Risk Update

Risk Roundup — Confidentiality and Security Matters (Even More), Another Firm Under Presidential Fire, ABA Opinion on Client Crime

ABA Formal Opinion 515: “A Lawyer’s Discretion to Report When a Client Commits a Crime Against the Lawyer or Against Someone Associated with, or Related to, the Lawyer” —

  • “A lawyer who is the victim of a crime by a client or prospective client may disclose information relating to the representation to the appropriate authority in order to seek an investigation and potential prosecution of the alleged offender or other services, remedy, or redress. To the extent that the information would otherwise be subject to the lawyer’s duty of confidentiality under Model Rule of Professional Conduct 1.6, the information is subject to an implicit exception to the Rule.”
  • “This implicit confidentiality exception also applies when someone associated with the lawyer or related to the lawyer is a victim of the client’s crime and the lawyer is a witness to that crime.”

“Trump expands clash with law firms with order against Perkins Coie” —

  • “U.S. President Donald Trump on Thursday signed an executive order suspending security clearances for employees of law firm Perkins Coie and targeting the firm’s business with federal contractors, citing its diversity practices and political activities.”
  • “Seattle-founded Perkins Coie has long drawn criticism from Trump allies over its prior work for Trump’s 2016 Democratic election opponent Hillary Clinton.”
  • “The order also directed federal officials to investigate other ‘large, influential, or industry leading law firms’ over their compliance with laws against racial discrimination.”
  • “‘This executive order will suspend security clearances and access to certain federal resources for that law firm and also launch a holistic review of unlawful DEI (diversity, equity and inclusion) practices at some of the nation’s largest law firms,’ Trump aide Will Scharf said during an Oval Office signing event with reporters.”
  • “Perkins Coie in a statement said the executive order is ‘patently unlawful, and we intend to challenge it.’”
  • “The executive order targeting Perkins Coie went further, ordering agencies to require that federal contractors must disclose any business with the firm and saying contracts related to that business may be terminated. The order also said Perkins Coie employees’ ability to access federal government buildings would be restricted to protect U.S. interests and national security.”
  • “White House officials said federal agencies would refrain from hiring Perkins Coie employees ‘unless specifically authorized’ and block business with contractors that work with Perkins Coie because of the firm’s involvement in ‘partisan lawsuits against the United States.’”
  • “Perkins Coie and Covington are among nearly a dozen major U.S. law firms representing clients in lawsuits against the Trump administration, challenging executive actions related to immigration, transgender rights and other issues.”
  • “Legal scholars said they were not aware of a U.S. presidential administration ever taking such official actions against specific law firms in the past.”
  • “University of Minnesota law professor Richard Painter, who served as associate White House counsel from 2005 to 2007, said he could see no direct connection between law firm diversity initiatives and risks to national security that would entail stripping a law firm’s security clearances.”
  • “Perkins Coie is widely known for its legal work for tech companies and other clients. It is defending Alphabet’s Google against a lawsuit by the Republican National Committee accusing the tech giant of sending its emails to users’ spam filters. The firm has represented Amazon in a number of court cases. The companies did not immediately respond to requests for comment.”
  • “Its work for Hillary Clinton’s campaign led to criticisms from Trump supporters, including Elon Musk.”

“The Expanding Cyber Liability Landscape for Attorneys: Upstream and Downstream Risks” —

  • “Attorneys and law firms face increasing cyber liability from multiple directions, including regulators, state attorneys general, and class action litigants. As stewards of highly sensitive client data, legal professionals are being held accountable not only for their own cybersecurity practices but also for those of their vendors and service providers.”
  • “Cybersecurity threats to law firms are intensifying as regulators, clients, and the courts impose stricter requirements on the legal profession’s handling of sensitive data.”
  • “Downstream liability, by contrast, arises when clients, affected individuals, or business partners seek damages due to a law firm’s cybersecurity failures, leading to compliance and negligence claims, breach of fiduciary duty lawsuits, or class actions. Attorneys must navigate these risks while maintaining ethical duties to safeguard client information.”
    “Regulatory and Enforcement Risks (Upstream Liability)”
  • “Federal and State Regulatory Scrutiny”
    • “Regulatory agencies and state authorities are poised to hold attorneys and law firms accountable for cybersecurity failures. Agencies such as the Federal Trade Commission (FTC), the Securities and Exchange Commission (SEC), and state attorneys general have broadened their enforcement actions against businesses, including law firms that fail to maintain reasonable cybersecurity.”
    • “Gramm-Leach-Bliley Act (GLBA): Revised in 2023, the GLBA Safeguards Rule (16 CFR Part 313) covers those entities involved in activities ‘incidental to…financial activities’ of covered institutions and requires both enhanced breach disclosure and reporting requirements.”
    • “SEC Cybersecurity Compliance Requirements: Effective December 2023, Regulation S-K 106, law firms advising publicly traded companies or handling material nonpublic information (MNPI) must comply with SEC cybersecurity disclosure rules, which require firms to assess and disclose cyber risks and incidents. Advisors to covered companies may similarly be subject to heightened regulatory scrutiny.”
    • “Health Insurance Portability and Accountability Act (HIPAA): When counsel is deemed a business associate of a covered entity and experiences a cybersecurity incident involving a covered entity’s PHI, a law firm is subject to investigation and fines for violations of the HIPAA Security Rule (45 CFR Part 160 and Subparts A and C of Part 164). In 2016, Business Associate Catholic Health Care Services of Philadelphia (CHCS) entered into a settlement with the U.S. Department of Health and Human Services in connection with CHCS’s alleged violation of HIPAA’s Security Rule. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html”
    • “State Attorneys General Actions: State attorneys general (AGs) enforce data breach notification laws and consumer protection statutes. Firms failing to report breaches or safeguard consumer data may face investigations, fines, and consent decrees mandating stronger cybersecurity programs. Enforcement actions against law firms have commenced by the New York Attorney General for violations of the New York SHIELD ACT (General Business Law 899-aa and 899-bb). https://ag.ny.gov/press-release/2023/attorney-general-james-secures-200000-law-firm-failing-protect-new-yorkers”
  • “Ethical and Professional Responsibility Risks”
    • “State bar associations and legal ethics committees impose strict obligations on attorneys that unquestionably now include cybersecurity compliance. The ABA Model Rules of Professional Conduct, particularly Rules 1.1 (Competence), 1.6 (Confidentiality), and 5.3 (Supervision of Non-Lawyers), require attorneys to safeguard client data and oversee third-party service providers.”
    • “Failure to implement cybersecurity safeguards can result in disciplinary action, malpractice claims, and reputational damage. Attorneys must not only secure their own systems but also ensure that MSPs entrusted with client data meet equivalent security and compliance standards.”
  • “MSP Risks: Upstream Cyber Liability from Service Providers”
    • “Law firms increasingly rely on third parties (MSPs) for document management, cloud storage, e-discovery, and cybersecurity solutions. While these MSPs enhance efficiency, they also introduce significant upstream liability risks when they experience breaches or fail to comply with legal and ethical obligations.”
      “Common MSP-Related Cyber Risks”
  • “Client and Third-Party Litigation Risks (Downstream Liability)”
    • “Law firms are also vulnerable to downstream liability, as clients, clients or customers of clients, and even non-clients affected by a breach, as well as business partners seek legal recourse after cybersecurity incidents.”
  • “Common Legal Theories in Cyber Liability Lawsuits”
    • “Negligence Claims: Clients may argue that a law firm failed to implement reasonable cybersecurity measures, leading to a data breach that exposed sensitive information.”
    • “Negligence Per Se: Affected individuals may file claims based on violation of cybersecurity laws even where the laws themselves do not provide a private right of action.”
    • “Breach of Fiduciary Duty: Attorneys owe clients a fiduciary duty of confidentiality. A cyber incident exposing client data can lead to claims that the firm breached this duty.”
    • “Breach of Contract: Engagement agreements often contain confidentiality and data security provisions. A breach may result in contractual liability if security commitments are not met.”
    • “Consumer Protection and Privacy Statutes: Clients may sue under state consumer protection laws, the CCPA, or GDPR, seeking statutory damages for improper handling of their data.”
      “Mitigating Downstream Liability”
  • “Provide Client Transparency on Cybersecurity Measures: Firms should educate clients about their cybersecurity practices and clearly define data protection obligations in engagement letters.”
  • “To mitigate these risks, attorneys must adopt proactive cybersecurity governance, including service provider risk management, contractual safeguards, regulatory compliance, and robust client data protection strategies. As cyber threats and legal obligations continue to evolve, law firms that prioritize cybersecurity will be best positioned to protect their clients, their reputations, and their legal standing.”