The American Bar Association Standing Committee on Ethics and Professional Responsibility published guidance for attorneys in the event they suffer a data breach or cyberattack. "Formal Opinion 483" describes a lawyer’s obligations under the Model Rules of Professional Conduct after an electronic data breach or cyberattack that compromises client data. The committee says lawyers have a duty to notify clients of a breach, under Model Rule 1.4, “in sufficient detail to keep clients ‘reasonably informed,’” and with sufficient explanation “to permit the client to make informed decisions regarding the representation.”
The obligations outlined in the opinion are not new but rather clarify and affirm an attorney’s duties under the existing model rules. The committee’s opinion reviews lawyers’ duties: of competence under Rule 1.1, as informed by Rules 5.1 and 5.3; of confidentiality under Rule 1.6; to inform clients under Rule 1.4; and to safeguard client property under Rule 1.15. The committee also notes that an attorney’s ethical obligations under the Model Rules are distinct from statutory obligations imposed by state or federal laws.
The opinion outlines basic duties for an attorney in the aftermath of a data breach or cyberattack where “material client confidential information” is impacted. A lawyer must first act reasonably and promptly to stop the breach and mitigate its damages. Best practice dictates that a firm have a breach response plan in place with “specific plans and procedures for responding to a data breach.” Important to include in the plan are specific steps to evaluate the impact and scope of a breach immediately after its discovery, with team members assigned to each step and charged with responsibility to execute them, the opinion states.
It's not prescriptive, but it outlines what a proper breach response might include.
Next, an attorney must determine what occurred during the breach. The committee does not differentiate between an attorney’s obligations during a breach involving physical or electronic client files. In both circumstances, an attorney needs to determine whether and which electronic files were accessed, make reasonable efforts to determine what occurred during the breach, gather sufficient information to ensure the intrusion has been stopped, and evaluate — to the extent possible — the data lost or accessed.
Post-breach, the precautions an attorney implemented to prevent a cybersecurity event are reviewed. The duty of confidentiality requires that “a lawyer make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Failure to deploy “reasonable efforts” is a violation of the duty of confidentiality. The committee does not define what reasonable efforts include, but it does offer a nonexclusive list of factors that considers the sensitivity of the breached information, the cost of additional safeguards, and the impact additional safeguards may have on a lawyer’s ability to represent clients, among other factors. The committee points to the ABA Cybersecurity Handbook for “reasonable” security standards and suggests that they include a process-based risk assessment to identify and address vulnerabilities and follow-up procedures to ensure security measures are effectively implemented and updated.
The committee also mentions that the duty of confidentiality does not preclude disclosure of a breach to law enforcement if such a disclosure can meet certain factors that consider the client’s interests.
Lastly, an attorney has an obligation to provide notice of a breach to clients. An attorney must keep clients “reasonably informed” and must “explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.” In addition, lawyers must responsibly hold client “property,” a description the committee says includes client files.
A data breach for which a current client must to be notified is one in which “a client’s interests have a reasonable possibility of being negatively impacted.” The committee outlines two instances that meet this threshold: First, the breach involves the misappropriation, destruction or compromise of client confidential information, and/or the lawyer’s ability to perform the legal services for which the lawyer was hired is significantly impaired by the event. The breach need not have involved material client confidential information to trigger the notification obligation; rather, “substantial likelihood” that material client confidential information was involved is enough.
The obligation to provide notice of a breach to clients, however, only extends to current clients, not former clients. Because the model rules do not include direct guidance on the matter, the committee declined to require notice to former clients.
The opinion closes by clarifying that a lawyer’s post-breach notification obligations are independent of a reasonableness assessment of the lawyer’s efforts to avoid a breach and that specific disclosure requirements will vary based on the type of breach and the nature of the data compromised. Rule 1.4 does require that notice of a breach to a current client include, at a minimum:
- That there has been unauthorized access to or disclosure of the client’s information.
- That unauthorized access or disclosure is reasonably suspected of having occurred. If reasonable efforts have been made to ascertain the extent of information affected, but the extent cannot be determined, the client must be advised of that fact.
Of course, obligations under the "Model Rules of Professional Conduct" are independent of statutory obligations. In the event client data (whether of a current or a former client) is exposed to an outside entity, attorneys should consult state and federal laws that may impose additional obligations, especially if personally identifiable data was breached.
The IAPP created a flowchart from the instructions included in Formal Opinion 483 to guide attorneys through their post-breach obligations. It is intended to be used as a reference and to supplement the ABA’s formal opinion. You can find it here.
If you want to comment on this post, you need to login.