ABA Issues New Formal Opinion on Lawyer Obligations After Cyber Breach or Attack
On October 17, 2018, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483 reaffirming the duty that lawyers have to notify clients of a data breach and details reasonable steps for them to take to meet obligations set forth by ABA model rules.
This new opinion emphasizes the importance for lawyers to plan for an electronic breach, or cyberattack, and to understand how the ABA Model Rules play a part when an incident is detected, or suspected. Formal Opinion 483 focuses on an attorney’s ethical obligations after a data breach that relates to the attorney’s representation of the client (as opposed to a breach of other material). Specifically, “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or whether a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”
The ABA Model Rule of Professional Conduct which governs post-breach requirements is Rule 1.4, which requires lawyers to take reasonable steps to communicate with clients after an incident. Other rules, such as Model Rules 1.1 and 1.6, which require lawyers to develop sufficient competence in technology to meet their obligations under the rules after a breach (Rule 1.1) and covers issues dealing with confidentiality of the client-lawyer relationship. (Rule 1.6).
Additionally, the following ABA Model Rules of Professional Conduct might also apply to such an incident:
Model Rule 1.15 (safekeeping property), which requires lawyers to protect trust accounts, documents and property the lawyer is holding for clients or third parties.
Model Rule 5.1 (lawyer oversight), which addresses the added responsibilities of a managing partner or supervisory lawyer.
Model Rule 5.3 (nonlawyer oversight), which addresses the responsibilities of those in supervisory capacities who are nonlawyers.