Are you taking “reasonable efforts” to keep your clients’ information safe from a data breach?
In 2017, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477R, which “explained a lawyer’s ethical responsibility to use reasonable efforts when communicating client confidential information using the Internet.” More recently, in October of 2018, the same Standing Committee issued Formal Opinion 483, providing new guidance “on an attorney’s ethical obligations after a data breach.”
Under these Formal Opinions, lawyers must not only safeguard client data, but they must now also notify a client if a data breach exposes their confidential information.
The recent Foley & Lardner incident serves as a reminder that law firms “remain high-priority targets of hackers, ransomware and, more recently, nefarious miners of cryptocurrency.” According to Lawyers Mutual, 22 percent of law firms experienced a cyberattack or data breach in 2017. That’s up from 14 percent a year ago.
Law firms need to prioritize cybersecurity and begin taking preventive measures. Ignoring these realities will expose your firm and clients to potentially significant liabilities.
Nature of the Cyberthreat
It almost seems common to hear that an organization has been hacked. However, the legal sector stands out among others due to its large cache of sensitive client data, which makes law firms an attractive target for hackers.
“From patent disputes to employment contracts, law firms have a lot of exposure to sensitive information. This confidential information is often stored on on-premise enterprise systems at law firms. This makes them an attractive target for hackers that want to steal consumer information and corporate intelligence. For an example of this, look no further than the Panama Papers – ‘…an unprecedented leak of 11.5 million files from the database of the world’s fourth biggest offshore law firm’,” wrote Dan Steiner in CIO.
As previously noted, in response to the increase in sensitivity to cybersecurity and data breach risks, ABA Standing Committee on Ethics and Professional Responsibility expanded upon a lawyer’s ethical responsibility to secure client information when communicating digitally to now also address a lawyer’s ethical obligation to a client after a data breach exposes their confidential information.
This latest ethics opinion – Formal Opinion 483 — includes new guidance for lawyers to meet this obligation when handling post breach measures.
Depending on the incident and the lawyer’s knowledge regarding the incident, Formal Opinion 483 references five rules imposed by the Model Rules of Professional Conduct.
- Model Rule 1.1 requires duty of competence. A lawyer must have the legal knowledge, skill, thoroughness and preparation for the representation of a client. This includes the understanding the basic features of relevant technology.
- Model Rule 1.4 addresses a lawyer’s requirement to keep clients “reasonably informed” on the status of their matter.
- Model 1.6 focuses on the client and lawyer relationship in which a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.
- Model 5.1 highlights the responsibilities of a partner or supervisory lawyer to make reasonable efforts to ensure that the firm has effective measures in place, conforming to the Rules of Professional Conduct.
- Model 5.3 discusses the responsibilities of a law firm to have effective measures giving reasonable assurance that nonlawyers’ conduct is equal to the obligations of a lawyer.
Applying these pre-existing obligations in the context of a data breach, the ABA Standing Committee noted that “[c]ompliance with the obligations imposed by the Model Rules of Professional Conduct, as set forth in this opinion, depends on the nature of the cyber incident, the ability of the attorney to know about the facts and circumstances surrounding the cyber incident, and the attorney’s roles, level of authority, and responsibility in the law firm’s operations.”
One thing to note is that Formal Opinion 483 references – but does not otherwise address — other laws that may impose post-breach obligations, “such as state breach notification laws, HIPAA, or the Gramm-Leach-Bliley Act.” Instead, the ethics opinion states that “[e]ach statutory scheme may have different post-breach obligations, including different notice triggers and different response obligations.”
Additional research and expert consultation may be required, and it is best practice to analyze compliance separately under every applicable law or rule.
Recommended Reasonable Efforts
There are various steps you can take to prevent or reduce the possibility of a data breach.
Your first order should be to see if any of your firms’ processes that involve technology are updated and secure.
“The opinion states that these efforts may include restoring or implementing technology systems where it is practical, but also declining a technology solution if a task does not require it. The idea here being that internet-enabled services increase a firm’s vulnerabilities,” wrote Jason Tashea in the ABA Journal. As stated in Model Rules 5.1 and 5.3, lawyers must make reasonable efforts to establish internal policies and procedures to detect and resolve conflicts of interest. Monitoring and updating any technological processes within your firm are an easy way to achieve this.
It’s easier for hackers to find and exploit vulnerabilities if they exist, leaving the issue to be magnified when the software publisher or device manufacturer no longer provides support for the product. Old software and devices substantially increase the chances of a data breach because they haven’t been updated to address the latest security threats.
Clients are becoming more tech-savvy and are seeking lawyers who are implementing more secure methods to safeguard their data. In fact, a Microsoft survey found 91 percent of people would stop doing business with a company because of its outdated technology.
Implementing secure communication and collaboration tools like email encryption and secure client portals are a simple way to protect client data.
For example, email encryption is built into many web-based platforms, like Google’s Gmail and Microsoft’s Outlook. There’s another option known as PGP encryption for lawyers seeking more secure communication methods. Secure online client portals that are built in to other software programs is another method to further protect your client’s data.
Communication with clients is key to their representation. As Formal Opinion 477R addresses, lawyers are responsible for protecting client information when communicating digitally. It’s best practice to utilize the tools available to secure — and possibly also encrypt — any digital communications between you and your client.
A report published by Above the Law states that “email is the weakest link for many law firms, with phishing emails being one of the most common types of hacking encountered by lawyers.” Phishing scams or attacks is the practice of fraudulently sending emails from what appears to be a reputable person or company to deceive the recipient into sharing protected client information.
Under Rule 1.6, lawyers are required to preserve the confidentially of information and to prevent the inadvertent disclosure of information relating to the representation of a client. Firms should train their staff on how to recognize and avoid phishing scams or attacks. Keeping your staff up to date on the appropriate handling of sensitive firm as well as client data is as important as keeping software and hardware systems current.
Alternatively, law firms can retain a cyber consultant. Cybersecurity experts can assess your law firm’s vulnerabilities, create incident response measures, and help you set up ways to protect your data. Measures like these are usually conducted by gauging if your law firm can detect or respond to simulated cyber-attack, and then providing practical recommendations to handle your cyber security moving forward.
Even with preventive measures in place, data breaches may still occur.
If this is the case, under Rule 1.4 and as Formal Opinion 483 addresses, lawyers are required to act reasonably and promptly to stop the breach and to mitigate any damage. It is their duty to inform clients of the data breach to the extent that a client can make informed decisions regarding the representation.
Having a protocol in place that everyone is aware of if a data breach occurs is essential for law firms. You will be able to better handle the incident to mitigate risks.
For example, the American Bar Association shares six steps to consider for an incident response plan.
- Verify what happened.
- Who is in charge of the investigation?
- Solve the immediate problem (usually getting hackers out of your network) while preserving the evidence.
- Determine whether you should call in outside experts or use internal resources.
- If a data breach has taken place, what steps does the law require you to take?
- Harden your security so this particular incident can’t happen again.
This acts as a starting point for law firms, and can be strengthened and tailored moving forward.
Data breaches have become prevalent in recent years. It is important to note that cybersecurity is a moving target and your commitment to safeguarding client data should thus be ongoing. Furthermore, it is reasonable to expect that the ABA Standing Committee and state attorney regulators will continue to refine and revise Formal Opinion 483 as technology and related threats evolve.
As one author recently wrote in the ABA Journal, “[m]any of the first ethics opinions on this topic wisely recognized that technology would change over time… with ethics committees acknowledging that accepted security standards would likely change as technology advanced and more secure options became available.”
It is best to be proactive rather than reactive in these situations. Have a plan in place in the event of a data breach. This will allow you to respond quickly and competently in the event of a breach event. Above the Law reports that “it is predicted that by 2020, 60 percent of businesses’ technology budgets will be devoted to detection and response.” The costs associated with a data breach, however, can be far greater.