By David Majchrzak
Law firms of all sizes have increasingly become the subject of cyber attacks. They maintain highly sensitive data, including private information about their clients. They have inside information about businesses, including potential mergers and acquisitions. And they generally store all of this information in a single location. So, as lawyers continue to use electronic means to store and transmit information, they have duties not only to protect their clients’ secrets, but also to respond to attacks.
Following last year’s Formal Opinion 477R, which discussed lawyers’ ethical duties to protect confidentiality when engaging in electronic communications, the American Bar Association recently addressed what should happen when these communications or other information lawyers store and use becomes compromised. Formal Opinion 483 provides that, when “a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their [ethical] obligations.”
Notably, the new California Rules of Professional Conduct that have just become effective on November 1 do not adopt the Model Rules’ comment on the duty of competency that lawyers must understand the risks and benefits associated with relevant technology. But that does not mean the obligation does not exist. The more general obligation that lawyers employ the learning and skill necessary to perform services presumably includes such obligations. This is especially true in the context of cybersecurity given the unchanged duty to preserve client secrets at every peril. So what should lawyers be doing?
First, they have an obligation to monitor for a data breach, particularly one that actually compromises material client confidential information, where information is blocked, or where the infrastructure is destroyed so the lawyer’s ability to use the system is either compromised or destroyed.
Once a breach is detected, lawyers should act diligently to stop it and restore the system. That is, they must “act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” Formal Opinion 483 continues and recommends that lawyers develop an incident response plan in advance to determine the protocol they will follow. Generally, this will involve identifying and evaluating the intrusion, determining what information was accessed or compromised, quarantining affected aspects, destroying the malware, and restoring integrity to the firm’s network. Of course, once these efforts are undertaken, clients should be promptly notified that a breach occurred and how it could impact them.
Outside of their ethical obligations, other laws may dictate what lawyers need to do. For example privacy regulations may provide their own notice and response duties under state breach notification laws, HIPAA, or even the Gramm-Leach Biley Act. These may or may not overlap with the ethical obligations. Lawyers should ensure that they comply with all obligations.
Of course, the ideal situation is to protect data so that a breach does not occur. But even reasonable steps to that end do not guarantee cyber criminals will be unsuccessful. That is, a breach does not necessarily mean that an attorney has violated a duty. The response—or lack thereof—however, could lead to different issues. Lawyers need to respond diligently to these attacks to safeguard against unnecessary, additional problems.
David Majchrzak is an attorney at Klinedinst PC.
This article was originally published in the SDCBA’s “Ethics in Brief” column series.
**No portion of this summary is intended to constitute legal advice. Be sure to perform independent research and analysis. Any views expressed are those of the author only and not of the SDCBA or its Legal Ethics Committee.**