The Ubiquitous Threat of a Data Breach: Your Ethical Duties to Mitigate the Risks
Attempted and actual data breaches involving attorneys and their clients are increasing in frequency, sophistication and severity. Lawyers need to protect clients’ privileged communications and other sensitive information, and employing the right strategies and tools can reduce the risk of a data breach. This article addresses the ethical issues that can arise from a breach, explains the applicable ethical rules, and provides practical tips to assist you if you encounter one.
The Ethical Issues of a Data Breach for Attorneys/Law Firms
Attorneys’ use of computers, cloud storage and portable electronic devices is now ubiquitous and has increased the risk of unauthorized access to confidential client information. This risk extends from the solo practitioner who loses the cell phone she uses to email and text clients, to a 100-person law firm whose offsite cloud server is hacked by a cybercrime syndicate. A Verizon 2023 data breach investigation report found that “74% of breaches involve the human element which includes social engineering attacks, errors or misuse.” Yes, you are only one click away from a cyber breach. The consequences can be extensive and lead to serious legal issues, including the inability to access firm information after ransomware is installed, the revelation of attorney-client communications through compromised email accounts, public leaks of privileged information and potential legal malpractice lawsuits.
Your Ethical Obligations
It is your duty to protect client data and to disclose an error if a breach occurs. Under California Rule of Professional Conduct 1.1 (Competence), you have a duty to understand the benefits and risks associated with the technology you use. Rule 1.6 (Confidential Information of a Client) and Business & Professions Code Section 6068(e) mandate that you safeguard your clients’ confidences and secrets and make reasonable efforts to protect such information from unauthorized disclosure or destruction. Finally, if a data breach occurs, Rule 1.4(a)(3), which governs communications with clients, and Business & Professions Code Section 6068(m) require you to disclose the breach to your client. This is part of your duty to report “significant developments” in the representation.
The California State Bar Committee on Professional Responsibility and Conduct (COPRAC) has issued Formal Opinion No. 2020-203, which discusses these various rules and statutes. It provides “hypothetical” scenarios to assist attorneys in navigating the ethical issues that can occur if there is a data breach. The opinion points out that “while attorneys are not required to become technology experts and master the complexities and deficiencies of the security features of each technology available,” attorneys owe clients a duty to have a basic understanding of the technology they use. The committee also recommended the use of “someone who possesses the necessary knowledge, such as an information technology consultant.”
In addition, the American Bar Association Standing Committee on Ethics and Professional Responsibility has authored a 16-page Formal Opinion No. 483, entitled “Lawyers’ Obligations after an Electronic Data Breach or Cyber Attack.” It discusses many of the same issues and rules that the COPRAC opinion addresses.
Practical Tips to Mitigate Your Risk
To comply with your professional obligations and standards, you and your firm should implement the following strategies to mitigate data security risks:
(1) Prepare a Cyber Security Plan. Create a “best practices” policy for remote access, use of email and texts, and use of social media. The plan should also include how you will remedy a cyber attack.
(2) Use Technology Safeguards. This may involve implementing user authentication and limiting user access.
(3) Perform Periodic Training and Monitoring. To keep ahead of the hackers and cybercriminals, attorneys should employ training to educate themselves and staff on data breach risks. In addition, periodic monitoring should occur to ensure that the technology used to protect information is updated.
(4) Implement Third-Party Vendor Checks. Many attorneys use third-party billing programs, office management software, and offsite server file storage. It is extremely important before using these services and vendors to ensure they have reasonable security protections in place, since they will have access to confidential client information.
(5) Secure Your Mobile Devices. Your cell phone, laptop computer or electronic tablet should have strong password protection, multi-factor authentication, and a “lost and found” feature in case the device is lost or stolen. The COPRAC opinion cited above provides a real-life scenario describing an attorney’s use of a coffee shop’s public Wi-Fi network, which allowed a hacker to gain access to a client’s patent application.
(6) Obtain Client Consent to Use Electronic Communications and Limit File Retention in Your Fee Agreement. In your written fee agreement it is advisable to include provisions for client consent to the use of electronic communication. You should also include a provision outlining your client file retention policy. There is no California Rule of Professional Conduct that states how long you must retain a client’s file. Therefore, a contractual provision in your fee agreement can explain how long the file is retained and how the client can retrieve it. This is advisable because the longer the file is retained, the longer it is susceptible to a data breach or cyber attack. The State Bar website has sample form fee agreements with these optional clauses for your use.
(7) Purchase Cyber Liability Insurance. Many errors and omissions policies have cyber liability protection. Although the type of coverage varies depending on the insurance company, typically the policy will cover the following: (a) privacy liability coverage, providing a defense and indemnity if a lawsuit is filed; (b) regulatory cost coverage, which pays for fines and penalties from state and federal agencies; and (c) security breach response coverage, which provides notice to clients and may also include credit monitoring if the breach concerns financial information.
Technology is a critical component of our legal profession. Its use produces many benefits that improve communication with our clients, but it also produces challenges and risks. As a result, we must consider and address them so we can fulfill our ethical duties to our clients. Understanding the ethical rules that apply to data breaches and applying these practical tips can go a long way toward reducing your risk of a data breach.