We all know data breaches can impact all of us, regardless of whether we are a Fortune 500 company or a small business. Lawyers, of course, are not immune from data attacks and recent guidance from the American Bar Association Standing Committee on Ethics and Professional Responsibility illustrates how critical it is for lawyers and law firms to be aware of cybersecurity issues and accompanying ethical considerations. See a copy of Formal Opinion 483 here. (Opinion).
The opinion is based on the Model Rules of Professional Conduct and focused on an attorney’s obligations to understand technologies and how they are being used to deliver legal services to clients. Safeguarding confidential information, as well as protecting and monitoring technology and internet resources to prevent a data breach, are an integral part of an attorney’s ethical obligations. The Opinion discussed a lawyer’s duty to undertake reasonable efforts to avoid data loss and/or to detect cyber intrusion. Should a lawyer not undertake that reasonable effort, that is what could give rise to ethics difficulties. The Opinion also focused on “an attorney’s ethical obligations after a data breach, and it addresses only data breaches that involve information relating to the representation of a client.” See p. 2 of the Opinion. The Opinion further defines a data breach to be a data event where client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode. Id. at p. 4.
So what does all this mean for law firms big and small? One suggestion is to have a cybersecurity plan and procedures in place long before the threat of an actual data breach. Identifying what data was compromised, how the breach happened and what notifications, including to clients and former clients, need to take place are all important facts in ensuring that a lawyer is upholding his/her ethical obligations.
We’ve also written before about the options that businesses, and in this case, lawyers and law firms, may consider in order to reduce risk. See Privacy Tip #109 – Cybersecurity Tips for Small (and all) Businesses. Lawyers and law firms may also consider having cyber liability insurance as these policies typically provide external guidance and support, as well as various types of coverage in the event of a data breach.