ABA offers guidance on ethical duties, best practices after data breaches

BY KATE GORDON MAYNARD

Lawyers and law firms, just like our clients and other businesses, are the targets of cyberthreats.  Acknowledging this reality, American Bar Association Formal Opinion 483, issued on Oct. 17, reviews lawyers’ ethical obligations to employ reasonable efforts to protect electronic client confidential information and concludes lawyers must make efforts to monitor for and remediate data breaches, and must notify current clients affected by a data breach.

The ABA opinion recognizes the real and evolving challenges of technology and does not impose an absolute obligation to protect data against cyberthreats. Rather, the opinion demands reasonable efforts and offers best practice guidance that may emerge as the standard for lawyer reasonableness.

The opinion addresses obligations relating to data breaches involving the representation of a client. It defines a data breach as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform legal services for which the lawyer is hired is significantly impaired by the episode.”

These two scenarios—the compromise of confidential information and the incapacity of a lawyer to perform work—are distinct, but both implicate duties under Model Rules 1.1 (competence), 1.6 (confidentiality), and 1.4 (communication).

Take reasonable precautions: Obligation to monitor for data breach

Based on Model Rule 1.1’s obligations to be competent in the use of technology, lawyers must employ reasonable measures to protect electronic client confidential information and employ reasonable measures to monitor technology and resources connected to the internet or other external sources.

The opinion cautions that failing to monitor for data breaches or cyber-intrusions would leave discovery to “happenstance.” What constitutes reasonable efforts will differ based on law firm size, the nature of the client information, and the perceived threats. Lawyers and law firms may rely on employees or experts to fulfill this duty, and monitoring may include automated systems.

The opinion acknowledges that cyber-intrusions may not be detected immediately despite reasonable efforts and concludes an ethical violation would occur only if a lawyer fails to employ reasonable means to avoid loss or detect cyber-intrusion and that lack of reasonable efforts is the cause of harm to clients.

Plan ahead: Stopping the breach, restoring systems, determining what occurred

When a data breach is suspected or detected, Model Rule 1.1 requires a lawyer to act reasonably and promptly to stop the breach and mitigate resulting damage. After stopping the breach, a competent lawyer must take all reasonable efforts to restore computer operations to allow for continued service to the needs of the lawyer’s clients. After a breach has been identified, a competent lawyer must also take reasonable efforts to determine what occurred during the data breach. Again, a lawyer may engage experts to fulfill these responsibilities.  

Although the opinion does not prescribe specific reactive steps to be taken when a breach is discovered, it does encourage the development of an incident response plan as best practice. Taking the proactive step of creating an incident response plan allows a lawyer or law firm to thoughtfully establish specific procedures and responsibilities for responding to a data breach.

Most incident response plans will address plans for breach detection, investigation, containment, recovery, and necessary communications. An effective plan will assign roles and responsibilities to response team members and provide contact information for team members and external resources (such as technology vendors and experts, insurance carriers, and law enforcement), who may be necessary for an effective response. Lawyers have been advising clients to develop such plans, and the ABA’s guidance confirms such planning efforts are worthwhile for law firms as well.

An ethical duty to current clients: Notification obligations

Analyzing Model Rule 1.4’s obligations to keep current clients reasonably informed about the status of a matter, the opinion concludes that when a data breach occurs involving the misappropriation, destruction, or compromise of client confidential information, or a cyber-incident significantly impairs a lawyer’s ability to perform the legal services for which the lawyer was hired, a lawyer must notify the affected clients.

Although the opinion does not specify when the communication must occur, it is clear that the lawyer has a continuing obligation to communicate. A lawyer must provide affected clients enough information as reasonably necessary to make informed decisions regarding the representation. Minimum disclosures may include notice that an unauthorized access or disclosure has occurred, or is reasonably suspected; the known or reasonably ascertainable extent to which client information was accessed or disclosed, or the inability to ascertain the extent; and the lawyer’s plans to respond to the data breach.

Notably, the opinion does not extend this notification duty to former clients, concluding the Model Rules do not provide direct guidance on a lawyer’s obligation to notify a former client.  However, the opinion does caution that other duties may mandate notice to former clients.

In the event of a data breach, lawyers must also assess statutory, regulatory, and contractual notification obligations that exist independent of the ethics rules. Such duties may apply to both current and former clients and may be dependent on the nature of the compromised information (such as personal, financial, or health information). The opinion instructs lawyers to consider their ethical notification duties in tandem with these other obligations.

Record retention practices

Although the opinion concludes the ethics rules do not mandate notice to former clients of a data breach, it provides guidance on best practices for handling of electronic information of former clients.  To reduce the amount of former client information a lawyer retains and the potential risk of a future breach affecting that data, best practice is to reach an agreement with the client regarding disposition of such information at the end of a representation and to implement record retention policies.

Kate Gordon Maynard serves as Robinson Bradshaw’s general counsel. She advises the firm on legal issues including ethics and professional responsibility, risk management and compliance, and privacy and cybersecurity.