Lawyers’ obligations after an electronic data breach or a cyberattack
Lawyers are increasingly subject to cyber events, including data breaches. In Formal Opinion 483 the ABA Ethics Committee dealt with lawyers’ ethical obligations in connection with a “data breach.” The Committee was careful to limit its opinion to “data breaches” as distinguished from other cyber events: “A data breach for the purposes of this opinion means a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” Id. at 4. The committee identified the following ethical duties regarding data breaches:
1. The duty to monitor for a data breach. Lawyers with managerial and supervisory authority over other lawyers and nonlawyers in a firm have obligations under Rules 5.1 and 5.3 to adopt policies and procedures designed to give reasonable assurances that lawyers and nonlawyers in the firm comply with the obligations of professional conduct, which include the obligations of competency and confidentiality in connection with the use of technology. These obligations mean that “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” Id. at 5. Although lawyers have an ethical obligation to monitor for data breaches, cyber criminals can hide their intrusions, so lawyers do not commit an ethical violation simply because a data breach occurs.
2. Stopping the breach and restoring systems. When a breach occurs, lawyers must act reasonably and promptly to stop the breach and mitigate damages. Because the circumstances of data breaches vary widely, the committee could not give specific guidance on what steps are ethically required. However, it recommended that “lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.” Id. at 6 (emphasis added).
3. Determining what occurred. The general ethical obligations stated above require lawyers to conduct a post-breach investigation to determine what occurred, to ensure that the intrusion has stopped, and to evaluate the extent of loss or disclosure of client data.
4. Confidentiality and disclosure of a data breach to third persons. The opinion discusses the factors that lawyers should consider in determining what constitutes reasonable efforts to protect confidential client information. With regard to disclosure of data breaches to third persons (not the client) such as law enforcement, the opinion indicates that lawyers may have discretion to reveal such information to law enforcement; in exercising this discretion lawyers should consider (i) whether the client would object to the disclosure; (ii) whether the client would be harmed by the disclosure; and (iii) whether reporting the theft would benefit the client by assisting in ending the breach or recovering stolen information. Even then, without consent, the lawyer may disclose only such information as is reasonably necessary to assist in stopping the breach or recovering the stolen information. Id. at 10.
5. Notification to clients. With regard to current clients, the committee advised that lawyers have an ethical duty to inform the clients of a data breach under Model Rule 1.4, dealing with communication to clients, in particular Rules 1.4(a)(3) (the duty to keep clients reasonably informed about the status of the matter) and 1.4(b) (the duty to inform clients of information necessary to make informed decisions).
On the other hand, the Rules of Professional Conduct do not provide any explicit guidance to lawyers about whether a duty to notify former clients of a data breach exists. Accordingly, the Committee was “unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.” Id. at 13.
The committee also discussed the scope of the duty to notify clients:
In a data breach scenario, the minimum disclosure required to all affected clients under Rule 1.4 is that there has been unauthorized access to or disclosure of their information, or that unauthorized access or disclosure is reasonably suspected of having occurred. Lawyers must advise clients of the known or reasonably ascertainable extent to which client information was accessed or disclosed. If the lawyer has made reasonable efforts to ascertain the extent of information affected by the breach but cannot do so, the client must be advised of that fact. Id. at 14.
Best practice, but not necessarily ethical obligation, may require disclosure of other information such as the lawyer’s plan to respond to the data breach, efforts to recover information, and any actions taken to increase security. The duty to communicate requires lawyers to keep clients up to date about material developments post-breach.
6. Breach notification laws. The committee’s opinion was limited to lawyers’ obligations under the Rules of Professional Conduct. The committee noted that all fifty states have breach notification laws and that, depending on the type of information involved in the breach, federal laws such as HIPAA or the Gramm-Leach-Bliley Act may also apply. Id. at 2, 15. Lawyers must consider these laws as well as their ethical obligations when responding to a data breach.
For more information: Nathan M. Crystal