The Model Rules of Professional Conduct provide that “[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Model Rules of Prof’l Conduct R. 1.1 cmt. 8. Maintaining computer security is both a business responsibility and an ethical obligation for all lawyers. Additionally, attorneys are charged with the ethical obligation to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. Id. R. 1.6(c). The need for attorneys to maintain current security protocols for the technology used in their offices has never been more pressing.
Computer “hackers” have infiltrated thousands of computer systems belonging to everyone from private individuals to government entities, and litigation firms have increasingly been targeted. A recent article recounts the experience of several firms involved in litigation arising out of the 9/11 attacks, including the ransoming of sensitive and confidential information that had been stored on the firms' systems. Dan Packel, “Dark Overlord” Hack Shows Mounting Cyber Risks for Law Firms, The American Lawyer (Jan. 7, 2019). In another case, hackers destroyed files of the global law firm DLA Piper in 2017, requiring expensive and time-consuming reconstruction of systems and documents.
These types of attacks led to the publication of ABA Standing Comm. on Ethics & Prof'l Responsibility, Formal Op. 483 (2018), which offers guidance to attorneys on how to ethically handle the aftermath of such an attack. The opinion does not create new duties; it explains how existing ethical obligations are triggered when a data breach occurs “involving, or having a substantial likelihood of involving, material client information.” Other obligations may arise under privacy laws or regulations, for example if protected health information covered by the Health Insurance Portability and Accountability Act (HIPAA) is stored on a law firm's computer systems, but the ABA Opinion addresses only the ethical obligations a firm holds to remain competent, to protect client confidences, and to communicate promptly with clients. The opinion also encourages attorneys to adopt and follow a “paper and electronic document retention schedule, which meets all applicable laws and rules, to reduce the amount of information relating to the representation of former clients that the lawyers retain,” since information a firm no longer holds cannot be exposed in a breach.
When such a breach occurs, notification to current clients is required regardless of the security measures the firm had in place; reasonable safeguards reduce the likelihood of a breach, but they do not excuse the duty to communicate once one happens.
In a data breach scenario, the minimum disclosure required to all affected clients under Rule 1.4 is that there has been unauthorized access to or disclosure of their information, or that unauthorized access or disclosure is reasonably suspected of having occurred. Lawyers must advise clients of the known or reasonably ascertainable extent to which client information was accessed or disclosed. If the lawyer has made reasonable efforts to ascertain the extent of information affected by the breach but cannot do so, the client must be advised of that fact.
While any law firm may suffer a security breach regardless of the safeguards a reasonably managed law office puts in place, attorneys have an ethical obligation to take reasonable steps to safeguard their email and computer data systems, and to promptly notify their clients should a breach occur.