Duty to Safeguard
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and also often have contractual and regulatory duties to protect confidential information.
Several ethics rules in the ABA Model Rules have particular application to the protection of client information, including competence (Model Rule 1.1), communication (Model Rule 1.4), confidentiality of information (Model Rule 1.6), supervision (Model Rules 5.1, 5.2 and 5.3), and safeguarding property (Model Rule 1.15).
At the ABA Annual Meeting in 2012, the ABA adopted the recommendations of the ABA Commission on Ethics 20/20 on technology and confidentiality. They include:
- An amendment to Comment  to Model Rule 1.1 providing that competence requires knowing and keeping abreast of changes in “the benefits and risks associated with relevant technology…”,
- Addition of section (c) to Model Rule 1.6, requiring attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”, and
- Additions to Comment  to Model Rule 1.6, providing that “reasonable efforts” require a risk-based analysis, with additional details.
A number of ethics opinions, for over a decade, have addressed professional responsibility issues related to security in attorneys’ use of various technologies. Consistent with the Ethics 20/20 amendments, they generally require competent and reasonable safeguards.
A recent opinion on safeguarding client data is ABA Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 2017). While focusing on electronic communications, it also explores the general duties to safeguard information relating to clients in light of current threats and the Ethics 20/20 technology amendments to the Model Rules. Its conclusion includes:
Rule 1.1 requires a lawyer to provide competent representation to a client. Comment  to Rule 1.1 advises lawyers that to maintain the requisite knowledge and skill for competent representation, a lawyer should keep abreast of the benefits and risks associated with relevant technology. Rule 1.6(c) requires a lawyer to make “reasonable efforts” to prevent the inadvertent or unauthorized disclosure of or access to information relating to the representation.
ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 17, 2018), reviews lawyers’ duties of competence, communication, confidentiality, and supervision in safeguarding confidential data and in responding to data breaches. It finds that Model Rule 1.15: Safeguarding Property applies to electronic client files as well as paper client files and requires the care required of a professional fiduciary.
The opinion states that these duties include:
- The obligation to monitor for a breach,
- The duty to stop a breach and restore systems, and
- The duty to determine what happened.
It uses the following definition of a data breach: “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” It is important to note that the terms “security event,” “security incident,” and “data breach” sometimes have different meanings in various security standards and frameworks, laws and regulations, and contracts. It is, accordingly, important to understand the context and any applicable definitions when viewing and using these terms.
Although it does not impose a requirement for an incident response plan, the opinion suggests “as a matter of preparation and best practices” that “lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.”
The opinion finds that attorneys have a duty under Model Rule 1.4 to communicate with current clients concerning a data breach:
Communications between a lawyer and current client are addressed generally in Model Rule 1.4. Rule 1.4(a)(3) provides that a lawyer must “keep the client reasonably informed about the status of the matter.” Rule 1.4(b) provides: “A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.” Under these provisions, an obligation exists for a lawyer to communicate with current clients about a data breach.
Applying Model Rule 1.9(c), the opinion finds no requirement to notify a former client of a breach “as a matter of legal ethics.”
The opinion concludes:
Even lawyers who, (i) under Model Rule 1.6(c), make “reasonable efforts to prevent the unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” (ii) under Model Rule 1.1, stay abreast of changes in technology, and (iii) under Model Rules 5.1 and 5.3, properly supervise other lawyers and third-party electronic-information storage vendors, may suffer a data breach. When they do, they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients “reasonably informed” and with an explanation “to the extent necessary to permit the client to make informed decisions regarding the representation.”
In April 2019, the Maine Professional Ethics Commission issued Opinion #220. “Cyberattack and Data Breach: The Ethics of Prevention and Response” (April 11, 2019). Its conclusions under the Maine Rules of Professional Conduct are the same as ABA Formal Opinion 483, with the exception that it concludes that the duty to notify applies to both current and former clients.
The most recent ethics opinion on data breaches is California Opinion No. 2020-203. Consistent with the ABA and Maine opinions, it concludes that “lawyers have an obligation to conduct a reasonable inquiry to determine the extent and consequences of [a] breach and to notify any client whose interests have a reasonable possibility of being negatively impacted by the breach.” It also concludes that creation of a data breach response plan may be required. The opinion includes four hypotheticals that apply its conclusions to fact situations. It applies to current clients and, referencing the ABA and Maine opinions, notes that it does not address duties to former clients.
The key professional responsibility requirements from the rules and opinions on attorneys’ use of technology are competent and reasonable measures to safeguard client data. This should include an understanding of limitations in attorneys’ knowledge, obtaining appropriate assistance, continuing security awareness, appropriate supervision, and ongoing review as technology, threats, and available safeguards evolve. They also require obtaining clients’ informed consent, in some circumstances, and notifying clients of a breach or compromise. It is important for attorneys to consult the rules, comments, and ethics opinions in the relevant jurisdiction(s).
Common Law and Contractual Duties.
Along with the ethical duties, parallel common law duties are defined by case law in the various states. They include competence, communication, and confidentiality. Breach of these duties can result in a malpractice action.
Instances are increasing where lawyers have contractual duties to protect client data, particularly for clients in regulated industries, such as health care and financial services that have regulatory requirements to protect privacy and security. They frequently include requirements for incident response and notice of security incidents and data breaches.
Attorneys and law firms that have specified personal information about their employees, clients, clients’ employees or customers, opposing parties and their employees, or even witnesses may also be covered by federal and state laws that variously require reasonable safeguards for covered information and notice to affected individuals and sometimes to regulators in the event of a data breach.
More details about attorneys’ duties to safeguard confidential information and complying with them are covered in David G. Ries, “Cybersecurity for Attorneys: Addressing the Legal and Ethical Duties,” Law Practice Today (November 2019).
Complying with the Duties
Understanding all the applicable duties is the first step, before moving to the challenges of compliance by designing, implementing and maintaining an appropriate risk-based cybersecurity program.
A cybersecurity program should cover the core security functions: identify, protect, detect, respond, and recover. There has been an increasing emphasis on detection, response, and recovery in recent years. While detection, response, and recovery have always been important parts of security, they have too often taken a back seat to protection. Since security incidents and data breaches are increasingly viewed as sometimes being inevitable, these other functions have taken on increased importance. Gartner, a leading technology consulting firm, has predicted that by 2020, 60% of enterprises' information security budgets will be allocated for rapid detection and response approaches, up from less than 10% in 2014. Since it’s well into 2020, it will be interesting to see the actual percentages for this year.
Cybersecurity is best viewed as a part of the information governance process, which manages documents and data from creation to final disposition—including security and privacy. Managing and minimizing data is a critical part of information governance, including security, privacy, and records and information management.
Security starts with an inventory of information assets and data to determine what needs to be protected and then a risk assessment to identify anticipated threats to the information assets. The next step is development, implementation, and maintenance of a comprehensive information security program to employ reasonable physical, administrative, and technical safeguards to protect against identified risks.
A comprehensive security program, including incident response, should be based on a standard or framework, like those published by the National Institute for Standards and Technology (NIST) and the International Organization for Standardization’s (ISO). For small and mid-size firms, more basic information is available on the Federal Trade Commission (FTC) website, Cybersecurity for Small Business, and NIST’s Small Business Cybersecurity Corner website.
For incident response, the NIST Cybersecurity Framework includes the core functions: respond and recover (in addition to identify, protect, and detect). Respond includes response planning, communication, analysis, mitigation, and improvements. Recover includes recovery planning, improvements, and communication. The ISO standards include ISO/IEC 27035-2:2016, Guidelines to plan for incident response. More basic guidance is provided in the FTC’s Data Breach Response: A Guide for Business (May 2019) and the U.S. Department of Justice, Cybersecurity Unit’s Best Practices for Victim Response and Reporting of Cyber Incidents (September 2018).
Attorneys and law firms will often need assistance with cybersecurity programs, including incident response because they do not have the requisite knowledge and experience. For those who need assistance, it is important to find an IT consultant with knowledge and experience in security or a qualified security consultant.
Incident Response Plans
The foundation of the respond function is advance planning. This means that attorneys and law firms should have a plan, usually called an incident response plan (IRP). An IRP should broadly cover all kinds of security events, incidents and breaches, including spearphishing, ransomware, business email compromise, insiders accessing data without authorization, a lost or stolen laptop or mobile device, and others.
Preparing processes and technology in advance is necessary for effective incident response. For example, having an inventory of information assets and data, and a data map showing data flow and storage locations, will expedite an incident response. It can be a nightmare to put together when an incident is in progress. Notice requirements should be identified in advance, including the type of covered information, who should be notified, and contact information. In addition, enabling and retaining logs in networks, cloud services, and intrusion detection/prevention software can provide invaluable information, otherwise unavailable, to understand the nature and scope of an incident. Effective backup and business continuity measures are also important.
The IRP should be appropriately scaled to the size of the law practice and the sensitivity of the information. For a solo or very small firm, it may just be some checklists and who to call for what.
The elements of an IRP should include:
- Assign responsibility
- Internal reporting procedures
- Criteria for activating the plan
- Internal personnel and resources
- Alternate communications channels for response
- External resources:
- Data breach lawyer
- Insurance carrier
- Law enforcement
- Digital forensics consultant
- Notice and credit monitoring service provider
- Crisis communications consultant
- Communications plan (internal and external)
- Identify required and optional notice
- Service providers
- Other third parties
- Keep a record of response activities and systems changes
- Preserve digital evidence
- Mitigation: confirm that compromise has been contained and eradicated
- Restore systems
- Practice the incident response plan
- Periodic review and update
IRPs should be flexible. They may not survive first contact with the enemy, but that’s okay. It’s usually better to have to adapt than to have to start from scratch in a panic. Alternates should be included for internal and external personnel and resources in case the primary ones in the plan are unavailable. It’s much easier to move down a list than to scramble for an alternate during an incident.
The plan should identify a full complement of internal and external resources that may be necessary for the most serious incidents or data breaches. It should be scalable so that resources are activated as they are needed. For example, malware on a single laptop may be handled by IT, with notice to management, while a major ransomware infection may require all of the resources in the plan.
The IRP should identify internal personnel who may be necessary for each function in the plan, including management, IT, compliance, security, human resources, finance, marketing, etc. In a small firm, the same person(s) will perform multiple roles. Include complete contact information (e.g., home and cell phone numbers and personal email) in case of an incident at night or during a weekend, or if firm communications are down or compromised. Some laws firms use communications services that can send notices to personal phones and emails – either the entire firm or selected groups.
An experienced data breach lawyer will often serve as a coach or quarterback for an IRP team. In addition to providing legal advice and coordinating response activities, he or she may be able to assist in protecting privilege for some of the information related to the investigation and response.
It’s generally a good idea to contact external resources, like a breach attorney, digital forensics consultant, and law enforcement, in advance, before any incident. Having a working relationship or even just an introduction can make an actual response more effective.
If the firm has an insurance policy that provides or may provide coverage, check the notice requirements in the policy. Policies often require the use of approved service providers, like breach attorneys and digital forensics firms, and may require prior authorization to use an approved provider.
It is sometimes difficult to get prompt and active involvement of the appropriate federal agency (FBI, Secret Service, Department of Homeland Security, etc.) in response to a complaint. They have a priority for national security and heavy caseloads. A good approach is to start with an online complaint to the FBI’s Internet Crime Complaint Center (IC3). This provides an immediate record of the complaint and may start an IC3 analyst on financial account recovery if the details of the transaction are provided on the appropriate online form. A complaint to IC3 can be promptly followed by contacting the appropriate federal agency and state or local law enforcement.
For additional details on incident response plans, see Sharon D. Nelson, David G. Ries, and John W. Simek, “What to Do When Your Data is Breached,” Michigan Bar Journal (September 2018) (an information source for parts of this article).
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and often have contractual and regulatory duties. The safeguards should be included in a risk-based, comprehensive cybersecurity program, including an incident response plan. Attorneys and law firms prepared for a security incident are more likely to survive and limit damage. Those who are unprepared are likely to spend more money, lose more time, and suffer more client and public relations problems.
- American Bar Association, Cybersecurity Legal Taskforce
- American Bar Association, Law Practice Division, including the Legal Technology Resource Center and ABA TECHSHOW
- Cybersecurity and Infrastructure Security Agency (CISA), Technical Approaches to Uncovering and Remediating Malicious Activity (September 2020) (joint advisory by the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States)
- Jason T. Luttgens, Matthew Pepe and Kevin Mandia, Incident Response & Computer Forensics: Third Edition (McGraw-Hill Education, 2014)
- Sharon D. Nelson, David G. Ries and John W. Simek, Locked Down: Practical Information Security for Lawyers, Second Edition (ABA 2016)
- Jill D. Rhodes and Robert S. Litt, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition (ABA 2017), Chp. 14, “Best Practices for Incident Response”
- The Sedona Conference, Incident Response Guide (January 2020)