Lawyers’ Duty to Prevent A Data Breach
No business wants to lose its operating, financial, and customers’ data. But for lawyers, preventing such a loss isn’t just a good business practice; it’s an obligation under the rules of professional conduct, i.e., an ethical obligation.
In Why Lawyers need Data Security, the Lawyerist blog cites the ABA Model Rules of Professional Responsibility, Rules 1.6 (Confidentiality) & 1.15 (Safekeeping Client Property):
Confidentiality – Rule 1.6(c)
All of Model Rule 1.6 is relevant to protecting client information, but section (c) is the most on-point. Lawyers have an obligation to protect their client data from unauthorized third-party access. The lengths a lawyer should go to do this are debatable (it’s discussed in Comment [18]). However, the easier the practice, or the more sensitive the information, the more likely it’s required.
Model Rule 1.6(c)
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Safekeeping Client Property (Rule 1.15)
In addition to limiting access to client data, a lawyer must also keep client data safe from unintended destruction. This isn’t always the first thing that a lawyer thinks of in regard to data security. But, since a client file (and the information within) is the client’s property, Model Rule 1.15 applies. Therefore, lawyers have a duty to keep client files safe. This includes destruction, loss, corruption, and even loss of access (a ransomware attack).
Model Rule 1.15(a):
(a) A lawyer shall hold property of clients or third persons that is in a lawyer’s possession in connection with a representation separate from the lawyer’s own property. Funds shall be kept in a separate account maintained in the state where the lawyer’s office is situated, or elsewhere with the consent of the client or third person. Other property shall be identified as such and appropriately safeguarded. Complete records of such account funds and other property shall be kept by the lawyer and shall be preserved for a period of [five years] after termination of the representation.
The Blanch Law Firm also cites ABA Model Rule 1.1 and ABA opinions:
The ABA issued formal opinion 483 in October, 2018. It found that Model Rule 1.1 – which required a duty of competence in the representation of a client (which includes legal knowledge, skill, thoroughness, and preparation) – imposes a mandate on the attorney to have a level of competence, not only in the areas of law but in the technology that it requires in order to provide the legal service to the client.
In Opinion 95–398, the American Bar Association held that attorneys can and may be held liable for data breaches based upon hacking.
That opinion is based on ABA Model Rules 1.4; 1.6; and 5.3. It concluded that the attorney has an ethical duty to protect a client’s confidential information which includes:
- discovery;
- email communications;
- credit card information;
- bank statements; and
- any other information obtained from the client related to representation.
Further, because attorneys have an ethical duty to ensure that non-attorney staff and contractors conduct themselves in a manner consistent with the attorney’s ethical obligations, the attorney can also be held responsible for a data breach in the event that they do have an IT company or cyber security company who doesn’t properly conduct themselves, i.e. make reasonable efforts to protect the client’s information.
Blanch points out that “each state has adopted its own version of a professional code of conduct for attorneys”, but “we do not see much difference in the rules” vs. the ABA’s guidance, although “provisions in some states governing the issue may be inconsistent with” the ABA’s guidance.