Lawyers and cybersecurity: What are your ethical obligations?
If you’re practicing law in 2019, there’s no escaping technology. One way or another, you’re using technology as part of your day-to-day practice, whether it’s the internet, email, mobile devices, or cloud-based legal software. Technology is unavoidable, and as a result, so too is the possibility of cyberattacks and breaches.
In the wake of the Equifax and Capital One breaches, along with countless other breaches that have come to light in recent years, experts warn that it’s not a matter of if you’ll be breached, but when. With that in mind, what’s a lawyer to do when it comes to cybersecurity? What are your ethical obligations and how do you ensure that your firm is in compliance?
This very issue was addressed by the Maine Bar Association in Opinion No. 220 earlier this year. In that opinion, the Professional Ethics Commission answered the following question: “What are a lawyer’s ethical obligations to understand the risks posed by technology, to prevent a cyberattack or data breach, and to respond once one occurs?”
According to the Commission, lawyers have an ethical obligation to take steps to prevent breaches from occurring and a corresponding set of duties that are triggered once a breach occurs.
At the outset, the Commission addressed lawyers’ obligations to prevent a cyberattack, and emphasized the importance of technology competence: “The overriding obligation is to know what the technology does, what it does not, and how to use it safely…Keeping abreast of practice changes means seeking education on evolving technology on a regular basis in order to maintain competence in its use.”
Notably, the Commission explained that while lawyers who lack technological expertise are permitted to outsource this requirement, they must nevertheless have a basic understanding of the technology being used: “A lawyer who lacks individual competence to evaluate and employ safeguards to protect client confidences and secrets should seek education from an expert or associate with another lawyer who is competent…However, the Commission does not mean to suggest that it endorses a complete ignorance of technology just because an associated lawyer or staff member knows all about it. A baseline understanding of, and competence in, the technology used in the practice of law must be maintained by every lawyer.”
Next the Commission turned to breaches, explaining that absolute security is an impossibility: “(T)he standard for measuring ethical conduct is not one of strict liability, but reasonableness.”
According to the Commission, breach prevention involves a two-step process: “(1) supervising the use of technology by lawyers and staff to ensure it is consistent with their training and instruction, and (2) monitoring the status of the technology itself in order to reveal attacks and breaches as soon as reasonably detectible.”
It’s also important to prepare for a breach and ensure that a plan is in place to address a breach or cyberattack. That’s why the Commission recommended “creating a plan to address known or suspected security breaches, including the identification of persons to be notified.”
According to the Commission, once a cyberattack or breach occurs, lawyers’ ethical obligations include: 1) taking reasonable actions to stop or contain the attack or breach, 2) investigating the attack or breach, and 3) notifying affected current and former clients.
Note that while the Maine Commission advised that former clients must be notified, a different conclusion was reached in ABA Formal Opinion 483 (online: https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf), which was handed down in October 2018. In that opinion, the ABA Committee explained that it was “unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.”
Accordingly, in light of the conflicting conclusions on this issue, if you aren't a Maine attorney, I would recommend that you carefully review your jurisdiction's laws, regulations, and ethical guidelines to determine whether notifying former clients of a breach is required.
Does your firm have a plan in place to address cyberattacks and breaches? If not, what are you waiting for? You can take steps to prevent a breach and ensure that your firm is prepared should one occur. But in order to be prepared, you need a plan. And what better time than now?
Nicole Black is a Rochester, New York attorney, author, journalist, and the Legal Technology Evangelist at MyCase law practice management software for small law firms. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a Thomson Reuters treatise. She writes legal technology columns for Above the Law and ABA Journal and speaks regularly at conferences regarding the intersection of law and technology. You can follow her on Twitter at @nikiblack or email her at email@example.com.