By Gwenn Barney, White and Williams LLP
Lawyers are advisors and advocates. Clients trust lawyers to preserve secrets, confidential matters that when disclosed could cause financial or reputational damage. A significant element of legal representation involves safeguarding these confidences competently and also acting responsibly if an unauthorized disclosure occurs.
Law firms are prime targets for data breaches because they hold a treasure trove of digital information. On October 17, 2018, the American Bar Association (ABA) issued a new opinion to guide lawyers on their responsibilities to clients in relation to data breaches involving, or having a substantial likelihood of involving, material client information. These responsibilities, laid out in Formal Opinion 483, include monitoring for data breaches, restoring systems after a data breach, conducting post-breach investigations, and informing current clients when a breach occurs. Law firms are expected to develop and implement data privacy and security programs, and, as in other industries, a firm’s management is expected to take an active role in implementing such a program. A failure to do so could result in an ethical violation.
Data Breaches Defined
A data breach is defined in the ABA’s Opinion as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”
Not every cyber event meets this definition of a data breach that triggers a lawyer’s ethical obligations to a client. Only cyber events that compromise material client confidential information, or that significantly impair the lawyer’s ability to perform the legal services for which the lawyer was hired, are considered breaches. Examples of data breaches that would trigger a lawyer’s ethical obligations include theft of a client’s information and a ransomware attack on that information, where no data is necessarily accessed or stolen but the information is rendered inaccessible until a ransom is paid.
Monitoring for Data Breaches
Before a breach even occurs, a lawyer has a responsibility to take action. Lawyers must monitor for data breaches.
The ABA previously opined that lawyers must understand the basic features of relevant technology to competently serve their clients. The ABA now extends this responsibility to the realm of data breaches. Lawyers must use and maintain technologies in a manner that reasonably protects the digital property and information entrusted to them. This competency can be achieved either through a lawyer’s own study or by hiring staff with technological knowledge.
Lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources and external vendors providing services relating to data and the use of data.
There is no ethical violation if a breach or potential breach is not immediately detected, because cyber criminals are skilled at hiding their activity in a system. The key is that a lawyer must make reasonable efforts to monitor their technology for a breach. An ethical violation occurs when reasonable efforts to prevent and detect a breach were not made and a breach results.
Employing Sufficient Security
A lawyer’s duty of confidentiality requires a lawyer to make reasonable efforts to prevent unauthorized access to a client’s information by third parties or inadvertent or unauthorized disclosure of the information by the lawyer.
The ABA Cybersecurity Handbook recognizes that “a legal standard for ‘reasonable’ security is emerging. That standard rejects requirements for specific security measures (such as firewalls, passwords, or the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented and ensure that they are continually updated in response to new developments.”
After a Potential Breach is Detected
When a lawyer discovers that a breach may have occurred, he or she must act reasonably and promptly to stop the breach and mitigate the damage. To this end, the ABA suggests that lawyers develop an incident response plan with specific protocols and procedures for responding to a data breach.
Investigation and Restoration
Under the ethics rules, the lawyer must also make all reasonable efforts to restore computer operations so that work for clients can continue. During this restoration process, a lawyer should evaluate, with the help of technical experts as necessary, exactly what occurred during the breach and how to prevent a recurrence.
The lawyer must make reasonable efforts to ensure the intrusion has been stopped and to determine whether electronic files were accessed, and, if so, which ones. Post-breach investigations are important to understand the scope of the intrusion and allow for accurate disclosure to the client.
Disclosure to Law Enforcement and Clients
Lawyers need to exercise discretion when disclosing information to law enforcement about the data breach. The lawyer must consider whether the client would object to the disclosure, whether the client would be harmed by the disclosure and whether reporting the incident would benefit the client by assisting in ending the data breach or recovering stolen information. Even then, without consent, the lawyer may disclose only information that is reasonably necessary to assist in stopping the breach or recovering the stolen information.
The lawyer has a duty under the ethics rules to keep a client reasonably informed about the status of their matter and to explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation. Under these provisions, an obligation exists for a lawyer to inform current clients about a data breach.
The disclosure must be sufficient to provide enough information for the client to make an informed decision as to what to do next, if anything. The minimum disclosure required is notice that unauthorized access to or disclosure of their information has occurred or is reasonably suspected to have occurred. The lawyer should also inform the client of the extent to which information was accessed. If an attempt to discover the extent of the breach was made, but remains unclear, the lawyer should advise the client of this fact.
As a best practice, a lawyer should also inform his or her client of the plan to respond to the data breach, from efforts to recover information to steps being taken to increase data security.
Lawyers have a continuing duty to keep clients reasonably apprised of material developments in post-breach investigations affecting clients’ information.
The Opinion does not at this time extend the notification requirement to former clients. Lawyers are encouraged, though, to reach an agreement with clients before the conclusion or termination of the attorney-client relationship about how to handle the client’s electronic information in the lawyer’s possession. Absent such an agreement, attorneys are encouraged to adopt and follow a paper and electronic document retention schedule that meets all applicable laws and rules. Though the ethics rule for notifying a client of a breach does not extend to former clients, data privacy laws, common law duties of care, or contractual arrangements with former clients may require disclosure.
Additional post-breach obligations may arise under state breach notification laws and under federal statutes such as HIPAA, the Gramm-Leach-Bliley Act or other statutory schemes, and lawyers should also analyze their responsibilities under any applicable law when informing clients of a breach.
Ethical violations can be the source of court sanctions, lawyer disciplinary actions and malpractice lawsuits. This latest opinion emphasizes the obligations of counsel to clients in terms of the protection of digital information, just as earlier opinions and rules stressed the need for technological competency. Clearly, the excuse of “I’m a lawyer, not a techie” will ring hollow in the digital age.
Gwenn Barney is an associate at White and Williams where she practices in the areas of cyber, general corporate, transactional and securities law.