The State Bar of California Standing Committee on Professional Responsibility and Conduct recently issued a formal opinion on an attorney’s obligations with regard to client confidential information that is stored electronically. The opinion found that lawyers must take reasonable steps to secure their electronic systems to minimize the risk of unauthorized access. They should also stay abreast of changes in technology and recommended cybersecurity controls.
In the event of a data breach, attorneys must conduct an investigation to determine which clients may have been affected and notify those clients of any potential impact. The committee recommends that lawyers implement an incident response plan to meet these obligations and identify any gaps in security.
The ethics committees of the American Bar Association (ABA) and state bar associations frequently issue public opinions in response to lawyers’ requests for advice. Such opinions are not enforceable as law but offer insight into how a bar association interprets various provisions of its ethics rules and any other applicable laws or regulations. The California State Bar opinion interprets a lawyer’s responsibility for data protection in the context of the duties of competency, confidentiality, and disclosure, and related provisions of the Business and Professions Code.
- A lawyer shall not intentionally, recklessly, with gross negligence, or repeatedly fail to perform legal services with competence.
A lawyer’s most basic responsibility is to deliver legal services competently. This rule applies primarily to a lawyer’s knowledge and skill, methods and procedures, and preparation in the handling of a legal matter. However, it also extends to how attorneys conduct their business. Today, that generally includes the use of information technology.
If a lawyer is going to use technology to store a client’s confidential information, he or she must make a reasonable effort to monitor the security of the technology and related services. The lawyer must also respond promptly to a suspected data breach to determine which files, if any, were accessed.
An attorney may hire IT professionals to install, manage, and operate technology tools. Ultimately, however, the responsibility lies with the attorney to oversee nonlawyer staff and ensure that their work is performed in a manner consistent with the lawyer’s professional and ethical obligations (Rule 5.3). The rule applies to third-party consultants and technology service providers as well as employees of the lawyer’s firm.
- A lawyer shall not reveal information protected from disclosure by Business and Professions Code section 6068, subdivision (e)(1) unless the client gives informed consent, or the disclosure is permitted [to prevent a criminal act].
Maintaining the confidentiality of client information is one of a lawyer’s most important responsibilities. The trust relationship is what encourages clients to communicate truthfully and completely so that the attorney may advise them. California Business and Professional Code § 6068(e)(1) makes the gravity of this responsibility clear: The lawyer must protect a client’s secrets “at every peril to himself or herself.”
Disclosing confidential information can have dire legal consequences. If a lawyer reveals such information in a nonprivileged communication, the attorney-client privilege may be forfeited (see also: California Evidence. Code 954). However, the Restatement (Third) of the Law Governing Lawyers § 79, Comment h, states that privilege is not waived if the lawyer “took precautions reasonable in the circumstances to guard against such disclosure.”
What is “reasonable” varies from jurisdiction to jurisdiction, but most ethics rules stop short of recommending specific security measures. Instead, bar associations expect attorneys to assess risks based upon the sensitivity of the information and the vulnerability of a device or system to unauthorized access. Lawyers should also have a basic awareness of available security tools and stay abreast of changes in technology and emerging security threats.
- A lawyer shall: (3) keep the client reasonably informed about significant developments relating to the representation.
California ethics rules and Business and Professions Code § 6068(m) establish a broad requirement for lawyers to communicate with clients and disclose relevant information. The ABA has concluded that a lawyer has a duty to disclose a data breach “where material client confidential information is misappropriated, destroyed, or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”
As part of their investigation of a security event, attorneys should use this guidance to analyze whether disclosure is required. Certainly, a lawyer has a duty to disclose if the data breach materially impacts the client’s interests, the client will need to make decisions, or the lawyer’s representation of the client will change because of the breach. When in doubt, the attorney should err on the side of disclosure.
Lawyers may be legally required to notify clients of a data breach under California Civil Code § 1798.82 and similar laws in other states. Notification may also be required under federal regulations such as the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, and international laws such as the EU General Data Protection Regulation.
Technology Plays an Essential Role in a Lawyer’s Representation of Clients
As a result, lawyers must be aware of the risk that confidential client data might be exposed in a security breach. Ethics rules and various laws and regulations require that attorneys take steps to minimize that risk and notify clients should a data breach occur. Opinions by the California State Bar and other bar associations can serve as a guide for complying with these responsibilities.
Learn More About the Law and Technology
The nation’s first online law school, Concord Law School offers single law courses in law and technology, including:
- ADR and technology
- Cyber law
- Cybersecurity law
- Intellectual property
We also offer two online legal degrees: the Juris Doctor, which trains you to become a California-licensed attorney; and the Executive Juris Doctor, a doctorate in law for those who wish to build their legal expertise without becoming a practicing attorney.*
To learn more about our online law degrees and courses, request more information today.