On October 17, 20180 the American Bar Association issued ABA formal opinion 483 addressing attorneys’ ethical obligations after a data breach that involves information relating to the representation of a client.
According to the Opinion, compliance with the obligations imposed by the Model Rules of Professional Conduct depends on the nature of the incident, the applicable facts and circumstances, the attorney’s roles, her level of authority, and responsibility in the law firm’s operations.
The opinion analyses the:
- duty of competence, which includes an obligation to monitor for a data breach, to act reasonably and promptly to stop the breach and restore systems, and to determine what occurred like they would be required to do in a post-breach investigation that took place through physical means;
- duty of confidentiality, which may not be violated – even if data is breached – “if the lawyer has made reasonable efforts to prevent the loss or access;”
- duty to provide notice of the data breach, which varies also considering record retention requirements relating to a current or former client.
More on American Bar Association issued ABA formal opinion 483 is available here.