What Should You Do If Your Device Is Hacked?

A few years ago there were bar association advisory opinions on whether lawyers could use email or cloud computing. Now almost everyone uses at least a smartphone with cloud computing capability. What should you do if your device is lost or stolen or you suspect that there may have been a data breach? California has released a new advisory opinion, No. 16-0002. The opinion covers a number of situations where the lawyer has reason to fear or believe that client data was accessed by a hacker. The opinion discusses several examples, from a lost phone (which is recovered quickly) to a missing laptop. The bottom line is that where there is a reasonable suspicion of an intrusion into a device, the lawyer must notify the clients involved.

In one of the examples an attorney visits a cafe and uses what he believes to be the free wifi. The attorney later learns that the “free wifi” network did not belong to the cafe but was the creation of some bad actor or hacker. The attorney realizes that client documents on his device were accessed. What is the lawyer to do?

According to the opinion, once he learns of the data breach the lawyer must notify the client that there was an intrusion into his laptop and that the company’s confidential information was accessed by some unknown person. The opinion insists that lawyers should not be held to a strict liability standard when it comes to data theft or loss. The example above is distinguished from the typical situation where a lawyer leaves his phone or iPad at a restaurant and retrieves it the next day. Since the device is password protected, there is no danger to clients that the missing device was accessed improperly.

The ABA Opinion No. 18-483

ABA Formal Opn. No. 18-483 (Lawyer’s Obligations After an Electronic Data Breach or Cyberattack) provides a useful list of competence-based duties that explain the requirement of “reasonable efforts” in addressing the potential for inadvertent disclosure of confidential client information due to a data breach:

• The obligation to monitor for a data breach: “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” Id. at p. 5.

• When a breach is detected or suspected, lawyers must “act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.” Id. at p. 6. A preferable approach is to have a data breach plan in place “that will allow the firm to promptly respond in a coordinated manner to any type of security incident or cyber intrusion.” Id. at p. 6.

• Investigate and determine what happened: “Just as a lawyer would need to assess which paper files were stolen from the lawyer’s office, so too lawyers must make reasonable attempts to determine whether electronic files were accessed, and if so, which ones. A competent attorney must make reasonable efforts to determine what occurred during the data breach.” Id. at p. 7.

ABA Formal Opn. No. 18-483 describes a “data breach” as a “data event where material client confidential information is misappropriated, destroyed, or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” ABA 18-483 at p. 4. Thus, not all events involving lost or stolen devices, or unauthorized access to technology, would necessarily be considered a data breach. Consistent with their obligation to investigate a potential data breach, however, lawyers and law firms should undertake reasonable efforts, likely through the use of individuals with expertise in such investigations, to ascertain, among other things, the identity of the clients affected, the amount and sensitivity of the client information involved, and the likelihood that the information has been or will be misused to the client’s disadvantage. This will assist in determining whether there is a duty to disclose. If the lawyer or law firm is unable to make such a determination, the client should be advised of that fact. Id. at p. 14.

Lawyers and clients may also differ as to what events would trigger the duty to disclose. The key principle, however, in considering whether the event rises to the level of a data breach, is whether the client’s interests have a “reasonable possibility of being negatively impacted.” ABA 18-483 at 11. Certainly disclosure is required in situations where a client will have to make decisions relevant to the breach, such as the need to take mitigating steps to prevent or minimize the harm, or to analyze how the client’s matter should be handled going forward in light of a breach. When in doubt, lawyers should assume that their clients would want to know, and should err on the side of disclosure.

Passwords and Security Measures

If a lawyer failed to protect a device with a password, I believe that there might be grounds for a professional complaint or lawsuit. The opinion does not go this far, but I believe that every device containing client confidences should be protected by a strong password.

If you have a question about an ethics issue, do not hesitate to contact me. The sooner you get impartial advice the better. Many problems can be solved by seeking the advice of a disinterested ethics lawyer.


West Virginia Suspends Criminal Lawyer for 120 Days for Failing To Meet Appeal Deadlines

The case is captioned Lawyer Disciplinary Board v. Sayre, 18-0617, West Virginia Supreme Court. Sayre represented a client in a case where the client was convicted of attempted murder. Sayre missed several deadlines in the appeal process. The court set forth the facts as follows:

The events that led to Mr. Sayre’s conduct underlying this disciplinary proceeding first originated in 2016 when Mr. Sayre was appointed to be counsel in a criminal matter arising in Wood County. An order adjudging Mr. Sayre’s client guilty upon a jury verdict of guilty to the offense of second-degree murder was entered by the Circuit Court of Wood County on March 14, 2016. Mr. Sayre and another attorney were then appointed as appellate counsel. On March 15, 2016, Mr. Sayre filed a request for transcripts in the case. Three days later, he filed a notice of appeal with the Supreme Court of Appeals of West Virginia. A scheduling order was entered by the Supreme Court of Appeals of West Virginia on April 1, 2016, setting the deadline for perfecting the appeal as July 15, 2016.

Mr. Sayre did not perfect the appeal before the deadline. On July 22, 2016, a notice of intent to sanction was entered by this Court, directing him to perfect the appeal within ten days and show good cause as to why the appeal was not timely perfected. On August 9, 2016, Mr. Sayre filed a motion to extend the deadline and requested an additional sixty days to perfect the appeal, noting that he had received the trial transcript within the past thirty days. His motion was granted, and the deadline for perfecting the appeal was extended to September 15, 2016.

Mr. Sayre filed two more motions to extend the deadline to perfect the appeal—both of these motions were untimely. In his motion dated September 16, 2016, he requested an additional sixty days to perfect the appeal and asserted that he had not been able to completely review the transcripts or obtain feedback from his client to complete the brief. This motion was granted, and he was ordered to perfect the appeal on or before October 17, 2016. Later, on October 26, 2016, he filed another motion to extend, citing an overload of appointed work and a recent illness, and advised that he would have the appeal perfected by October 28, 2016. Mr. Sayre did not file the appeal by October 28, 2016, and the Court entered another notice of intent to sanction on November 4, 2016, directing him to file the brief within fifteen days, and show cause as to why the appeal was not perfected timely. Mr. Sayre filed his brief on January 4, 2017. This Court considered the appeal on the merits and issued a unanimous decision affirming the order sentencing Mr. Sayre’s client.

Sayre was found to have engaged in violations of the following rules:

A Statement of Charges was issued against Mr. Sayre, and filed with this Court on July 9, 2018. It set forth the following alleged violations of the West Virginia Rules of Professional Conduct: Rules 1.1 and 1.2(a) for failure to provide competent representation to his clients consistent with their stated objectives of timely pursuing appeals; Rule 1.3 for failure to diligently pursue his clients’ appeals; Rules 1.4(a) and 1.4(b) for failure to adequately keep his clients informed and for failure to communicate; Rule 3.2 for failure to make efforts to expedite appeals consistent with the desires of his clients; Rules 3.4(c) and 8.4(d) because he repeatedly violated the Rules of Appellate Procedure by failing to comply with multiple orders issued by the Supreme Court of Appeals of West Virginia.

Sayre was also charged with exchanging text messages of a sexual nature with another criminal client. This was found to violate Rules 1.8(j) and 8.4(a).