When the pandemic hit, most lawyers began to work from home, oftentimes exclusively. Many continue to do so today out of necessity or preference. As a result, practicing law virtually is a newfound reality and many law firms have begun to invest in the technology needed to support it.
Of course, now that lawyers are working remotely more than ever, technology competence and cybersecurity have become all the more important. Lawyers need to understand both the technology their firms have implemented and what to do in the event of an unexpected breach of confidential client data.
Because these issues are of the utmost importance in 2020, it’s no surprise that the Colorado Bar issued an ethics opinion over the summer addressing the ethical duties of lawyers in the event of a cyberattack that results in a breach. This issue was squarely addressed in CBA Formal Opinion 141.
At the outset of this opinion, the Colorado Bar Association Ethics Committee set forth the standard of care that lawyers must meet when safeguarding confidential client information. The committee explained that “Colo. RPC 1.6(c) requires ‘[a] lawyer [to] make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.’”
Importantly, the committee emphasized that the duty of reasonable care does not require absolute security. Lawyers are not expected to meet that impossible standard; instead, “competence in preserving a client’s confidentiality is not a strict liability standard and does not require the lawyer to be invulnerable or impenetrable. Rather, the obligation is one of reasonable efforts to prevent the loss or access.”
The committee then turned to the ethical obligations of lawyers and the steps they need to take in order to prevent cyberattacks and mitigate damage when a breach occurs. According to the committee, lawyers “must make reasonable efforts to prevent, monitor for, halt, and investigate any security breach involving data that the lawyer controls. What is reasonable depends upon the circumstances. Given the fluid nature of technological advance and the means of exploitation, what is reasonable will evolve over time.”
Next, the committee explained the factors lawyers need to take into account when determining how to sufficiently protect confidential client information. Issues that need to be considered include “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”
The committee then moved on to discuss the different types of data breaches that lawyers need to protect their firms against. The committee explained that “a data breach may take one of three forms, namely, an intrusion that: (1) results in the misappropriation of electronically stored information (ESI); (2) destroys or alters ESI; or (3) causes ESI to become temporarily or permanently inaccessible, such as with a crypto-locking attack.”
Next, the committee discussed the ethical duties of lawyers in the event of a breach. According to the committee, lawyers have an obligation to create a breach mitigation plan that should be implemented upon discovery of the cyberattack: “A lawyer has an obligation to act reasonably and promptly to stop a data breach once discovered and to attempt to mitigate any damage. See ABA Formal Op. 483, p. 6 (citing Rule 1.1). Colorado lawyers should develop an incident response plan of reasonable scope in advance of any breach to meet that obligation.”
Notably, the committee explained that while the duty of reasonable care requires prompt action, “an ethical violation does not necessarily occur if a cyber-intrusion or loss of electronic information is not immediately detected.”
Finally, the committee clarified that the breach notification obligation applies to current clients if material client confidential information was impacted by the breach. However, the committee concluded that when it comes to the breach of former clients’ data, there is no ethical obligation to notify them of said breach, but “as a matter of best practices, lawyers are encouraged to reach agreement with clients before conclusion, or at the termination, of the relationship about how to handle the client’s electronic information that is in the lawyer’s possession.”
This opinion is worth reading in its entirety since it offers food for thought and helpful guidance that is all the more important in the midst of a pandemic that has resulted in lawyers increasingly relying on technology to get the job done. Colorado lawyer or not, I would suggest that you take heed of the advice offered in the opinion and take steps to ensure that your firm’s data is sufficiently protected and that your firm has a breach mitigation and notification plan in place in the unlikely event of a cyberattack. After all, as I always say, better safe than sorry.
Nicole Black is a Rochester, New York attorney, author, journalist, and the Legal Technology Evangelist at MyCase legal practice management software. She is the nationally recognized author of “Cloud Computing for Lawyers” (2012) and co-authors “Social Media for Lawyers: The Next Frontier” (2010), both published by the American Bar Association. She also co-authors “Criminal Law in New York,” a Thomson Reuters treatise. She writes regular columns for Above the Law, ABA Journal, and The Daily Record, has authored hundreds of articles for other publications, and regularly speaks at conferences regarding the intersection of law and emerging technologies. She is an ABA Legal Rebel, and is listed on the Fastcase 50 and ABA LTRC Women in Legal Tech. She can be contacted at [email protected].