Risk Update

(Security Week) Lawyer Edition — Safeguarding Standards and Breach Response Responsibilities

David G. Ries, of counsel at Clark Hill reminds all: “Safeguarding Client Data: An Attorney’s Duty to Provide ‘Reasonable’ Security” —

  • “Confidential data in computers and information systems, including those used by attorneys and law firms, faces greater security threats today than ever before… Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and also often have contractual and regulatory duties to protect confidential information.”
  • “The ABA has issued two formal ethics opinions on security topics since the 2012 rules amendments. ABA Formal Opinion 477, “Securing Communication of Protected Client Information” (May 2017), while focusing on electronic communications, also explores the general duties to safeguard information relating to clients in light of current threats.”
  • “In October, the ABA published Formal Opinion 483, ‘Lawyers’ Obligations After an Electronic Data Breach or Cyberattack.’ It reviews lawyers’ duties to safeguard data and concludes ‘[w]hen a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these model rules.'”
  • “Law firms are increasingly obtaining cyberinsurance to transfer some of the risks of confidentiality, integrity and availability of data in their computers and information systems. This emerging form of insurance can cover gaps in more traditional forms of insurance, covering areas like restoration of data, incident response costs, and liability for data breaches.”

ABA issues new guidance on lawyer obligations after a cyber breach or attack” —

  • “‘How a lawyer does so in any particular circumstance is beyond the scope of this opinion. As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach. The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.'”
  • “In addition, lawyers should recognize that in the event of a data breach involving former client information, data privacy laws, common law duties of care, or contractual arrangements with the former client relating to records retention, may mandate notice to former clients of a data breach. A prudent lawyer will consider such issues in evaluating the response to the data breach in relation to former clients.”