ABA Issues Formal Opinion on Lawyers’ Obligations After a Data Breach or Cyberattack

On October 17, 2018, the ABA Standing Committee on Ethics and Professional Responsibility issued a formal opinion addressing lawyers’ obligations in the wake of an electronic data breach or cyberattack. See ABA Formal Op. No. 483 (Oct. 17, 2018). Noting that hackers have targetted law firm information systems for cyberattacks in the past, the committee discusses what the ethical obligations of competence, communication, and confidentiality require of lawyers to prevent attacks in the future and to remediate them when they occur.

Competence

Model Rule 1.1 requires a lawyer to competent. To be competent, a lawyer must keep “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” See ABA Model Rule of Prof’l Conduct r. 1.1, cmt. 8. To competently protect against a data breach, a lawyer must employ “reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” ABA Formal Op. No. 483 at 5. Neverthless, the lawyer does not have to undertake “extraordinary efforts”— only “reasonable efforts to avoid data loss” and to “detect cyber-intrusion.” Id. at 6.

One reasonable measure a lawyer should take is to have an “incident response plan.” Id. at 6. While the committee (wisely) doesn’t undertake to give technical advice in this regard, it simply advises that a lawyer must think about how the lawyer will handle an attack before it actually occurs. Among other things to consider, a lawyer should have a plan for promptly stopping the breach and restoring computer operations and client data. Furthermore, a lawyer needs to conduct a reasonable investigation to “determine what occurred during the data breach” and to evaluate “the data lost or accessed.” Id. at 7.

Confidentiality

Model Rule 1.6 requires a lawyer to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” See ABA Model Rule of Prof’l Conduct r. 1.6(c). These efforts should include a process to “assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments.” Id. at 9 (quoting Jill D. Rhodes & Robert S. Litt, The ABA Cybersecurity Handbook at 73 (2d ed. 2018). But, a lawyer’s duty to preserve a client’s confidential information “is not a strict liability standard and does not require the lawyer to be invulnerable or impenetrable.” Id. at 9.

Communication

As to current clients, Model Rule 1.4 requires a lawyer to keep each “reasonably informed” about the status of the client’s matter. See ABA Model Rule 1.4(a)(3). This obligation “would be compromised if a lawyer who experiences a data breach that impacts client confidential information is permitted to hide those events from their clients.” See Formal Op. 483 at 11. The rules thus require full disclosure of the cyberttack to the client.

As to former clients, however, the committee declared that  it “is unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.” Id. at 13. Rather, the committee merely suggests that lawyers should “adopt and follow a paper and electronic document retention schedule, which meets all applicable laws and rules, to reduce the amount of information relating to the representation of former clients that the lawyers retain.” Id. Good advice, perhaps, but that doesn’t provide much help after the virtual cow has left the digital barn.

In my view, this is quite odd advice with regard to former clients. A lawyer should have a duty to inform a former client that the client’s data has been compromised. Only then can the client implement protective measures to avoid or to mitigate any harm that may result from the breach.¹

Conclusion

My takeaway from the opinion is this: a lawyer must exercise reasonable care to avoid and to remediate data breaches. To this end, a lawyer must exercise basic digital hygiene—things like recognizing malicious phishing, using complex passwords, enabling two-factor authentication, and regularly updating software. Moreover, a lawyer must have a reasonable response plan for handling a data breach when it comes. None of these efforts will guarantee against a future cyberattack or the unpleasantness that will follow. But they will help to avoid the added indingnity of a post-breach disciplinary proceeding.