Some answers are so obvious that you are left wondering why the question needed to be asked in the first place. Like “should a client pay a fee it agreed to in advance?” Or, “should an attorney try his or her best to prevail?”
And now this: the ABA’s Standing Committee on Ethics and Professional Responsibility issued an advisory opinion earlier this month instructing lawyers who suffer a data breach that exposes “material client information” to notify clients of the breach and take additional measures to protect the confidentiality of the compromised information. Obvious? We think so.
When we advise clients about their data protection obligations, we often suggest that compliance is strengthened when data security strategies align with an organization’s culture. For law firms, this should be relatively easy: lawyers learn (we hope in law school) that they have an ethical obligation under Model Rule 1.6 to preserve the confidentiality of their clients’ information. In today’s world, that surely means that the lawyer and her firm should take appropriate measures to protect that information from cyber thieves and other threats to its security and confidentiality.
Likewise, our duty of communication (Model Rule 1.4), coupled with our confidentiality obligations, should make it a no-brainer that when a breach occurs, the affected clients should be told.
Nevertheless, in its Formal Opinion 483 the Committee devotes 16 pages to state and support this conclusion. (Interestingly, the Committee primarily relies on rules dealing with competent representation and technological aptitude, and only secondarily refers to the duty of confidentiality.) The opinion does contain instruction that, while hardly novel or visionary, provides sound advice:
- A firm should implement technological and other measures to detect intrusions into its data systems.
- A firm should develop, implement and test a data incident response plan. As we’re fond of saying, the time for a pilot to learn how to deal with catastrophic engine failure is not when the plane is hurtling to the ground from 30,000 feet.
- The firm should promptly take measures to restore the affected systems and close the breach. (Don’t just stand by and do nothing!)
- The firm should, alone or in concert with skilled cyber forensics professionals, determine how and why the breach occurred. (Again, don’t just scratch your head.)
- The firm should notify current clients whose data are compromised. Oddly, the Committee stated that it is “unwilling” to impose that obligation with regard to former clients.
- The opinion provides guidance on what the client notification should contain. Importantly, the opinion reminds lawyers that they may have additional notification obligations under federal and state data breach notification laws that apply, yes, even to lawyers.
Opinion 483 provides useful, if obvious, direction on our duties in response to a data breach. It hardly lays out a truly comprehensive set of best practices for safeguarding client information, but it does point in the right direction.