The ABA Provides Guidance to Lawyers on How to Handle Breaches of Client Data

Lawyers must take reasonable steps to keep confidential client information secure, and the ABA Standing Committee on Ethics and Professional Responsibility has recently issued a formal opinion—Formal Opinion 483—that reaffirms that duty. The opinion also provides guidance to help lawyers meet this duty.

The new opinion builds on Formal Opinion 477R, which set forth lawyers’ ethical obligation to make reasonable efforts to secure confidential client information obtained via electronic communication. Formal Opinion 483 picks up where Formal Opinion 477R left off by addressing how lawyers should handle breaches of client data.

Specifically, Formal Opinion 483 directs lawyers as to what to do after a data breach: “[w]hen a breach of protected client information is either suspected or detected, Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” 

Formal Opinion 483 further recommends that lawyers, as a matter of best practices, “consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach.” Moreover, “[t]he decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach (emphasis added).”

The opinion adds that although lawyers may comply with the Model Rules and may make reasonable efforts to prevent disclosure of confidential client information, data breaches will inevitably occur. When they do occur, attorneys “have a duty to notify clients of the breach under Model Rule 1.4 in sufficient detail to keep clients ‘reasonably informed’ and with an explanation ‘to the extent necessary to permit the client to make informed decisions regarding the representation.’”

The bottom line remains that the lawyer must make reasonable efforts to (1) prevent the breach, (2) determine the extent of the damage, (3) mitigate the loss, and (4) prevent the breach from reoccurring.

Read the full opinion here.
