The ABA Says Lawyers Have Obligations Before and After a Data Breach
Tuesday, November 6, 2018
American Bar Association on Law Firm Data Breach
Print Mail Download i

In the age of the data breach, lawyers and law firms have a lot in common with comic book superheroes: they are locked in a relentless battle against a cunning, ever-changing threat. This past week, Foley & Lardner experienced a “cyber event,” adding its name to the list of cyber attack victims which, according to Bloomberg Law, includes DLA Piper, Cravath, Swaine & Moore, Weil, Gotshal & Manges, over one third of small and medium-sized firms, and just under one quarter of large firms. Because of this growing and serious threat to the legal profession, the ABA published Formal Opinion 483 to direct attorneys and law firms on how they should handle data breaches before, during, and after an event. In short, lawyers are not expected to be as bulletproof as Superman, but they must take proactive steps to protect sensitive client data and they must disclose material data breaches.

The entire ABA opinion can be accessed here and a summary of the opinion is below.

The ABA states that data breaches pose a “major professional responsibility and liability threat” to the entire legal profession.  It defines a data breach as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”

When there is data breach, attorneys must first comply with state and federal legislation. Next, attorneys must disclose a breach to a current client if (a) that client’s material, confidential information is or reasonably may have been compromised (e.g., unauthorized access, use, theft, or destruction), or (b) the breach has materially disrupted the attorney’s ability to serve the client (e.g., ransomware limiting access to client information for any material amount of time). In essence, lawyers must notify clients when incidents like ransomware materially impair operations—even when there is no evidence of exfilatrated or compromised data.  Here, strong defense mechanisms include up-to-date, accessible, and easily restorable back-ups to fend off disruption of legal services.

What are a lawyer’s ethical duties concerning a data breach?

  • Make reasonable efforts to understand the risks and benefits of technology relevant to the practice of law;

  • Monitor for data breaches;

  • Hold electronic property with the same fiduciary care required of physical property;

  • Implement reasonable precautions to limit vulnerabilities;

  • Act reasonably and promptly to stop a breach and mitigate damage;

  • After a breach, investigate its cause and evaluate notice obligations; and

  • In the case of a data breach that rises to the level of a notice-triggering event, provide current, affected clients with notice of such data breach.

What can lawyers do to prepare for and respond to a data breach?

  • Preemptively develop an incident response plan;

  • Analyze compliance on an ongoing basis;

  • Keep abreast of regulatory and statutory notice requirements;

  • Reach an agreement with clients before conclusion of services, or when client-attorney relationship terminates, about how to handle the client’s electronic information still in attorney’s possession;

  • Absent agreement otherwise, maintain physical and electronic document retention schedules in compliance with applicable rules; and

  • Inform clients affected by a breach about the lawyer’s plan to respond to the incident.

Are there any instances when a lawyer or firm does not have to disclose a data breach?

Notably, Formal Opinion 483 states that lawyers are not required to give notice of a breach to a former client unless black letter law requires otherwise. Similarly, a breach that limits access to information for an immaterial amount of time, or consists of non-confidential or publicly available information, does not rise to the level of a data breach requiring disclosure to a client.

As a best practice, lawyers and firms should be well-versed in local and federal data breach and privacy laws, as those laws may require action where the Rules of Professional Responsibility do not.

Dayle Duran authored this post.

© Copyright 2024 Murtha Cullina

Current Legal Analysis

More from Murtha Cullina

Securities Group News: A Refresher (and update) On Data Privacy Requirements for Investment Advisors in the Commonwealth
by: Anthony R. Leone
New York City Considers Paid Vacation and the Right to Disconnect
by: Salvatore G. Gangemi
January 3, 2019 - Tax Group News: IRS Issues Initial Guidance on Deferral Option for Qualified Equity Grants
by: Marc T. Finer
Connecticut’s Salary History Inquiry Prohibition Effective As Of January 1, 2019
by: Matthew K. Curtin
Federal Court Dismisses Federal Securities Class Action Based on Data Breach
by: Edward B. Whittemore
Ten Things You Should Know About the 2019 Session of the Connecticut General Assembly
by: David J. McQuade
Another HIPAA Breach, Another 6-Figure HIPAA Settlement
by: Daniel J. Kagan
OCR Issues Anticipated RFI on HIPAA Modifications
by: Dena M. Castricone
Can Your Transfer of Family-Owned Business Stock or Assets be Avoided as a Fraudulent Transfer?
by: Michael P. Connolly
A Year-End Estate and Financial Planning Checklist: Make Your List and Check it Twice
by: Lisa P. Staron

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins