On October 17, 2018, the American Bar Association issued its first formal opinion addressing the obligations of a lawyer who has been the victim of a data breach or cyberattack.
The opinion is Formal Opinion 483, titled “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack”. Before discussing this opinion, it is important to have an understanding of a lawyer’s obligations with regard to her use of technology in providing legal services.
For the last decade, lawyers and the ABA have been grappling with a lawyer’s ethical obligations as they pertain to the constantly evolving use of technology. As noted in Formal Opinion 483, the model rules were amended in 2012 to address the use of technology. These amendments are referred to as the “Technology Amendments” and include the obligation to understand the risks and benefits of relevant technology (Model Rule 1.1) and the obligation to take reasonable measures to prevent inadvertent or unauthorized disclosure of information pertaining to the representation (Model Rule 1.6(c)). They also include the requirement that lawyers ensure their staff is likewise trained to and takes reasonable measures to prevent unauthorized disclosure of or access to this information (Model Rules 5.1 and 5.3).
On May 11, 2017, the ABA issued Formal Opinion 477, titled “Securing Communication of Protected Client Information”. The Committee sought to update the prior rule, Formal Opinion 99-413, which addressed a lawyer’s confidentiality obligations pertaining to emails with clients. While the Committee does not dictate what constitutes reasonable steps a lawyer must or should take to protect sensitive data, it does provide seven considerations to guide lawyers with regard to reasonable steps.
The Committee concludes that “a lawyer may transmit information related to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access.” In practice, there are several ways a lawyer can seek to protect client information from inadvertent disclosure. For example, a lawyer can encrypt emails and attachments, password-protect attachments, or transmit correspondence and attachments using a secure FTP site.
A year and a half later, recognizing that data breaches and cyberattacks have affected and will continue to affect law firms, the Committee issued Formal Opinion 483 to address a lawyer’s ethical obligation if this occurs and information related to representation of a client is compromised. This Opinion picks up where Formal Opinion 477 left off.
For purposes of this opinion, the Committee has defined data breach to mean “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised or where a lawyer’s ability to perform legal services for which the lawyer is hired is significantly impaired by the episode.”
This definition is broad enough to include a number of situations. For example, it could involve a data breach where sensitive client data is exfiltrated from a lawyer’s computer network or a ransomware attack where a lawyer is prohibited from accessing a client’s file. It could also include an attack involving destruction of part or all of a lawyer’s computer network where confidential information is stored, resulting in an inability for the lawyer to access the information necessary to perform legal services.
The Committee concluded, based on the Model Rules discussed above, that “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the Internet, external data sources and external vendors providing services related to data and use of data.”
The Committee clarifies that a breach, or a failure to immediately detect a breach, does not necessarily give rise to an ethical violation if reasonable steps were taken but were evaded by intruders. Instead, an ethical violation may be found when reasonable efforts are not taken and, because they are not taken, a breach occurs or goes undetected for some period of time.
If a breach is suspected or detected, a lawyer must “act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” The Committee recommends having a plan in place to deal with a suspected or actual breach and provides guidance regarding the contents of an incident response plan.
Regardless of whether a plan is in place, “a competent lawyer must make all reasonable efforts to restore computer operations to be able again to service the needs of the lawyer’s clients.” The lawyer must also investigate the breach to determine that it has been stopped and to figure out what information, if any, has been exposed.
Finally, under Model Rule 1.4, a lawyer must notify current clients when “unauthorized release of confidential information could reasonably be viewed as a significant factor in the representation…”
This includes situations where the client’s position or legal matter may be impacted. Interestingly, under Model Rule 1.9, the Committee declines to extend this requirement to former clients. However, the Committee does note that consistent with best practices a lawyer should reach an agreement with the client at the termination or conclusion of representation to determine how to handle the client’s electronic information. Absent an agreement, the Committee encourages lawyers to have a document retention policy, compliant with applicable laws and regulations, and to follow it.
The content of the notice to the client is dependent on the circumstances of the data breach and must be tailored accordingly. It is crucial that the notice provide sufficient information for the client to make an informed decision about what to do next. At a minimum, the lawyer must tell the client what sensitive information may be at risk and how it was believed to have been accessed unless the lawyer is unable to ascertain this information after taking reasonable steps to do so.
While not required, the Committee recommends that the lawyer inform the client of the steps the lawyer is taking to respond to the breach and, where applicable and feasible, recover the data. The lawyer does, however, have an ongoing obligation to keep the client apprised of any material information obtained from the post-breach investigation.
While Formal Opinion 483 does not address the legal obligations a lawyer may have under federal or state privacy and notification laws such as HIPAA or the Gramm-Leach-Bliley Act, or under other statutes such as breach notice statutes that may be implicated, the Committee notes that where personally identifiable information (PII) such as social security numbers is implicated, the lawyer should familiarize herself with the applicable federal and state notification laws. It is crucial that a lawyer who has been the victim of an attack understand and comply with all her legal obligations.