American Bar Association Issues Data Breach Guidance
On October 17, 2018, the American Bar Association (ABA) released Formal Opinion 483 (the Opinion) which formally recognized that lawyers have an ethical duty to notify clients whose confidential information is compromised by a data breach. The Opinion emphasized that ABA Model Rule 1.1 requires lawyers to “provide competent representation” to clients, including staying abreast of “the benefits and risks associated with relevant technology” in order to utilize technology to safeguard client information, avoid data loss, and detect a data breach. The Opinion provides that this rule also requires lawyers to act reasonably and promptly to stop a breach once it is identified and to mitigate resulting damage.
With respect to the duty to notify clients whose confidential information may have been compromised by a data breach, the Opinion delineated a difference between lawyers’ ethical obligations to notify current clients versus former clients:
- Current Clients: ABA Model Rule 1.4 requires lawyers to keep clients “reasonably informed about the status of [a] matter …” The Opinion found that under this provision “an obligation exists for a lawyer to communicate with current clients about a data breach.”
- Former Clients: ABA Model Rule 1.9(c) requires lawyers to maintain the confidentiality of information relating to former clients. That said, the Opinion found that this provision alone does not create an ethical obligation to communicate with former clients about a data breach.
However, the Opinion acknowledged that lawyers, regardless of their ethical obligations, may have statutory obligations to notify individuals following a data breach, such as under the various state breach notification statutes or other laws. It should be noted that the definition of a “data breach” as set forth in the Opinion is broader than the definition under most state statutes, covering instances where “material client confidential information” is compromised or “where the lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired” by a data incident. Consequently, lawyers may have an ethical obligation under the ABA Model Rules to notify current clients of an incident affecting client information even where they have no legal obligation to do so. Conversely, a lawyer may have no ethical obligation to notify former clients but may still have a statutory obligation to do so.
The Opinion also provided guidance as to how lawyers may notify clients about a data breach, recognizing that any such notification will “depend on the type of breach that occurs and the nature of the data compromised by the breach.” The Opinion expressly highlighted that any notification must provide enough information for the client to “make an informed decision as to what to do next” and for the client to determine what confidential information, if any, was potentially disclosed. It should be noted that all 50 states now have data breach notification statutes, many of which prescribe the content of the notification. (Lewis Brisbois has an Interactive Data Privacy Statute Map that provides a comprehensive review of these notification statutes, plus other information security standards, for all 50 states, Washington, D.C., Guam, Puerto Rico, the U.S. Virgin Islands, Canada, and Australia).
Finally, the Opinion noted the importance of client termination agreements, document retention schedules, and incident response planning – all of which are now more important than ever before given the various threats to our digital infrastructure. Lawyers should consult with experienced data privacy counsel to ensure that their document retention schedules, incident response plans, and other data privacy-related policies and procedures are in line with what is contemplated by ABA Formal Opinion 483. Similarly, lawyers impacted by a data security incident should consult with experienced counsel well-versed in ethical obligations requiring disclosure to current and/or former clients, and with statutory consumer and regulatory notification obligations.
Lewis Brisbois’ dedicated Data Privacy & Cybersecurity team can help determine your regulatory obligations under this new opinion.