It is reported that a personal computer is lost or stolen every 12 seconds, most of which contain highly confidential information.1 Among these, many belong to attorneys. Should something like this ever happen to you, could you be sued for malpractice?
For a successful legal malpractice claim, the plaintiff must establish (1) an attorney-client relationship; (2) negligent breach of duty or contract by the defendant; (3) proximate causation of plaintiff's damages; and (4) damages to the plaintiff. Let us assume that confidential client information was lost along with the laptop so that the existence of an attorney-client relationship is now a given.
The nest step is to determine whether an attorney breached his or her duty to the client. To determine breach of duty, most jurisdictions have a reasonable person standard; basically, under the circumstances, did the attorney act like any other reasonable attorney? Using our coffee shop example, most reasonable attorneys probably would not leave their laptops on a table unguarded for an extended period of time. Therefore, the attorney at the coffee shop may have negligently breached his duty. In contrast however, if an attorney left his laptop in his office over the weekend and a thief stole the laptop, it would seem that the attorney acted reasonably since other reasonable attorneys would do the same.
The important question is if you lost your laptop in a crowded café, could your clients show that the negligence led to their damages? Most states require that the plaintiff present a “but for” and “proximate” causation to sustain a negligence claim. In a recent malpractice suit, a client sued his lawyer for allegedly disclosing confidential information, claiming such disclosure caused the government officials to press criminal charges against the plaintiff. However, the client could not prove that disclosure of the confidential information was what actually led to the criminal charges.2
So the question remains, how can one prove that “but for” the loss of the laptop the outcome would have been different? The importance and duplicability of the confidential information within the laptop probably will answer this causation question on a case by case basis. However, in this day and age, it seems doubtful that most clients and their attorneys would not have the information backed-up and it is important to note that to date, a malpractice suit against an attorney for losing a laptop has not arisen in federal or state courts.
The real concern at this point may be not so much one of malpractice but one of awareness of and compliance with the obligations that can arise under a notice of security breach statute. Already instituted in 34 states, these statutes provide another possible claim for angry clients.3 For example, in Washington state, the Revised Code of Washington § 19.255.010(2) states,
Any person or business that maintains computerized data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Such statutes allow a cause of action as “Any customer injured by a violation of this section may institute a civil action to recover damages.”4
With the notice of security breach statutes, it appears that the causation issue is easier to prove than a malpractice claim since the client merely has to show that the laptop containing personal information was lost and was not reported immediately following discovery. An attorney should be wise enough to tell his or her clients as soon as it is discovered that the laptop is missing to avoid this kind of claim.
So while there is no reported case of attorney malpractice arising from a lost laptop that contained confidential information, one should not rest easy. Other laws such as the notice of security breach statutes are available for use by clients. Take every reasonable precaution not to lose your laptop. The fallout could be disastrous.
*Chris Kang, a 2007 Summer Associate with Stanislaw Ashbaugh, LLP, guest wrote this month's Tech Tip. Created in 1987, Stanislaw Ashbaugh, LLP is a mid-sized Seattle firm whose attorneys practice in the areas of Construction Law, Corporate & Securities Law, Insurance Coverage Law and Litigation.
I wish to thank Chris for his efforts with this article. Anyone wishing to submit an article for consideration in our ALPS Risk Management Report can do so via email. Simply contact me at mbass@alpsnet.com.
Mark Bassingthwaighte, Esq.
Risk Manager, ALPS
1 Ellen Freedman, Reid Trautz and Jim Calloway, A Lawyer’s Guide to Mobile Computer Security, 77 Okla. B.J. 3085 (2006).
2 Garret v. Bryan Cave LLP, 2000 U.S. App. LEXIS 7339 (2000).
3 Donald G. Ries, Information Security for Attorneys: An Ethical Obligation, 78 PA Bar Assn. Quarterly 1, 3 (2007).
4 Wash. Rev. Code § 19.255.010(10)(a) (2007).