ABA Issues Opinion on Lawyers’ Obligations after Electronic Data Breach

by David Hricik

ABA Formal Ethics Opinion 483 (Oct. 17, 2018) is here.  Like many ABA opinions, it provides a useful roadmap to the issues and how to respond to them (and, in this opinion, some good proactive advice).  The opinion addresses the narrow issue of a data breach that results in the disclosure or destruction of client confidences, as opposed to “ransomware” attacks and the like, where access is denied but the data is not compromised, or where access to data is otherwise inhibited or delayed.

The first takeaway is an obligation to “employ reasonable efforts to monitor” for unauthorized access to client confidences, whether at the office, through vendors, or otherwise.

The second is that the lawyer must act reasonably promptly to stop any breach and mitigate, or rectify, the consequences.  In this regard, the opinion suggests creating an “incident response plan with specific plans and procedures” to do so.

Third, the opinion states that the lawyer must determine, with reasonable care, what was compromised, deleted, or misappropriated.  And, again, it suggests that these steps be part of the “incident response plan.”

Fourth, it states that a lawyer who knows, or reasonably should know, that a data breach has occurred “must evaluate the notice obligations.”  The contours of this obligation turn on whether the data belonged to a current or a former client.  With current clients, the ABA stated that there is an obligation to inform the client if its data was breached. With former clients, the opinion stated it was “unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.”  It then suggested, however, that lawyers reach agreement in their engagement letters on how to deal with electronic files on termination of a representation, and that they recognize that laws — not legal ethics — might require notification.

Finally, if notification is required, the ABA stated the client must be given sufficient information “to make an informed decision as to what to do next, if anything,” including the lawyer’s response to the breach.  And, again, the opinion reminds lawyers that a number of laws may require additional disclosure.

Although the opinion does not address it, patent lawyers of course need to be aware of where — in the US or not — data is maintained, both because of export restriction issues and in order to take reasonable care to protect confidential client information.  It’s a good opinion that provides a framework for lawyers to use.

About David

Professor of Law, Mercer University School of Law. Of Counsel, Taylor English Duma, LLP. Former judicial clerk to Chief Judge Rader; former lawyer with Baker Botts and other firms.

4 thoughts on “ABA Issues Opinion on Lawyers’ Obligations after Electronic Data Breach”

  1.

    Hmm… even though the internet consists of private property… perhaps in decades to come, governments will include a robust CyberPolice to combat CyberCrime.. after all, crimes committed on private property are still crimes and intervention and investigation are not restricted to activity in public spaces… for now, as in days of old I suppose we must take reasonable steps to lock the doors and employ antitheft and security measures… and notify both the client and the authorities (to the extent they exist) once the breach is discovered.

  2.

    Surely the ABA should guide lawyers to check into applicable local laws

    Formal Opinion 483 states its limitations:

    It does not address other laws that may impose post-breach obligations, such as privacy laws or other statutory schemes that law firm data breaches might also implicate. Each statutory scheme may have different post-breach obligations, including different notice triggers and different response obligations. Both the triggers and obligations in those statutory schemes may overlap with the ethical obligations discussed in this opinion. And, as a matter of best practices, attorneys who have experienced a data breach should review all potentially applicable legal response obligations.

    As to context though, the next sentence sets the tone of this Formal Opinion:

    However, compliance with statutes such as state breach notification laws, HIPAA, or the Gramm-Leach-Bliley Act does not necessarily achieve compliance with ethics obligations.

  3.

    Data owners should be aware that there may be legal notice requirements (in all 50 states) when data containing financial account information or social security information that can be connected to persons is disclosed without authorization.

    There are safe-harbor provisions, an important one being that if the data was encrypted when disclosed, notification may not be mandatory. Surely the ABA should guide lawyers to check into applicable local laws regarding such an incident.
