On October 17, 2018, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility (the “Committee”) issued Formal Opinion 483 (the “Opinion”) entitled Lawyers’ Obligations After an Electronic Data Breach of Cyberattack.
In the Opinion, the Committee addresses an attorney’s ethical obligations when confidential information relating to the representation of a client is exposed as a result of a data breach. The opinion does not discuss other laws that may become implicated as a result of a breach, such as privacy laws or other statutory schemes. The Opinion emphasizes the importance of establishing a response plan in the event of a data breach and analyzes how several of the Model Rules are implicated when an incident occurs or is suspected.
As an initial matter, the Opinion notes that under Model Rule 1.1, “[a] lawyer shall provide competent representation to a client.” In the context of a data breach, competency includes understanding the basic features of the relevant technology used to deliver legal services to clients, and using and maintaining the relevant technologies in a manner that safeguards the property and information to which the lawyer has been entrusted. “A lawyer’s competency in this regard may be satisfied either through the lawyer’s own study and investigation or by employing or retaining qualified lawyer and nonlawyer assistants.”
With respect to what qualifies as a data breach, the Opinion defines it as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”
The lawyer’s obligation to monitor for a data breach are rooted in the lawyer’s obligation to use technology competently as well as the lawyer’s obligation to ensure that all lawyers and staff conform to the rules of professional conduct required under Model Rules 5.1 Comment  and Model Rule 5.3 Comment . A lawyer is obligated to safeguard and monitor a client’s electronically stored information in the same manner as paper files and physical property are secured. As a result, a lawyer may be subject to an ethical violation when he or she does not undertake reasonable efforts to “avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”
Once a breach is either suspected or detected, Model Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate any resulting damages. To avoid any liability, the Committee advises that a lawyer should consider implementing a plan to respond to a data breach before the breach occurs. Irrespective of whether an incident response plan is in place, the Committee requires a lawyer to take prompt action to stop the breach, and to restore all computer operations. The lawyer should evaluate how to prevent a reoccurrence in accordance with Model Rule 1. 6(c), which mandates undertaking “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client.” This is not a strict liability standard, but rather one of “reasonable efforts.” Any investigation into the incident post-breach should amass sufficient information to ensure any intrusion of the system has ceased and evaluate the data lost or compromised.
A lawyer’s obligation to provide notice of a data breach depends on whether the breach involves information from a current and former client. Model Rule 1.4 addresses communications between a lawyer and a current client and requires that a lawyer “shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.” Under this provision, the Committee concluded that an obligation existed requiring a lawyer to communicate with current clients about a data breach. The obligation varies for former clients. Under Model Rule 1.9(c), a lawyer shall not reveal information relating to the representation of a former client. Since the rule does not describe what steps should be taken if information is revealed, the Committee was unwilling to require notice to a former client of a data breach. Nevertheless, the Committee noted that Rule 1.16(d) directs that lawyers return papers and property at the conclusion of a representation, and, as a matter of best practice, that a lawyer should reach an agreement with a former client at the conclusion of the relationship regarding how to handle electronic information in the lawyer’s possession. The Committee noted that the even if the Model Rules are not implicated in the data breach involving the representation of a former client, data privacy laws, common law duties of care or contractual relationships may mandate notice.
In addition, the Committee found that the nature and extent of a lawyer’s communication regarding the data breach depended on the type of breach and the nature of the data compromised. The disclosure must be sufficient to provide the client with enough information to determine what action to take, if any. “[A]s a matter of best practices, a lawyer also should inform the client of the lawyer’s plan to respond to the data breach, from efforts to recover information . . . to steps being taken to increase data security.” Finally, beyond any obligations under the Model Rules, the lawyer should evaluate whether notification is required under a separate statutory or regulatory scheme.
Sanjay Ibrahim serves as the Managing Partner of Parker Ibrahim & Berg LLP, and has served in that capacity since 2011. He chairs the Firm’s Executive Committee and has led the strategic direction of the Firm in its growth from a ...