ABA Formal Opinion Discusses Ethical Implications of Data Breaches
October 30, 2018
On October 17, 2018, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion No. 483 addressing lawyers’ and law firms’ professional responsibilities during and after a cyber event. A link to the Opinion can be found here. Although advisory in nature and not binding in a court of law, lawyers would do well to heed the ABA’s advice concerning the ethical risks of being unprepared for or not properly responding to a cyber event.
The Opinion noted that because lawyers and law firms have become “inviting targets for hackers,” all legal practitioners should anticipate becoming the object of cyber-attacks. Given that likelihood, under well-established professional standards concerning client confidentiality and legal competency, lawyers have an ethical duty to undertake “reasonable” efforts to identify, ameliorate, respond to and keep clients informed in the event of a data breach arising in the context of an attorney-client relationship.
Not unexpectedly, the Opinion provides only broad guidance as to what efforts would be considered “reasonable” in a given circumstance. Nevertheless, even though the Opinion is advisory in nature, lawyers, and the insurers who provide them with errors and omissions or cyber coverage, should take note of the ABA’s advice concerning the ethical risks of being unprepared for or not properly responding to a cyber event.
First, according to the Opinion, lawyers have a continuing ethical duty to make reasonable efforts to monitor all technology and data they use in connection with client services in order to identify and prevent inadvertent disclosure or unauthorized access of client information. The Opinion makes clear that an undetected cyber event does not, by itself, necessarily constitute an ethical violation. Rather, an ethical violation would occur if a lawyer failed to take reasonable steps to both avoid and detect the data breach. And while the Opinion does not identify specific measures required to comply with these ethical obligations, it states generally that a lawyer should assess the specific risks presented, implement security measures that address those specific risks and continue to monitor the risks and security to ensure adequate protection over time.
Next, once a data breach occurs, the lawyer is required to act “reasonably and promptly” to stop the breach and mitigate the resulting damage. While there is no one right way to do this, the Opinion recommends lawyers proactively develop incident response plans that set forth how the lawyer/firm will identify an issue, eradicate the problem that led to the breach and prevent it from reoccurring. The Opinion states that, at a minimum, the lawyer must take reasonable steps to restore normal computer operations and determine what files were accessed during the breach.
After the lawyer has evaluated the breach, if it has been determined that material confidential client information has been accessed (or there is a substantial likelihood it was accessed), the lawyer is ethically obligated to inform the client. Notably, according to the Opinion, this ethical notification obligation only runs to current clients – not former clients (though additional disclosure obligations may be required under state and federal laws). The specific information required to be disclosed depends on the breach, but at a minimum the lawyer must provide enough information to the client to allow him or her to make an informed decision on how to proceed. This generally includes that there was unauthorized access and the extent of the access (to the extent known), the plan to respond to the breach and the steps being taken (if any) to increase security. Finally, the Opinion requires that the lawyer keep the client reasonably apprised of material post-breach developments so that the client may determine how, if at all, he or she wishes to proceed with the representation.
There are, of course, many federal and state laws that already govern privacy and data security outside of the attorney-client relationship. Opinion 483 does not supplant those legal obligations. Instead, Opinion 483 is solely addressed to a lawyer’s ethical responsibilities when, in the context of a cyber event, material client confidential information is misappropriated, destroyed or compromised, or where a lawyer’s ability to perform legal services for the client has been significantly impaired. When a client’s interests are implicated, the failure to proactively make a reasonable plan can result not only in financial consequences to a lawyer/firm but to disciplinary action as well.
- Amanda Griner