Lawyers have to safeguard client data and notify clients of a data breach, and the ABA Standing Committee on Ethics and Professional Responsibility has issued a formal opinion that reaffirms that duty.
In Formal Opinion 483, issued Tuesday, the standing committee also provided new guidance to help attorneys take reasonable steps to meet this obligation.
“Lawyers today face daunting challenges from the risk of data breaches and cyber attacks that can lead to disclosure of client confidences,” says Barbara S. Gillers, chair of the standing committee. “Formal Opinion 483 offers helpful guidance on how the ABA Model Rules of Professional Conduct should inform lawyers’ approaches to these risks in order to comply with the duty to protect client information.”
This opinion builds on the standing committee’s Formal Opinion 477R released in May 2017, which set forth a lawyer’s ethical obligation to secure protected client information when communicating digitally.
“When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach,” Formal Opinion 483 says.
To that end, this week’s new formal opinion only discusses the breach of client data, not other data breaches that may also require action on the part of an attorney or firm.
The ethics opinion implicates Model Rule 1.1 (competence), Model Rule 1.4 (communications), Model Rule 1.6 (confidentiality of information), Model Rule 1.15 (safekeeping property), Model Rule 5.1 (responsibilities of a partner or supervisory lawyer) and Model Rule 5.3 (responsibilities regarding nonlawyer assistance).
Like many ethics opinions regarding technology, this opinion does not endorse particular hardware or software, but rather presents “reasonable” steps a lawyer could take.
“As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach,” states the opinion. “The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.”
These recommendations are to be tailored to a lawyer’s particular needs and potential threats.
The opinion states that these efforts may include restoring or implementing technology systems where it is practical, but also declining a technology solution if a task does not require it. The idea here being that internet-enabled services increase a firm’s vulnerabilities. The opinion also recommends, in a footnote, that firms should have data retention policies that limit their possession of personally identifiable information.
The opinion ends on a somber reminder that even if attorneys follow the Model Rules and make “reasonable efforts” to prevent disclosure and access to client information, they may still experience a data breach. “When they do, they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients ‘reasonably informed’ and with an explanation ‘to the extent necessary to permit the client to make informed decisions regarding the representation,’” the opinion closes.
ABA Journal: “Simulations test law firm system security”
ABA Journal: “Ethics opinions have to reflect the present and future—not the past”