Published on JD Supra on October 22, 2018
Developments in the rules and regulations governing data breaches happen as quickly as you can click through the headlines on your favorite news media site. Now, the American Bar Association (“ABA”) has gotten in on the action and is mandating that attorneys notify current clients of real or substantially likely data breaches where confidential client information is or may be compromised.
On October 17, 2018, the ABA issued Formal Opinion 483, entitled “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (the “Opinion”). The Opinion establishes an ethical obligation for attorneys to notify clients of a data breach or substantially likely breach, and to take other reasonable steps consistent with the Model Rules of Conduct. However, the Opinion noted that not all events will trigger an attorney’s ethical obligations. In fact, the Opinion states that this obligation arises only in connection with:
“a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode”
The ABA noted that law firms, as keepers of highly sensitive information, are attractive targets for hackers. As such, the ABA issued the Opinion as a follow-up to the previously issued Formal Opinion 477, discussed in my previous article, “Before You Hit “Send”: Ensuring Your Attorney-Client Emails Comply with the New ABA Guidance.” But the focus of Formal Opinion 483 is on an attorney’s obligation to monitor and secure electronically stored confidential client information, in addition to related obligations if such data is improperly accessed or breached.
The ABA’s analysis focuses on:
Attorneys also should consider carefully the duty of confidentiality when determining how much and which information to share with law enforcement officials in connection with any suffered breach. The duty to protect sensitive information remains even during a breach, and attorneys should consider: a) whether certain sensitive information would harm a client if it were released to law enforcement officials; b) whether the client would object to the attorney sharing the information; and c) whether divulging the confidential information would, in fact, benefit the client by helping to stop the breach. Overall, the lawyer should disclose only the information which is reasonably necessary to assist law enforcement in stopping the breach or recovering the stolen files.
Based on the ethical obligations set forth above, the ABA confirmed that attorneys have an affirmative duty pursuant to Rule 1.4 (which generally governs attorney-client communications) to notify current clients of a breach or suspected breach. Notification of the breach or suspected breach is integral to keeping a client reasonably informed as to the status of an attorney’s representation of the client and providing the client all relevant information, so that a client can make informed decisions about an attorney’s representation. While not requiring attorneys to notify former clients of data breaches, the ABA noted that an attorney should consider contractual arrangements with previous clients, as well as regulatory or statutory breach notification requirements, in determining whether client notification is merited, so as to limit liability.
Once a decision has been made that a breach or potential breach involves material client information, and the duty to notify has been triggered, the notification must provide sufficient information for a client to make a reasonably informed decision of whether it wants to continue with the representation. Depending on the facts of the breach, the lawyer will need to disclose what it does and does not know about the breach, as well as satisfy the ongoing duty to update a client as the post-breach investigation proceeds.
The Opinion concludes by discussing the need for attorneys experiencing a data breach also to carefully analyze all federal and state regulatory and statutory schemes which may apply to the breach and ensure compliance with those, especially if personally identifiable information was involved in the breach. The ABA further cautioned that compliance with regulatory schemes and compliance with the attorney’s ethical obligations are separate requirements, and satisfying regulatory or statutory obligations does not necessarily ensure ethical obligations are also satisfied (or vice versa).