Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

ABA Releases Opinion on Lawyers’ Obligations After a Cyberattack

October 22, 2018

On October 17th, the ABA released Formal Opinion 483, entitled "Lawyers' Obligations After an Electronic Data Breach or Cyberattack." While several sources have mentioned the new opinion, it is clear that a lot of folks, including me, are still studying it.

This opinion builds on the standing committee's Formal Opinion 477R released in May 2017, which set forth a lawyer's ethical obligation to secure protected client information when communicating digitally.

The new opinion states: "When a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach."

The ethics opinion implicates Model Rule 1.1 (competence), Model Rule 1.4 (communications), Model Rule 1.6 (confidentiality of information), Model Rule 1.15 (safekeeping property), Model Rule 5.1 (responsibilities of a partner or supervisory lawyer) and Model Rule 5.3 (responsibilities regarding nonlawyer assistance).

There is a "rule of reason" overtone to the opinion, which states, "As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach. The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach."

This is of course what cybersecurity experts have said for a very long time – and, in our experience, all large firms tend to have an incident response plan. The smaller firms? Not so much.

The opinion also recommends, in a footnote, that firms should have data retention policies that limit their possession of personally identifiable information. We certainly agree with that. Lots of firms have "zombie" data – data they don't know they have until there is a data breach.

Since data breaches cannot entirely be avoided, the opinion says, "When they do (have a breach), they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients 'reasonably informed' and with an explanation 'to the extent necessary to permit the client to make informed decisions regarding the representation.'"

There is much more worthy of discussion in the opinion. When I get my trusty highlighter and time to think, I'll be back.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson