A few years ago there were bar association advisory opinions on whether lawyers could use email or cloud computing at all. Now almost everyone uses at least a smartphone with cloud computing capability. What should you do if your device is lost or stolen, or you suspect that there may have been a data breach? California has released a new advisory opinion, No. 16-0002. The opinion covers a number of situations in which the lawyer has reason to fear or believe that client data was accessed by a hacker, and discusses several examples, from a lost phone (which is recovered quickly) to a missing laptop. The bottom line is that where there is a reasonable suspicion of an intrusion into a device, the lawyer must notify the clients involved.
In one of the examples an attorney visits a cafe and connects to what he believes to be the cafe’s free Wi-Fi. The attorney later learns that the “free Wi-Fi” network did not belong to the cafe but was a rogue access point set up by a bad actor or hacker, and that client documents on his device were accessed through it. What is the lawyer to do?
According to the opinion, once he learns of the data breach the lawyer must notify the client that there was an intrusion into his laptop and that the client company’s confidential information was accessed by some unknown person. The opinion insists that lawyers should not be held to a strict liability standard when it comes to data theft or loss. The example above is distinguished from the typical situation where a lawyer leaves his phone or iPad at a restaurant and retrieves it the next day. Because the device is password protected and was recovered promptly, the opinion concludes that there is no reasonable suspicion the missing device was accessed improperly, and so no duty to notify clients. One practical caveat: a lock-screen password only protects the data on a lost device if the device’s storage is also encrypted (as it is on current phones and on laptops with full-disk encryption turned on); without encryption the storage can be read directly, password or not.
ABA Formal Opinion No. 18-483
ABA Formal Opn. No. 18-483 (Lawyer’s Obligations After an Electronic Data Breach or Cyberattack) provides a useful list of competence-based duties that explain the requirement of “reasonable efforts” in addressing the potential for inadvertent disclosure of confidential client information due to a data breach:
• The obligation to monitor for a data breach: “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” Id. at p. 5.
• When a breach is detected or suspected, lawyers must “act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” Id. at p. 6. A preferable approach is to have a data breach plan in place “that will allow the firm to promptly respond in a coordinated manner to any type of security incident or cyber intrusion.” Id. at p. 6.
• Investigate and determine what happened: “Just as a lawyer would need to assess which paper files were stolen from the lawyer’s office, so too lawyers must make reasonable attempts to determine whether electronic files were accessed, and if so, which ones. A competent attorney must make reasonable efforts to determine what occurred during the data breach.” Id. at p. 7.
ABA Formal Opn. No. 18-483 describes a “data breach” as a “data event where material client confidential information is misappropriated, destroyed, or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” ABA 18-483 at p. 4. Thus, not all events involving lost or stolen devices, or unauthorized access to technology, would necessarily be considered a data breach. Consistent with their obligation to investigate a potential data breach, however, lawyers and law firms should undertake reasonable efforts, likely through the use of individuals with expertise in such investigations, to ascertain, among other things, the identity of the clients affected, the amount and sensitivity of the client information involved, and the likelihood that the information has been or will be misused to the client’s disadvantage. This will assist in determining whether there is a duty to disclose. If the lawyer or law firm is unable to make such a determination, the client should be advised of that fact. Id. at p. 14.
Lawyers and clients may also differ as to what events would trigger the duty to disclose. The key principle, however, in considering whether an event rises to the level of a data breach, is whether the client’s interests have a “reasonable possibility of being negatively impacted.” ABA 18-483 at p. 11. Disclosure is certainly required in situations where a client will have to make decisions relevant to the breach, such as whether to take mitigating steps to prevent or minimize the harm, or how the client’s matter should be handled going forward in light of the breach. When in doubt, lawyers should assume that their clients would want to know, and should err on the side of disclosure.
Passwords and Security Measures
If a lawyer failed to protect a device with a password, I believe that there might be grounds for a professional complaint or lawsuit. The opinion does not go this far, but I believe that every device containing client confidences should be protected by a strong password.
If you have a question about an ethics issue, do not hesitate to contact me. The sooner you get impartial advice the better. Many problems can be solved by seeking the advice of a disinterested ethics lawyer.