In 2018 the ABA released two very significant ethical opinions. One was Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack (Oct. 17, 2018). The other was Formal Opinion 482, Ethical Obligations Related to Disasters (Sept. 19, 2018).
To our surprise, we rarely find CLE attendees who are aware of these opinions. Even those who are aware of them do not seem to know their details or understand their implications. Hence the inspiration for this column. Both opinions should be carefully read by lawyers seeking to understand their ethical duties in the event of a disaster (natural or man-made) or a data breach (which is, of course, a very specific form of a disaster).
Data Breaches and Headless Chicken Mode
In our line of work, we see a lot of law firms that have been breached. “Headless chicken mode” is our name for the reaction of those who have not prepared for a breach—they have no incident response plan. They run in circles, hysterical, with no idea what to do. Sadly, there are a lot of law firms without an incident response plan. A 2018 study by IBM Resilient and the Ponemon Institute revealed that half of all organizations described their incident response plans as informal, ad hoc or completely nonexistent.