The Ethics of Dealing with a Data Breach

Ellen Lockwood, ACP, RP

It seems that at least once a week there is a report of a company experiencing a data breach. These data breaches are the result of hackers infiltrating a company’s computer networks specifically to access confidential information.

Because of the nature of their work, law firms have quite a bit of confidential information regarding their clients. This makes law firms particularly appealing targets for cyberattacks. Recently, several well-known law firms were the subject of cyberattacks. The hackers were likely seeking confidential information to utilize for insider trading schemes.

Attorneys and their staff have an ethical responsibility to maintain the confidentiality of client information. Comment 8 of Rule 1.01 of the Texas Disciplinary Rules of Professional Conduct states in part that “each lawyer should strive to become and remain proficient and competent in the practice of law, including the benefits and risks associated with relevant technology” (emphasis added). This includes storage of the information, restricting access to the information, and controlling confidential information when communicating with clients. Attorneys and their staff should research the appropriate technology and best practices, and update their methods as appropriate.

Unfortunately, despite efforts to keep confidential information safe, it is more and more likely that law firms will experience a data breach. When a data breach occurs, attorneys and their staff should be aware of the ethical responsibilities and legal obligations they owe the firm’s clients.

The ABA recently released its formal ethics opinion 483 describing attorneys’ ethical obligations when suffering a data breach, specifically identifying the following:

  • monitoring for a data breach
  • stopping the breach and restoring systems
  • determining what occurred

The opinion further states that if an attorney knows or should know a data breach has occurred, the firm should review the rules regarding proper notification to current clients and former clients.

The communication by the law firm to current and former clients regarding the data breach will depend on the type of cyberattack and exactly what data was exposed during the cyberattack. Any notification should include a description of how the law firm will be addressing the data breach, whether it is possible to recover the information and how that will be accomplished, and the firm’s plan to increase data security. The opinion also states that the firm has an obligation to keep clients advised of the foregoing if it affects the client’s data.

Attorneys should review the relevant federal and state statutes if a client’s personal identifying information was revealed during the breach. Depending upon the type of confidential information that was breached, there may also be privacy and statutory laws that require specific actions, such as HIPAA and the Gramm-Leach-Bliley Act. Law firms should familiarize themselves with the relevant laws and be prepared to review and comply with them in the event of a data breach.

With almost constant cyberattacks, law firms should assume the question is when, not if, a data breach will occur, and be prepared to address the legal as well as the ethical responsibilities that follow from a data breach.


Ellen Lockwood, ACP, RP, is the Chair of the Professional Ethics Committee of the Paralegal Division and a past president of the Division. She is a frequent speaker on paralegal ethics and intellectual property and the lead author of the Division’s Paralegal Ethics Handbook published by Thomson Reuters.

If you have any questions regarding any ethical issue, please contact the Professional Ethics Committee.

Originally published in the Texas Paralegal Journal © Copyright Paralegal Division, State Bar of Texas.