I’ve blogged often on a lawyer’s duty to act competently to safeguard client data. Generally, an attorney must take reasonable precautions to protect against inadvertent or unauthorized disclosure of client information. Some of my posts:
- Protecting Client Data
- Encryption & The Evolving Duty to Safeguard Client Information
- The Cloud: What are Reasonable Precautions?
Last month, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 483. It sets out a lawyer’s obligations following an electronic data breach or cyber attack.
The opinion is detailed and technical. It’s worth reading, or, at the very least, sharing with your IT support staff. Also, various outlets have reported on the opinion, including The National Law Review, Louisiana Legal Ethics, and The ABA Journal. I suggest each.
I’m going to try to stick to a summary.
- Prior to a breach, a lawyer has a duty to act competently to safeguard client property and information. This likely includes adopting an “incident response plan” that will kick in once a breach occurs.
- The duty includes an obligation “to monitor the security of electronically stored client property and information.” In other words, there’s a duty to take reasonable efforts to monitor for and detect unauthorized access. This includes reasonable steps to ensure that vendors act in accordance with the lawyer’s professional obligations.
- A breach is not necessarily evidence that the lawyer failed to act competently to safeguard client information.
- If a breach occurs, a lawyer must take reasonable steps to stop it and mitigate the damage that results.
- If a breach occurs, a lawyer must assess its scope. This includes determining what information, if any, was lost or accessed.
- A lawyer must notify current clients if the breach:
  - involves material, confidential client information; or,
  - impairs or prevents the lawyer from representing the client, as would be the case in a ransomware attack.
- Lawyers must be aware that their ethical obligations are independent of any post-breach obligations imposed by law. Compliance with professional obligations is not necessarily compliance with other law, and vice versa.
Again, the full opinion is here.
As usual, I like to analogize to non-tech issues. For instance, when it comes to paper files, most lawyers probably know that there’s a duty to take reasonable safeguards to protect them. Locked file cabinets. Locked rooms. Secure office space.
If a lawyer arrives at work and realizes that the office has been broken into, I imagine the lawyer would intuitively understand the need to determine what, if anything, was viewed or taken. Then, as appropriate, the lawyer would notify clients. I also imagine that the lawyer would replace the broken locks, doors, and windows.
Thus, in my view, the ABA opinion clarifies that the very standards most of us already apply to clients’ paper files also apply to their electronic files.