Yes, Lawyers Too! ABA Formal Opinion 483 and the Affirmative Duty to Inform Clients of Data Breaches

Oct 22, 2018

By Jennifer Thompson


Developments in the rules and regulations governing data breaches happen as quickly as you can click through the headlines on your favorite news media site.  Now, the American Bar Association (“ABA”) has gotten in on the action and is mandating that attorneys notify current clients of real or substantially likely data breaches where confidential client information is or may be compromised.

On October 17, 2018, the ABA issued Formal Opinion 483, entitled “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (the “Opinion”).  The Opinion establishes an ethical obligation for attorneys to notify clients of a data breach or substantially likely breach, and to take other reasonable steps consistent with the Model Rules of Conduct.  However, the Opinion noted that not all events will trigger an attorney’s ethical obligations.  In fact, the Opinion states that this obligation arises only in connection with:

“a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode”

The ABA noted that law firms, as keepers of highly sensitive information, are attractive targets for hackers.  As such, the ABA issued the Opinion as a follow-up to the previously issued Formal Opinion 477, discussed in my previous article, “Before You Hit “Send”: Ensuring Your Attorney-Client Emails Comply with the New ABA Guidance.”  But the focus of Formal Opinion 483 is on an attorney’s obligation to monitor and secure electronically stored confidential client information, in addition to related obligations if such data is improperly accessed or breached.

The ABA’s analysis focuses on:

  • Model Rule 1.1 – Duty of Competence: This rule and subsequent interpretive comments made it clear that attorneys are required to stay abreast of and to understand current technologies.  The attorney may satisfy this obligation by self-study or by “employing or retaining qualified lawyers and non-lawyer assistants.”  Thus, this duty of competence requires that the attorney appropriately employ technology to safeguard client information from unauthorized access.  In the context of a data breach, the duty of competence requires the attorney to “promptly stop the breach and mitigate damage resulting from the breach.”  While the ABA stops short of dictating how this is to be achieved, it does suggest that the attorney proactively should create and implement an incident response plan containing specific policies and procedures for responding to a data breach.  The Opinion also suggests that the attorney’s activities in mitigating and investigating the breach after resolution are equally important, to ensure that the damage is contained and that measures are implemented to prevent a recurrence.
  • Model Rules 5.1 and 5.3 – Duty to Supervise Lawyers and Staff: Comments to these rules not only obligate managing attorneys in a firm to create appropriate policies to safeguard client information, but also to ensure that all lawyers and staff are following such policies.  Though a subset of the duty of competence in the Opinion, these rules are nonetheless pertinent in the event of a data breach, in that an attorney must ensure it is appropriately supervising all retained data security professionals, as well as requiring all firm personnel to comply with appropriate cybersecurity and technology policies.
  • Model Rule 1.6 – Duty of Confidentiality:  The confidentiality rule requires all attorneys to use reasonable efforts to prevent the unauthorized disclosure of, or inadvertent access to, information pertaining to their representation of a client.  The analysis of what are “reasonable efforts” is fact-based and depends upon: a) the sensitivity of the information; b) the relative effectiveness, cost and difficulty in implementing available safeguards; and c) the effect of the safeguards on the attorney’s ability to represent clients.  Again declining to prescribe required measures, the ABA instead refers to the ABA Cybersecurity Handbook, which discusses an emerging standard for “reasonable” security that rejects specific requirements, and instead suggests a fact-specific analysis of the processes employed by the attorney for data protection that includes:
    • risk assessment;
    • identification and implementation of appropriate security measures to address risks;
    • testing to ensure the effective implementation of the security measures; and
    • continuous updates as technologies and risks evolve.

Attorneys also should consider carefully the duty of confidentiality when determining how much and which information to share with law enforcement officials in connection with any suffered breach.  The duty to protect sensitive information remains even during a breach, and attorneys should consider: a) whether certain sensitive information would harm a client if it were released to law enforcement officials; b) whether the client would object to the attorney sharing the information; and c) whether divulging the confidential information would, in fact, benefit the client by helping to stop the breach.  Overall, the lawyer should disclose only the information which is reasonably necessary to assist law enforcement in stopping the breach or recovering the stolen files.

Based on the ethical obligations set forth above, ABA-confirmed attorneys have an affirmative duty pursuant to Rule 1.4 (which generally governs attorney-client communications) to notify current clients of a breach or suspected breach.  Notification of the breach or suspected breach is integral to keeping a client reasonably informed as to the status of an attorney’s representation of the client and to providing the client all relevant information, so that the client can make informed decisions about the attorney’s representation.  While not requiring attorneys to notify former clients of data breaches, the ABA noted that an attorney should consider contractual arrangements with previous clients, as well as regulatory or statutory breach notification requirements, in determining whether client notification is merited, so as to limit liability.

Once a decision has been made that a breach or potential breach involves material client information, and the duty to notify has been triggered, the notification must provide sufficient information for a client to make a reasonably informed decision of whether it wants to continue with the representation.  Depending on the facts of the breach, the lawyer will need to disclose what it does and does not know about the breach, as well as satisfy the ongoing duty to update a client as the post-breach investigation proceeds.

The Opinion concludes by discussing the need for attorneys experiencing a data breach also to carefully analyze all federal and state regulatory and statutory schemes which may apply to the breach and ensure compliance with those, especially if personally identifiable information was involved in the breach.  The ABA further cautioned that compliance with regulatory schemes and compliance with the attorney’s ethical obligations are separate requirements, and satisfying regulatory or statutory obligations does not necessarily ensure ethical obligations are also satisfied (or vice versa).
