Cybersecurity and Ethics
What are our professional responsibility obligations when it comes to cyber risk?
Comment [1] to Rules of Professional Conduct, Rule 1.1 (Competence) tells us that the duties set forth in the competence rule require us “to keep abreast of the changes in the law and its practice, including the benefits and risks associated with relevant technology” — emphasis mine.
A survey of current professional literature — indeed, even skimming news media — states the obvious: cyber-attacks are on the rise, even becoming commonplace. At the same time many more of us are practicing remotely — thus using the very technology that cyber-attackers target.
Not surprisingly, lawyers and law firms are frequent victims precisely because we’re thought of as low-hanging fruit — not terribly sophisticated about the technology we use, busy, and repositories of immensely valuable information: about litigation; deals in the works; or patent applications not yet filed, just to pick a few examples. There’s more.
The duty of competence and our obligation to safeguard our clients’ confidences and secrets, which are found at Rule 1.6 of the Rules of Professional Conduct and Business and Professions Code, section 6068, subdivision (e), combine to require us to make reasonable efforts to protect that information from unauthorized disclosure or destruction. This general principle requires that we have at least a basic understanding of the risks posed when we use a given technology and, if necessary, get help from technology experts to assess those risks and to take reasonable steps to prevent data breaches that could — and likely will — harm our clients.
What are some of those “reasonable efforts?”
First, to monitor for data breaches. While we’re not required to become technology experts or master the complexities or deficiencies of the security features of each technology we employ, we owe our clients a duty to develop some basic understanding of the protections those technologies afford, or to consult with someone who knows — e.g., another reasonably skilled lawyer or an information technology consultant. (See California State Bar Formal Opinion Nos. 2012-184 and 2010-179.)
For those of us who are working remotely, reasonable efforts also include ensuring that all data flowing between our remote locations and our firm’s servers or cloud storage is adequately secured. The methods we select reflect an assessment of risk; relative ease of adoption and use; and availability, among other factors.
Primary, however, is the protection of client confidential information. Moreover, the risk-assessment process should be ongoing, because of the evolution of existing technologies, the introduction of new technologies, and the development of new and more creative threats.
What’s our obligation when we detect or suspect a data breach? Act reasonably and promptly to stop the breach. Then do what we can to mitigate the resulting damage. Consider having a data breach plan in place before disaster strikes so that we can respond in a coordinated way to a security incident or cyber intrusion.
Next, we must assess what data was compromised, what electronic files were accessed, and what clients, if any, have been affected. Here again, if we do not have the requisite skill or learning to make such an assessment — I certainly do not — then competence requires that we consult another lawyer or other professional who has that competence. (Rule 1.1(c).)
Then what? Rule 1.4(a)(3) and Business and Professions Code section 6068, subdivision (m) require us to keep our clients “reasonably informed about significant developments” related to the representation. Relevant professional responsibility authorities have uniformly concluded that the misappropriation, destruction, or compromise of confidential client information, or a cyber breach that significantly impairs our ability to provide clients with legal services, is a “significant development” that we must communicate to all affected clients. (See, e.g., ABA Formal Opinion No. 18-483, at p. 10.)
When should we disclose the breach? When a data breach occurs, we must disclose it to affected clients as soon as reasonably possible, so that the clients can then take steps to ameliorate the harm.
What do we tell clients? At a minimum, disclosure includes that there has been unauthorized access to and/or disclosure of client information, or that such unauthorized access or disclosure is reasonably suspected to have occurred. Obviously, the more information we can provide to affected clients, the more readily they can make informed decisions about what they want to do, or should do, next.
Technology has made remote practice possible even during a deadly pandemic. Indeed, remote practice has become increasingly popular, even as we can now return to our “office” offices.
That same technology, however, has likely increased the risk that client confidential information may be compromised, with varying levels of potential damage to clients. Hence, our ethical obligations to anticipate and minimize the risk of cyber intrusion have likewise increased.