Friday, December 14, 2018

ABA Opinion 483 on the duties related to data breaches

Last October, the ABA Committee on Professional Responsibility published Formal Opinion 483 to provide guidance on how lawyers should handle data breaches before, during, and after an event. In short, lawyers must take proactive steps to protect sensitive client data and they must disclose material data breaches.

You can read the opinion here.  Here is a summary by the National Law Review:
The ABA states that data breaches pose a “major professional responsibility and liability threat” to the entire legal profession.  It defines a data breach as “a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”  When there is a data breach, attorneys must first comply with state and federal legislation. Next, attorneys must disclose a breach to a current client if (a) that client’s material, confidential information is or reasonably may have been compromised (e.g., unauthorized access, use, theft, or destruction), or (b) the breach has materially disrupted the attorney’s ability to serve the client (e.g., ransomware limiting access to client information for any material amount of time). In essence, lawyers must notify clients when incidents like ransomware materially impair operations—even when there is no evidence of exfiltrated or compromised data.  Here, strong defense mechanisms include up-to-date, accessible, and easily restorable back-ups to fend off disruption of legal services.
For some commentary on the opinion go here:

Faughnan on Ethics (on the relationship between the opinion and Model Rules 1.15 and 4.4)

Above the Law

Lawyer Ethics Alerts Blog
