A Practice Note discussing attorneys' obligations to protect client data against security breaches under ethical rules, federal laws including the Health Insurance Portability and Accountability Act of 1996, as amended (HIPAA), and Gramm-Leach-Bliley Act (GLBA), and state data breach notification and information security laws. It also discusses the potential applicability of the EU General Data Protection Regulation (GDPR) to law firms. This Note provides guidance for law firms and attorneys on how to comply with their obligations to protect client data.