by Carole J. Buckner
Every day, lawyers see new data breach issues reported in the media. Lawyers and law firms are phished, hacked, and subjected to ransomware as cyber criminals target law firms looking for sensitive information. According to the ABA, 26% of respondents to a 2019 cyber security survey reported that their firms experienced a data security breach. John G. Loughnane, 2019 Cybersecurity (Oct. 16, 2019), https://www.americanbar.org/groups/law_practice/publications/techreport/abatechreport2019/cybersecurity2019/.
Recent schemes have included emails supposedly from a court clerk that actually contained malware, and an email supposedly from a managing partner asking that all employee names and social security numbers be entered, to which an employee responded with a spreadsheet. Some potential data breaches involve lost or stolen cell phones or laptops. The same ABA survey reported that just 31% of law firms, all of which may be called upon to respond to a potential cyber event, have an incident response plan. In 2019, 33% of responding firms indicated they have cyber insurance. This article surveys many of the important ethical obligations lawyers have in dealing with cybersecurity and discusses important practical considerations for lawyers in dealing with client data in their legal practices.
The State Bar’s Standing Committee on Professional Responsibility and Conduct (COPRAC) recently proposed Formal Opinion Interim No. 16-0002 (the “Interim Opinion”) dealing with the lawyer’s ethical obligations pertaining to unauthorized access by third parties to electronically stored confidential client information. Although the ethical duty of confidentiality generally leaps to mind first when a lawyer considers cybersecurity, there are other equally important ethical duties, including the duty of competence, the duty to keep client property safe, the duty to disclose significant developments to the client, and the ethical responsibility of managers within a law firm.
Competence and Diligence
At the most fundamental level, lawyers must address data security in a competent manner. See Cal. Rules of Prof’l Conduct (CRPC) 1.1. Lawyers can satisfy their obligations to act competently by acquiring the learning needed to do so, or by associating with other professionals. Id. In addition, lawyers have a duty to act with reasonable diligence in representing a client. CRPC 1.3. These duties include the obligations to supervise subordinate lawyers and nonlawyers. CRPC 5.1-5.3. These obligations require lawyers to keep abreast of “the risks and benefits associated with technology,” ABA Model Rules of Prof’l Conduct (ABAMR) R. 1.1, Comment, and to “make reasonable efforts to prevent inadvertent and unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” ABA Formal Op. 477R (ABA 17-477R) at 4 (2017). Further, lawyers must “understand basic features of relevant technology.” ABA Formal Op. 18-483 (ABA 18-483) at 3 (2018). The competent lawyer must also properly maintain technologies so as to protect confidential information. ABA 18-483 at 4.
What constitutes “reasonable efforts” depends on multiple factors, including the sensitivity of the information, methods of communication employed, and available security measures for each method. ABA 17-477R at 4. Lawyers must engage in a process of risk assessment, implement appropriate measures, and continually update and monitor for effectiveness. Id. This can include updating software versions and timely implementation of patches, monitoring access as well as insider use, segmenting access to data based on the need to know, proper management of passwords, and determining in consultation with clients any heightened needs for security. Failure to implement readily available user-friendly security options may be considered unreasonable. Interim Opn. at 5.
Implementation of software allowing remote tracking, locking and wiping of laptops and mobile phones is reasonable where a firm allows remote work. Interim Opn. at 5. Encryption and enhanced security safeguards may be warranted in some circumstances, depending upon expense. ABA 17-477R at 5. Some matters may require avoiding technology use entirely. Id. Higher risk of data theft may be present in certain types of engagements, such as industrial design, mergers and acquisitions or trade secrets, and in particular industries, such as banking, defense, and healthcare. Id. Reasonable measures also include implementation and monitoring of firewalls, anti-virus software, and anti-malware software on all devices on which client data is stored. ABA 17-477R at 6-7. Lawyers have a duty to monitor technology internally and to monitor external vendors providing services related to data and the use of data in order to be able to effectively address data breaches. ABA 18-483 at 5.
Management Should Establish Effective Cyber Policies
First and foremost, managers of law firms of whatever size have an obligation to adopt reasonable measures to safeguard and monitor the security of client information. CRPC 5.1; Interim Opn. at 5. This may include policies and procedures on the use of phones and laptops, document retention and access, password protection, remote work, and use of public Wi-Fi. In addition, periodic training and testing of law firm personnel is appropriate. Policies could also prohibit storage of confidential information on laptops and phones. Interim Opn. at 7. Periodic training of all law firm personnel regarding data security is appropriate. ABA 17-477R at 9.
Training can be particularly important in dealing with phishing schemes, which involve emails presented as if they were legitimate, tricking the recipient into clicking on a link or attachment that activates a virus or malware. The hypothetical in the Interim Opinion posits a receptionist clicking on an email ostensibly from the firm’s IT service provider. Once the receptionist clicked on the attachment, ransomware installed itself on the firm’s computers, which immediately locked up and displayed a message demanding that money be transferred via cryptocurrency. The firm paid the ransom and regained access to its data. Security experts determined that no client information was accessed. Interim Opn. at 2-3. Frequent training can combat such incidents.
Cyber insurance is another important law firm management consideration, given that traditional insurance coverage may exclude data breach incidents. It is important that technology staff participate in preparing the cyber insurance application, which can be quite detailed. Misrepresentations in applications can trigger an argument to void coverage. Columbia Casualty Company v. Cottage Health System, U.S.D.C. Case No. 2:15-cv-03432 (C.D. Cal. May 7, 2015). Cyber insurance typically provides both first party coverage and third party coverages. First party coverage can provide for the expenses associated with incident response, such as forensic consultants, and loss mitigation. Some cyber insurance policies provide coverage for extortion associated with ransomware, including in some cases, ransom payments. Systems failure and business loss interruption are also covered by many cyber policies. Cyber insurance also provides third party coverage, including expenses associated with regulatory investigations as well as litigation.
Unlike some traditional insurance policies, cyber insurance policy coverages vary significantly and it is important to understand the policy. All insurance policies include exclusions from coverage. A cyber policy may include an act of war exclusion, and at least one insurance carrier has taken the position that the exclusion applies to actions by hostile governments. Mondelez Intern’l, Inc. v. Zurich Am. Ins. Co., 2018 WL 4941760 (Ill. Cir. Ct. 2018). Contractual liability may also be excluded from coverage. P.F. Chang’s China Bistro v. Federal Ins. Co., 2016 U.S. Dist. LEXIS 70749 (D. Az. 2016). A final, critical consideration in obtaining cyber insurance is the amount of coverage to obtain.
Incident Response Planning
Law firms should “consider preparing an incident response plan” and “consider proactively establishing protocols for responding to and addressing potential data breaches.” Interim Opn. at 4, 5; ABA 18-483 at 6. Having a written plan before an actual incident occurs will help to facilitate an effective, coordinated response to the incident. A strong incident response plan should detail the internal and external resources needed to respond to a cyber breach, including legal counsel specializing in privacy and data security, forensic consultants, public relations resources, human resources and information technology specialists, as well as insurance contacts and law enforcement contacts. Gathering information about the breach is necessary to allow lawyers to make appropriate disclosures to clients that comply with the lawyer’s duties not to mislead third parties (CRPC 4.1), the general duty of honesty (CRPC 8.4), and the duty of communication (CRPC 1.4). Any data incident response can be handled more efficiently with advance planning. Cyber insurance coverage may provide data breach coaches, so contact with the cyber insurance carrier will be a priority. Knowing which forensic consultants are approved by the insurance carrier allows additional advance preparation.
Given the risk of regulatory investigations and class action litigation, part of any effective incident response plan should consider preservation of attorney-client privilege and work product protection. A dual investigation in the Target data breach successfully preserved attorney-client privilege. In re Target Corp. Customer Data Security Breach Litig., MDL No. 14-2522 (D. Minn. 2015). As to communications with forensic consultants, there is no privilege where the company first hires the consultant; however, where the consultant is first hired by outside counsel, the privilege applies. Compare In re Premera Blue Cross Customer Data Sec. Breach Litig., 296 F.Supp.3d 1230 (D. Or. 2017) with In re Experian Data Breach, 2017 U.S. Dist. LEXIS 162891 (C.D. Cal. 2017).
Confidentiality, Remote Work and Lost/Stolen Devices
The duty of confidentiality requires that we protect the confidential information of our clients, at every peril to ourselves. Cal. Bus. & Prof. Code § 6068(e); CRPC 1.6. The ABA recently expanded the duty of confidentiality to address technology by providing that the lawyer must take reasonable precautions to competently safeguard client information against unauthorized access by third parties and unauthorized disclosure by taking reasonable efforts to prevent access and disclosure. ABAMR 1.6, Cmt. 18. Reasonableness is determined by consideration of a number of factors including the sensitivity of the information, cost of employing additional safeguards, and the extent to which safeguards adversely impact the ability of the lawyer to represent the client.
Working remotely with portable devices can trigger security issues. Policies should prohibit the use of public Wi-Fi for client work. The Interim Opinion posits a hacker setting up a fake internet portal in a coffee shop spoofing the coffee shop’s portal, allowing a hacker to access patents on the attorney’s computer. Interim Opn. at 3, 8. Such an intrusion constituted a significant development, requiring disclosure to the client. Id. at 8; citing ABA 18-483 at 14.
Given the foreseeability of lost or stolen laptops or mobile phones, the ability to remotely lock and erase a device should be implemented. Biometric passwords should also be considered to reduce the chance of intrusion into a lost or stolen device. Interim Opn. at 8. Where a mobile phone or laptop is lost and later recovered, firms should consider examining the item when it is recovered to determine whether any unauthorized access took place. Id.
The 2019 ABA Survey found that 44% of respondents use file encryption and 38% use email encryption. While encryption of communications is not required for routine email, it may be appropriate in some circumstances, depending on the nature of the information communicated and the desires of the client. ABA 17-477R (2017).
Law firms often work with vendors in a wide variety of scenarios, including using vendors to store confidential client information. Lawyers have an ethical duty to supervise nonlawyers, whether or not employed in the same firm, to assure compliance with professional obligations. CRPC 5.3. In dealing with vendors, “reasonable efforts” are required to comply with the duty of competence in dealing with technology. ABA 17-477R, at 10. Firms must evaluate their business relationships with vendors to assure that cybersecurity issues are adequately addressed. Diligence and supervision in the selection of vendors is required. ABA Formal Op. 08-451. Lawyers must examine a vendor’s protocols and practices for handling confidential data, including monitoring of the services being provided. ABA 17-477R, at 10.
Notification of Current and Former Clients
Lawyers have an ethical duty to keep “clients” informed regarding “significant developments” relating to their representation. CRPC 1.4; Cal. Bus. & Prof. Code § 6068(m). In keeping the client informed, the attorney is required to “explain a matter to the extent reasonably necessary to permit the client to make informed decisions.” CRPC 1.4(b). Data theft is considered a significant development, as is any data incident that results in an impairment of the client’s representation. Of course, not all data breaches result in loss of client data. This is something that can be determined by lawyers with the assistance of a forensic expert specializing in such investigations. Interim Opn. at 6. In order to determine what must be disclosed to the client as a matter of the lawyer’s ethical obligations, a lawyer must consider whether there is a “reasonable possibility of the client’s interests being negatively impacted.” ABA 18-483. A disclosure would be appropriate where a client will need to make decisions relevant to the breach in order to mitigate harm to the client. Interim Opn. at 6. Where disclosure is required by the ethical duty to keep the client informed regarding significant developments, such disclosure must be made in a timely manner. Id. At a minimum, the lawyer should disclose to affected clients that unauthorized access or disclosure of information has occurred, or is reasonably likely to have occurred, with sufficient information to allow clients to make an informed decision about what to do, if anything. ABA 18-483 at 14. In addition, the lawyer should inform the client of plans for responding to the data breach, including information to improve data security and any intended efforts to recover information. Id.
The proposed Interim Opinion provides that where a laptop or mobile device is lost or stolen, the firm must first evaluate whether there is a risk of loss of confidential information. Where the user did not store confidential information on the device, there will be no such risk. Having a policy in this regard will substantially mitigate the potential risk to clients, assuming of course that such policy is followed. Where a biometric password is used, such as facial recognition or a thumbprint, such that the device could not be opened by a hacker or thief, an attorney would have additional reasonable assurance that client data was not accessed. Where a lost or stolen device is set up so that it can be remotely located, locked, and/or wiped by deleting confidential information, access to the device would also be unlikely. Accordingly, where a lawyer has such protective measures in place, notification to the client would not be required. Interim Opn. at 7. Not surprisingly, the Interim Opinion suggests that such measures be implemented. In the event the lawyer confirms unauthorized access to information, notification is required. Interim Opn. at 8.
Where a malware or ransomware incident occurs, the lawyer should consider whether any confidential information was accessed or obtained, and whether any impairment of client service resulted. Interim Opn. at 8. To do this in a competent manner, a forensic consultant should evaluate whether client information was obtained as a result of the incident. If no confidential information was accessed, and the delay involved in mitigating a malware or ransomware incident is not material to clients, notification would not be necessary. Id.
Notification to a former client (as opposed to a current client) regarding a data breach is not settled as a matter of ethics rules, although attorneys may have statutory obligations that will apply. The ABA was “unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.” ABA 18-483 at 13. Instead, lawyers are encouraged to implement best practices regarding document retention to reduce the amount of information retained by lawyers regarding former clients. Id.
Law firm data breaches are a matter of “when,” not “if.” ABA 17-477R. Proper attention to training of personnel, management of vendors, and vigilant implementation and monitoring is required. Obtaining cyber insurance is prudent. Advance preparation for handling a data breach incident is essential.
Carole J. Buckner is a Partner and General Counsel at Procopio, Cory, Hargreaves and Savitch LLP, and a member of the firm’s Privacy and Data Security Team. She serves on the OCBA’s Professionalism and Ethics Committee. Carole can be reached at email@example.com.