Model Rule Variation Creates Disparate Post-Breach Duty
Like the ABA, Maine’s commission found that once a lawyer discovers a breach, the lawyer must notify clients whose confidential information the breach compromised. However, the commission diverged from the ABA opinion regarding former clients. Former clients are “entitled to no less protection and candor than a current client in the case of compromised secrets and confidences,” the state commission said.
In reaching its conclusion, the commission drew upon Maine Rule of Professional Conduct 1.9, which differs from ABA Model Rule 1.9 by stipulating that an attorney should not reveal confidences or secrets of a former client. “The duty of confidentiality survives the termination of the client-lawyer relationship,” the commission said. The lawyer must timely inform a former client if a cyberattack or data breach exposed client confidences, the opinion stated.
The Maine commission agreed with the ABA opinion that lawyers need not tell clients if the breach compromised no confidential information and a cyberattack has not significantly affected their representation. The rules may limit a lawyer’s ethical obligation to reasonable efforts to prevent a reoccurrence, the commission said. For example, a lawyer or her law firm may need to install or update security systems or get added data breach prevention and technology training, the Maine opinion stated.
Detecting and Responding to an Inevitable Breach
“The Maine opinion uses the word ‘when’ and not ‘if’ in reference to cyberattacks,” says John M. Barkett, Miami, FL, cochair of the ABA Section of Litigation’s Ethics & Professionalism Committee. “Attorneys cannot avoid a data breach,” he opines, noting a larger firm may receive hundreds of security penetrations or attempted penetrations per day.
Nicole M. Reid, Orlando, FL, subcommittee cochair of the Section of Litigation’s Professional Liability Litigation Committee, agrees and notes that practices of any size can be targets. “Although many solo practitioners and small firm owners think they will never be a likely target of hacking, that is absolutely not the case. Hackers understand that small firms often have less-secure technology measures, and that makes them an easy target,” Reid says.
To detect and minimize data breaches, “train the people who use your systems to recognize how a hacker can gain access and train them to understand when an email is a phishing email,” Barkett suggests. He also encourages attorneys to deploy enhanced security protocols and check in with technology vendors. “Two-factor authentication is something lawyers need to consider. And if you are at a small firm, confirm that your IT vendor is taking steps that permit you to comply with the rules of professional conduct,” Barkett says.
But when a data breach happens, “a lawyer must act reasonably and promptly to stop the breach and to mitigate damage resulting from the breach,” Reid notes. “Generally, the process should include identification and evaluation of the intrusion, suppression of the threat/malware, a determination of what data may have been accessed or compromised, and restoration of the integrity and security of the firm’s network,” she says.
Communicating a Breach to Clients
Additionally, Reid emphasizes the need for effective communication with clients. “If the lawyer has been able to identify what client information was accessed or disclosed, that information should be conveyed. If the lawyer has made reasonable efforts to determine the extent of the information accessed, but has been unable to do so, the client should be advised of that as well,” Reid says.
Lawyers should consider a comprehensive approach to cybersecurity and client notification after a data breach. “You need to look at all facts and circumstances, including the nature of the breach, how it happened, and whether it compromises a client’s confidence in your ability to protect them. Lawyers must also look at their individual state ethics rules and opinions to determine their disclosure obligations and discern whether their state follows the guidance from Maine or the ABA,” says Barkett.