Last month, the American Bar Association issued Formal Opinion 483 addressing a lawyer’s obligation after an electronic data breach or a cyberattack.
Under the opinion, a data breach “involves the misappropriation, destruction or compromise of client confidential information, or a situation where a lawyer’s ability to perform the legal services for which the lawyer was hired is significantly impaired by the event.”
When a data breach is detected involving, or likely involving, confidential client information, lawyers have an obligation to notify clients of the breach. They must take reasonable steps to mitigate the breach consistent with ABA Model Rules of Professional Conduct 1.1, 1.4, 1.6, 5.1, and 5.3.
An ethical violation may occur when lawyers don’t employ reasonable steps to “avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort causes a breach.”
Detecting a Data Breach
Lawyers are required to monitor for breaches of client confidentiality, and to act promptly to stop a data breach in order to limit the damage (Rule 1.1).
If a breach is identified, attorneys are obligated to confirm when it has been stopped. To the extent reasonably possible, lawyers must evaluate what data have been breached.
A lawyer isn’t in violation of Rule 1.6 if a reasonable effort was made to prevent a data breach. This obligation includes efforts to monitor for breaches of client confidentiality (ABA Formal Opinion 477R).
Under Rule 1.4(a)(3) and Rule 1.4(b), a lawyer is obligated to notify a current client of a breach of confidential information related to the legal services the lawyer was hired to perform. Notice must be given even if the breach was committed by or through a third-party computer vendor or another service provider (ABA Formal Ethics Opinion 95-398).
Rule 1.9(c) doesn’t describe what steps, if any, a lawyer should take if a former client’s information is revealed. However, Rule 1.16(d) directs lawyers to establish data destruction policies and return “papers and property” to clients at the conclusion of the relationship.
If material client information is suspected to have been the subject of a breach, a lawyer must disclose sufficient information for a client to make an informed decision on what to do next. Information might include the extent of the data impacted, the lawyer’s plans to respond to the breach, and efforts to recover the information.
Lawyers have a duty to keep clients reasonably apprised of material developments in post-breach investigations that are affecting client information.
Law firms should familiarize themselves with the formal opinion and consider developing an incident response plan. Attorneys who have experienced a data breach should review applicable legal response obligations and analyze compliance separately under every relevant law or rule.