Lawyers May Need to Inform Former Clients of Data Breaches
| Author | Amy Mattson |
| Pages | 8-8 |
awyers must notif y both current
and former clie nts when a data
breach occurs invol ving mate-
rial client information, accord-
ing to Opinion No . 220
by the Maine Profess ional Ethics
Commission . The stance departs
from ABA Formal O pinion No. 483,
which requires informing only current
clients of a cybe rattack. Th ough the
Maine commis sion agreed with th e
ABA’s analysis about current clients,
it concluded tha t the state’s rules
caused expanded client notification
obligations.
In Opinion 48 3, the ABA Standing
Committee on Ethi cs and Professional
Responsibilit y reviewed Model Rule 1.9
addressing du ties to former clients and
Rule 1.16 disc ussing confidentiality of
information. I t concluded that because
neither rule de scribes what steps a
lawyer should ta ke if a breach involved
electronic inf ormation relating to a for-
mer client, “[t]h e Committee is unwill-
ing to require notice to a for mer client
as a matter of legal e thics in the ab-
sence of a black let ter provision requir-
ing such notice.”
Lawyers shoul d follow, however, best
practices in handling clients’ electronic
files, which may include adopting docu-
ment retention sch edules, said the com-
mittee. It also c autioned that attorneys
may have other obligatio ns under data
privacy laws, com mon law, and contract
law that require the m to tell former cli-
ents if a breach com promised their
information.
Maine’s commiss ion held that for-
mer clients are “e ntitled to no less pro-
tection and can dor than a current
client in the case o f compromised se-
crets and confid ences.” Maine Rule of
Professional Conduct 1.9 diers from
ABA Model Rul e 1.9 by stipulating that
an attorney shoul d not reveal confi-
dences or secret s of a former client.
“The duty of co nfidentiality survives
the termination of th e client-lawyer re-
lationship,” the co mmission said. The
Lawyers May Need to Inform Former
Clients of Data Breaches
lawyer must time ly inform a former
client if a cyberat tack or data breach
exposed client con fidences, the opin-
ion stated.
The Maine comm ission agreed with
the ABA opinion th at lawyers need not
tell clients if the br each compromised
no confidentia l information and a cy-
berattack di d not significantly aect
their represen tation. A lawyer’s ethical
obligation in that c ase would be lim-
ited to reasonable e orts to prevent
a reoccurrence , the commission said.
For example, a lawye r or law firm may
need to install o r update security sys-
tems or get added d ata breach pre-
vention and techno logy training, the
Maine opinio n stated.
“The Maine o pinion uses the word
‘when’ and not ‘ if’ in reference to cy-
berattacks ,” says John M. Barkett,
Miami, FL, coc hair of the ABA Section
of Litigation’s Ethics & Prof essionalism
Committee. “Attorneys c annot avoid a
data breach,” h e opines.
Nicole M. Reid , Orlando, FL, sub-
committee coch air of the Section
of Litigation’s Professi onal Liability
Litigation Commi ttee, agrees and
notes practices of a ny size can be tar-
gets. “Although ma ny solo practi-
tioners and sm all firm owners think
they will never be a likely ta rget of
hacking, that i s absolutely not the
case.Hacker s understand that small
firms often have les s-secure technolo-
gy measures, a nd that makes them an
easy target,” Re id says.
To detect and minimize data
breaches, “ train the people who
use your systems to reco gnize how
a hacker can gain a ccess and train
them to underst and when an email is
a phishing ema il,” Barkett suggests.
He also encour ages attorneys to de-
ploy enhanced se curity protocols and
check in with techn ology vendors.
“Two-factor authenti cation is some-
thing lawyers ne ed to consider. And
if you are at a small firm , confirm that
your IT vendor is tak ing steps that
By Amy Mattson, Litig ation News Asso ciate Editor
permit you to comply wit h the rules of
professional conduct,” Barkett says.
But when a data bre ach happens,
“a lawyer must act re asonably and
promptly to stop the brea ch and to
mitigate damage re sulting from the
breach,” Reid n otes. “Generally, the
process should include identification
and evaluation of the i ntrusion, sup-
pression of the thre at/malware, a de-
termination of what d ata may have
been accesse d or compromised, and
restoration of the inte grity and security
of the firm’s network ,” she says.
Additionally, Reid emphasizes the
need for eec tive communication with
clients. “I f the lawyer has been able to
identify what c lient information was
accessed or disc losed, that informa-
tion should be conveyed .If the lawyer
has made reaso nable eorts to deter-
mine the extent of the i nformation ac-
cessed, but ha s been unable to do so,
the client shoul d be advised of that as
well,” Reid says.
Lawyers shoul d consider a com-
prehensive approach to cybersecuri-
ty and client noti fication after a data
breach. “You nee d to look at all facts
and circumstances, including the na-
ture of breach, how it h appened, and
whether it compro mises a client’s
confidence in you r ability to protect
them. Lawyer s must also look at their
individual st ate ethics rules and opin-
ions to determine th eir disclosure ob-
ligations and dis cern whether their
state follows the guid ance from Maine
or the ABA,” con cludes Barkett.
RESOURCES
David G. Ries , “2018 Cybersec urity,”
TechReport 2018 (Jan. 28, 2019).
Jason Tashea, “ABA et hics opinion oers
guidance on d ata breaches,” ABA J .
(Oct. 17, 2018).
8 | S ECTION OF LITIGATION
Published in Litigation News Volume 46, Number 2, Wint er 2021. © 2021 by the Americ an Bar Association. Re produced with per mission. All rights res erved. This infor mation or any portio n thereof may not be c opied or disseminated in any
form or by any means or sto red in an electronic da tabase or retrieval sy stem without the ex press writt en consent of the Amer ican Bar Associatio n.
ETHICS STR UGGLES IN THE LEGAL WOR LD
To continue reading
Request your trial