Ethical Roadmap for Data Breach or Cyberattack[1]

ABA Formal Opinion 483 provides a roadmap regarding a lawyer’s ethical obligations following a cyberattack or data breach involving confidential client information, where such information is misappropriated, destroyed or otherwise compromised, or where the data event impairs the lawyer’s ability to perform client services.  The ethical obligations of lawyers following a data breach depend on the lawyer’s role, level of authority, and responsibility in the operation of a law firm.

All lawyers have a duty of competence in understanding technology under Rule 1.1.[2]  Under Rules 5.1 and 5.3, lawyers with managerial authority must adopt reasonable measures to safeguard and monitor the security of electronically stored client information.  A data breach does not necessarily mean that an ethical violation has occurred, given the ingenuity of cyber criminals.  An ethical violation occurs only when an attorney fails to “undertake reasonable efforts to avoid data loss or to detect cyber intrusion, and that lack of reasonable effort is the cause of the breach.”[3]

Once a breach occurs, a lawyer must act both promptly and reasonably to intervene to stop the breach and to mitigate damages.  Having an incident response plan in place is key to addressing the situation in a coordinated manner: to identify the intrusion, assess its scope, determine whether data was accessed or compromised, quarantine threats and prevent exfiltration, and finally, restore the firm’s network.  Id.  Having a predetermined team in place with a process ready to go is recommended, with either the lawyer taking the necessary steps, if competent, or engaging qualified experts.  After a breach, a lawyer should evaluate what steps should be taken to avoid a recurrence.

Mitigating a data breach involves a post-breach investigation to determine what occurred in terms of any data intrusion and loss.  This allows the lawyer to address the duty of confidentiality under Rule 1.6.  The Committee points out that this “is not a strict liability standard and does not require the lawyer to be invulnerable or impenetrable.”[4]  The Opinion also references the ABA Cybersecurity Handbook as to the emerging standard requiring an ongoing risk assessment and mitigation process.  Whether to disclose to law enforcement may depend on the client’s objections, risks to clients, and whether a report would aid in recovery of stolen information.

Finally, the Opinion addresses the nuances of client notification.  Current clients must be advised of a data breach under Rule 1.4 if the breach involves material client confidential information.  The notice must be sufficient to allow a client to decide what to do, if anything.  As to former clients, while there is a duty to protect confidential information, there is no blackletter ethics rule requiring notification; however, lawyers should consider other applicable law, particularly if personally identifiable information is involved.  Lawyers should also follow a document retention policy that reduces the amount of information retained that relates to former clients.

Carole Buckner is a Partner and General Counsel at Procopio, Cory, Hargreaves & Savitch, LLP.

[1] Given the importance and timeliness of cybersecurity-related issues, Ethics in Brief offers this follow-up article to the article “Lawyers Response to Cyber Attacks” appearing in EIB on November 5, 2018.

[2] This article refers to the ABA Model Rules of Professional Conduct.

[3] ABA Formal Op. 483, at 6.

[4] Id. at 9.  

**No portion of this summary is intended to constitute legal advice. Be sure to perform independent research and analysis. Any views expressed are those of the author only and not of the SDCBA or its Legal Ethics Committee.**