Your laptop or smartphone containing client confidences is lost or stolen. Or, you learn that the public Wi-Fi that you accessed yesterday without using a Virtual Private Network (VPN) was a fake internet portal set up by hackers. Even worse, your firm is a casualty of a spearfishing attack that results in ransomware locking the firm’s computers.
These are some of the straight-out-of-the-headlines scenarios that The State Bar of California’s Standing Committee on Professional Responsibility and Conduct recently addressed in Formal Opinion No. 2020-203 (the Opinion). The Opinion describes a lawyer’s ethical obligations with respect to unauthorized access by third persons to electronically stored confidential client information in the lawyer’s possession.
First, the duties of competence and to safeguard client confidences require lawyers to have a basic understanding of the risks posed when using technology. See California Rules of Professional Conduct (CRPC) 1.1, 1.6; Bus. & Prof. Code §6068(e); Cal. State Bar Formal Opn. No. 2015-193; see also Comment  to ABA Model Rule 1.1. This means lawyers should understand how confidential client information may be vulnerable to unauthorized access for each type of electronic device that is used by the law firm.
Second, law firms should consider preparing a data breach response plan that informs stakeholders how to respond when a breach occurs.
Third, referring to ABA Formal Opn. No. 18-483 (Lawyer’s Obligations After an Electric Data Breach or Cyberattack), lawyers have a duty to use “reasonable efforts” to address data breach risks. These efforts include: (1) the duty to monitor for a data breach, (2) the duty to promptly stop the breach and mitigate damage and (3) the duty to investigate and determine what happened.
Note, however, that “not all events involving lost or stolen devices, or unauthorized access to technology, would necessarily be considered a data breach.” Opinion, at p. 7. Rather, a data breach for the purposes of the Opinion means “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” The lawyer must make a reasonable effort to ascertain the nature and ramifications of the event, including whether client confidences were likely accessed by unauthorized persons.
Fourth, the duty to supervise requires lawyers with managerial authority to reasonably establish internal policies and procedures to protect client confidences from data breach. See CRPC 5.1 and 5.3. Law firms should also provide practical training to attorneys and staff on how to protect data, by building a culture of security awareness and practices.
Fifth, the Opinion instructs lawyers that the duty to keep clients “reasonably informed about significant developments” includes disclosing a data breach as soon as reasonably possible. Opinion, at pp. 6-7; see also CRPC 1.4(a)(3); Bus. & Prof. Code §6068(m); ABA Formal Opn. No. 18-483 at p. 10.
Finally, lawyers should be mindful of data breach notification requirements under Civil Code § 1798.82 and other applicable data breach laws.
About the Author:
Joanna L. Storey is an attorney with Hinshaw & Culbertson where she focuses her practice on professional liability and risk management for lawyers. She is a Certified Information Privacy Professional/United States (CIPP/US) and advises clients on compliance with privacy-related laws, rules, and regulations.