ABA Warns Lawyers That Data Breaches Raise Ethical Issues


The phrase “looking back to the past with an eye on the future” is one that could adequately describe the legal profession’s current attitude towards technological innovation. An industry historically reliant on antiquated methodologies and formal training now has little choice but to embrace the current “Golden Age” of technology. Nowhere is this technological evolution in law more readily apparent than in the dramatic changes to legal research (out with the case reporters and in with Westlaw & LexisNexis), writing (“to put pen to paper” now replaced by “to affix fingers to keyboard”), and file retention (goodbye banker’s boxes, hello cloud storage).

With such technological advancement come innumerable challenges to one of, if not the, most important ethical obligations of an attorney – the protection of client information. The American Bar Association’s Standing Committee on Ethics and Professional Responsibility (“the Committee”) emphasized this point through formal guidance issued near the end of 2018. Titled “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack,” Formal Opinion 483 speaks to the ethical responsibilities of an attorney in the wake of a data breach involving client information.1

Law Firms: A Treasure Trove of Information

Law firms are a treasure trove of information for hackers. Irrespective of firm size, any number of attorneys working under one roof represent different areas of practice, and those areas ostensibly mean the presence of all types of sensitive information: the details of M&A transactions, medical and/or financial records, proprietary trade secrets and corporate strategies, just to name a few, all of which represent a tantalizing bounty for bad actors.

And yet, perplexingly, one of the most attractive targets for hackers is also one of the easiest. According to the findings of a 2016 survey conducted by notable Information Technology firm LOGICFORCE, law firms’ cybersecurity efforts, or the lack thereof, left them “woefully insecure.”2 In fact, of the 200 law firms surveyed and assessed, approximately 40% were unaware that their firm had suffered a past data breach.3 The ABA’s own 2017 Legal Technology Survey demonstrated many of the same findings. The ABA summarized these findings in the TECHREPORT, which found that 22% of law firm respondents experienced a data breach in 2017 – up from 14% the previous year.4 In a frightening display of just how vulnerable law firms may be, the International Legal Technology Association 2018 educational conference featured a presentation this past August by a 15-year-old ethical hacker.5 In a matter of minutes the teenager demonstrated with ease a hacker’s ability to infiltrate law firms and their clients. Outside of mere hypotheticals, and in the category of a real-world example, was the case of global firm DLA Piper and a paralyzing malware attack.6 To think, a fairly innocuous start to a summer day in 2017 ended with one of the world’s largest law firms non-operational for weeks to come.7

Backed by frightening statistics and concrete examples of cyber vulnerability, the Committee was left with little choice but to conclude that “[d]ata breaches and cyber threats involving or targeting lawyers and law firms are a major professional responsibility and liability threat facing the legal profession.”8

Formal Opinion 483

Issued in October of 2018, Formal Opinion 483 (“Opinion”) addresses an attorney’s ethical obligations after a data breach involving client information. The Opinion builds upon a previous opinion9 by the ABA which required attorneys to adopt reasonable security measures when transmitting client information over the Internet. However, the ABA makes a point to clarify the narrow scope of 483 — namely that the guidance offered pertains only to a lawyer’s ethical obligations and not any accompanying legal obligations pursuant to various data security and privacy statutory frameworks (e.g., state breach notification laws, HIPAA, the Gramm-Leach-Bliley Act, etc.). Instead, the breach of client information gives rise to attorney obligations under the Model Rules of Professional Conduct (“Model Rules”).

While the ABA finds various Model Rules pertinent to a data breach (e.g., Rule 1.1, Rule 1.4, Rule 1.6, Rule 5.1 and Rule 5.3), the vast majority of the Opinion focuses on an attorney’s ethical obligations concerning competency, confidentiality, and communication.

Competent Representation Before, During, and After a Data Breach

The bedrock of Formal Opinion 483 concerns an attorney’s competency before, during, and after a data breach. As the Opinion points out, technological modifications made to Rule 1.1 back in 2012 represented the Committee’s acknowledgement that a lawyer’s competency in the practice of law depends increasingly upon technology and an understanding of its accompanying risks and benefits. With regard to a lawyer’s data breach responsibilities, the ABA enunciates the belief that a competent lawyer is one who: (i) actively monitors for a data breach; (ii) stops a breach and restores systems; and (iii) determines what happened post-breach.

Monitoring for a Data Breach

A lawyer’s ability to monitor for a data breach depends upon “reasonable efforts” to monitor technology and office resources like the Internet, external data sources, and third-party vendors. The ABA, in large part, has refrained from any bright-line rules on what exactly constitutes “reasonable efforts,” but rather has proposed a fact-specific approach to business security obligations that

“Requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”10

Thus, the ABA clarifies that ethical violations in the context of a data breach depend entirely upon an attorney’s reasonable efforts and not the occurrence of a breach itself. As the Opinion points out, “[A]n ethical violation does not necessarily occur if a cyber-intrusion or loss of electronic information is not immediately detected . . .” but rather a “. . . lack of reasonable effort [by the attorney] is the cause of the breach.”11

Stop and Restore

The Committee admits it is not the appropriate authority to advise attorneys on how best to stop a breach and mitigate the damages. However, the Opinion notes that a data breach incident response plan is not a bad place to start. Unfortunately, statistics show law firms too often fail to heed this advice. In fact, the 2017 ABA Legal Technology Survey revealed that only 42% of respondents had any sort of disaster recovery plan in the first place.12

Inherent to any incident response is business continuity. For law firms under siege from a cyberattack or data breach, business continuity speaks to the organization’s ability to maintain essential functions, like the provision of client services, even after an incident. As the ABA instructs, an attorney’s response to a data breach requires reasonable efforts to restore computer operations to a level that can once again capably service clients’ needs. The aforementioned cyberattack on DLA Piper is an example of how costly and time-consuming the restoration process for a law firm can be. A malware infection of DLA Piper’s network and systems cost the company more than 15,000 hours of paid overtime for its IT Department.13 Even without the loss of any client data, the attack prompted a firm-wide shutdown that included the loss of email, billing, payment, and human resource systems, and prompted the firm’s chief information officer to remark that the attack put “the future of the entire business at stake.”14

The goal of the restoration process gives rise to the confidentiality obligations of Rule 1.6. Under Rule 1.6(c), lawyers must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client.”15 The Opinion addresses an amendment made by the Committee in 2012 to Comment [18]. As Comment [18] points out, the unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to a client is not in and of itself an ethical violation so long as the lawyer has made reasonable efforts to prevent the access or disclosure.16

As the ABA points out, examples of reasonable efforts could include the restoration of systems or the implementation of new technology. Using DLA Piper as an example, the firm’s reasonable efforts since the 2017 attack have included structural changes to its IT architecture and the exploration of using new cloud hosting technology.17

Determine What Occurred

After an attorney successfully stops a data breach and restores information and systems, the ABA implores the attorney to use reasonable efforts to gather more information on the breach. Post-breach information gathering should confirm that the breach has, in fact, concluded, and evaluate what data, if any, was lost. This fact-finding process ultimately informs how the lawyer should best disclose the breach to clients, consistent with the obligations of communication and honesty under Rule 1.4 and Rule 8.4.

Communicating with Present (but not Former) Clients About a Breach

Rule 1.4 obligates an attorney to communicate with current clients about a data breach. The Committee holds that acts of misappropriation, destruction, or the compromise of confidential client information are all within the purview of a data breach incident, and therefore a data breach incident requires disclosure to current clients only. Notably, the ABA refrains from any requirement that an attorney contact former clients over a data breach because — while Rule 1.9(c) requires a lawyer not to “. . . reveal information relating to a [past] client”18 — absent from the Model Rules is any guidance on what steps a lawyer should take to notify former clients of the information revealed. Therefore, the Committee abstains from any requirement that an attorney notify a former client of a breach.19 This decision, as the ABA points out, is strictly a matter of ethical consideration and does not take into account other legal obligations an attorney may have (e.g., data privacy laws, common law duties, or contractual arrangements with former clients).20

Regardless of whether an attorney took reasonable steps to prevent the disclosure of a client’s information, the Model Rules nevertheless require communication and disclosure of the incident to the client. A breach that necessitates disclosure thereby raises a question concerning the nature and extent of an attorney’s communication with the client. The Committee declares that the nature and extent of a lawyer’s communication depends upon two distinct factors. The first factor concerns the type of breach incident an attorney suffers, and the second pertains to the nature of the compromised data. The Opinion provides two examples to highlight this point. Whereas a ransomware attack on a lawyer’s office file server requires no notice if client information was neither accessed nor disclosed, the same is not true for a lawyer who knows or suspects that a bad actor accessed or disclosed client information.

At a bare minimum, Rule 1.4 requires a disclosure and/or notice to current clients that communicates that unauthorized access to, or even suspected disclosure of, their information did occur and that provides enough detail to allow the client to make an informed decision on what, if anything, to do next. Additionally, the Committee cites the need (if at all possible) for lawyers to provide clients with details on the extent to which their information was accessed or disclosed. Beyond these basic parcels of information, the Opinion suggests disclosure notices inform clients of the lawyer’s plan to respond to the breach from both a reactive (i.e., efforts taken thus far to recover information) and a proactive (i.e., future efforts to increase data security) standpoint. This advice from the ABA on breach notice largely tracks many of the state breach notification statutes, which do set out minimum requirements for the notice’s content, such as a brief description of the breach incident, the information at issue, and a description of the actions the organization has taken to contain the breach and protect data from further unauthorized access.

Conclusion

The ABA closes the Opinion with the reminder that attorneys can do almost everything right and still suffer a data breach. In today’s cyber-centric environment of “not if but when,” threats and data breaches are all but a given. At the end of the day and for purposes of ethical considerations, the most important thing an attorney can do with cyber threats and breaches is take reasonable steps of prevention and notify current clients when necessary.

Have any questions about cybersecurity law? Feel free to contact me or follow me on Twitter @CyberSecureAtty.

NOTES

1. ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 483 (2018) (“Lawyers’ Obligations After an Electronic Data Breach or Cyberattack”).
2. “Law Firm Cybersecurity Scorecard: Q1, 2017,” LOGICFORCE, https://www.logicforce.com/2018/03/28/law-firm-cyber-security-scorecard/.
3. Id.
4. David G. Riles, “2017 Security,” American Bar Association (Dec. 1, 2017), https://www.americanbar.org/groups/law_practice/publications/techreport/2017/security/.
5. Rhys Dipshan, “How a Teenager Can Hack Your Law Firm,” Legaltech News (Aug. 21, 2018, 2:26 p.m.), https://www.law.com/legaltechnews/2018/08/21/how-a-teenager-can-hack-your-law-firm/.
6. Jeff John Roberts, “Law Firm DLA Piper Reels Under Cyber Attack, Fate of Files Unclear,” Fortune (Jun. 29, 2017), http://fortune.com/2017/06/29/dla-piper-cyber-attack/.
7. Jonathan Crowe, “How One of the World’s Largest Law Firms Was Paralyzed by Petya,” Barkly Protects Inc. (July 2017), https://blog.barkly.com/dla-piper-petya-ransomware-attack.
8. Supra note 1, at 1.
9. ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 477R (2017) (“Securing Communication of Protected Client Information”).
10. Jill D. Rhodes & Vincent I. Polley, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals 73 (2d ed. 2018).
11. Supra note 1, at 5.
12. Supra note 4.
13. Ry Crozier, “DLA Piper paid 15,000 hours of IT overtime after NotPetya attack,” iTnews (May 8, 2018, 11:55 a.m.), https://www.itnews.com.au/news/dla-piper-paid-15000-hours-of-it-overtime-after-notpetya-attack-490495.
14. Adam Janofsky, “DLA Piper CIO on ‘Petya’ Attack: ‘The Future of the Entire Business Was At Stake,’” The Wall Street Journal (Dec. 13, 2017, 4:04 p.m.), https://blogs.wsj.com/cio/2017/12/13/dla-piper-cio-on-petya-attack-the-future-of-the-entire-business-was-at-stake/.
15. Model Rules of Prof’l Conduct R. 1.6(c) (2018).
16. Id. cmt. [18] (2018).
17. Supra note 10.
18. Model Rules of Prof’l Conduct R. 1.9(c)(2) (2018).
19. See ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 483, at 13 (“The Committee is unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.”).
20. Id.