ABA Provides Guidance for Law Firm Data Breaches

Lawyers don’t get a free pass when it comes to data security.  In fact, ethical rules impose a series of obligations on lawyers when they or their firms are subject to a data breach.

In a significant ethics opinion issued last month, Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility provides a detailed roadmap to a lawyer’s obligations to current and former clients when they learn that they – or their firm – have been the subject of a data breach.

Notably, the opinion warns that a lawyer’s compliance with state or federal data security laws does “not necessarily achieve compliance with ethics obligations,” and identifies six ABA Model Rules that might be implicated in the breach of client information.

This opinion follows Formal Opinion 477R, released last year, in which the ABA explained a lawyer’s ethical obligation to secure confidential client data when communicating over the Internet.

The fact that the ABA has issued two formal opinions on the topic of data security in such a short time indicates the importance of ethical principles when lawyers are confronted with the unenviable task of sorting out their own responsibilities in a data breach.

Opinion 483 underscores the fact that law firms, “[a]s custodians of highly sensitive information,” may be “inviting” targets for hackers.

While the opinion is exhaustive, and certainly worthy of a full read, here are our key takeaways from the opinion’s guidance:

  • As part of their duty of competence, lawyers have an obligation to take “reasonable steps” to monitor for data breaches. The opinion defines a “data breach” as an event where “material client confidential information is misappropriated, destroyed, or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”
  • When a breach is detected, a lawyer must act “reasonably and promptly” to stop the breach and mitigate damages resulting from the breach. In order to ensure their ability to do this, lawyers should proactively develop incident response plans that will allow them to respond quickly and appropriately to a data security incident.
  • A lawyer must make reasonable efforts to assess whether any electronic files were, in fact, accessed and, if so, identify them.  This requires a post-breach investigation where the lawyer gathers enough information to determine that the intrusion has been stopped, and then – “to the extent possible” – evaluate the data lost or accessed.  The lawyer must do so in order to allow for full and accurate disclosure to affected clients.
  • Lawyers must then provide notice to their affected clients of the breach “to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.”
  • While stopping short of requiring attorneys to notify former clients of data breaches, the ABA notes that an attorney should consider contractual arrangements with previous clients, as well as regulatory or statutory breach notification requirements in determining whether notification is merited, so as to limit liability. In addition, the ABA encourages law firms to adopt a limited document retention schedule that allows them to reduce the amount of information they keep relating to former clients.
  • The ethical guidelines set forth in the opinion could apply to any client data that may interfere with representation, instead of being expressly limited to only legally protected information such as personally identifiable information (PII) or personal health information (PHI).

The ABA’s opinion is a somber but realistic reminder that lawyers and law firms, like other professionals and businesses that deal with sensitive information, must exercise vigilance when it comes to cybercrime.  But at the same time, the ABA says, lawyers are required to deal not only with the aftermath of a breach but with all the ethical and legal obligations that may come with it.