ABA Formal Opinion 483 Suggests that Attorneys Have Certain Obligations to Clients After a Data Breach, But Declines to Propose Detailed Requirements
On October 17, 2018, the American Bar Association's Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483 on a lawyers' obligations after an electronic data breach or cyberattack. This opinion acts as the compliment to Formal Opinion 477R which opines on a lawyer's obligations to safe guard protected information prior to a data breach or cyberattack. Formal Opinion 483 concludes that "lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations" under the ABA Model Rules of Professional Conduct (adopted by most states). But what are the "reasonable steps" an attorney must take? And what form of notification is necessary and when exactly is it required? These questions remain unclear.
Let's dive in:
Formal Opinion 483 focuses on an attorney's ethical obligations after a data breach that relates to the attorney's representation of the client (as opposed to a breach of other material). Specifically, "a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or whether a lawyer's ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode."
The ABA Model Rule of Professional Conduct which governs post-breach requirements is Rule 1.4, requiring lawyers to keep clients "reasonably informed" about the status of a matter and to explain matters "to the extent reasonably necessary to permit a client to make an informed decision regarding representation." Other rules, such as Model Rules 1.1 and 1.6, provide lawyers with requirements prior to the breach, such as requiring lawyers to understand technologies that are being used to deliver legal services to their clients (Rule 1.1) and requiring lawyers to make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client (Rule 1.6).
As an initial matter, Committee states that lawyers have certain obligations to monitor and identify a breach. Relying on Model Rules 5.1 and 5.3 (requiring supervision of law firm staff to conform with the rules) and Model Rule 1.1, the Opinion "concludes that lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data." However, the opinion declines to specify what actions would (or would not) satisfy the "reasonable efforts" requirement.
Even more so, the Committee is quick to note that even if the "reasonable effort" requirement is not satisfied, "an ethical violation does not necessarily occur if a cyber-intrusion or loss of electronic information is not immediately detected." In doing so, the Committee recognizes that cyber criminals are savvy and just as an attorney might not have been able to prevent a cyberattack from occurring in the first place (see Formal Opinion 477R, attorneys not required to be invulnerable or impenetrable), an attorney might not be able to immediately detect a cyber intrusion "despite reasonable or even extraordinary efforts by the lawyer."
After detection of the breach, the Committee opines that Rule 1.1 requires that a "lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach." What specific steps need to be taken to satisfy the requirement? The Committee declines to specify, which is likely because the steps will be highly dependent on what type of data systems the attorney has in place, what type of breach it was, and other entities involved, including authorities. For example, if the breach resulted in the loss of funds that were not being held by the attorney, often the attorney's ability to be involved in the mitigation process, or even learn the details surrounding the loss, is limited.
Instead of outlining what steps need to be taken in response to the breach, the Committee merely states that lawyers should "consider" developing a cyber incident response plan. Such a plan is a good idea, not because having an cyber breach response plan is a requirement, but the plan would seemingly help establish compliance with Rule 1.1 in the event of litigation over a cyber breach. However, if a firm does choose to prepare such a plan, the firm should also be prepared to follow the plan.
What should the attorney suffering a cyber breach do after identification of the breach and "acting reasonably" to stop the breach? The Committee opines that a lawyer should "make all reasonable efforts to restore computer operations to be able again to service the needs of the lawyer's clients." Here the Committee was a more concrete than previously, defining "reasonable efforts" as including, but not limited to, "(i) restoring the technology systems as practical, (ii) the implementation of new technology or new systems, or (iii) the use of no technology at all if the task does not require it." That last item seems like a tall order for this day and age where even the simplest task is done over the internet - right now, the article I'm writing is automatically saved online. Did I need to write the article this way? No. But at this point in Digital Age, it is hard to imagine going back. I could mostly call clients and use my computer primarily for word processing off-line, but I think I would be violating Rule 1.1 if I did so.
Next the Committee states that a lawyer has some obligation to do a post-breach investigation opining that a lawyer "must make reasonable attempts to determine whether electronic files were accessed, and if so, which ones...[and] determine what occurred during the breach." Again the Committee declines to define what the "reasonable attempts" are. Even more importantly, the Committee does not appear to require a lawyer to actually determine what occurred during the breach, just take "reasonable efforts" to make that determination. This is an important distinction because often even forensic investigators cannot determine which of the attorney's many electronic files were accessed in the event of a breach.
The most significant portion of the opinion is on notification post-breach. Specifically, the Committee found that under Rule 1.4, "an obligation exists for a lawyer to communicate with current clients about a data breach" if that breach occurs "involving, or having a substantial likelihood of involving, material client confidential information." This requirement echoes statutes already in place in many states. However, functionally, most attorneys learn of breaches involving current client's confidential information at or around the same time the client learns of the breach. For example, in the now all-too-common fact pattern where an attorney's email is compromised allowing a hacker to send the client fraudulent wire instructions which are seemingly from the attorney. The attorney often discovers this breach when the client tells the attorney about the client's wire transfer based on the fraudulent instructions. Therefore, in this example, the Opinion's notification requirement is seemingly satisfied because the attorney learned of the scam from the client.
With respect to former clients, the Committee was unwilling to require a lawyer to provide notice to a former clients of a security breach. Instead, the Committee encourages lawyers to reach an agreement with clients before the conclusion of representation about how to handle the client's electronic information that is in the lawyer's possession. Certain data privacy laws, including New York Gen. Bus. Law § 899-aa, may require notification of a former client in the event of unauthorized access to specific information.
But now we get to a very interesting element of this opinion, what type of breach triggers the notification requirements. Here, the Committee was very clear that disclosure is "required if material client information was actually or reasonably suspected to have been accessed, disclosed or lost in a breach." So essentially, the fraudulent wire instructions situation mentioned above would require notification, but a ransomware attack where the lawyer was unable to determine what information, if any, was accessed, is not.
Finally, the Committee concludes that "lawyers have a continuing duty to keep clients reasonably apprised of material developments in post-breach investigations affecting the clients' information." However, often, after the client becomes aware of the breach, the client terminates the attorney-client relationship, allegations against the attorney may even be filed. The Opinion is silent on whether the attorney has a "continuing duty" to the now-former client under these circumstances. Since an attorney's duties to former clients are generally fairly limited, it might be reasonable to assume there is no such duty.
This opinion corresponds to similar ethics opinions in many state bar associations. For example, the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility Formal Opinion 2011-200 opines that storage of a client’s confidential material on cloud software is permissible as long as “reasonable safeguards are employed” and that attorneys are permitted to use web-based email, i.e., products such as Gmail, AOL Mail, Yahoo! and Hotmail with certain limitations.
In any event, this Opinion seemingly formalizes a common sense approach to what actually takes place in the event of a cyber breach involving a lawyer i.e. the lawyer notifies identifiable clients specifically affected by the breach and takes reasonable steps to understand and, if possible, remedy the situation. While this new opinion will no doubt be cited by both plaintiffs and defendants in civil actions arising from a lawyer's cyber breach, it will likely not significantly change the claims and defenses with respect to such allegations. It is also important to point out that the proponent of claims arising from a lawyer's failure to timely notify a client of a breach of that client's information would need to establish that there were specific damages arising from the failure to notify. This may be difficult to establish if funds had already been transferred to the cyber scammer at the time the lawyer first became aware of the breach. Further, in many states, a violation of the professional rules by itself does not give rise to a private cause of action. In sum, while a lawyer now has some limited notification requirements for current clients specifically affected by a cyber breach, these requirements are likely not broader than what real-life lawyers experiencing such breaches were already doing to notify their clients.
This article was prepared by Rachel Aghassi of the New York City-based law firm of Furman Kornfeld & Brennan LLP. Rachel is part of a team of 15 lawyers and paralegals devoted to the defense of attorneys and other professionals in malpractice and disciplinary matters, as well as the defense of construction and personal-injury accidents. For more information about the above topic or the authors, please visit: www.fkblaw.com
We trust that the above article was useful and thought-provoking; however, please note that it is intended as a general guide and opinion only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.For more information on LPL coverage generally, contact USI Affinity today.