Lawyers must notify both current and former clients when a data breach occurs involving material client information, according to a formal opinion by the Maine professional ethics commission. The commission’s stance departs from that expressed in the earlier-issued ABA Formal Opinion No. 483, which requires informing only current clients of a cyberattack. Though the Maine commission agreed with the ABA’s analysis about current clients, Maine’s Board of Overseers of the Bar concluded in its own Opinion No. 220 that the state’s rules give rise to expanded client notification obligations.
ABA Ethics Panel Encourages, But Does Not Require, Former Client Notification
In its Opinion 483, the ABA Standing Committee on Ethics and Professional Responsibility reviewed Model Rule 1.9 addressing duties to former clients and Rule 1.16 discussing confidentiality of information. It concluded that because neither rule describes what steps a lawyer should take if a breach involved electronic information relating to a former client, the committee would not impose a broad notification requirement. “The Committee is unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice,” the opinion said.
Lawyers should, however, follow best practices in handling clients’ electronic files, which may include adopting document retention schedules, the Committee said. It also cautioned that attorneys may have other obligations under data privacy laws, common law, and contract law that require them to tell former clients if a breach compromised their information. “A prudent lawyer will consider such issues in evaluating the response to the data breach,” the opinion said.