorized access.
Response protocols in case of a breach
If a breach occurs, lawyers are required to notify affected clients promptly. The notification should detail the scope and impact of the breach, steps the firm is taking to resolve it, and any recommended actions for the client.
The firm should also collaborate with cybersecurity professionals as needed to remediate vulnerabilities and prevent future incidents.
Commitment to client trust
These responsibilities extend beyond mere compliance. Protecting client information is essential to maintaining trust, which only reflects the ethical commitment lawyers have to safeguard their clients’ interests and confidentiality in all circumstances.
Boots-on-the-ground security measures
So, now that you have an idea of the laws and policies that impact your firm’s cybersecurity obligations, let’s talk about some of the boots-on-the-ground practices you can implement to keep your clients’ information safe:
Data mapping and inventory
Before you can protect your clients’ precious data, you first need to understand the types of personal information you’re holding onto. This involves data mapping and conducting regular inventories to identify client data stored across systems.
Data mapping not only helps your firm understand what’s at risk, but also bolsters your ability to respond quickly in case of a breach.
Data protection and encryption
Encrypting personal data – both at rest and in transit – is crucial for protecting sensitive client information. Both California’s cybersecurity laws and the State Bar’s Ethics Opinions emphasize that reasonable security measures are necessary to avoid unauthorized access. Simply put, encryption is a fundamental component of this type of security.
Access controls and user management
Law firms should limit data access to essential personnel only. Role-based access controls ensure that employees (and, in some cases, clients) can only access data pertinent to their matters or responsibilities. These sorts of controls minimize exposure and reduce the risk of internal breaches.
Employee training and awareness
One of the most effective measures against cyber threats is comprehensive training for all firm employees. From phishing awareness to data handling protocols, training employees to recognize and respond to potential threats can mitigate many risks.
Given that ethical breaches by non-attorney staff can be imputed to the firm’s attorneys, this type of training is not only a practical safeguard – it’s an ethical imperative.
Implications of data breaches and non-compliance
For those impacted by its mandates, the consequences of failing to comply with CCPA and CPRA can be severe, ranging from financial penalties to reputational damage.
Non-compliance may result in fines of up to $7,500 per intentional violation, with additional penalties if data breaches are found to result from negligence.
More pressing for law firms, however, is the potential loss of client trust, which is invaluable in an industry built on confidentiality and reliability.
Law firms should also understand the broader implications of data breaches. With increasing attention on data privacy and a more vigilant regulatory environment, firms may face lawsuits and investigations that distract from their core practice areas.
In addition to fines, these legal repercussions could entirely erode a firm’s reputation.
Conclusion
As cybersecurity threats evolve, so does California cybersecurity law, and firms in California face growing pressure to adopt rigorous data protection measures.
Whether it’s the CCPA/CPRA or the State Bar’s Ethics Opinions that guide a particular firm, meeting these standards involves not only understanding the data at risk, but also adopting effective security practices that protect the sensitive information inherent in legal work.
Ultimately, however, the responsibility to protect client data transcends regulation, doesn’t it? It’s truly rooted in the foundational principles of trust and integrity that the legal profession owes to the people it serves.