eDiscovery Daily Blog

What’s a Lawyer’s Duty When a Data Breach Occurs within the Law Firm: Cybersecurity Best Practices

When I spoke at the University of Florida E-Discovery Conference last month, there was a question from the live stream audience about a lawyer’s duty to disclose a data breach within his or her law firm.  I referenced the fact that all 50 states (plus DC, Guam, Puerto Rico and the Virgin Islands) have security breach notification laws, but I was not aware of any specific guidelines or opinions relating to a lawyer’s duty regarding data breach notification.  Thanks to an article I came across last week, I now know that there was a recent ABA opinion on the topic.

An article written by Anton Janik, Jr. of Williams Mitchell and originally published in the 2019 Winter edition of The Arkansas Lawyer and republished on JD Supra (The Lawyer’s Duty When Client Confidential Information is Hacked From the Law Firm, hat tip to Sharon Nelson’s terrific Ride the Lightning blog for the reference) takes a look at a lawyer’s duties following a data breach and discusses the requirements of ABA Formal Opinion 483, which was issued in October 2018.

Janik begins his article by referencing the DLA Piper NotPetya ransomware attack in 2017, as follows:

“Imagine it’s a usual Tuesday morning, and coffee in hand you stroll into your office. Right inside the door, you see a handwritten notice on a big whiteboard which says: All network services are down, DO NOT turn on your computers! Please remove all laptops from docking stations & keep turned off. *No exceptions*

Finding this odd, you turn to your firm receptionist who tells you that the firm was hit with a ransomware attack overnight, and that if you turn on your computer all of your files will be immediately encrypted, subject to a bitcoin ransom.”

That’s what happened to DLA Piper, and the 4,400-attorney law firm was “reduced to conducting business by text message and cell phone” until the situation was resolved, requiring 15,000 hours of overtime IT assistance, though it sustained no reported loss of client confidential information.

Of course, as you probably know by reading this blog, the DLA Piper situation isn’t unique.  A recent American Bar Association report stated that 22% of law firms reported a cyberattack or data breach in 2017, up from 14% the year before.

The ABA Opinion discusses three duties under its Model Rules: the duty of competence, the duty of communication, and the duty of confidentiality. While the ABA Opinion focused narrowly upon the ethical duties it sees arising between an attorney and client, it is important that you understand “the types of data you work with, and keep yourself abreast of what laws, regulations and contractual provisions govern its loss” (I just pointed you to a resource for breach notification laws up above).

Janik’s article covers stopping the breach, restoring systems, and determining what happened and what caused it. Best practices (and often your cybersecurity insurance coverage) dictate that your law firm should draft, and regularly train on, a breach response plan that defines personnel roles and the procedural steps to follow in assessing and addressing any given breach, including through the use of outside vendors whose engagement may be contractually prearranged.

When a breach is discovered, the ABA Opinion finds that the duty of competence under Model Rule 1.1 requires the attorney to act reasonably and promptly to stop the breach and mitigate the damage, using “all reasonable efforts” to restore computer operations to be able to continue client services.  And, Model Rule 1.4 requires that an attorney keep the client “reasonably informed about the status of the matter.”

So, now I know – which means you know too.  :o)

So, what do you think?  Were you familiar with ABA Formal Opinion 483?  Does your firm have a formalized breach response plan?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.