Whoops! The New Rules, Law Firms and Cyberattacks

By Edward McIntyre

Macbeth, Duncan and Sara were enjoying a celebratory toast at the Red Coach & Horses when MacTavish, drink in hand, joined them.

“Have you guys seen the news about that major law firm. Had its computer network hacked? Massive embarrassment, for sure.”

Duncan nodded. “I understand the FBI divides law firms into two kinds. Those that’ve been hacked — and those that will be.”

MacTavish laughed and sipped his scotch.

Macbeth cautioned, “Not sure I find much mirth in their misfortune. Not only embarrassing. They have to confront a myriad of liability issues. And think of the ethics nightmare.”

MacTavish looked surprised. “Ethics? How so?”

“Have you looked at the new and revised Rules of Professional Conduct? The ones that just became effective on November 1?”

“Not yet. On my to-do list. But —”

“When you get around to it, take a hard look, for example, at rule 5.1. It’s new in California. We’ve never had anything like it before.”

“What’s it about?”

“It imposes on lawyers with law firm management authority the obligation to ensure that the firm has in effect measures that give reasonable assurance that all the firm’s lawyers comply with the rules. And with the State Bar Act.”

“Seems like a bit of an overreach, but —”

“It also requires lawyers with supervisor authority over another lawyer to make sure that lawyer does the same. Rule 5.3 applies the same obligations to the supervision of non-lawyer personnel, whether employees or not.”

“But what’s all that got to do with a computer hack?”

“I assume we agree that, as lawyers, we possess a vast trove of sensitive and confidential client information. Financial data. Transaction and litigation strategies. Personal information. Perhaps health histories.”

“Sure. Necessary to the practice.”

“Rule 1.6 and 6068(e)(1) require us to hold client confidential information inviolate. At almost any cost.”

“New number, huh. OK, understand that.”

“Further, rule 1.1 requires competence, including — in this digital era — staying knowledgeable about the benefits and risks associated with technology.”

“Well —”

Macbeth held up his hand. “Finally, rule 1.4 requires lawyers keep clients reasonably informed about significant developments related to the representation.”

“All fine. But I was talking about a computer hack —”

Sara smiled as Macbeth nodded to a waiter for another round for the table.

“We were indeed. Let’s start with rules 5.1 and 5.3 — even before any computer breach occurs.”

“If you want.”

“Given the prevalence of cyberattacks, likely firm managers and supervisors have an ethical obligation to ensure the firm has adequate cyber protection already in place — current and updated — to prevent the loss of any client information that rule 1.6 requires the firm’s lawyers keep confidential.”

“Good thing I’m a sole practitioner —”

“A manager of your own firm, in other words.”

“Ouch.”

“In fact, the ABA has said — interpreting Model Rule 1.6 — that our confidentiality duty requires lawyers to take reasonable efforts to prevent unauthorized disclosure or unauthorized access to information relating to client representation.”

Sara spoke, “ABA opinions may become more authoritative guidance in California now that the new rules in many instances track more closely the Model Rules.”

Macbeth nodded. “Good point. But back to MacTavish’s cyber breach. Let’s assume a cyberattack occurs. Rules 1.1 — competence — and 5.1 and 5.3 would also impose a duty to have mechanisms in place to monitor if a data breach was occurring. Or had occurred. And stop it or repair it.”

Sara nodded. MacTavish just stared.

Macbeth continued. “Finally, Rule 1.4 would require a lawyer promptly to notify all the affected clients about any data breach — independently of any obligation that other laws might impose to give notice.”

“Is the State Bar really going to come after me because I don’t have some high-tech cybersecurity setup?”

“It may not. But remember. The Rules of Professional Conduct help define our duty to a client for purposes of a breach of fiduciary claim.”

MacTavish’s eyes widened. “But give me a break, Macbeth. I’m a sole practitioner. I’m not a cyber guy. I can barely use the internet or my computer. What am I gonna do with these new obligations?”

“I understand the problem, MacTavish. We’re a small firm, too. We’re lawyers, not cybersleuths. Fortunately, the rules give an answer.”

“Help me with it.”

“Rule 1.1 states, in effect, that if a lawyer doesn’t have sufficient learning or skill, the lawyer can still provide competent representation — by associating or professionally consulting another lawyer who is competent.”

“So —”

“There are lawyers in this community who, fortunately, are cybersmart. Consult one of them. Get help protecting your clients’ data. Develop and maintain a cyber disaster recovery plan.”

“A what?”

“You’ll see. It can be a bit foreign. But so was the law when we started. And we managed to work our way through it.”

Sara looked away and smiled.

The waiter approached with a full tray.

Editor’s Note: The reference to 6068(e)(1) is to Business and Professions Code section 6068, subdivision (e)(1); the ABA opinion is ABA Formal Opinion 477 (May 11, 2017). In BGJ Assoc. v. Wilson (2004) 113 Cal.App.4th 1217, 1227 the court reiterated that the Rules of Professional Conduct help define the duty component of the fiduciary duty a lawyer owes a client. See also Stanley v. Richmond (1995) 35 Cal.App.4th 1070, 1086-1087; Mirabito v. Liccardo (1992) 4 Cal.App.4th 41, 45.

Edward McIntyre is a professional responsibility lawyer and co-editor of San Diego Lawyer.

No portion of this article is intended to constitute legal advice. Be sure to perform independent research and analysis. Any views expressed are those of the author only and not of the SDCBA or its Legal Ethics Committee.


This article was originally published in the Nov/Dec 2018 issue of San Diego Lawyer.