THE STATE BAR OF CALIFORNIA
STANDING COMMITTEE ON
PROFESSIONAL RESPONSIBILITY AND CONDUCT
FORMAL OPINION NO. 2020-203
ISSUE: What are a lawyer’s ethical obligations with respect to unauthorized
access by third persons to electronically stored confidential client
information in the lawyer’s possession?
DIGEST: Lawyers who use electronic devices which contain confidential client
information must assess the risks of keeping such data on electronic
devices and computers, and take reasonable steps to secure their
electronic systems to minimize the risk of unauthorized access. In the
event of a breach, lawyers have an obligation to conduct a reasonable
inquiry to determine the extent and consequences of the breach and to
notify any client whose interests have a reasonable possibility of being
negatively impacted by the breach.
AUTHORITIES INTERPRETED: Rules 1.1, 1.4, 1.6, 5.1, 5.2, and 5.3 of the Rules of Professional Conduct of the State Bar of California.[1]
Business and Professions Code sections 6068(e) and 6068(m).
Civil Code section 1798.82.
INTRODUCTION
Data breaches resulting from lost, stolen or hacked electronic devices and systems are a reality in today's world. There are important ethical concerns when data breaches happen to lawyers and law firms since such events may involve the potential loss of, or unauthorized access to, confidential client information[2] and, thus, may require a lawyer to take certain remedial steps to protect the client.
In Cal. State Bar Formal Opn. No. 2015-193, the Committee on Professional Responsibility and Conduct ("Committee") discussed lawyers' ethical obligations when dealing with e-discovery. In Cal. State Bar Formal Opn. No. 2010-179, the Committee discussed ethical issues that arise when a lawyer accesses confidential client information on a laptop over public Wi-Fi or a home Wi-Fi network. In both opinions, the Committee adopted an approach that posed questions lawyers should consider in order to comply with the duties of competence and confidentiality. In light of ever-changing technology, the Committee concluded that an ongoing engagement with that evolving technology, in the form of security issues to consider and reconsider, was preferable to a "bright line" or categorical approach.

[1] Unless otherwise indicated, all references to "rules" in this opinion will be to the Rules of Professional Conduct of the State Bar of California.

[2] The phrase "confidential client information" in this opinion includes not only attorney-client privileged communications, but more broadly all client information protected from disclosure under Business and Professions Code section 6068(e)(1) and rule 1.6.
This opinion extends that analysis to a broad range of cyber risks associated with the use of
electronic devices and systems that contain confidential client information and connect to the
internet and, thus, are theoretically accessible to anyone with an internet connection.
STATEMENT OF FACTS
Attorney A
Attorney A’s laptop is stolen. Attorney A did not store confidential client information on the
laptop, but only used the laptop to access such information remotely. Also, the laptop could not
be accessed without biometric authentication. Attorney A’s law firm also installed software on
the laptop that allowed it to be remotely locked down and erased. As soon as Attorney A
realizes that the laptop has been stolen, Attorney A contacts law firm’s IT department and
receives confirmation almost immediately that the laptop has been located, locked down, and
wiped clean.
Attorney B
At the end of a busy day, Attorney B realizes that Attorney has lost Attorney’s smartphone.
Attorney B regularly uses the smartphone to email and text clients and to access certain
practice management software applications related to clients. The smartphone is only
protected by a 4-character password and not any biometric security system. Attorney B does
not have any software installed on the smartphone that allows it to be remotely tracked, locked
down, and/or wiped clean.
Before going to bed, Attorney B remembers that Attorney left the smartphone in a tote bag at
the restaurant where Attorney had dinner with a friend. Attorney B immediately calls the
restaurant, but it is closed. Attorney B goes to the restaurant when it opens the next morning
and retrieves Attorney’s bag and smartphone which, the manager tells Attorney, was locked in
a cabinet overnight. Nothing appears to be missing and the smartphone is still in the pocket of
the bag where Attorney had left it.
Law Firm C
Law Firm C is a four-member firm specializing in corporate law. Law Firm's receptionist routinely receives emails sent to the firm (rather than to a specific attorney or staff member) and routes them to the appropriate person. Just before the end of the business day, the receptionist receives an email from a business purporting to be Law Firm's IT provider. The
email looked entirely genuine and asked the receptionist to click on the attachment to allow
the firm to do routine maintenance on Law Firm’s server. Receptionist did so which resulted in
ransomware being installed on Law Firm’s network, immediately locking up the Law Firm’s
computers, and displaying a message demanding that a sum of money be transferred
electronically by cryptocurrency to unlock Law Firm’s computers. Law Firm C pays the ransom
and regains access to its data. In consultation with security experts, Law Firm C determines that
no client information was accessed and none of the matters being handled by Law Firm are
negatively impacted by the delay.
Attorney D
Attorney D is outside counsel for a life sciences technology company (“Company”) for whom
Attorney has been working on obtaining several very important patents. While on vacation,
Attorney D goes to a coffee shop to check personal and work emails. Attorney D's laptop is not
encrypted. Instead of using a virtual private network or personal hotspot to connect to the
internet, Attorney accesses the shop’s public Wi-Fi network. Unknown to patrons or coffee
shop staff, a hacker has set up a fake internet portal that resembles the one provided by the
coffee shop. Attorney D does not realize that Attorney actually logged on to that fake Wi-Fi
network.
Attorney D returns to the same coffee shop the next day and notices a sign warning patrons
about the fake Wi-Fi. After returning to the office the following week, Attorney D has the law
firm’s technology team examine the laptop. The technology team concludes that someone had
accessed certain files on the laptop related to Company’s patents while Attorney D was
connected to the fake Wi-Fi network. Since Attorney D did not review those files on that day, it
appears reasonably likely that an unauthorized user had done so.
DISCUSSION
A. Duty of Competence and Confidentiality
The duty of competence (rule 1.1) and the duty to safeguard clients' confidences and secrets (rule 1.6 and Bus. & Prof. Code, § 6068(e)) require lawyers to make reasonable efforts to protect such information from unauthorized disclosure or destruction. The threshold requirement is for lawyers to have a basic understanding of the "benefits and risks associated with relevant technology." Cal. State Bar Formal Opn. No. 2015-193; see also Comment [8] to ABA Model Rule 1.1.[3] This general principle requires lawyers to have a basic understanding of the risks posed when using a given technology and, if necessary, obtain help from appropriate technology experts on assessing those risks and taking reasonable steps to prevent data breaches which potentially can harm clients.[4] The threshold obligation to understand the risks is satisfied by learning where and how confidential client information is vulnerable to unauthorized access. This inquiry must be made with respect to each type of electronic device or system as it has been or is incorporated into the lawyer's practice.

For example, computer systems can be breached by inadvertently clicking on a link in a seemingly legitimate "phishing" email or text message, or by installing an unvetted software application which can install malicious software on the system. Portable electronic devices can be accessed if security precautions, such as passwords, are disabled or inadequate. Data on a laptop computer can be accessed if the laptop is connected to a public or other inadequately secured network and the data is not properly protected. And the threats vary and widen as data thieves develop their attack strategies and as technologies develop. Thus, lawyers must understand how their particular use of electronic devices and systems poses risks of unauthorized access, they must be knowledgeable about the options available at any given point in time to minimize those risks (including how best to store or control access to that information), and they then must implement reasonable security measures in light of the risks posed. In addition, because law firms are frequent targets, law firms should consider whether rule 5.1 requires law firms to prepare a data breach response plan so that all stakeholders know how to respond when a breach occurs.[5]

ABA Formal Opn. No. 18-483 (Lawyer's Obligations After an Electronic Data Breach or Cyberattack) provides a useful list of competence-based duties that explain the requirement of "reasonable efforts" in addressing the potential for inadvertent disclosure of confidential client information due to a data breach:

· The obligation to monitor for a data breach: "lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data." Id. at p. 5.

· When a breach is detected or suspected, lawyers must "act reasonably and promptly to stop the breach and mitigate damage resulting from the breach." Id. at p. 6. A preferable approach is to have a data breach plan in place "that will allow the firm to promptly respond in a coordinated manner to any type of security incident or cyber intrusion." Id. at p. 6.

· Investigate and determine what happened: "Just as a lawyer would need to assess which paper files were stolen from the lawyer's office, so too lawyers must make reasonable attempts to determine whether electronic files were accessed, and if so, which ones. A competent attorney must make reasonable efforts to determine what occurred during the data breach." Id. at p. 7.

[3] Although the California rules do not include a Comment similar to Comment [8] of ABA Model Rule 1.1, the Committee cited to that Comment in support of the Committee's analysis in Formal Opn. 2015-193. At the time this opinion was published, the Board of Trustees had adopted, for submission to the California Supreme Court for approval, a new Comment [1] to rule 1.1 which states: "The duties set forth in this rule include the duty to keep abreast of the changes in the law and its practice, including the benefits and risks associated with relevant technology."

[4] This Committee recognizes that while lawyers are not required to become technology experts and master the complexities and deficiencies of the security features of each technology available, lawyers owe clients a duty to have a basic understanding of the protections afforded by the technology used in their practice. If a lawyer lacks the necessary competence to assess the security of the technology, the lawyer must seek additional information, or consult with someone who possesses the necessary knowledge, such as an information technology consultant. (Cal. State Bar Formal Opn. Nos. 2012-184, 2010-179.)

[5] ABA Formal Opn. No. 18-483 at pp. 6-7, and the ABA Cybersecurity Handbook, identify various considerations in developing a data breach response plan.
The duty to make reasonable efforts to preserve confidential client information does not create
a strict liability standard nor does the duty “require the lawyer to be invulnerable or
impenetrable.” ABA Formal Opn. No. 18-483 at p. 9. The precise nature of the security
measures that attorneys are expected to take depends on the circumstances. But, as the ABA
has noted, “a legal standard for ‘reasonable’ security is emerging. That standard rejects
requirements for specific security measures (such as firewalls, passwords, or the like) and
instead adopts a fact-specific approach to business security obligations that requires a ‘process’
to assess risks, identify and implement appropriate security measures responsive to those risks,
verify that the measures are effectively implemented, and ensure that they are continually
updated in response to new developments.” Id. (quoting from the 2017 ABA Cybersecurity
Handbook at p. 73).
“Reasonable efforts” are those which are reasonably calculated under the circumstances to
minimize particular identified risks. For example, when law firm personnel work on client
matters remotely, the law firm must ensure that all data flowing to and from those remote
locations and the firm’s servers or cloud storage is adequately secured. The particular method
or methods selected (VPN, encryption, etc.) will reflect the firm’s due consideration of the risks,
the relative ease of use of different security precautions, time that would have to be spent
training staff, and the like. Some security precautions are so readily available and user-friendly
(such as the ability to locate and lock down portable devices in the event of loss or theft), that
failure to implement them could be deemed unreasonable. Others will require a deeper
assessment.
Finally, in law firms with subordinate lawyers, the lawyers with management or supervisory
responsibilities should be aware of their obligations under rules 5.1 and 5.3. Rule 5.1(a)
requires lawyers with “managerial authority in a law firm [to] make reasonable efforts to
ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the
firm comply with these rules and the State Bar Act.” Thus, lawyers with managerial authority
within a law firm must make a reasonable effort to establish internal policies and procedures
designed to protect confidential client information from the risk of inadvertent disclosure and
data breaches as a result of technology use, which includes monitoring the use of technology
and office resources connected to the internet and external data sources. ABA Formal Opn. No. 18-483. The law firm should also consider whether it is required to proactively establish protocols for responding to and addressing potential data breaches. Rule 5.1(b) requires
supervisory attorneys to ensure that subordinate attorneys within the firm comply with the
rules and policies and procedures established by the firm. And rule 5.3 makes these principles
applicable to non-lawyer staff.
Thus, part of the risk assessment process should include reasonable efforts to ensure that all
firm members appreciate the risks involved in keeping confidential client information on
electronic systems and the steps that the firm’s managers have implemented to minimize the
risk of unauthorized disclosure. Because the risk-assessment process is on-going, particularly with the introduction of new technologies and new threats, this duty requires managers and supervisors to establish ongoing and evolving protective measures with respect to the use of the firm's technology, to regularly monitor the same, and to keep subordinate lawyers and staff up to date as new measures are implemented.
However, under rule 5.2, subordinate lawyers have independent ethical obligations to protect
confidential client information as part of their duty of competence. Thus, subordinate lawyers
should not blindly follow firm technological rules that are unreasonable or rely on the absence
of a firm rule where there should be one. See Comment to rule 5.2.
B. Duty of Disclosure
Rule 1.4(a)(3) and Business and Professions Code section 6068(m) require attorneys to keep their clients[6] "reasonably informed about significant developments" relating to the attorney's representation of the client. Neither the rules nor case law define what events qualify as "significant." (See, e.g., Tuft et al., Cal. Practice Guide: Professional Responsibility (The Rutter Group 2018) Ch. 6-B, § 6:128, acknowledging that what is "significant" under these provisions varies with each client's needs and the nature of the representation.) Nevertheless, the relevant authorities have uniformly concluded that the misappropriation, destruction, or compromising of confidential client information, or a cyber breach that has significantly impaired the lawyer's ability to provide legal services to clients, is a "significant development" that must be communicated to the client. See, e.g., ABA Formal Opn. No. 18-483 at p. 10; New York State Bar Association Ethics Opn. No. 842 (2010) (involving a data breach of a cloud storage provider); ABA Formal Opn. No. 95-398.

[6] This opinion focuses on current clients and does not address the duty of disclosure owed to former clients. For discussion concerning a lawyer's duty to notify a former client of a data breach, compare ABA Formal Opn. No. 18-483 at pp. 13-14 (declining to impose a duty to notify a former client under the Model Rules of Professional Conduct, while noting that data privacy laws, common law duties of care and contractual arrangements with clients may give rise to such a duty) with Maine Professional Ethics Commission Opinion No. 220, "Cyberattack and Data Breach: The Ethics of Prevention and Response," issued on April 11, 2019 (opining, based on its interpretation of Maine's Rules of Professional Conduct, Rule 1.9, that "a former client is entitled to no less protection and candor than a current client in the case of compromised secrets and confidences. A former client must be timely notified regarding a cyberattack or data breach that has, or may have, exposed the client's confidences or secrets.").
ABA Formal Opn. No. 18-483 describes a "data breach" as a "data event where material client confidential information is misappropriated, destroyed, or otherwise compromised, or where a lawyer's ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode." ABA 18-483 at p. 4.[7] Thus, not all events involving lost or stolen devices, or unauthorized access to technology, would necessarily be considered a data breach. Consistent with their obligation to investigate a potential data breach, however, lawyers and law firms should undertake reasonable efforts, likely through the use of individuals with expertise in such investigations, to ascertain, among other things, the identity of the clients affected, the amount and sensitivity of the client information involved, and the likelihood that the information has been or will be misused to the client's disadvantage. This will assist in determining whether there is a duty to disclose. If the lawyer or law firm is unable to make such a determination, the client should be advised of that fact. Id. at p. 14.

Lawyers and clients may also differ as to what events would trigger the duty to disclose. The key principle, however, in considering whether the event rises to the level of a data breach, is whether the client's interests have a "reasonable possibility of being negatively impacted." ABA 18-483 at p. 11. Certainly disclosure is required in situations where a client will have to make decisions relevant to the breach, such as the need to take mitigating steps to prevent or minimize the harm, or to analyze how the client's matter should be handled going forward in light of a breach. When in doubt, lawyers should assume that their clients would want to know and should err on the side of disclosure.

[7] The Committee believes this description is useful in understanding what constitutes a data breach for the purpose of this opinion and discussion, and has adopted the same approach here.

C. If Disclosure to Clients is Required, When and What Must be Disclosed?
In all cases involving a data breach, disclosure to clients must be made as soon as reasonably possible so that the affected clients can take steps to ameliorate the harm.[8] For example, affected clients might want or need to change passwords and modify or delete online accounts. However, it may be reasonable for the lawyer, through the use of a security expert, to attempt to ascertain the nature and extent of the potential breach prior to communicating this information to the client. The more that is known related to the breach, including exactly what information might have been accessed, the better the response plan. Given the obligation to preserve client confidences, secrets and proprietary information, it is appropriate to assume that reasonable clients would want to be notified if any of that information was acquired or reasonably suspected of being acquired by unauthorized persons.

[8] Lawyers and law firms should also consider notifying insurance carriers as soon as possible of any circumstances giving rise to a potential breach to put the carrier on notice. While typically such acts are only covered by specific Cyber Coverage policies, not Lawyer's Professional Liability (LPL) or Commercial General Liability (CGL) policies, these policies typically have fairly short time limits within which notice must be given.
With respect to the details of a required disclosure, the attorney “shall explain a matter to the
extent reasonably necessary to permit the client to make informed decisions” as to what to do
next, if anything. (Rule 1.4(b)). “In a data breach scenario, the minimum disclosure required to
all affected clients under Rule 1.4 is that there has been unauthorized access to or disclosure of
its information, or that unauthorized access or disclosure is reasonably suspected of having
occurred. Lawyers must advise clients of the known or reasonably ascertainable extent to which
client information was accessed or disclosed.” ABA 18-483 at p. 14.
Lawyers may also have notification obligations under Civil Code section 1798.82 and federal
and international laws and regulations such as HIPAA and the EU General Data Protection
Regulation.
D. The Factual Scenarios
Although Attorney A’s laptop is stolen and it could be used to access confidential client
information, the risk of unauthorized access to such information was mitigated by Attorney A
and law firm’s policies for addressing these types of cyber risks. First, Attorney A did not store
confidential client information on the laptop, but only used the laptop to access such
information remotely. Second, Attorney A had a biometric security system on the laptop
reducing the chances that it could be hacked by an unauthorized user. Third, Attorney A’s law
firm had the ability to quickly and easily locate, lock, and wipe clean the laptop, almost
guaranteeing that there was no unauthorized access to any confidential client information.
Under these facts, where there is no evidence of unauthorized access or harm, Attorney A
would not have a duty to disclose to any client the fact that Attorney lost the laptop.
Attorney B’s temporary loss of a smartphone, under these circumstances, is unlikely to be
considered a data breach, particularly if Attorney B can obtain assurances from the restaurant
owner/staff that only the restaurant had access to it and that no one accessed the phone’s
contents after Attorney B left. Because it does not appear that the data on Attorney B’s phone
was misappropriated, destroyed, or compromised, the temporary loss of the phone is unlikely
to constitute a significant development and no duty to disclose would likely be triggered.
Under these circumstances, however, Attorney B and Attorney B's law firm should consider whether the firm should require all law firm attorneys to have stronger passwords or use biometric security systems on firm-issued smartphones, or whether the law firm should prohibit its attorneys from accessing client data, including emails, on the attorneys' personal smartphones. The firm should also consider requiring all smartphones used for firm matters to have software installed to locate, lock, and wipe devices if they are lost or stolen, and specific protocols for managing such scenarios. Next time, Attorney B may not be so confident in Attorney's assessment that no client data was accessed, particularly if the phone is one day stolen. For example, it is possible that Attorney B's cell phone provider could have locked down the phone remotely, but Attorney B did not consider this option or look to the law firm for advice on handling this situation. Finally, when electronic devices are temporarily lost or misplaced, the law firm should consider whether its policies should include requiring its IT team to examine those devices once the device is recovered in order to determine whether any unauthorized access took place.
The situation of Law Firm C involves a common entry point for hackers: malware attached to a
seemingly legitimate email, also referred to as “phishing.” Given the ubiquity of this method of
gaining access, solo practitioners and firms must consider implementing reasonable
precautions, such as staff and attorney trainings warning of this risk and protocols for handling
incoming emails. Law Firm C has certainly been inconvenienced by the cyber breach, but the
firm has confirmed that none of its clients were actually or potentially harmed because no
confidential client information was accessed, and the short delay did not impair the firm’s
attorneys from continuing to provide necessary legal services to its clients. Therefore, the firm
would not be required to disclose the incident. On the other hand, if the consultant could not
preclude actual or potential unauthorized access, a risk of client harm remains and disclosure
would be required.
Attorneys who keep confidential information on their devices ought to be aware that accessing public Wi-Fi or other unsecured networks may open another access point for hackers. This is illustrated by Attorney D's exposing confidential information to anyone with the ability to electronically "eavesdrop" on the Attorney's network traffic. Attorneys who work on client matters
remotely must consider the risks of harm and take reasonable precautions, as discussed above,
to prevent unauthorized disclosure. Cal. State Bar Formal Opn. No. 2010-179 at p. 6 (discussing
the use of a laptop in unsecured and secured settings). Attorney D’s failure to secure their
online communications exposed confidential information to a hacker and it is unknown if, or to
what extent, the hacker would or could use such information. It is this Committee’s view that
Attorney D risked violating the duties of confidentiality and competence by using a public
wireless connection without taking appropriate precautions, such as the use of encryption, a
VPN or other protective measures. (Cal. State Bar Formal Opn. No. 2010-179.)
Since the law firm was able to confirm the unauthorized access of confidential client
information, Attorney D and the law firm must notify the client, Company, as soon as possible.
Although it is unknown if or how the hacker might use the information, because of the sensitive
nature of the information to Company’s business, the misappropriation would constitute a
significant development and require appropriate notice to the client. “[D]isclosure will be
required if material client information was actually or reasonably suspected to have been
accessed, disclosed or lost in a breach.” ABA 18-483 at p. 14.
Once a disclosure is made, Attorney D and the law firm can evaluate with Company the likelihood that the information will be used by the hacker and may decide to speed up the timeline for obtaining the relevant patents related to the information that was inadvertently disclosed to mitigate potential harm.[9] Of course, the event would also require Attorney D and the law firm to take appropriate remedial steps in terms of evaluating the firm's policies related to attorneys accessing firm devices from unsecured locations. It should also consider reinforcing policies requiring attorneys to promptly address any irregularities or suspicions related to potential data breaches with the firm's technology officers as soon as they are discovered.

CONCLUSION
The use of computers and portable electronic devices by lawyers is now ubiquitous and has increased the risk of confidential client information being accessed by unauthorized users. Lawyers must assess the risks involved in the use of electronic devices and systems that contain, or access, confidential client information and take reasonable precautions to ensure that that information remains secure. This duty extends to law firms, whose managers must make a reasonable effort to establish internal policies and procedures designed to protect confidential client information from the risk of inadvertent disclosure and data breaches as a result of technology use, to monitor such use, and to stay abreast of current trends and risks. The creation of a data breach response plan may also be required to identify the risks posed by the firm's then-current use of technology and feasible precautions.

This opinion is issued by the Standing Committee on Professional Responsibility and Conduct of the State Bar of California. It is advisory only. It is not binding upon the courts, the State Bar of California, its Board of Trustees, any persons, or tribunals charged with regulatory responsibilities, or any licensee of the State Bar.

[9] In addition, because Attorney D's handling of confidential client information may constitute an error giving rise to a potential malpractice claim, Attorney D and law firm should also consider whether a conflict of interest has arisen between the law firm and client such that the law firm should also comply with rule 1.7 in disclosing this significant development to client. (See also Cal. State Bar Formal Opn. No. 2019-197.)