The ABA's Model Rules of Professional Conduct require lawyers to monitor for and prevent data breaches, determine what occurred, restore systems and inform clients if their sensitive data is breached, according to an opinion penned by the American Bar Association.

Last month, the ABA Standing Committee on Ethics and Professional Responsibility released Formal Opinion 483 that discussed an attorney's ethical obligation if a data breach exposes a client's confidential information. State, federal and international law compliance aren't discussed in the opinion, but compliance with those laws does not “necessarily achieve compliance with ethics obligations,” the ABA said. 

The organization added, “As a matter of best practices, lawyers who have suffered a data breach should analyze compliance separately under every applicable law or rule.”

However, the ABA clarified that an ethical violation doesn't necessarily occur if a cyber intrusion or loss of electronic information is not immediately detected. The ABA wrote that hackers may successfully hide their intrusion “despite reasonable or even extraordinary efforts by the lawyer.”

The organization explained that an ethical violation potentially occurs if a lawyer doesn't take “reasonable efforts” to avoid data loss or to detect a cyber intrusion and that lack of reasonable effort is the cause of the breach.

The ABA uses “reasonable efforts” throughout the opinion when discussing how to ethically deal with current and potential data breaches. It defines reasonable efforts' nature and scope standard based on “The ABA Cybersecurity Handbook” that focuses on security responses rather than specific software needed.

“Although security is relative, a legal standard for 'reasonable' security is emerging,” the ABA said. “That standard rejects requirements for specific measures (such as firewalls, passwords, or the like) and instead adopts a fact-specific approach to business security obligations that requires a 'process to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments.”

Applying the reasoning of Model Rules 5.1 and 5.3 rules, the ABA concluded lawyers must use reasonable efforts to monitor the technology and office resources connected to the internet, external data sources and external vendors providing services relating to data.

The ABA also cited Rule 1.1 as requiring lawyers to act “reasonably and promptly” to stop and mitigate the breach's damage. The ABA suggests but does not require that lawyers also proactively develop an incident response plan with specific plans and procedures for responding to a data breach.

In its opinion, the ABA also stressed the importance of ABA Formal Ethics Opinion 95-398, which found lawyers must contact clients whose data was breached by a third-party vendor. If lawyers are ethically required to disclose a breach by a third party, they are also required to disclose a first-party breach, the committee wrote.

But the committee wrote it's “unwilling to require notice to a former client” or label it an ethical matter, in the absence of a “black letter provision requiring such notice.”

David Atkins, a Pullman & Comley attorney who leads its professional liability section and represents lawyers in ethics and disciplinary matters, said he wasn't surprised by the ABA's reluctance to include disclosure to former clients as a requirement. He said the “black letter provision” could be included in a contractual agreement where a client imposes it be given a notice of a data breach while and after they are a client.