Hello everyone and welcome to this Ethics Alert which will discuss recent (October 17, 2018) American Bar Association Formal Opinion 483 which provides guidance to lawyers before and when there has been a cyber breach or hack. The opinion is here: https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf
Just like to rest of our digital world, lawyers are susceptible to cyber hacking/breaches when using digital devices and programs or otherwise using the internet. The ABA Opinion confirms the duty that lawyers have to attempt to prevent such hacks and breaches and also the lawyer’s obligation to notify clients of a data hack/breach.
The opinion provides the reasonable steps that lawyers can take to meet their obligations under the ABA model rules and emphasizes the importance for lawyers to plan for an electronic breach or cyberattack and discusses how model rules may apply when an incident is either detected or suspected. According to the opinion, the following Model Rules of Professional Conduct would potentially apply:
Rule 1.1 (competence), requiring lawyers to develop sufficient competence in technology to meet their obligations under the rules after a breach; Rule 1.15 (safekeeping property), requiring lawyers to protect trust accounts, documents and property the lawyer is holding for clients or third parties; Rule 1.4 (communication), requiring lawyers to take reasonable steps to communicate with clients after an incident; Rule 1.6 (confidentiality), regarding issues of confidentiality in the client-lawyer relationship; Rule 5.1 (lawyer oversight), which sets forth the responsibilities of a managing partner or supervisory lawyer and; Rule 5.3 (nonlawyer oversight), which sets forth the responsibilities of supervisors who are nonlawyers.
The opinion states that “(w)hen a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach…(h)ow a lawyer does so in any particular circumstance is beyond the scope of this opinion.”
“As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach. The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.”
Bottom line: This ABA opinion addresses and discusses a lawyer’s obligations in attempting to prevent a cyber hack or breach and also provides guidance regarding the lawyer’s obligations if a breach/hack occurs. All lawyers should be addressing serious issue this now and should consult their state/jurisdiction’s ethics rules to insure compliance.
Be careful out there.
Disclaimer: this Ethics Alert is not an advertisement, does not contain any legal advice, and does not create an attorney/client relationship and the comments herein should not be relied upon by anyone who reads it.
Joseph A. Corsmeier, Esquire
Law Office of Joseph A. Corsmeier, P.A.
29605 U.S. Highway 19, N., Suite 150
Clearwater, Florida 33761
Office (727) 799-1688
Fax (727) 799-1670