ABA Provides Guidance on Lawyers’ Ethical Obligations after an Electronic Data Breach
The Bencher—January/February 2019
By Kevin F. Brady, Esquire
The famous bank robber Slick Willie Sutton was once asked why he robbed banks in the 1950s, and he responded, “that’s where the money is.” Cyber criminals are no different, except that they target lawyers and law firms instead of banks, because that is where highly sensitive, valuable, and confidential information is located, and many firms have weak cybersecurity.
On October 17, 2018, the American Bar Association issued Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack,” requiring lawyers to take steps to proactively monitor for data breaches and cyberattacks and, if a breach occurs, to take steps to stop the breach, restore the affected systems, determine what happened, and notify clients about the breach and any damage. Opinion 483 defines “data breach” to mean “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”
Under Model Rules 5.1 and 5.3, lawyers with managerial authority have oversight responsibilities to make certain that lawyers and staff in the firm conform to the applicable Rules of Professional Conduct. Those responsibilities include taking reasonable steps “to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” A lawyer runs afoul of these ethical obligations when the lawyer does not make “reasonable efforts” to avoid a breach and “the lack of reasonable effort is the cause of the breach.”
When a data breach or cyberattack is suspected or detected, a lawyer is required to act promptly and reasonably to stop the breach and mitigate its damage. How the lawyer does that is beyond the purview of Opinion 483. However, the opinion states that when lawyers are analyzing how to exercise their ethical responsibilities competently with respect to technology and safeguarding client information associated with the law firm’s technology, lawyers can and should obtain technical advice or associate with another lawyer experienced in this area or with a cyber expert consultant.
As a matter of best practices, Opinion 483 notes that lawyers also should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach. Moreover, “the decision whether to adopt a plan, the content of any plan, and actions taken to train and prepare for implementation of the plan, should be made before a lawyer is swept up in an actual breach.”
Opinion 483 notes that “a competent attorney must make reasonable efforts to determine what occurred during the data breach.” In practice, however, once a breach or cyberattack has occurred, quickly determining what happened, and whether any information compromised by the breach belongs or relates to the representation of a client, can be challenging. Breaches caused by a vendor or services provider may also impose a duty on the lawyer or law firm.
For a post-breach investigation, Opinion 483 notes that the lawyer is required to “gather sufficient information to ensure the intrusion has been stopped and then, to the extent reasonably possible, evaluate the data lost or accessed.” The evidence gathered in a post-breach investigation is critical not only to understand the scope of the incident, but to provide a basis for disclosure to the client consistent with the lawyer’s ethical obligation under Rules 1.4 and 8.4(c).
When a data breach has occurred, not only does the lawyer have an ethical obligation to notify current and former clients, the lawyer also has “a continuing duty to keep clients reasonably apprised of material developments in post-breach investigations affecting the clients’ information.” If personally identifiable information of clients or others is compromised as a result of a data breach, the lawyer should understand their obligations under state and federal breach notification laws, especially with respect to the scope and timing of the notice. Because the disclosure must provide enough information for the client to make an informed decision, the lawyer must gather enough information to satisfy that obligation fully, which may take time. Lawyers may need to notify clients whose information may have been compromised. As part of an initial notification, Opinion 483 recommends that the lawyer “inform the client of the lawyer’s plan to respond to the data breach, including efforts to recover information (if feasible), and steps being taken to increase data security.”
Kevin F. Brady, Esq. is of counsel in the firm of Redgrave LLP in Washington, DC. He is the immediate past president of the Richard K. Herrmann Technology AIC in Wilmington, DE.