Last week, the American Bar Association’s (“ABA”) Standing Committee on Ethics and Professional Responsibility (the “Committee”) issued Formal Opinion 483 (the “Opinion”), which sets forth the ABA’s position on lawyers’ obligation to notify clients of data breaches affecting confidential client data. The Opinion outlines certain “reasonable” steps the ABA believes lawyers should take in the context of a data breach in order to meet the obligations set forth in the ABA’s Model Rules of Professional Conduct. It builds on Formal Opinion 477R, published by the ABA in May 2017, which focused on lawyers’ need to secure protected client information when using electronic communications.
The Opinion outlines the present reality that all organizations are likely to be targets for cyber incidents, but particularly law firms, which regularly serve as custodians of highly sensitive client information. The Opinion further highlights several recent data incidents and articles explaining that law firms are specifically targeted for information to exploit in insider trading schemes.
Overall, the Opinion identifies six ABA Model Rules that might be implicated in the context of a data breach:
- Model Rule 1.1: Requires lawyers to “provide competent representation to a client,” including exercising the requisite “legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”
- Model Rule 1.4: Requires, among other things, that lawyers “keep the client reasonably informed about the status of the matter” and to explain matters “to the extent reasonably necessary to permit a client to make an informed decision regarding the representation.”
- Model Rule 1.6: Requires that lawyers “not reveal information relating to the representation of a client unless the client gives informed consent” and “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
- Model Rule 1.15: Requires lawyers to “appropriately safeguard” clients’ documents and property.
- Model Rule 5.1: Requires that lawyers with “managerial authority in a law firm . . . make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.”
- Model Rule 5.3: Requires that lawyers in supervisory capacities “make reasonable efforts to ensure that [any non-lawyer’s] conduct is compatible with the professional obligations of the lawyer.”
While the Opinion focuses on the obligations that are triggered by, and therefore arise following, a data breach, it also discusses routine practices that will help lawyers comply with their ethical obligations. We have outlined several of the key issues and advice presented in the Opinion below:
Definition of a “Data Breach”
The Opinion defines a “data breach” as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” This definition is significant for several reasons. First, it covers only those incidents that misappropriate, destroy or otherwise compromise confidential client information, or that impair the lawyer’s ability to perform legal services. As the Opinion itself acknowledges, “[n]ot every cyber episode experienced by a lawyer is a data breach that triggers the obligations described in this [O]pinion,” and it explains that many cyber events occur daily in lawyers’ offices that do not rise to the level of a “data breach.”
Second, the Opinion distinguishes the scope of this definition from those found in applicable federal regulations and most state breach notification laws. As the Opinion points out, there are potentially both federal and state breach notification laws that require private or governmental entities to notify individuals of breaches involving loss or disclosure of personally identifiable information. These laws typically specify who must comply with the law, define “personal information,” define what constitutes a breach, and set requirements for notice.
Because the triggers for notification under a lawyer’s ethical obligations are likely to vary greatly from the triggers for state and federal breach notification laws, it is likely that a particular data incident could trigger a lawyer’s ethical notification obligations, but not personal information breach notification laws (although it is also possible that both sets of obligations could be triggered for a single breach affecting client data retained by a lawyer).
Obligations Triggered by the Duty of Competence
As outlined above, Model Rule 1.1 requires that lawyers “provide competent representation to a client,” which requires the exercise of the “legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” The ABA’s comments to Model Rule 1.1 make clear that part of this duty of competence requires that lawyers keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. As part of this obligation, the ABA has opined that “lawyers necessarily need to understand basic features of relevant technology . . . . For example, a lawyer would have difficulty providing competent legal services in today’s environment without knowing how to use email or create an electronic document.” Depending on the size and level of sophistication of the firm, this may implicate the lawyers themselves, other non-lawyer staff, or both. Because of this potential scope, the duty of competence as it relates to technical expertise and aptitude might also implicate Model Rules 5.1 and 5.3, which address oversight of other lawyers and non-lawyers.
Specifically, the Opinion sets forth several actions relating to data breaches that might be required to satisfy competence duties, including monitoring for incidents, taking appropriate containment and remediation steps, and appropriately investigating the incident.
System Monitoring Activities
First, the Opinion explains that “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” Absent such monitoring capabilities, a lawyer might not be able to detect a data breach in the first instance, much less assess the firm’s overall compliance with cybersecurity policies and procedures or evaluate whether and to what extent any notification obligations might be triggered. The Opinion explains that these types of monitoring and detection capabilities are not only imputed based on the duty of competence, but are also the electronic analog to the types of protective measures required to appropriately safeguard client property as required by Model Rule 1.15.
Interestingly, the Opinion acknowledges the inherent challenges of detecting and identifying data breaches, explaining that a firm’s failure to immediately detect a security incident, despite the monitoring and detection tools it has in use, does not by itself mean that an ethical violation has occurred. The Committee recognizes that “cyber criminals might successfully hide their intrusion despite reasonable or even extraordinary efforts by the lawyer,” and, therefore, “the potential for an ethical violation occurs when a lawyer does not undertake reasonable efforts to avoid data loss or to detect cyber-intrusion, and that lack of reasonable effort is the cause of the breach.”
Containment and Remediation
Next, the Opinion explains that the duty of competence requires reasonable, prompt action in response to an actual or suspected data incident. While the Opinion does not prescribe specific response steps, it asserts that, as a matter of best practice, law firms should adopt an incident response plan before any incident occurs so that the firm can respond promptly and in a coordinated manner to any type of security incident or cyber intrusion. Such a plan should include provisions that address: identifying and evaluating any potential network anomaly or intrusion; assessing its nature and scope; determining whether any data or information may have been accessed or compromised; quarantining the threat or malware; preventing the exfiltration of information from the firm; eradicating the malware; and restoring the integrity of the firm’s network. The Opinion cites the NIST Computer Security Incident Handling Guide as a reference for preparing such a plan, and recommends that a firm respond in accordance with its plan in the event of an incident.
In the absence of such a plan, lawyers are nonetheless required to “make all reasonable efforts to restore computer operations to be able again to service the needs of the lawyer’s clients” as part of their competency obligations. Depending on the particular circumstances of an incident, these reasonable efforts could include “(i) restoring the technology systems as practical, (ii) the implementation of new technology or new systems, or (iii) the use of no technology at all if the task does not require it, depending on the circumstances.”
The last requirement addressed in the Opinion relating to the duty of competence is to conduct a post-breach investigation to identify what occurred, evaluate whether any data was lost or accessed as a result of the incident, and confirm that any intrusion or unauthorized access has been stopped. A post-breach investigation requires that the lawyer gather sufficient information to make these determinations. The Opinion explains that the post-incident investigation is not only a component of the duty of competence, but also provides the requisite information to allow for accurate disclosure to the client consistent with lawyers’ duties of communication and honesty under Model Rules 1.4 and 8.4(c).
Obligations Triggered by the Duty of Confidentiality
Although the ethical obligation to preserve the confidentiality of information relating to the representation of a client has always been part of the Model Rules, in 2012 Model Rule 1.6 was amended to add the following language: “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” In addition, a comment to the Rule was added, explaining the interplay between the duty of confidentiality and the obligation to make reasonable efforts to safeguard client information:
[p]aragraph (c) [of Model Rule 1.6] requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.
This comment further outlines several factors to be used in assessing the reasonableness of the lawyer’s efforts, including:
- The sensitivity of the information;
- The likelihood of disclosure if additional safeguards are not employed;
- The cost of employing additional safeguards;
- The difficulty of implementing the safeguards; and
- The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Overall, the obligations relating to the duty of confidentiality relate primarily to the actions taken by lawyers in advance of any incident having occurred. However, these obligations are also implicated following an incident. For example, part of the post-incident investigation would be focused on identifying what happened and what vulnerabilities were exploited to gain access to the lawyer’s or firm’s systems. To comply with the obligations of Model Rule 1.6(c), the information learned from the post-incident assessment should inform the types of safeguards that lawyers put into place following an incident in order to help prevent the same or similar type of incident from occurring again in the future.
The duty of confidentiality is also implicated in the context of post-incident communications. As discussed in further detail below, certain incidents might obligate lawyers to provide notice of an incident to their clients, to state or federal regulators, or to other individuals. The content of such communications would need to be prepared cautiously to ensure that they do not disclose any confidential client information. Further, many victims of these security incidents will communicate with law enforcement following an incident. As with other communications, lawyers would need to be cautious about the contents of any communications with law enforcement; however, Model Rule 1.6 does permit lawyers to reveal information relating to the representation of a client if, for example, the lawyer reasonably believes that disclosure: (1) is impliedly authorized and will advance the interests of the client in the representation, and (2) will not affect a material interest of the client adversely. This exception might come into play in communications with law enforcement designed to apprehend the responsible party and thereby reduce or prevent the risk of any future misuse of such information.
The Opinion addresses the obligation to provide notice of an incident in two contexts: (1) notification to current clients, and (2) notification to former clients whose data is being maintained in accordance with record retention requirements.
As to existing clients, the Opinion explains that the breach notification obligation is based on Model Rule 1.4’s requirements to “keep the client reasonably informed about the status of the matter” and to “explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.” The Opinion concludes that data breaches, as defined by the Committee, necessarily carry a reasonable possibility of negatively impacting a client’s interests. Accordingly, the Opinion states that this type of breach requires notice to the client because such notice would properly be viewed as “a significant factor in the representation” and is an integral communication required under Model Rule 1.4. However, it is worth noting that not all potential security incidents will necessarily fall within the definition of a “data breach” as used in the Opinion. Therefore, many incidents would require additional investigation and analysis to determine whether their scope is such that the incident actually implicates or compromises confidential client information or impairs the lawyer’s ability to perform legal services.
Interestingly, while the Opinion explains that Model Rule 1.9 largely prevents lawyers from revealing information relating to former clients, the Model Rules do not address what steps, if any, lawyers should take if confidential information of prior clients is revealed. Ultimately the Opinion explains that “[t]he Committee is unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.” Accordingly, the Opinion continues, any obligation to notify former clients would be based only on obligations stemming from state or federal statutory or regulatory requirements, and not from the lawyers’ ethical obligations.
Finally, the Opinion discusses the substance of any data breach notification. The recommended contents of such a notification fall generally in line with the types of things required under most state breach notification laws, including:
- The fact that an incident has occurred resulting in unauthorized access to or disclosure of their information, or that unauthorized access or disclosure is reasonably suspected of having occurred;
- The known or reasonably ascertainable extent to which client information was accessed or disclosed (alternatively, “[i]f the lawyer has made reasonable efforts to ascertain the extent of information affected by the breach but cannot do so, the client must be advised of that fact”);
- The lawyer’s plan to respond to the data breach, from efforts to recover information (if feasible) to steps being taken to increase data security.
Furthermore, the Opinion explains that in addition to the initial communication about the incident, “lawyers have a continuing duty to keep clients reasonably apprised of material developments in post-breach investigations affecting the clients’ information.” The Opinion avoids providing specific advice on the nature and extent of follow-up communications that might be necessary, explaining that these will largely be driven by the particular factual circumstances of an incident.
Overall, the Opinion provides general advice for lawyers that is very similar to standard incident response best practices seen across industries outside the legal field. Specifically, the Opinion identifies several actions that lawyers must take to address their ethical obligations as they relate to data security and potential security incidents. According to the Opinion, prior to an incident occurring lawyers should:
- maintain at least a basic understanding of changes in the law and its practice, including the benefits and risks associated with relevant technology, as well as basic features of relevant technology;
- prepare an incident response plan which addresses how the lawyer or firm will promptly:
  - identify and evaluate any potential network anomaly or intrusion;
  - assess its nature and scope;
  - determine if any data or information may have been accessed or compromised;
  - quarantine the threat or malware;
  - prevent the exfiltration of information from the firm;
  - eradicate the malware;
  - restore the integrity of the firm’s network; and
  - help personnel minimize loss or theft of information and disruption of services caused by incidents.
- implement internal policies and procedures designed to safeguard confidential client information and critical business systems;
- implement tools designed to monitor technology resources for any unauthorized access or intrusions (including those maintained by external vendors); and
- provide appropriate oversight for any lawyers and non-lawyers relating to information technology and information security.
Should an incident occur, the Opinion indicates that lawyers should promptly respond to the incident by:
- investigating the incident;
- taking reasonable steps to contain the incident and prevent any further unauthorized access or exposure; and
- mitigating any damage caused by the incident.
Based on the findings of the investigation, according to the Opinion, lawyers must next assess the nature and scope of the incident’s impact to determine whether it affects any material client confidential information or significantly impairs their ability to perform legal services. If so, lawyers must communicate with affected clients and, depending on the circumstances, provide appropriate follow-up communications updating clients on new, relevant developments.