by David Hricik
ABA Formal Ethics Opinion 483 (Oct. 17, 2018) is here. Like many ABA opinions, it provides a useful roadmap to the issues and how to respond to them (and, in this opinion, some good proactive advice). The opinion addressed the narrow issue of a data breach which results in disclosure of, or destruction of, client confidences as opposed to “ransomware” attacks and the like, where access is denied but the data is not compromised, or access to data is otherwise inhibited or delayed.
The first takeaway is an obligation to “employ reasonable efforts to monitor” for unauthorized access to client confidences, whether at the office, through vendors, or otherwise.
The second is that the lawyer must act reasonably promptly to stop any breach and mitigate, or rectify, the consequences. In this regard, the opinion suggests creating an “incident response plan with specific plans and procedures” to do so.
Third, the opinion states that the lawyer must determine, with reasonable care, what was compromised, deleted, or misappropriated. And, again, it suggested these be part of the “incident response plan.”
Fourth, it stated that the lawyer who knows, or reasonably should know, a data breach has occurred “must evaluate the notice obligations.” The contours of this turn on whether the data belonged to a current, or former, client. With current clients, the ABA stated that there was an obligation to inform the current client if its data was breached. With former clients, the opinion stated it was “unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.” Then, however, it suggested that lawyers in their engagement letters reach agreement on how to deal with electronic files on termination of a representation, and to recognize that laws — not legal ethics — might require notification.
Finally, if notification is required, the ABA stated the client must be given sufficient information “to make an informed decision as to what to do next, if anything,” including the lawyer’s response to the breach. And, again, the opinion reminds lawyers that a number of laws may require additional disclosure.
Although the opinion does not address it, patent lawyers of course need to be aware of where — in the US or not — data is maintained for export restriction issues, and to take reasonable care to protect confidential client information. It’s a good opinion that provides a framework for lawyers to use.