Editor’s Note:
This article is part of a comprehensive series on Data Governance and AI Data Governance for Law Firms. The series is designed to help legal professionals understand and implement effective governance frameworks. Each article builds on foundational concepts to address specific challenges, from assessing governance needs to managing risks associated with AI tools. The series aims to provide practical, actionable guidance tailored to the legal sector's unique demands. It empowers law firms to safeguard client data, ensure regulatory compliance, and enhance operational efficiency. Stay tuned for upcoming articles as we delve deeper into this critical topic.
On December 6, 2024, a three-judge panel of the U.S. Court of Appeals for the D.C. Circuit rejected TikTok's challenge to a federal law that bans the platform unless it is sold to sever it from Chinese government control. This week the U.S. Supreme Court hears arguments from TikTok's owner, ByteDance, on whether the law violates the First Amendment. The push to ban TikTok or force its sale is not about time wasted on short videos; it is about sensitive user data being accessible to the Chinese government through the platform.
If data that can be collected from a social media app—where teens lip-sync and twenty-somethings sell their wares and beauty tips—warrants federal intervention, consider the stakes for law firms safeguarding confidential client information. While TikTok manages user entertainment data, law firms protect trade secrets, financial records, medical information, and litigation strategies. A single data breach could devastate client interests, destroy attorney-client privilege, and permanently damage a firm's reputation.
The modern law firm sits at a unique crossroads of regulatory obligations. As guardians of client confidences, firms must navigate traditional ethical duties while complying with an expanding web of data protection regulations. From the California Consumer Privacy Act to the EU's General Data Protection Regulation, from HIPAA to the Gramm-Leach-Bliley Act, a single client matter might involve personal data protected by multiple frameworks—all while maintaining attorney-client privilege and work product protection.
This article guides you through essential data governance elements for modern law firms. We examine key regulatory frameworks affecting law firm data management, explore how these requirements intersect with ethical obligations, and address emerging challenges posed by generative AI. Throughout, we provide practical strategies and actionable guidance to help your firm navigate this complex landscape effectively.
Regulatory Frameworks Affecting Data Governance
Law firms operate in an environment where compliance with regulatory frameworks is not just advisable; it is essential. A range of state, federal, and international laws and regulations apply to the data your firm holds. In other words, data privacy is not only a matter of professional responsibility; it is a complex maze that must be navigated carefully. The key regulations that apply to data governance in the legal profession follow. Each could fill several articles on its own. The purpose here is neither to treat these frameworks exhaustively nor to list every regulation that might apply, but to highlight the notable laws and regulations you should be aware of. Each framework carries its own requirements and implications for lawyers, particularly in how they manage sensitive client data.
INTERNATIONAL REGULATIONS
General Data Protection Regulation (GDPR)
The GDPR is the European Union's comprehensive data protection law, which came into effect on May 25, 2018. It governs the collection, processing, and storage of personal data of individuals (natural persons, not companies) who are in the EU, regardless of where the organization handling the data is located. It can therefore apply to any organization, including U.S.-based law firms, that handles the personal data of individuals in the EU.
Purpose: The regulation aims to give individuals control over their personal data while creating a unified data protection framework across the EU.
Key Provisions:
Data Rights: Grants individuals the right to be informed about data collection and use. These rights include: the right to access their personal data, the right to rectify or correct inaccurate data, the right to have their data deleted (“right to be forgotten”), the right to restrict or object to data processing, and the right to data portability.
Consent: Consent is one of several lawful bases for processing under the GDPR (others include performance of a contract, compliance with a legal obligation, and legitimate interests). Where a firm relies on consent, it must be freely given, specific, informed, and unambiguous, obtained through an affirmative opt-in rather than a pre-ticked box or opt-out, and as easy to withdraw as it was to give. Explicit consent is required for special categories of data such as health data. The organization must be able to demonstrate that valid consent was obtained, so records of consent should be kept.
Data Breach Notification: A personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to individuals. For organizations with EU establishments, the lead supervisory authority is the one in the country of the main establishment; a non-EU firm reports to the authority in the member state where its designated EU representative is located or where the affected individuals are. Every breach must be documented internally, whether or not it is reported. Affected individuals must be notified without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
Penalties: Fines up to €20 million or 4% of global annual revenue (whichever is higher) for serious violations.
Impact on Lawyers:
Law firms representing international clients or handling cross-border cases must comply with GDPR standards.
Non-EU law firms also fall within scope if they employ or contract with individuals in the EU, or if their website offers services to, or monitors the behavior of, individuals in the EU (for example, through tracking cookies or analytics). The threshold is activity directed at people in the EU, not the firm's location.
FEDERAL REGULATIONS
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA is a U.S. law enacted in 1996 that is designed to protect the confidentiality and security of health information. It applies to “covered entities” like healthcare providers and their “business associates,” which can include law firms handling medical data in litigation.
Key Provisions:
Data Rights: Patients have the right to examine and obtain copies of records, right to request amendments, right to receive accounting of disclosures, and right to request restrictions on the release of data.
Privacy Rule and Security Rule: The Privacy Rule limits the use and disclosure of protected health information (PHI) and imposes a "minimum necessary" standard, so that only the PHI needed for a given purpose is used or disclosed. It also requires covered entities to inform patients of their privacy rights through a Notice of Privacy Practices. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI), including a documented risk analysis that is reviewed and updated regularly.
Business Associates: A business associate must sign a Business Associate Agreement (BAA) with the covered entity and is directly liable for complying with the Security Rule and with the Privacy Rule terms of its BAA. It does not need to furnish a Notice of Privacy Practices to patients. Any downstream subcontractor that handles PHI on the business associate's behalf must also be bound by a BAA.
Data Breach Notification:
Covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI. Breaches affecting 500 or more individuals must also be reported to the Secretary of the U.S. Department of Health and Human Services (HHS) within the same 60-day window, and to prominent media outlets if 500 or more residents of a single state or jurisdiction are affected; smaller breaches are logged and reported to HHS annually. Business associates report to the covered entity rather than to individuals, generally within 60 days of discovery, although the BAA often sets a shorter deadline. Check the specific reporting obligations in each BAA.
Penalties:
Tier 1: $100-$50,000 per violation (no knowledge)
Tier 2: $1,000-$50,000 per violation (reasonable cause)
Tier 3: $10,000-$50,000 per violation (willful neglect, corrected)
Tier 4: $50,000+ per violation (willful neglect, not corrected)
Maximum annual penalty of $1.5 million per violation type (all figures are adjusted annually for inflation)
Impact on Lawyers:
Law firms involved in cases requiring access to medical records, such as personal injury or medical malpractice, must ensure HIPAA compliance.
Requires administrative, physical, and technical safeguards for electronic PHI, along with risk analysis and management, and access controls.
The Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) is a US federal law enacted in 1999 that requires financial institutions to explain their information-sharing practices to customers and safeguard sensitive data. It aims to protect consumers' personal financial information and ensure privacy in the financial services industry.
Key Provisions:
Data Rights: Right to receive privacy notice, opt-out of information sharing with non-affiliated third parties, receive notice of changes in privacy policies, and protection of their nonpublic personal information (NPI)
Consent/Notice Requirements: Initial privacy notice when customer relationship established, revised notices when practices change, and an annual privacy notice. Opt-out for third-party sharing.
Data Breach Notification:
GLBA itself sets no notification deadline. However, the FTC's Safeguards Rule now requires non-bank financial institutions under FTC jurisdiction to notify the FTC within 30 days of discovering a breach affecting 500 or more consumers, and institutions supervised by federal banking regulators follow those regulators' incident notification rules. State breach notification laws and other sector-specific requirements apply on top of these.
Penalties:
Up to $100,000 per violation for institutions
Up to $10,000 per violation for officers and directors
Criminal penalties possible for certain violations
Additional penalties from federal banking regulators
State enforcement actions possible
Impact on Lawyers:
Must protect clients’ NPI when handling financial data, including when received from financial institutions. Need security measures aligned with GLBA standards. Cannot reuse or redisclose NPI without authorization.
Required to report security incidents and must have data disposal procedures. And must document procedures.
If a Law Firm Provides Financial Services: Practicing law as such is not a "financial activity" under GLBA (ABA v. FTC, D.C. Cir. 2005), so ordinary legal work does not make a firm a covered financial institution. Some law firms may nevertheless be directly covered if they also provide tax preparation services, offer financial advisory services, or handle real estate settlements.
Federal Rules of Civil Procedure (FRCP)
FRCP governs the discovery process in U.S. litigation, including handling electronically stored information (ESI).
Key Provisions:
Rule 26(b)(2)(B): Limits discovery of ESI that is not reasonably accessible because of undue burden or cost; the party resisting production must show that burden, and the court may still order production for good cause.
Rule 26(f): Requires parties to confer early about preservation and production of ESI, including the form of production and any issues of privilege.
Rule 34: Governs requests for documents, ESI, and tangible things, including the form in which ESI is produced.
Rule 37(e): Authorizes sanctions when ESI that should have been preserved is lost because a party failed to take reasonable steps, with the most severe remedies reserved for cases where the party acted with intent to deprive the other side of the information.
Federal Rules of Evidence (FRE)
Rule 502: Addresses waiver of attorney-client privilege and work product protection in document production. Under Rule 502(b), an inadvertent disclosure does not waive privilege if the holder took reasonable steps to prevent it and acted promptly to rectify it, which supports clawback of inadvertently produced material; Rule 502(d) allows a court order to govern the effect of disclosure.
Rule 901: Sets requirements for authenticating evidence, including electronic evidence such as emails, messages, and electronic signatures.
Consider other related rules and statutes such as the Stored Communications Act (18 U.S.C. §§ 2701-2712).
STATE REGULATIONS
As more companies find ways to obtain and use our data, multiplied by the ease and convenience of using GenAI to scrape data, a multitude of states have proposed bills regarding data privacy. The grandmother of these is California’s Consumer Privacy Act (CCPA) which became effective in 2020.
The current state of privacy bills can be loosely grouped into four (4) categories, as set forth in the following chart.
California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
The CCPA represents the most comprehensive state privacy law in the United States and has become a de facto national standard due to California's economic importance and the law's broad reach. Enacted in 2018 and effective since 2020, with significant amendments through the California Privacy Rights Act (CPRA) taking effect in 2023, the CCPA has inspired similar legislation across the country. Its robust consumer protections and strict compliance requirements have prompted many organizations, including law firms, to upgrade their data governance practices nationwide rather than maintaining different standards for California and non-California data. The law's influence is so significant that even firms without California clients often align their practices with CCPA requirements, anticipating that other states will follow California's lead.
The CCPA gives California residents enhanced control over their personal data. While it primarily targets businesses, law firms serving California clients are often affected.
Key Provisions:
Consumer Rights: Grants rights to access, delete, and opt out of the sale of personal data. Requires disclosure of data collection practices.
Penalties: Consumers have a private right of action for certain data breaches, with statutory damages of $100 to $750 per consumer per incident or actual damages, whichever is greater. Separately, the state can impose civil penalties of up to $2,500 per violation, or $7,500 per intentional violation or violation involving a minor's data (base figures, subject to inflation adjustment).
Impact on Lawyers:
Law firms must evaluate how they collect and use personal data, especially if they work with consumer data in employment or class action cases.
Robust breach response plans and clear privacy notices are critical for compliance.
Virginia Consumer Data Protection Act (VCDPA)
The Virginia Consumer Data Protection Act became effective on January 1, 2023 after being signed into law on March 2, 2021. Although the VCDPA follows the CCPA’s lead in some respects, its approach differs in several key aspects from California’s laws.
Scope: Applies to businesses that control or process the personal data of 100,000 or more Virginia residents in a calendar year, or that control or process the personal data of 25,000 or more Virginia residents and derive more than 50% of gross revenue from the sale of personal data.
Key Provisions:
Provides rights similar to the CCPA, such as access, correction, and deletion of personal data.
Requires data protection assessments for higher-risk processing, such as targeted advertising, the sale of personal data, certain profiling, and the processing of sensitive data.
Mandates opt-outs for data processing for targeted advertising.
Impact on Lawyers:
Law firms representing clients in Virginia or processing significant amounts of resident data must ensure compliance, particularly with data processing assessments and privacy notices.
Other State Privacy Laws
Several U.S. states have enacted, or are in the process of enacting, their own data privacy and protection laws. These laws are often inspired by the CCPA or Virginia's law but include their own provisions and compliance requirements. Other state privacy laws to consider include:
Colorado Privacy Act (CPA) Applies to businesses processing data of 100,000 or more Colorado residents annually or deriving revenue from the sale of personal data of at least 25,000 residents. Allows for opt-out, correction, deletion and portability of data.
Connecticut Data Privacy Act (CTDPA) Similar to Colorado's law, applies to businesses meeting specific data volume or revenue criteria. Exempts non-profits and higher education institutions.
Utah Consumer Privacy Act (UCPA) Targets businesses with $25 million or more in annual revenue that process data of 100,000 or more Utah residents, or that process data of 25,000 or more residents and derive over 50% of revenue from selling personal data. Allows for access to and deletion of personal data. Does not require opt-ins for data sales but provides opt-out rights.
Texas Data Privacy and Security Act (TDPSA) Similar to the CCPA, it does not, however, include a private right of action. It follows the “Virginia Model” of privacy law, and is more business friendly than California’s approach.
For an up-to-date list of state data privacy laws, consult the International Association of Privacy Professionals (IAPP) state privacy legislation tracker.
While these laws share common principles (e.g., consumer rights to access and delete data, transparency, and opt-out mechanisms), they vary in scope, definitions, and enforcement mechanisms. Law firms must adapt their data governance strategies to meet the specific requirements of each jurisdiction where they operate or serve clients.
State Bar Ethics Opinions on Technology
While federal and state regulations create a broad framework for data protection, lawyers must also comply with state bar ethics opinions that specifically address AI and advanced technology use in legal practice. These opinions interpret the Rules of Professional Conduct in the context of emerging technologies and create additional obligations for data governance.
ABA Model Rule 1.1, Comment 8 requires lawyers to understand "the benefits and risks associated with relevant technology." This "duty of technology competence" directly affects AI adoption and extends to understanding how AI tools store, transmit, and protect the data entered into them.
The California Standing Committee on Professional Responsibility and Conduct issued “Practical Guidance for the use of Generative Artificial Intelligence in the Practice of Law.” It addresses ethical obligations when using generative AI.
New York State Bar and a number of other state bar organizations have formed task forces to address artificial intelligence in the practice of law.
State bar regulations on GenAI are the exception rather than the rule, but they are emerging. Be sure to watch your state bar to stay compliant.
Additional Rules and Regulations to Consider
Beyond the general data protection frameworks, law firms must also consider industry-specific regulations that affect their clients' data. These vary significantly by sector: SOX for public companies and their auditors, FERPA in education, and CPNI requirements in telecommunications. Understanding these regulatory frameworks is the cornerstone of effective data governance. Each law brings its own challenges and obligations, but compliance is essential for protecting sensitive information, maintaining client trust, and avoiding penalties.
AI’s Role in Data Governance
AI's reliance on vast amounts of data also amplifies data privacy and security risks. Tools that process sensitive client information can inadvertently expose firms to breaches or misuse of data, which in turn triggers the notification and accountability requirements of regulations such as the GDPR, CCPA, and HIPAA. Breaches involving GenAI tools are often compounded in scope because client data entered into a tool may be retained in prompt logs, vendor systems, or training data outside the firm's control, where it is difficult to trace and impossible to retract. To mitigate these risks, law firms must adhere to data minimization, encrypt sensitive information in transit and at rest, vet AI vendors' data retention and training practices before use, and maintain robust breach notification procedures. For how to do this, review the other articles in this Data Governance Series.
Best Practices for Compliance
Regular technology audits to ensure compliance with state bar requirements
Documentation of technology decisions and risk assessments
Written policies for technology use and data protection
Regular staff training on technology ethics
Client communication protocols regarding technology use
Conclusion
As AI becomes a cornerstone of modern legal practice, law firms must address these challenges proactively. By focusing on transparency, mitigating bias, safeguarding data privacy, ensuring oversight, and adapting to new standards, firms can harness AI responsibly, strengthening their operations while maintaining compliance and client trust.
Firms that invest in developing and maintaining strong data governance policies position themselves for success in an environment where data protection and efficient information management are crucial competitive advantages.
© 2025 Amy Swaner. All Rights Reserved. May use with attribution and link to article.