Lawyers must notify both current and former clients when a data breach occurs involving material client information, according to a formal opinion by the Maine professional ethics commission. The commission’s stance departs from that expressed in earlier issued ABA Formal Opinion No. 483, which requires informing only current clients of a cyberattack. Though the Maine commission agreed with the ABA’s analysis about current clients, Maine’s Board of Overseers of the Bar concluded in its own Opinion No. 220 that the state’s rules caused expanded client notification obligations.
ABA Ethics Panel Encourages, But Does Not Require, Former Client Notification
In its Opinion 483, the ABA Standing Committee on Ethics and Professional Responsibility reviewed Model Rule 1.9 addressing duties to former clients and Rule 1.16 discussing confidentiality of information. It concluded that because neither rule describes what steps a lawyer should take if a breach involved electronic information relating to a former client, the committee would not impose a broad notification requirement. “The Committee is unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice,” the opinion said.
Lawyers should follow, however, best practices in handling clients’ electronic files, which may include adopting document retention schedules, said the Committee. It also cautioned that attorneys may have other obligations under data privacy laws, common law, and contract law that require them to tell former clients if a breach compromised their information. “A prudent lawyer will consider such issues in evaluating the response to the data breach,” the opinion said.
Model Rule Variation Creates Disparate Post-Breach Duty
Like the ABA, Maine’s commission found once a lawyer discovered a breach, the lawyer must notify clients whose confidential information the breach compromised. However, the commission diverged from the ABA opinion regarding former clients. Former clients are “entitled to no less protection and candor than a current client in the case of compromised secrets and confidences,” the state commission said.
In reaching its conclusion, the commission drew upon Maine Rule of Professional Conduct 1.9, which differs from ABA Model Rule 1.9 by stipulating that an attorney should not reveal confidences or secrets of a former client. “The duty of confidentiality survives the termination of the client-lawyer relationship,” the commission said. The lawyer must timely inform a former client if a cyberattack or data breach exposed client confidences, the opinion stated.
The Maine commission agreed with the ABA opinion that lawyers need not tell clients if the breach compromised no confidential information and a cyberattack has not significantly affected their representation. The rules may limit a lawyer’s ethical obligation to reasonable efforts to prevent a reoccurrence, the commission said. For example, a lawyer or her law firm may need to install or update security systems or get added data breach prevention and technology training, the Maine opinion stated.
Detecting and Responding to an Inevitable Breach
“The Maine opinion uses the word ‘when’ and not ‘if’ in reference to cyberattacks,” says John M. Barkett, Miami, FL, cochair of the ABA Section of Litigation’s Ethics & Professionalism Committee. “Attorneys cannot avoid a data breach,” he opines, noting a larger firm may receive hundreds of security penetrations or attempted penetrations per day.
Nicole M. Reid, Orlando, FL, subcommittee cochair of the Section of Litigation’s Professional Liability Litigation Committee agrees, and notes practices of any size can be targets. “Although many solo practitioners and small firm owners think they will never be a likely target of hacking, that is absolutely not the case. Hackers understand that small firms often have less-secure technology measures, and that makes them an easy target,” Reid says.
To detect and minimize data breaches, “train the people who use your systems to recognize how a hacker can gain access and train them to understand when an email is a phishing email,” Barkett suggests. He also encourages attorneys to deploy enhanced security protocols and check in with technology vendors. “Two factor-authentication is something lawyers need to consider. And if you are at a small firm, confirm that your IT vendor is taking steps that permit you to comply with the rules of professional conduct,” Barkett says.
But when a data breach happens, “a lawyer must act reasonably and promptly to stop the breach and to mitigate damage resulting from the breach,” Reid notes. “Generally, the process should include identification and evaluation of the intrusion, suppression of the threat/malware, a determination of what data may have been accessed or compromised, and restoration of the integrity and security of the firm’s network,” she says.
Communicating a Breach to Clients
Additionally, Reid emphasizes the need for effective communication with clients. “If the lawyer has been able to identify what client information was accessed or disclosed, that information should be conveyed. If the lawyer has made reasonable efforts to determine the extent of the information accessed, but has been unable to do so, the client should be advised of that as well,” Reid says.
Lawyers should consider a comprehensive approach to cybersecurity and client notification after a data breach. “You need to look at all facts and circumstances, including the nature of breach, how it happened, and whether it comprises a client’s confidence in your ability to protect them. Lawyers must also look at their individual state ethics rules and opinions to determine their disclosure obligations and discern whether their state follows the guidance from Maine or the ABA,” says Barkett.
Amy Mattson is an associate editor for Litigation News.
Hashtags: #cybersecurity #databreach #cyberattack
- David G. Ries, “2018 Cybersecurity,” TechReport 2018 (Jan. 28, 2019).
- Jason Tashea, “ABA ethics opinion offers guidance on data breaches,” ABA J. (Oct. 17, 2018).
Copyright © 2020, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).