Expanded guidance issued Oct. 17 by the American Bar Association Standing Committee on Ethics and Professional Responsibility reaffirms that lawyers have a duty to notify clients of a data breach, and details the reasonable steps they should take to meet ABA model rules.
Formal Opinion 483 underscores how important it is for lawyers to plan for the possibility of an electronic breach or cyberattack and to understand how the model rules come into play when an incident is either detected or suspected. Specifically, the model rules that might apply cover competence of an attorney, safekeeping of property, communication with clients, confidentiality, and lawyer and nonlawyer oversight related to law practices and firms.
“When a breach of protected client information is either suspected or detected, (the competence rule) requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach,” Formal Opinion 483 says.
“Lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach,” the opinion continues. “The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.”
Last month, the committee issued Formal Opinion 482, which outlines lawyers’ ethical obligations related to disasters, such as recent Hurricanes Florence and Michael. “Lawyers must be prepared to deal with disasters,” Formal Opinion 482 says. “…By proper advance preparation and taking advantage of available technology during recovery efforts, lawyers will reduce the risk of violating professional obligations after a disaster.”