Lawyers have an obligation to safeguard client data and notify clients of data breaches, and the ABA Standing Committee on Ethics and Professional Responsibility has issued a formal opinion that reaffirms that duty.
In Formal Opinion 483, issued in October, the standing committee also provided new guidance to help attorneys take reasonable steps to meet this obligation.
“Lawyers today face daunting challenges from the risk of data breaches and cyberattacks that can lead to disclosure of client confidences,” says Barbara S. Gillers, chair of the ABA Standing Committee on Ethics and Professional Responsibility. “Formal Opinion 483 offers helpful guidance on how the ABA Model Rules of Professional Conduct should inform lawyers’ approaches to these risks in order to comply with the duty to protect client information.”
This opinion bookends the standing committee’s May 2017 Formal Opinion 477R, which set forth a lawyer’s ethical obligation to secure protected client information when communicating digitally, says Lucian Pera, a partner at Adams and Reese in Memphis, Tennessee, and co-author of an article in the second edition of the ABA Cybersecurity Handbook.
The new formal opinion only discusses breaches of client data, not other data breaches that may also require action on the part of an attorney or firm.
“When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach,” Formal Opinion 483 says.
The ethics opinion implicates Model Rule 1.1 (competence), Model Rule 1.4 (communications), Model Rule 1.6 (confidentiality of information), Model Rule 1.9 (duties to former clients), Model Rule 1.15 (safekeeping property), Model Rule 5.1 (responsibilities of a partner or supervisory lawyer) and Model Rule 5.3 (responsibilities regarding nonlawyer assistance).
Like many legal ethics opinions regarding technology, this opinion does not endorse particular hardware or software but rather presents “reasonable” steps a lawyer could take.
“As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach,” the opinion states. “The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.”
While amorphous to some seeking concrete recommendations, others see this as the indicia of a changing obligation.
“The opinion identifies an emerging legal standard for ‘reasonable’ security that requires instituting a fact-based process for assessing risk, identifying and implementing security measures, verifying effectiveness, and ensuring security measures are continually updated,” says James Walker, partner at the New York City office of Richards Kibbe & Orbe.
The opinion offers flexibility for lawyers to tailor the recommendations to a particular need or potential threats.
The opinion states that these efforts may include restoring or implementing technology systems where it is practical but also declining a technology solution if a task does not require it, taking into account that internet-enabled services could increase a firm’s vulnerabilities.
As the new opinion tries to shed light on a complex topic, some issues are not covered. Experts noted that there remains uncertainty around what an attorney’s obligations are if they aren’t sure that confidential client information was affected during a hack.