Data Privacy Obligations for Estate Professionals: Beyond HIPAA
When estate attorneys discuss data security, the conversation often fixates on HIPAA. But for most estate practices, HIPAA is a minor concern compared to the privacy laws actually shaping compliance requirements. A California attorney collecting a client's Social Security number, storing it in an unencrypted email folder, and processing it through a third-party service provider triggers obligations under the CCPA as amended by the CPRA, under similar laws in other states, and, increasingly, under the SOC 2 expectations of insurers and clients (SOC 2 is an audit framework, not a law, but it is fast becoming the evidence those parties ask for). HIPAA? Probably doesn't apply at all.
This overlapping regulatory landscape creates real exposure. A single breach notification can cost $50,000 to $200,000 or more once you add in forensic investigation, legal review, and notification to affected individuals. Class action litigation often follows. Insurance carriers increasingly ask for a SOC 2 report before renewing coverage. Yet many estate practices operate without a formal data privacy program.
The task is not to become a privacy lawyer but to understand which obligations apply to your practice and implement straightforward protections: data inventories, written policies, encryption, and vendor oversight. This article maps the compliance terrain and provides actionable steps.
The Privacy Law Patchwork: CCPA, CPRA, and State Equivalents
CCPA and CPRA: Consumer Rights and Sensitive Information
The California Consumer Privacy Act (CCPA), effective in 2020, grants consumers four rights: the right to know what personal information a business collects, the right to delete that information, the right to opt out of its sale, and the right to equal service regardless of privacy choices. The California Privacy Rights Act (CPRA), effective in 2023, amends and strengthens the CCPA: it adds the right to correct inaccurate information, extends the opt-out right to "sharing" for cross-context behavioral advertising, and creates a new category called "sensitive personal information" whose use consumers can ask you to limit.
For estate professionals, the definition of personal information is broad, but applicability is not automatic. CCPA/CPRA applies to a for-profit business that collects personal information from California residents if it meets one of three thresholds: annual gross revenues exceeding $25 million (adjusted for inflation), buying, selling, or sharing the personal information of 100,000 or more consumers or households per year, or deriving 50% or more of annual revenue from selling or sharing consumer personal information. Most estate practices do not cross any of these thresholds. That is not a reason to relax: California's separate data security statute (which requires reasonable security for personal information) and its breach notification statute apply regardless of size, other states use different thresholds, and the controls described below are what a regulator, insurer, or plaintiff will expect in any case.
"Personal information" includes name, Social Security number, date of birth, financial account information, and health information. It is difficult to practice estate law without collecting this data. A single intake form captures name, SSN, DOB, bank account numbers, property valuations, and references to healthcare providers.
The CPRA introduced "sensitive personal information," a subcategory that includes SSNs, financial account numbers combined with access credentials, precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic data, biometric data, health information, and sex life or sexual orientation. Handling sensitive PI imposes stricter obligations: your notice must disclose it clearly, use is limited to the purposes disclosed, and consumers have the right to limit your use and disclosure of it to what is necessary to provide the services they requested, in addition to the general right to opt out of any sale or sharing.
State Privacy Laws: A Fragmented Landscape
CCPA/CPRA does not stand alone. Colorado, Connecticut, Virginia, Utah, Montana, Delaware, and Texas have enacted consumer privacy laws with their own mechanics and timelines. More states follow annually. Each law has slightly different definitions of "personal information," different thresholds for business applicability, and varying consumer rights.
For a practice with clients in multiple states, this patchwork creates overlapping obligations. A Massachusetts attorney serving Connecticut clients may fall under Connecticut's law; a Texas firm serving Colorado residents may fall under Colorado's, each according to that state's own thresholds. The safer approach is to treat California's framework as a floor and apply its protections nationally: assume CCPA/CPRA applies, assume all client data is sensitive, and build compliance around that standard. CCPA/CPRA compliance satisfies most, though not every, requirement of the state equivalents; Colorado and Virginia, for example, require consent before processing sensitive data rather than an opt-out, so check the specifics for any state where you have a meaningful client base.
Practical Definition of Personal Information in Estate Work
In estate law, you collect and store voluminous personal information across multiple documents and systems. A typical probate or trust administration engagement captures:
- Client contact information and family relationships
- Social Security numbers and tax identification numbers
- Dates of birth and driver's license numbers
- Financial accounts, balances, routing numbers, credit card numbers
- Real property descriptions and valuations
- References to health information (medical directives, health insurance policies)
- Email correspondence with vendors, family members, and third parties
- Digital asset passwords and account information
- Tax returns and financial statements
Each of these categories qualifies as personal information under CCPA/CPRA, and most of them are sensitive personal information. Where the law applies to your firm, collected data is subject to California's consumer rights framework. That does not mean you must delete data on request when the law allows retention for legal or professional obligations (the CCPA expressly permits retention to comply with a legal obligation and to exercise or defend legal claims), but it does mean you must have a mechanism to receive and respond to consumer requests, a written privacy policy describing what you collect and how you use it, and security controls that document who can access the data and how it is protected.
Service Provider and Third-Party Compliance
Data Processing Agreements: The Essential Foundation
Few estate practices handle client data entirely in-house. Most use third-party tools: cloud file storage, email hosting, practice management software, document automation, accounting platforms, and communication tools. Each of these services counts as a "service provider" (CCPA/CPRA) or "processor" (most other state laws) only if a written contract binds it to the restrictions the statute requires; without that contract the vendor is an ordinary "third party," and handing it client data can itself count as a sale or sharing. When you share client data with a service provider, you enter a data processing relationship governed by contract, and the contract terms determine the vendor's legal status.
A data processing agreement (DPA) is a contract specifying how the service provider may collect, use, disclose, and secure client data. At minimum, a DPA should cover:
- Permitted uses: Service provider may access data only to provide services you specified, not for its own marketing or data sale.
- Security measures: Service provider commits to encryption in transit and at rest, access controls, employee training, and incident response procedures.
- Data location: Specifies where data is stored geographically; some clients require data remain in the US.
- Subprocessors: Service provider must disclose if it uses third-party subprocessors and give you the right to object to new ones.
- Deletion and return: Upon contract termination, service provider must delete or return all client data within a specified timeframe.
- Audit rights: You have the right to audit the service provider's security practices or demand a SOC 2 report.
- Liability and indemnification: Service provider indemnifies you for breaches caused by its negligence.
Many service providers now offer DPAs as standard contracts; cloud storage services, CRM platforms, and document automation tools often include DPA terms. Review them carefully. If terms are unacceptable, negotiate. If a service provider refuses a DPA or is unwilling to commit to basic security measures, find an alternative.
Liability for Service Provider Breaches
A critical principle: your firm remains liable for a service provider breach even though the service provider caused it. If a vendor's negligence exposes client SSNs, you are the party notifying affected individuals, paying the notification costs, and defending against litigation. The DPA and insurance coverage are your protections, but they do not eliminate your risk.
This liability assignment creates strong incentive to audit service providers for security maturity. Before moving client data to a vendor, request a SOC 2 Type II report demonstrating the vendor's security, availability, confidentiality, and privacy controls. If the vendor does not have a SOC 2 report, ask why and assess the risk accordingly. A vendor storing thousands of client SSNs should have third-party security validation.
Subprocessor Disclosure and Transparency
Many service providers use their own subprocessors. A cloud storage service might use a third-party for data backup. An accounting platform might integrate with payment processors and tax filing services. Each subprocessor introduces risk. If a subprocessor is compromised, your client data can be exposed.
CPRA requires a service provider that engages a subcontractor to notify you of that engagement and to bind the subcontractor by written contract to the same restrictions it accepted; a right to object to new subprocessors is a term you negotiate into the DPA, not something the statute hands you. Review your service providers' subprocessor lists. If a vendor uses subprocessors you do not trust or in geographies with weak privacy laws, raise the issue in writing and request that the DPA be amended to restrict subprocessors.
HIPAA's Limited Applicability and Gaps
When HIPAA Applies to Estate Practices
The Health Insurance Portability and Accountability Act (HIPAA) is a federal privacy and security law that regulates "covered entities" (healthcare providers, health plans, and healthcare clearinghouses) and their "business associates," the vendors and professionals that create, receive, maintain, or transmit protected health information (PHI) on a covered entity's behalf. Most estate law practices are neither, and so are not directly regulated by HIPAA.
You are subject to HIPAA as a business associate when you provide legal services to a covered entity and that work involves access to PHI: representing a hospital, a medical practice, or a health plan, for example. In that case HIPAA's Security Rule safeguards and its breach notification rules apply directly to your firm, and you must sign a Business Associate Agreement (BAA) with that client.
The more common scenario is the one that does not trigger HIPAA. When you obtain a decedent's medical records from a physician under an authorization signed by the personal representative, or receive a client's healthcare proxy and medical directives, you are acting for your client, not performing a function on behalf of the provider. The provider's disclosure is governed by HIPAA; your possession of the records is not. Those records are still sensitive personal information under state law and belong under the controls described in this article, but a BAA is neither required nor appropriate for that relationship.
Business Associate Implications
A BAA, together with the HIPAA rules it incorporates, obligates you to:
- Safeguard PHI using administrative, physical, and technical controls.
- Limit access to PHI to staff who need it for the specified purpose.
- Encrypt PHI in transit and at rest. Encryption is an "addressable" specification under the Security Rule rather than a strict mandate, but it is the safeguard every BAA and regulator expects, and properly encrypted PHI that is lost or stolen is not a reportable breach.
- Report security incidents and breaches of unsecured PHI to the covered entity without unreasonable delay and no later than 60 days after discovery; most BAAs shorten this to a few days.
- Implement an audit trail and access logs for all PHI access.
- Make your internal practices, books, and records relating to PHI available to HHS on request.
- Ensure subcontractors that touch PHI (e.g., your IT vendor or cloud host) also sign BAAs.
Business associates are directly liable under HIPAA, not merely by contract. Civil penalties are tiered by culpability, from roughly $100 to more than $50,000 per violation (inflation adjusted), with annual caps per violated provision above $1.5 million. HIPAA itself provides no private right of action, but courts in several states have allowed negligence claims that borrow HIPAA's standards to define the duty of care, so individuals can still sue.
HIPAA's Gaps: Financial Information and State Laws
Here is the practical limitation: HIPAA reaches only PHI held by covered entities and their business associates. It does not regulate the financial information, Social Security numbers, tax returns, or bank account numbers an estate practice collects as counsel to a family or fiduciary. An estate practice managing a decedent's financial accounts holds information that HIPAA ignores entirely.
That is where state privacy laws fill the gap. CCPA, CPRA, and state equivalents regulate the full spectrum of personal information: financial accounts, SSNs, dates of birth, and health information (to the extent not covered by HIPAA). By building compliance around state privacy law obligations, you cover both health information (through a BAA if applicable) and financial information (through CCPA/CPRA compliance).
Breach Notification and Incident Response
Breach Definition and Notification Timelines
A breach of personal information, as state notification statutes define it, is the unauthorized acquisition of unencrypted personal information that compromises its security or confidentiality. Not all unauthorized access rises to that level. Most statutes exclude good-faith access by an employee or agent for a legitimate purpose, so an employee who opens the wrong file and neither copies nor forwards it has likely not caused a notifiable breach. An external attacker who exfiltrates client SSNs has. Two points matter for security planning. First, the encryption safe harbor in most states means a lost laptop or stolen backup is not a notifiable breach if the data was encrypted and the key was not also compromised, which is the strongest practical argument for encrypting everything at rest. Second, deciding whether data was actually acquired depends on logs showing what was accessed; a firm with no logging usually has to assume the worst and notify everyone.
State laws define breach thresholds and timelines. Most require notification in the most expedient time possible and without unreasonable delay; a growing number add a hard outer limit, typically 30 to 60 days after discovery. The notification must be in writing (unless the state permits email or substitute notice) and must include:
- Description of the breach and what information was affected.
- Timing of the breach and when the firm discovered it.
- Contact information for the firm and its counsel.
- Resources the individual can use to protect themselves (credit monitoring, fraud alerts, etc.).
- Description of steps the firm is taking to prevent future breaches.
Notification Requirements and Regulatory Reporting
Notification must reach the affected individual. If the breach affects more than a threshold number of residents in a state (typically 500 or 1,000, depending on the state), you must also notify the state Attorney General. Breaches above roughly 1,000 residents generally require notice to the consumer reporting agencies as well, and a large breach may warrant a press release.
The cost of breach notification is substantial. Forensic investigation to determine what was accessed can run $10,000 to $50,000. Notification to thousands of individuals, including written notice, credit monitoring offers, and call center support, can easily exceed $100,000 on its own. Legal review and outside counsel hours add more. Even a breach affecting a few hundred individuals can exceed $200,000 in direct costs once forensics, counsel, and notification are combined, before any litigation expenses or insurance deductibles.
Class Action Litigation and Exposure
Breaches trigger class action litigation. Even if the individuals incur no direct financial loss, they can argue they suffered injury from the increased risk of identity theft and the value of their personal information. Class actions in data privacy cases have recovered tens of millions of dollars. Your liability insurance may provide coverage, but often with high deductibles, exclusions, and limits.
The lesson: invest in prevention. A $10,000 investment in encryption, access controls, and vendor audits is far cheaper than a $200,000 breach response.
SOC 2 Compliance and Audit Framework
SOC 2 Certification: What It Is and Why It Matters
SOC 2 is a third-party attestation framework administered by the American Institute of Certified Public Accountants (AICPA). A licensed CPA firm examines an organization's controls against the Trust Services Criteria, which cover five categories: security (required in every SOC 2 examination), availability, processing integrity, confidentiality, and privacy (each optional and included only if in scope). The result is a report, SOC 2 Type I or Type II, describing the controls the organization has implemented and, for Type II, whether they operated effectively over the audit period. It is an attestation report, not a certification; there is no SOC 2 certificate. When a vendor says it is "SOC 2 certified," ask for the report and check its date, which criteria were in scope, and any exceptions the auditor noted.
SOC 2 is not a legal requirement for most estate practices. But it is becoming a de facto market standard. Insurance carriers increasingly ask for a SOC 2 report as a condition of coverage or renewal. Clients (especially institutional clients or those subject to their own regulatory requirements) demand SOC 2 reports from the firms and vendors that handle their data. Regulators and courts do not treat SOC 2 as a safe harbor, but a current report is persuasive evidence that a reasonable security program exists.
Type I vs. Type II Audits: Scope and Cost
A Type I audit evaluates the design of controls as of a single date. A Type II audit tests whether the controls operated effectively over a period, typically 3 to 12 months, demonstrating sustained operation rather than a snapshot.
Type II is the more valuable and more expensive option. A Type II SOC 2 audit typically costs $10,000 to $30,000 depending on the size and complexity of the practice, the scope of systems and processes audited, and the audit firm selected, plus the readiness work (written policies, logging, access reviews, vendor inventories) that must exist before an auditor can test it. The audit involves on-site or remote walkthroughs, interviews with staff, testing of access logs and security controls, and review of incident response procedures. Once completed, the report can be shared under NDA with clients, insurers, and regulators as evidence of a reasonable security program.
For small solo practices, a Type II audit may not be economical. For firms with multiple attorneys, staff, and significant client data volumes, it is an increasingly necessary compliance investment.
Competitive Advantage and Practitioner Reliance
A firm with a current SOC 2 Type II report has a competitive advantage. It can market its security posture to clients, satisfy insurers, and respond to regulatory scrutiny if a breach occurs. Regulators and courts recognize SOC 2 as meaningful evidence of a reasonable security program. If a breach occurs despite a current SOC 2 report, you can demonstrate that industry-standard controls were in place and operating, which strengthens your defense even though it does not eliminate liability.
Additionally, if your firm uses vendors or integrates with other platforms, those vendors are increasingly requesting your SOC 2 report as evidence that you will handle their data securely. A firm without a SOC 2 report may find itself locked out of integrations or partnerships.
Practical Compliance Steps for Estate Practices
Data Audit and Inventory
Begin with a data inventory. Document what personal information you collect, where it is stored, how long you retain it, and who has access. Create a simple spreadsheet:
- Data type (SSN, financial account, health info, email correspondence, etc.)
- Location (email, file server, cloud storage, practice management system, physical files, etc.)
- Volume (approximate number of client records or files containing that data type).
- Retention period (how long you keep it after a matter closes).
- Access (who in the firm has access, whether access is logged, whether there is a password or encryption).
This inventory is not a regulatory requirement but a foundational management tool. It forces you to confront where sensitive data lives, whether it is encrypted, and whether access is controlled. Many practices discover during this exercise that they are storing years of old files in unencrypted email folders or that administrative staff have unrestricted access to sensitive client data.
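As an added example (not part of the original article and not any vendor's tooling), the following Python script automates the discovery step of the inventory. It walks a directory, finds Social Security numbers, payment card numbers, and ABA bank routing numbers, validates each candidate against the structural or checksum rules those identifiers actually follow so that ticket numbers, phone numbers, and random nine-digit references are not counted, and tallies hits by data type and location while redacting the values themselves. The file names and contents are constructed sample data; the three validation rules (the SSA area/group/serial restrictions, the Luhn check, and the ABA mod-10 checksum) are real. Pointing scan_tree at an exported mailbox or a file share populates the Location and Volume columns of the spreadsheet described above.

```python
"""Added example: PII discovery scanner for the data-inventory step.

Uses only the standard library. The sample files below are constructed for
the demo and contain no real client data.
"""
from __future__ import annotations

import re
import tempfile
from collections import Counter
from pathlib import Path

# Formatted SSN: three groups captured separately so they can be validated.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13-19 digits optionally separated by spaces or dashes (payment cards).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Nine bare digits: routing-number candidates (also catches dash-less SSNs,
# which is why the checksum below decides whether a hit is reported).
ROUTING_RE = re.compile(r"\b\d{9}\b")


def valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject combinations the SSA never issues: area 000, 666 or 900-999,
    group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def routing_ok(digits: str) -> bool:
    """ABA routing number checksum: weights 3,7,1 repeated, sum mod 10 == 0."""
    weights = (3, 7, 1, 3, 7, 1, 3, 7, 1)
    return sum(int(c) * w for c, w in zip(digits, weights)) % 10 == 0


def scan_text(text: str) -> list[tuple[str, str]]:
    """Return (data_type, redacted_value) for each validated identifier."""
    found: list[tuple[str, str]] = []
    for m in SSN_RE.finditer(text):
        if valid_ssn(*m.groups()):
            found.append(("ssn", "***-**-" + m.group(3)))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in ROUTING_RE.finditer(text):
        if routing_ok(m.group(0)):
            found.append(("routing", "*****" + m.group(0)[-4:]))
    return found


def scan_tree(root: Path) -> Counter:
    """Inventory keyed by (data_type, path relative to root) -> hit count.
    Raw values are never stored; only counts and redacted forms are kept."""
    inventory: Counter = Counter()
    for path in sorted(root.rglob("*")):
        if path.is_file():
            text = path.read_text(errors="replace")
            for kind, _redacted in scan_text(text):
                inventory[(kind, path.relative_to(root).as_posix())] += 1
    return inventory


# Constructed sample files: an intake note, an old email export, and a file
# of look-alike numbers that must all fail validation.
SAMPLE_FILES = {
    "intake/jones_intake.txt": "Client SSN 123-45-6789. Bank routing 021000021, card 4111 1111 1111 1111.",
    "email/2014_archive.txt": "Decedent SSN 219-09-9999 per death certificate. Routing 011000015.",
    "misc/false_positives.txt": "Ticket 987-65-4321, phone 555-123-4567, ref 123456789, code 4111 1111 1111 1112.",
}


def demo() -> Counter:
    """Write the sample files to a temporary tree and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_tree(root)


if __name__ == "__main__":
    for (kind, location), n in sorted(demo().items()):
        print(f"{kind:8} {n:3}  {location}")
```

Run it against a copy of the data, on a machine with disk encryption, and treat the output as sensitive: even with values redacted, a list of where SSNs live is a map for an attacker. Regex discovery only sees plain text, so PDFs, scanned images, and Office documents need a text extraction step first; treat the counts as a floor, not a census.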
Written Privacy Policy
Develop a written privacy policy describing what personal information you collect, why, how long you keep it, who can access it, and what security controls protect it. The policy should address:
- What information you collect and from what sources.
- How you use and disclose that information (only for legal services unless required by law, court order, or consent).
- Your data retention practices (e.g., destroy files three years after matter closes, securely delete email).
- Encryption and access controls (all client data encrypted in transit and at rest, access limited to staff needing it, all access logged).
- Third-party service providers and your DPA requirements.
- Your incident response procedures: how you contain and investigate a suspected breach, and how and when you notify affected individuals, regulators, and your insurer.
- Contact information for privacy questions.
This policy serves multiple purposes. It documents your compliance program and demonstrates to regulators and insurers that you have thought through privacy obligations. It guides staff on what they should and should not do with client data. It assures clients that you take their privacy seriously. And it provides the transparency that CCPA/CPRA requires.
Data Retention and Secure Destruction
Establish a data retention schedule tied to the limitation period for malpractice claims and to your state bar's file retention guidance. Malpractice limitation periods run from one to six years depending on the state, often with a discovery rule that delays the clock, and many state bar opinions suggest keeping closed files for a minimum in the five to seven year range. Estate work has a wrinkle: original estate planning documents, trust instruments, and fiduciary accountings may need to outlive the general schedule, so the schedule should distinguish those records from correspondence and working files. Beyond the retention period, keeping files exposes you to breach risk without corresponding legal benefit.
A retention schedule might read: "Client files retained five years after matter closes, then securely destroyed." For paper files, this means shredding through a cross-cut shredder or a licensed document destruction service that provides a certificate of destruction. For digital files, the right method depends on the storage. Multi-pass overwriting tools were designed for magnetic disks; on SSDs and in cloud storage, wear leveling and provider-managed replication mean an overwrite does not reliably reach every copy, and you generally cannot run such a tool against a cloud provider's storage at all. The dependable approach is to keep the storage encrypted from the start (full-disk encryption on laptops and servers, provider-side or client-side encryption with keys you control for cloud storage) and to destroy the key or securely erase the device when the data is retired; for individual files in a cloud service, use the service's deletion function and confirm how long deleted items and prior versions remain recoverable. Simply moving files to the trash leaves them recoverable.
This is not hypothetical. A data breach involving a file from a matter closed 10 years ago raises the question: why were you still storing that? Regulators view indefinite retention skeptically. A defined retention schedule with evidence of secure destruction demonstrates reasonableness.
Additionally, ensure that when you delete files, the associated backups age out as well. Cloud services and backup tools typically retain deleted items and prior versions for a configurable period; verify that your retention schedule accounts for that window and that backup retention is not set to indefinite.
FAQ
How do I know if I am subject to CCPA or CPRA?
If your firm collects personal information from California residents and meets any of these thresholds, you are subject to CCPA/CPRA: (1) annual gross revenues exceeding $25 million (adjusted for inflation); (2) you buy, sell, or share the personal information of 100,000 or more consumers or households per year; or (3) you derive 50% or more of annual revenue from selling or sharing consumer personal information. Most estate practices do not meet any of them. California's separate data security and breach notification statutes apply regardless, and even without California clients you should adopt CCPA/CPRA compliance as a national standard, because other states have enacted similar laws with their own thresholds and because it provides a robust baseline for client data protection.
What counts as personal information under state privacy laws?
Personal information includes any information that identifies, relates to, or could reasonably be linked with a specific individual or household. In estate work, this includes: name, address, phone number, email address, Social Security number, date of birth, driver's license number, financial account numbers, bank routing information, credit card numbers, health information, insurance information, property ownership records, and tax returns. Collecting this data brings it within the scope of CCPA/CPRA and the state equivalents wherever those laws apply to your firm, and within the reach of state data security and breach notification statutes everywhere.
What should I do if a breach occurs?
If you discover a breach or suspected breach, preserve evidence first: isolate affected systems from the network rather than wiping or reimaging them, do not delete logs, and record the date and time of discovery, because the statutory notification clock starts then. Contact your IT vendor or a forensic firm to determine scope, and notify your cyber liability insurance carrier immediately; delays can forfeit coverage, and many policies require you to use the carrier's panel counsel and forensic vendors. Engage outside counsel experienced in breach response; they will guide notification timing, regulatory reporting, and communications. Do not send individual notices before the scope is understood, since premature or inaccurate notices create their own problems, but do not let the investigation drift past the statutory deadline either.
Do I need SOC 2 certification?
SOC 2 is not a legal requirement for most estate practices, but it is increasingly expected by insurance carriers, clients, and service providers. If your firm is growing, has multiple staff members, stores significant volumes of client data, or wants to differentiate itself on security, a Type II SOC 2 audit is a worthwhile investment. For solo practices with limited client data, other compliance steps (data audit, written policy, encryption, vendor oversight) may be sufficient.
Moving Forward
Data privacy obligations for estate professionals go far beyond HIPAA. CCPA, CPRA, and state equivalents impose affirmative compliance duties: documenting what personal information you collect, securing it with encryption and access controls, vetting service providers with DPAs, and responding to breaches within strict timelines.
The good news is that compliance does not require hiring a specialized privacy officer or overhauling your practice overnight. Start with a data audit and inventory. Document your current practices in a written privacy policy. Ensure your service providers have executed DPAs. Implement basic encryption and access controls. Define a retention schedule and secure destruction process. Over time, consider a SOC 2 audit to validate your controls and signal to clients and insurers that you take data security seriously.
Afterpath is SOC 2 Type II certified and encrypts all client data in transit and at rest, so you can focus on delivering estate settlement services without worrying about your clients' sensitive information being exposed. Learn how Afterpath's secure, compliant platform can simplify estate administration while maintaining the highest privacy standards for your clients.