ABA Issues Opinion - How To Respond to Data Breaches
In 2018, 1,244 data breaches occurred in the U.S. with over 445.6 million records exposed with a cost of $654 billion. Lawyers make a promise to safeguard confidential client data when they enter into an attorney-client relationship. Today’s digital world means taking extra steps to ensure the security of data that lawyers text/email, save to the cloud, or otherwise electronically transmit. But what happens in the unfortunate event of a cyber-attack? Every state has a data breach notification statute that outlines when and how to notify individuals about compromised data. While this and other laws may apply, lawyers also have unique ethical duties to perform regarding data privacy. Failure to fulfill these ethical duties can result in disciplinary actions such as license suspension.
ABA Data Breach Obligations
The American Bar Association (“ABA”) issued Formal Opinion 483 on October 17, 2018 regarding a lawyer’s obligations after a breach involving client data. These obligations require taking a proactive and anticipatory approach in order to diminish the fallout from a cyber-attack and implicates several ethics rules, including Rule 1.1 (competence), Rule 1.6 (confidentiality), Rules 5.1 and 5.3 (supervisory duties), and others.
Opinion 483 follows guidance from 2017 (ABA Formal Opinion 477R), which focused on the importance of keeping client data confidential when communicating over the Internet. As risks increase due to new technologies and digital reliance, the ABA realized that more guidance was necessary on how to react in the event of a breach. If a breach misappropriates, destroys, or otherwise compromises confidential client data, lawyers should take the following steps for remediation:
Data Breach Response Time
Take prompt and reasonable measures to stop the breach and mitigate any resulting damages. While what determines an ‘appropriate’ response will depend on each individual situation, the ABA noted that developing an incident response plan is crucial. An incident response plan will contain specific protocols outlining what members of an organization should do after a breach. Having an incident response plan in place provides an organization with a detailed plan to deploy during a time of crisis, promotes consistency, and minimizes loss. The ABA Opinion noted that a good incident response plan will:
identify and evaluate any potential network anomaly or intrusion; assess its nature and scope; determine if any data or information may have been accessed or compromised; quarantine the threat or malware; prevent the exfiltration of information from the firm; eradicate the malware, and restore the integrity of the firm’s network.
The plan should also identify the roles of all team members involved. After developing the plan, ensure that all employees receive copies of written policies and training opportunities.
Fix The Breach
Take reasonable measures to restore firm operations that the breach affected. While this includes things like system restoration or implementing entirely new systems, organizations should also evaluate, in some circumstances, whether they can get rid of outdated technology in order to decrease the risk of data breaches. Depending on the situation and skill level of internal employees, this may require outside expertise.
How Did This Happen?
Conduct a post-breach investigation. Researching how a breach occurred could help lawyers collect information on how to stop a future breach, limit the fallout from an already executed breach, determine why the breach occurred, and then, how to prevent a repeat occurrence. Evaluating compromised data is also a key part of a post-breach investigation so organizations can determine whom they need to notify. The ABA Opinion noted that lawyers could include how to conduct this investigation in their incident response plan.
Breaking The Bad News
Notify clients of the data breach. The Opinion requires lawyers to notify current clients after a breach if the breached data contains material client confidential information and is “likely to affect the position of the client or the outcome of the client's legal matter.” The notice should require as much information to allow the client to make an informed decision about continued representation as well as information about remediation efforts. Notification requirements do not apply to former clients. Reaching an agreement with former clients about data retention and implementing a document retention policy that would limit exposure is key.
The important thing to note is that a lawyer’s ethical duties surrounding technology breaches and safeguarding data are not absolute. The ABA and most states will analyze each component of compliance under the “reasonableness” standard. As always, lawyers should look to their state ethics boards to determine if it has issued an opinion on this matter and whether the state follows or departs from the ABA, as the state’s stance on an issue is controlling. For example, Maine recently issued an opinion on data-breaches that follows the ABA except for one caveat. In Maine, lawyers must also notify former clients after a breach. In addition to their ethical duties, lawyers must also ensure that they reach compliance under state data breach notification statutes or any other applicable law.
If you found this blog informative, you may enjoy reading SEC Remains Focused on Cybersecurity or The Epiq Angle Blog.