Samuel C. Stretton.

If a data breach occurs, notify your clients of the breach immediately.

I believe my computer system has been hacked or breached. What are my obligations in terms of telling my clients?

The starting point for the answer is found in Rule of Professional Conduct 1.4 titled “Communications.” Under Rule 1.4(a)(3), a lawyer has to keep a client reasonably informed about the status of the case. Then under Rule 1.4(b)(2), one has to reasonably consult with a client about objectives. Obviously, a breach of data or infringement on the confidentiality of the attorney-client relationship is a major issue and the client has to be consulted. The lawyer is then going to have some obligations to repair the damage and make sure this doesn't happen again pursuant to the requirement in Rule 1.1, the Competence Rule. Apparently, this issue of hacking is happening frequently, since the American Bar Association issued Formal Opinion 483 on Oct. 17, addressing what the lawyer's duties are when there is a breach of data or some kind of hacking or computer attack.

The opinion notes that law firms are “inviting targets for hackers.” The American Bar Association notes its earlier Formal Opinion 477-R about a lawyer's ethical duties to use reasonable efforts when communicating about clients' information on the internet. The current new Opinion 483 then deals with the attorney's obligations when there's been a “data breach when a data breach exposes client confidential information.” The opinion does note there are certain laws about a breach also that lawyers should review in addition to the opinion. The opinion initially discusses Rule 1.1 about competent representation. It notes competent representation includes understanding the impact of technology on the practice of law. The opinion notes that this requires lawyers to understand technologies that are being used to deliver legal services and to understand how to protect the information.

The opinion makes it the obligation of the lawyer to monitor any data breach. If the clients' information is impacted by the breach or misappropriated, destroyed, compromised, etc., then the lawyer's ability to represent the client is impaired according to the opinion. The opinion also notes the supervisory Rules 5.1 through 5.3 requiring lawyers to supervise lawyers and nonlawyers to ensure they comply with the Rules of Professional Conduct, which would include not violating confidentiality. According to the American Bar Association's Ethics Committee, lawyers have to use reasonable efforts to monitor their staff and the staff's use of technology.

The committee notes that a lawyer has to “act reasonably and properly to stop the breach and mitigate damage resulting from the breach.” The committee suggests that lawyers have a plan in place to use when a breach occurs. The lawyer then, according to the committee, has the obligation to make all reasonable efforts to restore computer operations in order to continue representing clients. The panel notes Model Rule of Professional Conduct 1.6(c), which states that a lawyer has to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information. This language is found at Pennsylvania Rule 1.6(d). Reasonable efforts must be made to restore the technology systems with the implementation of new technology.

The committee notes the lawyer also has to attempt to find out what was actually taken or stolen. The lawyer has to gather the information or hire someone who is capable of discovering the extent of the hacking.

The lawyer needs the client's consent to disclose to law enforcement the data breach. With or without the client's consent, the lawyer according to the committee may disclose only such information as is reasonably necessary to assist in stopping the breach or to recover the stolen information. In other words, the lawyer has to still protect client confidentiality under Rule 1.6. In terms of the breach, the committee indicates that for current clients there has to be communication and the lawyer has to keep the clients reasonably informed about the data breach under Rule 1.4.

Of interest is the reference to Rule of Professional Conduct 1.15, involving funds and property. The committee stated there should be no distinction between hard copies of clients' files and electronic copies. Both have to be maintained and protected. In terms of former clients, the committee noted the rules don't provide any direct guidance under the data breach situation in terms of a former client. But, it notes that Rule 1.9(c) provides that a lawyer can't reveal clients' information or former clients' information. The American Bar Association Committee was “unwilling to require notice to a former client as a matter of legal ethics in the absence of a black letter provision requiring such notice.”

Pennsylvania Rule of Conduct 1.9 has similar language to the model rules. The committee discussed Rule 1.16(d) involving the termination of representation or discharge of a lawyer. The committee noted that Rule 1.16(d) has been interpreted as permitting lawyers to establish appropriate data destruction policies to avoid retaining clients' files and property indefinitely. The committee encouraged lawyers to reach agreements with their past clients as to how to handle electronic information still in the lawyer's possession. The committee also noted this responsibility still will require notice to a former client.

In terms of extent of the communication with the client, it depends on the size of the breach. The committee noted the following: “The disclosure must be sufficient to provide enough information for the client to make an informed decision as to what to do next, if anything.”

But, the lawyer has to continue to keep the client advised as the situation develops with the data breach.

The American Bar Association opinion is an important one, but will become even more important as time goes on due to greater use of computers and the greater sophistication of computer hackers.

This still raises the question: should lawyers be emailing and texting and using cellphones to communicate with their clients unless they have extensive and complicated security protection? Most lawyers don't, and relatively minor security protections apparently can be easily broken and hacked.

Doctors aren't allowed to transmit patient information electronically unless it's extremely secure nor are they allowed to have electronic communications with their patients. Perhaps someday lawyers are going to be put in the same position because no one can ensure these electronic communications cannot be breached.

The new American Bar Association's formal opinion is a good read and every lawyer should be aware of it. The most important practice point is that clients have to be notified of data breaches. The practice of law with the use of modern technology has come a long way. But lawyers now must accept responsibility to protect and preserve client confidentiality.

Protect yourself by getting the fee agreement notice signed.

I know under Rule 1.5(b) of the Rules of Professional Conduct a lawyer must send the client a written notice of the fee. Does that notice have to be signed by the client?

Obviously, the best practice is to always have in writing the fee arrangement. This is now a mandatory requirement and has been for about 25 years under Rule of Professional Conduct 1.5(b). That rule states as follows: “When the lawyer is not regularly representing the client, the basis or rate of the fee shall be communicated to the client in writing, before a written or reasonable time after commencing the representation.”

That rule is important because the fee letter should be essentially signed contemporaneously with the retention of the lawyer. The better practice is to send the fee letter after meeting with the client. Perhaps a week or so can pass, but it gets very questionable if a number of weeks pass before the fee arrangement is communicated in writing.

What is more important and not always understood is that the fee document doesn't have to be a written agreement. Many lawyers use fee agreements and perhaps that's a good policy. But, the document only has to set forth what the fee arrangement is. As a result, there is no requirement that the client sign the fee notice or letter.

Comment 1 to Rule 1.5 notes a written statement concerning the fee reduces the possibility of misunderstanding. The Comment also notes that giving the client a simple memorandum or a copy of the lawyer's customary fee schedule is sufficient if it sets forth the rate of the fee.

But, a fee letter can be much more. It's important in the fee letter or agreement, if it's signed, to set forth the nature and scope of the employment. For instance, in a civil or criminal case, it's important to note somewhere that the representation and fee charge does not include appeals or post-trial motions or sentencing or arguments in appellate courts, etc. Without doing so, the client might be misled to believe that when they pay the fee the lawyer is going to represent them through the trial and on all appeals without additional charge.

Having a client sign that document removes any question as to whether or not the client received it. Of course, with the technology of emailing and faxing, etc., there can also be additional proofs that the client received the fee letter.

But, there are other advantages for having the client sign. The client's signature removes any question that the client received and reviewed the agreement. Also, under Rule 1.15 of the Rules of Professional Conduct, if the lawyer is using a nonrefundable fee arrangement, the client has to sign the nonrefundable agreement. In other words, a lawyer can put in their fee letter that the fee is nonrefundable and explain that to the client. But if the client doesn't sign, that is not sufficient to allow the fee to be nonrefundable under Rule 1.15. Therefore, if the lawyer doesn't put the money in the IOLTA account until earned, even though the magic words “nonrefundable” are used, it doesn't count unless the client signs the fee letter.

Therefore, the required practice is to have either a fee agreement or fee letter or some documentation in writing given to the client which sets forth the fee arrangement. But, a better practice might be to have the client sign the fee letter for all the above reasons and to remove any confusion. Too many times, in attorney disciplinary matters, the client has come in and said they didn't have or never saw a fee agreement when the lawyer says they did. A signed copy removes that problem. Further, every lawyer who practices regularly knows that the clients can be your worst enemies if it's in their interest to do so. Therefore, lawyers have to practice law defensively and also protect themselves and a signed fee agreement is a good way of doing so.

Chester County lawyer Samuel C. Stretton has practiced in the area of legal and judicial ethics for more than 35 years. He welcomes questions and comments from readers. If you have a question, call Stretton directly at 610-696-4243 or write to him at 301 S. High St. P.O. Box 3231, West Chester, Pennsylvania, 19381.