York State Bar Association Ethics Opn. No. 842 (2010) (involving a data breach of a cloud storage provider); ABA Formal Opn. No. 95-398.
ABA Formal Opn. No. 18-483 describes a “data breach” as a “data event where material client confidential information is misappropriated, destroyed, or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.” ABA 18-483 at p. 4. Thus, not all events involving lost or stolen devices, or unauthorized access to technology, would necessarily be considered a data breach. Consistent with their obligation to investigate a potential data breach, however, lawyers and law firms should undertake reasonable efforts, likely through the use of individuals with expertise in such investigations, to ascertain, among other things, the identity of the clients affected, the amount and sensitivity of the client information involved, and the likelihood that the information has been or will be misused to the client’s disadvantage. This will assist in determining whether there is a duty to disclose. If the lawyer or law firm is unable to make such a determination, the client should be advised of that fact. Id. at p. 14.
Lawyers and clients may also differ as to what events would trigger the duty to disclose. The key principle, however, in considering whether the event rises to the level of a data breach, is whether the client’s interests have a “reasonable possibility of being negatively impacted.” ABA 18-483 at p. 11. Certainly disclosure is required in situations where a client will have to make decisions relevant to the breach, such as the need to take mitigating steps to prevent or minimize the harm, or to analyze how the client’s matter should be handled going forward in light of a breach. When in doubt, lawyers should assume that their clients would want to know and should err on the side of disclosure.
C. If Disclosure to Clients is Required, When and What Must be Disclosed?
In all cases involving a data breach, disclosure to clients must be made as soon as reasonably possible so that the affected clients can take steps to ameliorate the harm. For example, affected clients might want or need to change passwords and modify or delete online accounts. However, it may be reasonable for the lawyer, through the use of a security expert, to attempt to ascertain the nature and extent of the potential breach prior to communicating this information to the client. The more that is known about the breach, including exactly what information might have been accessed, the better the response plan. Given the obligation to preserve client confidences, secrets, and proprietary information, it is appropriate to assume that
/
The Committee believes this description is useful in understanding what constitutes a data breach for the purpose of this opinion and discussion, and has adopted the same approach here.
/
Lawyers and law firms should also consider notifying insurance carriers as soon as possible of any circumstances giving rise to a potential breach, so as to put the carrier on notice. While such events are typically covered only by specific Cyber Coverage policies, not Lawyer’s Professional Liability (LPL) or Commercial General Liability (CGL) policies, these policies typically have fairly short time limits within which notice must be given.