When Bad Things Happen to Your Data

By Edward McIntyre

Let’s face it—stuff happens!

Someone steals the laptop you use in your practice. Or, finally at home at the end of a horrendous day, you realize you left your smartphone on a restaurant table—and the restaurant is now closed. Or a firm staff employee—in truth, more likely a luddite lawyer—mistakenly opens an attachment to an innocent-looking email. Suddenly you suffer a data breach or other kind of cyber attack.

After the first flush of panic subsides, a nagging question surfaces: do I have any ethical obligations? Quick answer: Yes. At the time of the event. And well before.

We are repositories of vast amounts of client confidential information—from both current and former clients. In this digital world, much of it we store on devices, or we use devices to access storage sites, e.g., the cloud. Those devices make our practices more manageable; enhance client communication; and allow us to be more flexible. But every benefit carries a risk. In short—we have met the enemy and he is us!

The stolen laptop

Does the laptop store client confidential information? Or, even if it does not, do you use it to access client information remotely? Does the laptop require biometric authentication for access? Do you have software on the laptop that allows you remotely to locate it, lock it down and erase everything—wipe it clean? For many of us, likely we don’t have all those safeguards or perhaps any. What then?

First, Rules of Professional Conduct, rule 1.4(a)(3) and Business and Professions Code section 6068, subdivision (m) require lawyers to keep clients “reasonably informed about significant developments” relating to the representation. Although the rule doesn’t define what events qualify as “significant”—it necessarily varies with a client’s needs and the nature of the representation—the misappropriation or compromise of a client’s confidential information or a cyber breach is a “significant event” that the lawyer must communicate to the client.[1]

If the laptop contains client confidential information or could be used to access such information, and does not have protections that give reasonable assurance there has not been, or will not be, a data breach—e.g., biometric authentication for access; ability to locate, lock and wipe it clean; and the lawyer has been able to take such measures promptly after the theft—then the lawyer likely has an obligation to notify clients.

When? As soon as reasonably possible so that the affected clients can take steps to mitigate any harm.

Who? Rule 1.4 and section 6068, subdivision (m) refer to “clients.” But what about former clients if their data, or access to their data, was on the laptop?

Rule 1.6 and Business and Professions Code section 6069, subdivision (e)(1) declare our duty of confidentiality, the most stringent of any jurisdiction. That duty lasts even after the representation ends. Consequently, although rule 1.4 and section 6068, subdivision (m) may refer only to “clients,” the confidentiality obligation we owe to former clients requires the lawyer to notify any former client whose confidential information was likely compromised.

The smartphone

First thing the next morning, the lawyer is on the restaurant doorstep. The manager hands her the phone with the assurance that it was locked in the office safe all night and that no one had access to it. Besides, the phone requires fingerprint authentication to open.

Ethical obligation to notify clients? Likely not; likely no breach of confidential information. Take a deep breath.

The cyber breach/cyber attack

Because a firm-wide cyber breach/cyber attackh has made client confidential information vulnerable and compromised, the same notification obligations that apply to the stolen laptop apply here as well—but now across the whole firm.

So much for post-event obligations. What about before?

Prevention versus cure

Digital technology is ubiquitous, thus increasing the risk of unauthorized access to client confidential information. Rule 1.1 requires that lawyers have the requisite skill to serve clients or consult with another lawyer who is competent. Competence today, however, includes knowing the benefits and risks associated with the technology we use in our practices. Rules 5.1 and 5.3—new in California as of November 2018—require that law firm managers make sure their firms have in effect measures that give reasonable assurance that all firm lawyers and non-lawyer personnel will comply with the Rules of Professional Conduct and the State Bar Act—here the duty of preserving client confidences. What specifically those measures may be varies firm to firm, practice to practice.

Our ethical obligation, however, requires that when bad things happen to our data, we’ve already taken the necessary steps to ensure that our clients and their confidential information is protected. Besides, we will rest a bit easier when stuff happens—because it will.


[1]  Apart from any other statutory obligation to inform clients that their data has been compromised.

Edward McIntyre is a professional responsibility lawyer and co-editor of San Diego Lawyer