On October 17, 2018, the American Bar Association published Formal Opinion 483 (“F.O. 483”) to directly address cyber security for lawyers. Specifically, F.O. 483 provides guidance on “attorney’s ethical obligations when a data breach exposes client confidential information.” As an initial matter, F.O. 483 defines a “data breach” as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” While F.O. 483 provides guidance based on a lawyer’s ethical responsibilities, it is not intended to address “other laws that may impose postbreach obligations, such as privacy laws or other statutory schemes that law firm data breaches might also implicate.”
F.O. 483 is based primarily on two ABA Model Rules.
First, ABA Model Rule 1.1 states “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” In recognizing the impact of technology on the practice of law, F.O. 483 generally requires “lawyers to understand technologies that are being used to deliver legal services to their clients” and compels lawyers and their staff to use this technology to protect their clients’ private information. F.O. 483 provides the following best practices to meet the lawyer’s ethical obligations:
- Monitoring for a Data Breach: F.O. 483 states “lawyers must make reasonable efforts to monitor their technology resources to detect a breach” in order to meet the requirements of Rule 1.1. In other words, F.O. 483 warns that the “potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”
- Stopping the Breach and Restoring the System: F.O. 483 also requires that a “lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” One method to meet this requirement is to adopt an incident response plan before an incident occurs. Relying on the NIST standards, F.O. 483 reminds attorneys that “[o]ne of the benefits of having an incident response capability is that it supports responding to incidents systematically (i.e., following a consistent incident handling methodology) so that the appropriate actions are taken. Incident response plans help personnel to minimize loss or theft of information and disruption of services caused by incidents.”
- Determining What Occurred: F.O. 483 obligates an attorney to “make reasonable attempts to determine whether electronic files were accessed, and if so, which ones” if a breach occurs.
Next, ABA Model Rule 1.6(a) requires that “‘[a] lawyer shall not reveal information relating to the representation of a client’ unless certain circumstances arise.” As for cyber security, F.O. 483 requires an attorney to take “reasonable efforts” to preserve client confidentiality in order to meet their ethical obligations.
Finally, F.O. 483 provides guidance for lawyers on giving notice to current and former clients. Overall, a lawyer has a duty to notify their clients of an unauthorized disclosure of their personal information “irrespective of what type of security efforts were implemented prior to the breach.” As with many data breach laws, F.O. 483 requires the client disclosure “to provide sufficient enough information for the client to make an informed decision as to what to do next, if anything.” The lawyer should also inform the client of the plan to respond to the incident and of the efforts being made to protect the client’s data. F.O. 483 also directs lawyers to evaluate their obligations under state and federal law.
Law firms have been plagued by cyber issues. The ABA’s Formal Opinion concerning a lawyer’s cyber security obligations does not necessarily go beyond the obligations that any other data collector may have. That is, all data collectors, regardless of whether they are lawyers, must take reasonable steps to protect data and provide proper notification if personal data is disclosed without authorization. While these obligations may not go beyond existing state and federal obligations, the Model Rules of Conduct make the analysis of cyber issues slightly different for lawyers, because a cyber security issue may also result in an ethical issue.