You've been hacked: Now what?
Lawyers have an obligation to safeguard client data and notify clients of data breaches, and the ABA Standing Committee on Ethics and Professional Responsibility has issued a formal opinion that reaffirms that duty.
In Formal Opinion 483, issued in October, the standing committee also provided new guidance to help attorneys take reasonable steps to meet this obligation.
“Lawyers today face daunting challenges from the risk of data breaches and cyberattacks that can lead to disclosure of client confidences,” says Barbara S. Gillers, chair of the ABA Standing Committee on Ethics and Professional Responsibility. “Formal Opinion 483 offers helpful guidance on how the ABA Model Rules of Professional Conduct should inform lawyers’ approaches to these risks in order to comply with the duty to protect client information.”
This opinion bookends the standing committee’s May 2017 Formal Opinion 477R, which set forth a lawyer’s ethical obligation to secure protected client information when communicating digitally, says Lucian Pera, a partner at Adams and Reese in Memphis, Tennessee, and co-author of an article in the second edition of the ABA Cybersecurity Handbook.
The new formal opinion only discusses breaches of client data, not other data breaches that may also require action on the part of an attorney or firm.
“When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach,” Formal Opinion 483 says.
The ethics opinion implicates Model Rule 1.1 (competence), Model Rule 1.4 (communications), Model Rule 1.6 (confidentiality of information), Model Rule 1.9 (duties to former clients), Model Rule 1.15 (safekeeping property), Model Rule 5.1 (responsibilities of a partner or supervisory lawyer) and Model Rule 5.3 (responsibilities regarding nonlawyer assistance).
Like many legal ethics opinions regarding technology, this opinion does not endorse particular hardware or software but rather presents “reasonable” steps a lawyer could take.
“As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach,” the opinion states. “The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.”
While the opinion may seem amorphous to those seeking concrete recommendations, others see it as an indication of a changing obligation.
“The opinion identifies an emerging legal standard for ‘reasonable’ security that requires instituting a fact-based process for assessing risk, identifying and implementing security measures, verifying effectiveness, and ensuring security measures are continually updated,” says James Walker, partner at the New York City office of Richards Kibbe & Orbe.
The opinion offers flexibility for lawyers to tailor the recommendations to a particular need or potential threats.
The opinion states that these efforts may include restoring or implementing technology systems where it is practical but also declining a technology solution if a task does not require it, taking into account that internet-enabled services could increase a firm’s vulnerabilities.
As the new opinion tries to shed light on a complex topic, some issues are not covered. Experts noted that there remains uncertainty around what an attorney’s obligations are if they aren’t sure that confidential client information was affected during a hack.
“In my opinion, when lawyers cannot determine whether a breach compromised material confidential client information, they must notify the client accordingly because the lawyers’ inability to determine what happened is material to the client,” says Eli Wald, a law professor at the University of Denver Sturm College of Law.
Calling the opinion “the best summary of our learning on this subject at this point,” Pera in Tennessee sees areas where the committee could have gone further.
The opinion declines to extend the same breach notification protections to former clients as current clients because Model Rule 1.9(c) doesn’t have “a black letter provision requiring such notice.”
But the opinion does suggest attorneys come to an agreement with each client about how to handle the client’s information after representation ends. A client may also give informed waiver of these obligations under Model Rule 1.9.
“I’m not sure I agree with them that the ethics rules don’t require the notification to a former client,” says Pera, adding that his former clients would be upset if their information was caught up in a breach but they weren’t informed.
As a precaution, he says that even if the committee is right on this point, lawyers should consider what client information they keep after representation ends.
In a footnote, the opinion recommends that firms should have data retention policies that limit their possession of personally identifiable information.
The document ends with a somber reminder that even if attorneys follow the model rules and make “reasonable efforts” to prevent disclosure and access to client information, they may still experience a data breach.
“When they do, they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients ‘reasonably informed’ and with an explanation ‘to the extent necessary to permit the client to make informed decisions regarding the representation,’ ” the opinion says.