Cyberattacks Have Become Commonplace – Know the Ethics of Prevention and Response

Hackers frequently target law firms because of the valuable client data we acquire and retain in the scope of representation (e.g., trade secrets, financial data, and sensitive personal information). For example, in December 2016, a team of three hackers was charged with hacking into at least seven law firms to obtain insider information on merger and acquisition deals. Over eight days, they collected 40 gigabytes of confidential information, guiding an investment strategy that yielded a profit of $4 million.

The construction industry is an equally attractive target for hackers. This is likely because, similar to the legal industry, the construction industry has historically lagged behind other sectors in implementing data-security measures. For example, the Target credit card data breach in 2013, which affected as many as 70 million accounts, was traced back to log-in information held by a HVAC subcontractor that monitored Target’s energy consumption and costs. Brian Krebs, Target Hackers Broke in Via HVAC Company, Krebs on Security (February 14, 2014). After penetrating the HVAC subcontractor’s network, the hackers were able to collect data and acquire credentials for Target-hosted web services dedicated to vendors. The resulting loss to Target following the breach was estimated to be as much as $420 million.

Data breaches are just one of many forms of cyberattacks that law firms or construction companies may fall victim to. Phishing and ransomware are also common occurrences. Phishing is an attempt to obtain sensitive information, such as usernames, passwords, and financial account information through fraudulent electronic communications. Ransomware prevents users from accessing their system or client files and demands a ransom payment to regain access. While cyberattacks vary significantly in methodology, they implicate similar ethical obligations for attorneys regarding prevention and response.

ABA Formal Opinion No. 483 Addresses an Attorney’s Ethical Obligations Once a Cyberattack or Data Breach Has Occurred.

In October 2018, the ABA Standing Committee on Ethics and Professional Responsibility issued guidance explicitly addressing this issue through Formal Opinion No. 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack.”  To date, at least 36 states have adopted the ABA Technology Amendments incorporating the duty of technological competence. Opinion No. 483 interprets and applies the 2012 Technology Amendments to the Model Rules of Professional Conduct and more recent amendments from 2018.

 Opinion No. 483 provides that before a data breach, attorneys have an obligation to:

• Remain up to date on changes in the law and its practice, including the benefits and risks associated with relevant technology;
• Use and maintain technologies in a manner that will reasonably safeguard client data against unauthorized access or loss;
• Make reasonable efforts to monitor technology resources to prevent and detect data breaches; and
• Implement measures giving reasonable assurance that all lawyers, staff, and third-party technology vendors comply with appropriate cybersecurity policies.

After a data breach or cyberattack, an attorney’s ethical obligations require:

• Reasonable and prompt action to stop the data breach and mitigate any resulting damage for the client;
• A post-breach investigation to ensure the intrusion has stopped, evaluate the data lost or accessed, and gather sufficient information to accurately disclose the scope of the breach to affected clients; and
• Compliance with any governing federal or state data-breach notification laws which have been triggered by a cyberattack.

Because the ethical rules vary by jurisdiction, a comparison of the state and Model Rules and review of applicable state laws is recommended to determine your ethical and legal obligations.

Maine Opinion No. 220 Further Clarifies an Attorney’s Ethical Obligations.

In April 2019, Maine became one of the few states to explicitly recommend and expand upon Opinion No. 483 when the Maine Board of Overseers of the Bar Professional Ethics Commission (the “ Maine Commission”) issued Opinion No. 220, “Cyberattack and Data Breach: The Ethics of Prevention and Response.”  Similar to the ABA, the Maine Commission advised that in “the case of a data breach or cyberattack, the standard for measuring ethical conduct is not one of strict liability, but reasonableness.” Law firms are not required to be “invulnerable or impenetrable,” but are obligated to make reasonable efforts to protect client data and prevent unauthorized disclosure. The Maine Commission goes on to explain that “reasonable efforts” include:

• Keeping abreast of practice changes by “seeking education on evolving technology on a regular basis in order to maintain competence in its use”;
• Seeking education on how to evaluate and employ technological safeguards from an expert or associate with another lawyer who is competent;
• Respecting and implementing client standards for data security; and
• The creation of a data-breach response plan to “address known or suspected security breaches, including identification of persons to be notified.”

While associating with the technologically savvy can help meet your ethical obligations, merely teaming up with a millennial does not make the grade.  “All partners or shareholders . . . have an obligation to ensure that there are sufficient internal policies and procedures” to protect client data. This “responsibility is two-fold: (1) supervising the use of technology by lawyers and staff to ensure it is consistent with their training and instruction, and (2) monitoring the status of technology itself in order to reveal attaches and breaches as soon as reasonably detectible.” Even with these safeguards in place, Opinion No. 483 and Opinion No. 220 both acknowledge that attorneys might meet their ethical obligations regarding prevention, yet still fall victim to a data breach.

In the event of a data breach, an attorney’s response should begin with a comprehensive investigation, and may then require notification of breach to the potentially affected client, depending upon the type and nature of the data breach or cyberattack. Both the ABA and the Maine Commission agree that the obligation to notify clients arises when confidences or secrets are exposed, or the breach significantly impairs or impacts the representation of the client. Data need not be lost or stolen; a prolonged disturbance in an attorney’s technology systems could sufficiently prejudice the representation of a client that it triggers an attorney’s notice obligations.

Lawyers are also ethically bound to comply with any notice requirements arising from state or federal law. When governing law or the rules of ethics require disclosure of the data breach to third parties such as law enforcement, an analysis of Rule 1.6 (“Confidentiality of Information”) is first required to determine what, if any, client information an attorney can provide to the investigating authorities.

The ABA and the Maine Commission deviate regarding the requirement for post-breach notice to former clients. In Opinion No. 483, the ABA looked to Rules 1.9 and 1.6 and determined that notice to a former client is not required.  In contrast, in Opinion No. 220, the Maine Commission concluded ”that a former client is entitled to no less protection and candor than a current client in the case of compromised secrets and confidences.” In Maine, therefore, former clients are entitled to the same data breach notifications as current clients. Regardless, in other jurisdictions state law may require notice to former clients, even if the attorney is not otherwise ethically obligated to provide notice.

If confidential client information has not been compromised by the cyberattack, and the representation of the client has not been significantly impacted, “a lawyer’s ethical obligation may be limited to making reasonable efforts to prevent a reoccurrence.”  Preventative measures can include:

• Installing or updating security systems, technologies, or protocols;
• Mandating and/or providing additional training; and
• Hiring outside consultants/experts to assist with future management of the firm’s data resources.

Preventative Measures for Law Firms and Construction Companies.

Ultimately, the solution for law firms and construction companies is largely similar. Both need to budget for and implement security measures that address the ever-evolving threats to the data they control. In addition, businesses in both industries should:

• Purchase cyber insurance to cover costs incurred as a result of data restoration, business interruption, data extortion, or other related losses;
• Implement contract management policies focused on minimum standards for downstream data security provisions;
• Include hold harmless and indemnity clauses in contracts with subcontractors and third-party vendors who store or have access to sensitive data;
• Acknowledge and address its own technological competency, seek training when needed, and collaborate with those more knowledgeable in order to protect the business.