Login | February 21, 2020

ABA issues formal ethics opinion on cyber attacks against attorneys

Technology for Lawyers

Published: August 23, 2019

As we know, almost all of the top 50 law firms have been hacked in the last year or two. Lazy data security causes lawsuits and ethical violations; maybe this new rule will help prevent that.

About 25 years after I published my first piece on the potential of cyberattacks against law firms (when most law firms weren’t even connected to the internet yet), the ABA has promulgated ABA Formal Opinion 483,: “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack.” It details the responsibilities of attorneys to both prevent cyberattacks and to appropriately respond to them once they are detected.

The new rule covers actions that attorneys need to take to avoid ethical problems in relating to stored client data. Not to beat a dead horse to death, but attorneys have had an ethical obligation under Model Rules 1.1, 5.1 and 5.3 to safekeep this data; the new rule just breaks down the actual actions lawyers should be taking to conform to that obligation.

Part 1 of the rule details efforts lawyers should take to prevent data breaches. Lawyers are only under an obligation to take ‘reasonable” actions to guard against data theft. There is no absolute responsibility, and “reasonable” is not defined granularly (because, I assume, that term changes as technology changes). What is new here is a step-by-step guide to protecting client data after the attorney-client relationship is terminated.

Part 2 of the opinion deals with what lawyers should do after a breach is detected or suspected. The first step is to stop the breach, and then determine what happened and the extent of damage. Next is notice to clients, along with a duty to keep the clients apprised on an ongoing basis of developments.

Because the standard of care here is “reasonable,” clients may have a difficult time proving either an ethical violation or breach of contract or some kind of tort if all of these steps are followed. But we’ll see.

The opinion is available on the ABA website, or a Google search will bring up a link to a PDF. Will lawyers now take data security seriously? Who knows? If nothing else, this is a selling point now for law office computer security folks.