Attorney duties after cyber breach addressed

The American Bar Association Standing Committee on Ethics and Professional Responsibility recently released Formal Opinion 483 that reaffirms the duty that lawyers have to notify clients of a data breach and details reasonable steps for them to take to meet obligations set forth by ABA model rules.

The opinion underscores the importance for lawyers to both plan beforehand for an electronic breach or cyberattack and to understand how model rules come into play when an incident is either detected or suspected.

Specifically, these ABA Model Rules of Professional Conduct might apply to such an incident:

• Model Rule 1.1 (competence), which requires lawyers to develop sufficient competence in technology to meet their obligations under the rules after a breach.

• Model Rule 1.15 (safekeeping property), which requires lawyers to protect trust accounts, documents and property the lawyer is holding for clients or third parties.

• Model Rule 1.4 (communication), which requires lawyers to take reasonable steps to communicate with clients after an incident.

• Model Rule 1.6 (confidentiality), which covers issues dealing with confidentiality of the client-lawyer relationship.

• Model Rule 5.1 (lawyer oversight), which addresses the added responsibilities of a managing partner or supervisory lawyer.

• Model Rule 5.3 (nonlawyer oversight), which addresses the responsibilities of those in supervisory capacities who are nonlawyers.

“When a breach of protected client information is either suspected or detected,” the opinion states, “Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.

“How a lawyer does so in any particular circumstance is beyond the scope of this opinion. As a matter of preparation and best practices, however, lawyers should consider proactively developing an incident response plan with specific plans and procedures for responding to a data breach. The decision whether to adopt a plan, the content of any plan and actions taken to train and prepare for implementation of the plan should be made before a lawyer is swept up in an actual breach.”

The ABA Standing Committee on Ethics and Professional Responsibility periodically issues ethics opinions to guide lawyers, courts and the public in interpreting and applying ABA model ethics rules to specific issues of legal practice, client-lawyer relationships and judicial behavior.


  1. No comments
Sign in to post a comment »