ABA-483
In addition to complying with the guidance in ABA LEO 477R (5/11/17), lawyers dealing with a data breach or cyberattack ("a data event where material client confidential information is misappropriated, destroyed, or otherwise compromised, or where a lawyer's ability to perform legal services for which the lawyer is hired is significantly impaired"):

(1) must comply with their competence duty, including monitoring for data breaches (making "reasonable efforts," because not immediately detecting a data breach may not constitute an ethics violation);

(2) must "act reasonably and promptly to stop the breach and mitigate damage resulting from the breach" (and "should consider proactively developing an incident response plan");

(3) must make "reasonable attempts to determine whether electronic files were accessed, and if so, which ones";

(4) must comply with their confidentiality duty (although lawyers' competence in preserving client confidences "is not a strict liability standard and does not require the lawyer to be invulnerable or impenetrable"), including considering any implied authorization to disclose client confidences to law enforcement to the extent reasonably necessary to assist in "ending" the breach or recovering stolen information, in light of considerations such as the disclosure's harm to the client;

(5) must advise current clients about such a data breach or cyberattack (whether or not client data deserves protection under Rule 1.15, which remains an "open question");

(6) in responding to a data breach or cyberattack involving former clients' data, consider "reach[ing] agreement with clients before conclusion, or at the termination, of the relationship about how to handle the client's electronic information that is in the lawyer's possession" (noting that "the Committee is unwilling to require notice [of a data breach or cyberattack] to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice");

(7) consider their obligation to notify clients depending on the type of breach (for instance, lawyers need not alert their clients of a ransomware attack if "no information relating to the representation of a client was inaccessible for any material amount of time, or was not accessed by or disclosed to unauthorized persons"); and

(8) must comply with state and federal law if "personally identifiable information or others is compromised as a result of a data breach".