This article was reprinted with permission from Business Law Today.
Much has been written in recent years about lawyers’ duties to preserve the confidentiality of client information under the rules of professional conduct and to take reasonable precautions to strengthen cybersecurity in order to avoid data breaches. Executing those duties has become more difficult amid an increase in the frequency and sophistication of state-sponsored and criminal cyberattacks directed at law firms and their clients. Further complicating matters for lawyers is knowing when disclosure to clients of a law firm data breach is required by the rules of professional conduct even though the threat of exfiltration or loss of client confidential data is in doubt. Below we examine opinions of the American Bar Association that offer some guidance on when client notification of a data breach is appropriate to ensure protection of client confidentiality and minimize exposure to legal malpractice liability. In addition, we will be discussing the requirements of bar associations in various states, and analyzing law firms’ exposure for potential professional liability.
Recently several large international law firms have been hacked by foreign nationals seeking information in furtherance of an insider trading ring. A prominent Chicago law firm was sued in a class action alleging that it failed to maintain adequate safeguards to protect client confidential information. A New York entertainment law firm was subject to a ransomware attack in which the attackers claimed to have stolen privileged data about many of the firm’s high-profile clients. Panamanian law firm Mossack Fonseca was infamously hacked; the leaked documents published on the internet included the names of a number of the firm’s high profile government clients, their shell corporations and financial transactions, raising the specter of an alleged illegal money laundering scheme. The massive data breach and attendant unwelcome publicity coined the phrase “the Panama Papers” and inspired the Netflix movie The Laundromat, in which Meryl Streep portrayed a widow who was bilked by a client of the firm.
Against this backdrop, the organized bar has implemented guidelines, including published ethics opinions on cybersecurity, including reasonable measures to prevent data breaches—and ensuing professional liability.
But what should lawyers do when the unthinkable occurs, and their firm is the victim of a data breach, or is held hostage by a ransomware attack? What obligations do lawyers have to notify their clients that their confidential data has been or may have been compromised or accessed by a hacker?
ABA Ethics Opinion 483
In 2018, the American Bar Association Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483, which provides guidance on law firms’ duties to notify clients of data breaches under the ABA Model Rules of Professional Conduct. The Ethics Committee, in its opinion, wrote that, “an obligation exists for a lawyer to communicate with current clients about a data breach.” However, not all cyber episodes require client notification. Rather, Formal Opinion 483 defines a data breach as a cyber episode in which “material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”
Formal Opinion 483 further notes:
“[N]o notification is required if the lawyer’s office file server was subject to a ransomware attack but no information relating to the representation of a client was inaccessible for any material amount of time, or was not accessed by or disclosed to unauthorized persons. Conversely, disclosure will be required if material client information was actually or reasonably suspected to have been accessed, disclosed or lost in a breach.”
So, it would appear, that Formal Opinion 483 is arguably inconsistent, leading to the question: Is mere access sufficient to trigger a duty to provide notification, or must there be a reasonable suspicion of tampering with or misappropriation of the data? Some guidance is given by state ethics opinions, which, like the ABA, suggest that lawyers have a duty to investigate and disclose the existence of a data breach to clients whose material confidential information is known to have been accessed or exfiltrated by an unauthorized intruder. As will be seen, the law firm’s duty to provide client notice may exist even in situations in which the data penetration did not result in exfiltration of or damage to the client’s data.
Other Ethics Opinions
An earlier ABA Ethics Opinion, Eth. Op. 95-398, addressed a law firm’s obligation to notify a client when a third party document storage vendor sustains an intrusion which exposes client confidential information, concluding that a lawyer may be obligated to notify the underlying client of an unauthorized intrusion which “could reasonably be viewed as a significant factor in the representation, for example where it is likely to affect the position of the client or the outcome of the client’s legal matter…”
The New York State Bar Association Committee on Professional Ethics has similarly concluded that a lawyer must notify affected clients of information lost through an online cloud data storage provider. N.Y. State Bar Ass’n Eth. Op. 842 (2010), According to the NYSBA, “If the lawyer learns of any breach of confidentiality by the online storage provider, then the lawyer must investigate whether there has been any breach of his or her own clients’ confidential information, notify any affected clients, and discontinue use of the service unless the lawyer receives assurances that any security issues have been sufficiently remediated.”
The Maine Bar Association Professional Ethics Committee addressed client notification in its Ethics Opinion 220, which determined that client disclosure was fact-specific in the event of a law firm data breach, but could be triggered by mere exposure rather than actual pilfering or manipulation of client data. According to the Maine Bar:
“Notification requirements under the Maine Rules of Professional Conduct arise when confidences or secrets are exposed or the breach significantly impairs or impacts the representation of a client. A cyberattack or data breach alone may give rise to a duty to notify clients, depending on the circumstances. . . . Once the scope of an attack or breach is understood, the lawyer must promptly and accurately make an appropriate disclosure to the client.”
Thus, under the Maine Rules of Professional Conduct, mere exposure of client confidential information may be sufficient to trigger a disclosure obligation.
The Michigan State Bar has recently concluded that a law firm material data breach triggers an obligation to give notice to its clients. According to the Michigan Bar Ethics Opinion RI 381:
“A lawyer has a duty to inform a client of a material data breach in a timely manner. . . . A data breach is “material” if it involves the unauthorized access, destruction, corruption, or ransoming of client ESI protected by [Michigan Rule of Professional Conduct] 1.6 or other applicable law, or materially impairs the lawyer’s ability to perform the legal services for which the lawyer has been hired. The duty to inform includes the extent of the breach and the efforts made and to be made by the lawyer to limit the breach.”
Thus, at least under the guidance furnished by the Michigan Bar Association, if the lawyer can determine which clients’ data have been compromised, then, assuming that the pilfered or exposed data are material, those clients should be notified. The law firm should also promptly investigate and remediate the breach.
Professional Liability Concerns
In addition to compliance with the rules of professional conduct, there are also professional liability issues, inasmuch as a disgruntled client could bring a claim that its confidential information was insufficiently safeguarded, or that it was not timely notified of the breach. In such cases, adverse publicity could be generated by the mere filing of a public complaint.
For example, in March 2020, a lawsuit was filed by Hiscox Insurance Company against law firm Warden Grier for breach of contract, breach of fiduciary duty and malpractice. Hiscox accuses the law firm of failing to notify it of a major data breach in 2016, in the course of which client confidential information was penetrated by an intruder, posted on the dark web, and held for ransom, which the firm paid. Hiscox Ins. Co. Inc. & Hiscox Syndicates Ltd. v. Warden Grier, LLP (2020). According to Hiscox’s complaint, the law firm learned of the data breach in December 2016, but did not notify clients for over 16 months that their personal identifying information had been accessed by the Dark Overlord intruder and posted to the dark web. Julia Weng, Hiscox Hack Suit Advances as Warden Grier Loses Dismissal Bid, Data Breaches.net, July 25, 2020. In July 2020, a federal district court denied Warden Grier’s motion to dismiss Hiscox’s complaint, ruling that the complaint states a cause of action for breach of contract and breach of implied contract, reasoning that the carrier’s litigation management guidelines constituted a binding contract which required the law firm to take specified precautions to protect the security of clients’ PII. Hiscox Ins. Co. Inc. & Hiscox Syndicates Ltd. v. Warden Grier, LLP, Case No. 4:20-cv-00237-NKL (W.D. Mo. Jul. 23, 2020). The law firm did not move to dismiss the negligence cause of action, which remains intact.
In 2016, a former client of Chicago law firm Johnson & Bell filed a class action alleging that the firm engaged in malpractice by its failure to maintain adequate standards of cybersecurity. The class action alleged that the firm, which portrays itself as an expert in advising clients about cybersecurity, was itself negligent in protecting its own clients’ data security, by its failure to properly encrypt an online attorney time tracking system and the use of a virtual private network. The purported class representatives alleged that they were damaged by the risk that their confidential information might be compromised at some point in the future. After denial of the law firm’s motion to dismiss, the court directed the parties to participate in confidential arbitration.
In addition to professional liability concerns, law firms should be mindful of statutory obligations imposed on all businesses. For example, Massachusetts enacted a pioneering data protection law in 2010 known as “Standards for the Protection of Personal Information of Residents of the Commonwealth,” which requires companies doing business in Massachusetts to encrypt personal data and to retain and store digital and physical records and implement network security controls to protect sensitive consumer information. The Massachusetts law broadly applies to: “Every person that owns or licenses personal information about a resident of the Commonwealth,” and requires such persons to develop “a comprehensive information security program that it is written in one or more readily accessible parts,” and contains safeguards to protect and encrypt confidential consumer information.
Lawyers who represent insurance companies, in particular, should take note of cybersecurity regulations promulgated in 2017 by the New York Department of Financial Services, which regulates the insurance industry. These new cybersecurity rules, which apply to all entities under DFS jurisdiction, including insurance companies, insurance agents and banks, require encryption of all non-public information held or transmitted by the covered entity, and require each regulated company to appoint a chief information security officer (“CISO”), who must report directly to the board of directors and issue an annual report, setting forth an assessment of the company’s cybersecurity compliance and any identifiable risks for potential breaches.
Of particular interest to law firms which represent financial institutions or are retained by insurance companies is §500.11 of the new DFS regulations, which requires each covered entity to “implement written policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by third-parties doing business with the covered entity.” See 23 NYCRR Section 500. Thus insurance companies which provide access to personal identifying information to third-party vendors must certify not only that their own information systems are adequate, but also that the information security systems of vendors, presumably including law firms, with whom they do business are also secure and protected. In other words, law firms who do business with regulated financial service companies are expected to comply with the cybersecurity standards of their represented clients.
As explained above, the rules of professional conduct require a fact-based inquiry and disclosure to those clients whose material data is known or reasonably suspected to have been accessed by an intruder. A law firm’s duty to notify clients about a data breach depends on the severity of the breach, the level of knowledge the lawyer has, and the materiality of the improperly accessed data. The consensus of the organized bar, as exemplified in the ethics opinions discussed above, recommends client notification of a data breach affecting clients’ confidential data which are material and reasonably suspected to have been accessed, disclosed or lost.
The materiality of the data, and their importance to the client, are fact-specific. For example, if the intruder accessed the first draft of a brief filed 18 months ago in a closed case, ABA Ethics Opinion 483 probably would not require notice. On the other hand, a nonpublic client’s private financial statement, current merger plans, misconduct by the client’s CFO or a nonpublic sexual harassment complaint would probably be the sort of information that a corporate client would reasonably consider material, and expect to be notified about in the event of a breach. In addition, lawyers should ensure that they comply with clients’ litigation management guidelines, which may require notifications in situations broader than those required in bar association ethics opinions.
Law firms should proactively prepare for a future cyber intrusion, and can mitigate their risk by preparing a breach notification plan. In the event of a breach, law firms can avoid or mitigate professional malpractice claims by notifying their cyber insurance carriers, and by undertaking a prompt and thorough investigation and employing third party breach mitigation experts. Prompt and diligent disclosure to clients of the breach may also help mitigate the risk and severity of litigation.
Barry Temkin is a partner at Mound Cotton Wollan & Greengrass in New York, an adjunct Professor of Law at Fordham University School of Law, and immediate past Chair of the New York County Lawyers’ Association Committee on Professional Ethics.
Jennifer Goldsmith is Vice President, Professional Liability Claims, at Ironshore Insurance, an attorney at law, and a graduate of The George Washington University Law School.
David Standish is a graduate of New York Law School, an attorney at law, and an Assistant Vice President and Cyber/Tech Claims Manager at Ironshore Insurance.
The views expressed in this article are the authors’ alone, and do not reflect the views of Ironshore Insurance, Fordham University or the New York County Lawyers’ Association. The foregoing information is for informational purposes only. It is not a substitute for legal advice from a licensed attorney, nor does it create an attorney-client relationship. The authors disclaim all liability arising out of this resource.