Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

The Lawyer's Ethical Duties After a Data Breach

March 28, 2019

I read a nice article on JD Supra written by Anton Janik, Jr. of Williams Mitchell and originally published in the 2019 Winter edition of The Arkansas Lawyer. The article explores a lawyer's duties following a data breach, explaining the requirements of ABA Formal Opinion 483, issued in October 2018 and going beyond it to explore practical responses to a breach.

Here's the opening, which references the DLA Piper ransomware attack.

"Imagine it’s a usual Tuesday morning, and coffee in hand you stroll into your office. Right inside the door, you see a handwritten notice on a big whiteboard which says: All network services are down, DO NOT turn on your computers! Please remove all laptops from docking stations & keep turned off. *No exceptions*

Finding this odd, you turn to your firm receptionist who tells you that the firm was hit with a ransomware attack overnight, and that if you turn on your computer all of your files will be immediately encrypted, subject to a bitcoin ransom.

This really happened. In 2017, DLA Piper was hacked by the NotPetya malware, and until the breach was resolved, the 4,400-attorney law firm was reduced to conducting business by text message and cell phone. The reported scope of the damage remediation included 15,000 hours of overtime IT assistance, but no reported loss of client confidential information."

The article explores the duty to monitor for data breaches and cyberattacks.

It helpfully notes that the term “breach” has many definitions, each driven by the law, regulation or rule through which an event is viewed. The ABA Opinion defines a data breach as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” The ABA’s definition is broad enough to encompass both the situation where data is actually removed, as well as the situation where the data remains at the law firm but cannot be accessed.

The ABA Opinion only finds an ethical violation where an attorney does not take reasonable efforts to avoid data loss or to detect an intrusion, and where the lack of reasonable effort was the cause of the breach. Although the ABA Opinion does not find there to be an ethical violation if the failure to reasonably act was merely a contributing factor rather than “the cause,” attorneys should be careful to mitigate their exposure by making such reasonable efforts. While it is expected that most attorneys will hire specialized help to monitor for electronic data breaches, it is recommended that complex, rotating passwords be implemented along with multifactor authentication, that all relevant security patches be installed on servers and computers, that computer logs be set to the longest retention period and depth of capture available, and that access rights and logs be regularly checked for unauthorized activity. You should also consider software that monitors access, usage, and data flow across your internal networks, and may also consider improving physical security at the worksite and server rooms.

The article covers stopping the breach, restoring systems, and determining what happened and what caused it. Best practices (and often your cybersecurity insurance coverage) dictate that your law firm should draft, and regularly train on, a breach response plan which defines personnel roles and procedural steps to employ in assessing and addressing any given breach, including through the use of outside vendors whose engagement may be contractually prearranged.

When a breach is discovered, the ABA Opinion finds that the duty of competence under Model Rule 1.1 requires the attorney to act reasonably and promptly to stop the breach and mitigate the damage, using “all reasonable efforts” to restore computer operations to be able to continue client services.

The requirement of giving notice of a breach is driven not only by the ethical rules, but also by federal and state law and regulations, and can even be driven by your client’s contractual requirements. Model Rule 1.4 requires that an attorney keep the client “reasonably informed about the status of the matter.”

That disclosure must provide information sufficient for the client to make an informed decision as to what to do next, if anything. At minimum, the attorney must inform the client of the breach, even where the scope is not yet determined, and even if the breach is only reasonably suspected. The attorney should also inform the client what client confidential information was accessed. If the extent is not yet known, that should be communicated as well. Under the ABA Opinion, attorneys have a continuing duty to keep their clients reasonably apprised of material developments in the post-breach investigation that affect client information.

Lawyers should provide notice to former clients whose confidential information has been compromised, and establish paper and electronic document destruction policies that require confidential client information to be securely destroyed after an appropriate interval. Outside of the ethical notice requirements, disclosure to regulators and those affected is driven by federal and/or state regulation and law. In that context, similar to the ethical rules which are triggered when client confidential information is at issue, the duties to provide notice are controlled by the type of data breached. For example, under HIPAA, the loss of “protected health information”—in short, information relating to medical diagnoses or care—triggers the requirement to provide notice. Under HIPAA, you generally have up to 60 days to provide notice to affected persons.

While the article notes that it cannot be comprehensive, it provides a good summary of the ABA opinion for those who haven't had a chance to read the opinion (which should be required reading in your near future).

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson