Attorney Ethical Obligations Following a Data Breach

The practice of law is continually evolving in the digital age, from the digitization of case law to e-filing.  While this evolution provides many benefits, it also presents new risks and threats.  The American Bar Association’s (“ABA“) 2017 Legal Technology Survey Report found that 22% of responding law firms experienced a data breach or cyberattack.  With the existence of these threats, it is vital that attorneys know how to respond to a data breach, and what steps they must take to prevent one in the first place.  Failure to do so could result in a disciplinary violation or malpractice claim.

The ABA recently released Formal Opinion 483 titled, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (the “Opinion“), which examines an attorney’s duties and obligations following a data breach.  The Opinion is based on the ABA Model Rules of Professional Conduct.  Attorneys should also review their local rules for any distinctions.

The Opinion defines a data breach as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”

An attorney’s duties of competence (Model Rule 1.1) and confidentiality (Model Rule 1.6) obligate attorneys to monitor for a data breach, promptly stop the data breach and restore systems, examine what happened during the data breach, and notify affected clients.

Attorneys must competently represent their clients, including by being aware of changes in technology.  Competent attorneys must both understand the technology utilized to serve their clients, and properly manage that technology so client information is reasonably safeguarded. See Model Rule 1.1.  Further, Model Rule 1.6 obligates attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Attorneys need to have policies and procedures in place that give reasonable assurances that all lawyers and staff comply with these Model Rules.  See Model Rules 5.1 and 5.3.  The Opinion concludes that “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.”

Once a data breach has been detected, an attorney should reasonably and promptly stop it, and mitigate any damage from it.  The ABA suggests the adoption of an incident response plan that details the procedures for doing just that.  Attorneys must also undertake reasonable efforts to restore technology systems in order to continue serving their clients’ legal needs.  The ABA recommends retaining an expert to help stop any breach and restore the corresponding computer systems.

A competent attorney must make reasonable efforts to examine what happened during the data breach.  Computer systems should be evaluated to determine what data has been accessed or lost.  This examination is necessary to both understand the extent of the breach, and determine whether clients must be notified of the breach.  The Opinion concludes that notice of a data breach is a vital part of keeping a client reasonably informed.  See Model Rule 1.4.  Therefore, if a data breach results in, or likely will result in, the exposure of confidential client information, then an attorney has a duty to notify the client.  However, the Opinion declined to extend this duty to former clients.

Attorneys may have additional obligations when a data breach occurs.  These obligations include compliance with state breach notification laws, HIPAA or other applicable laws.  For example, in Illinois, entities with access to non-public personal information must comply with the Personal Information Protection Act.  See 815 ILCS 530.  It is best practice to consult any applicable laws to ensure compliance.

ABA Formal Opinion 483 may be viewed here.