Law firms often operate as a repository of sensitive client information, from proprietary trade secrets to personal data such as social security numbers and medical information. We also store sensitive emails and other communications that clients intend and prefer to be kept between themselves and their attorney. As attorneys, our goal is to help our clients, and the collection of this information is usually geared (or even necessary) to help and protect our clients. And, while businesses expend valuable resources to secure their business infrastructure, with a simple email request that information is passed to a law firm, which could expose sensitive data to whatever security and privacy protections (or lack thereof) the law firm has in place.

“As custodians of highly sensitive information, law firms are inviting targets for hackers.” See ABA Formal Opinion 483, “Lawyers' Obligations After an Electronic Data Breach or Cyberattack,” at 1 (Oct. 17, 2018) (last visited June 24); see also New York Ethics Opinion 1019, “Confidentiality; Remote Access to Firm's Electronic Files” (Aug. 6, 2014) (last visited June 24). As the practice of law becomes increasingly digital and reliant on technology, law firms need to become the fiduciaries of their clients' data: trusted information repositories that take security and privacy seriously. The law firm's own network infrastructure, document management, and third-party relationships are now on the front line of data privacy and security.


ABA Guidance on Cybersecurity and Data Privacy

In ABA Formal Opinion 477, “Securing Communication of Protected Client Information” (May 11, 2017), the ABA draws support from the duty of competence (ABA Model Rule 1.1) and duty of confidentiality (ABA Model Rule 1.6) to create an affirmative duty on lawyers to take reasonable measures to ensure that electronic communications with clients remain secure and confidential.

At the intersection of a lawyer's competence obligation to keep “abreast of knowledge of the benefits and risks associated with relevant technology,” and confidentiality obligation to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” lawyers must exercise reasonable efforts when using technology in communicating about client matters.

In assessing the very opaque concept of “reasonableness,” the ABA adopts a fact-based approach, balancing the need for consistency and clarity with the flexibility to determine what is truly secure in today's technological environment. The factors outlined include: the sensitivity of the information; the likelihood of disclosure if additional safeguards are not employed; the cost of employing additional safeguards; the difficulty of implementing the safeguards; and the extent to which the safeguards adversely affect the lawyer's ability to represent clients (citing Comment [18] to Model Rule 1.6(c)).

The ABA emphasizes the need for attorneys to have knowledge, both of potential threats and of their own systems and data management practices. The days of blissful ignorance when it comes to technology are behind us: lawyers need to be informed consumers of the technology that drives their practices. Ultimately, their ethical obligations to their clients depend upon it.

In ABA Formal Opinion 483, “Lawyers' Obligations After an Electronic Data Breach or Cyberattack” (Oct. 17, 2018), the ABA addresses the uncomfortable question of a lawyer's obligation to notify their clients when a data breach occurs. A core component of any representation is a duty to keep clients “reasonably informed” about the status of the representation such that a client can make informed decisions regarding that representation.

This duty, in conjunction with a lawyer's duty of competence, provides the basis for the obligation that a lawyer “must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” Without such active monitoring, the discovery of any cyber or privacy breach would be “happenstance” and, effectively, a lawyer would not be able to demonstrate compliance with her duty of competence to the client. Further, once a breach or infiltration is discovered, a lawyer must “act reasonably and promptly to stop the breach and mitigate damage resulting from the breach.”

ABA Opinion 483 distinguishes the notice obligation between current clients and former clients. For current clients, lawyers are obligated to communicate a data breach in order to comply with Model Rule 1.4. Curiously, there is no corresponding express obligation to provide notice of a data breach to former clients. Instead, the ABA encourages lawyers “to reach agreement with clients before conclusion, or at the termination, of the relationship about how to handle the client's electronic information that is in the lawyer's possession.” Absent such an agreement, lawyers should maintain a data retention schedule in order to reduce the amount of data retained for long periods of time, thereby decreasing the potential that former client data will be impacted by a data breach.


Malpractice Claims and the Liability of Lawyers in Securing Client Data

With the expansion of the Model Rules to require a lawyer to take proactive security and privacy measures, the liability risk for lawyers who fail to meet these obligations increases. “Data breaches and cyberthreats involving or targeting lawyers and law firms are a major professional responsibility and liability threat facing the legal profession.” As fiduciaries to our clients, lawyers owe a duty of care to ensure that clients are not harmed by the technology and network infrastructure that lawyers use in their daily practice. The ABA clearly recognizes that an attorney's competence in preserving a client's confidentiality is not a strict liability standard and does not require the lawyer to be invulnerable or impenetrable. Rather, the obligation is one of reasonable efforts: Rule 1.6 is not violated, even if data is lost or accessed, if the lawyer has made reasonable efforts to prevent the loss or access.

The limitations and boundaries of reasonable care are, as of yet, untested. As the ABA makes clear, there is no one standard that can be used to assess reasonable security and privacy measures: it is a fact-based analysis that will be heavily dependent on the type of information at issue and the resources available to the firm. However, failing to take any precautionary measures, or not conducting at least a perfunctory review of the measures taken, will likely not pass the test.

For lawyers who are just scratching the surface of cybersecurity and data protection, these affirmative requirements to protect client data may seem daunting. Technology has opened up opportunities and efficiencies never before achieved but, too often, the corresponding threats and vulnerabilities of those technologies are disregarded. As trusted advisers to our clients, lawyers have a responsibility to embrace security and privacy protections and continue to maintain that client trust. The bond and confidentiality between attorney and client is sacrosanct and deserves no less.

Jordan L. Fischer is a co-founder and managing partner at XPAN Law Group, a certified Women's Business Enterprise (WBE) and Women Owned Small Business (WOSB). She focuses her practice on international data privacy and cybersecurity and cross-border data management, with a special emphasis in European Union data privacy regulations and the General Data Protection Regulation.