November 02, 2018

ABA issues new guidance on lawyer obligations after a cyber breach or attack

CHICAGO, Oct. 17, 2018 — The American Bar Association Standing Committee on Ethics and Professional Responsibility released today Formal Opinion 483, which reaffirms the duty that lawyers have to notify clients of a data breach and details reasonable steps for them to take to meet obligations set forth by ABA model rules.

The opinion underscores the importance of lawyers both planning beforehand for an electronic breach or cyberattack and understanding how model rules come into play when an incident is either detected or suspected. Specifically, these ABA Model Rules of Professional Conduct might apply to such an incident:

  • Model Rule 1.1 (competence), which requires lawyers to develop sufficient competence in technology to meet their obligations under the rules after a breach.
  • Model Rule 1.15 (safekeeping property), which requires lawyers to protect trust accounts, documents and property the lawyer is holding for clients or third parties.
  • Model Rule 1.4 (communication), which requires lawyers to take reasonable steps to communicate with clients after an incident.
  • Model Rule 1.6 (confidentiality), which covers issues dealing with confidentiality of the client-lawyer relationship.
  • Model Rule 5.1 (lawyer oversight), which addresses the added responsibilities of a managing partner or supervisory lawyer.
  • Model Rule 5.3 (nonlawyer oversight), which addresses the responsibilities of those in supervisory capacities who are nonlawyers.

“When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach,” Formal Opinion 483 says. “How a lawyer does so in any particular circumstance is beyond the scope of this opinion. As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach. The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.”

The ABA Standing Committee on Ethics and Professional Responsibility periodically issues ethics opinions to guide lawyers, courts and the public in interpreting and applying ABA model ethics rules to specific issues of legal practice, client-lawyer relationships and judicial behavior. Last month, for instance, the committee issued Formal Opinion 482, which outlines the ethical obligations for lawyers related to disasters, such as recent Hurricanes Florence and Michael. Other recent ABA ethics opinions are available on the ABA Center for Professional Responsibility website.

With more than 400,000 members, the American Bar Association is one of the largest voluntary professional membership organizations in the world. As the national voice of the legal profession, the ABA works to improve the administration of justice, promotes programs that assist lawyers and judges in their work, accredits law schools, provides continuing legal education, and works to build public understanding around the world of the importance of the rule of law. View our privacy statement online. Follow the latest ABA news at and on Twitter @ABANews