Oct. 9, 2020
Working remotely? Data breaches and attorney duties
The California State Bar’s Committee on Professional Responsibility and Conduct has issued a new formal opinion, 2020-203, that addresses issues associated with attorneys’ ethical obligations in the face of a data breach.
As a result of the coronavirus pandemic, working remotely has become the "new normal" for many attorneys. Now, more than ever, attorneys are accessing confidential client information and documents from personal devices, such as laptops, tablets, and smartphones, or accessing confidential client information in public areas or through public networks. Not surprisingly, as remote work remains the norm, the risk of data breaches and unauthorized, third-party access to confidential client information increases with it. In consideration of this "new normal" and the risks associated with it, attorneys should reacquaint themselves with their ethical obligations in this regard.
The California State Bar's Committee on Professional Responsibility and Conduct (COPRAC) has issued a new formal opinion, 2020-203, that addresses issues associated with attorneys' ethical obligations in the face of a data breach. According to that opinion, attorneys have a duty of competence and confidentiality when using electronic devices in their practice, and also have a duty of disclosure regarding data breaches or unauthorized, third-party access that is detrimental to a client's interests.
These ethical obligations require that attorneys understand the risks of unauthorized access regarding their electronic devices, know of ways in which they can protect against unauthorized access, and apply safeguards to protect against such risks. Further, if a data breach occurs despite the attorney's reasonable efforts to protect against unauthorized access, and that data breach negatively impacts a client's interests, the attorney is under an obligation to disclose that breach to the affected client.
The Duty of Competence and Confidentiality
It is no surprise that attorneys owe clients a duty of competence and a duty of confidentiality. See California Rules of Professional Conduct, Rules 1.1 and 1.6; see also Business and Professions Code Section 6068(e). While these duties are often evaluated in the context of providing legal services, they also apply to other areas within an attorney's practice. For example, an attorney has a duty of competence and confidentiality regarding the use of electronic devices.
Indeed, as with substantive knowledge of the law, an attorney must also have a basic understanding of the benefits and risks associated with the technology used throughout the attorney's practice. See COPRAC Formal Opinion Nos. 2015-193 and 2010-179. This obligation requires that an attorney "learn where and how confidential client information is vulnerable to unauthorized access," and that the attorney do so with regard to "each type of electronic device or system" incorporated in the attorney's practice. COPRAC Formal Opinion No. 2020-203.
To ensure one is fulfilling one's duty of competence and confidentiality with regard to the use of electronic devices, one should: (1) understand how the use of a device creates the risk of unauthorized access; (2) be knowledgeable as to the protective strategies used to minimize such risk; and (3) implement reasonable security measures to address the potential risks. COPRAC Formal Opinion No. 2020-203. Taking these steps will help mitigate the risks and threats associated with unauthorized third-party access, which can vary based on the device used and the data thief's attack strategies.
Of course, these obligations are in addition to an attorney's obligation to monitor for a data breach, act reasonably and promptly to stop the breach and mitigate any damage, and investigate and determine what occurred during the data breach, as addressed in ABA Formal Opinion No. 18-483.
In fact, the risk assessment obligations regarding data breaches do not end with the individual attorney. If an attorney has a managerial or supervisory role, the attorney must make a reasonable effort to establish internal policies and procedures designed to protect confidential client information from the risk of a data breach. See ABA Formal Opinion No. 18-483; see also California Rules of Professional Conduct, Rules 5.1 and 5.3.
The Duty of Disclosure
Rule 1.4(a)(3) of the California Rules of Professional Conduct and Section 6068(m) of the Business and Professions Code require an attorney to keep the client reasonably informed of significant developments regarding the attorney's representation of the client. As with an attorney's duty of competence and confidentiality, the duty of disclosure also applies when an attorney uses electronic devices in the attorney's practice. In this context, a "significant development" that triggers the duty of disclosure includes the misappropriation, destruction, or compromise of confidential client information, or a data breach that has significantly impaired the attorney's ability to provide legal services to the client. See ABA Formal Opinion No. 18-483.
Notably, not all events involving lost or stolen devices, or unauthorized access to devices, result in a data breach. For example, the theft of a device might not expose any confidential data if the thief never accesses the device or the confidential data contained therein, yet it could still result in a significant impairment of the attorney's ability to provide legal services. However, if an attorney suspects that a breach may have occurred, the attorney must take reasonable efforts to identify: (1) the affected client; (2) the amount and sensitivity of the client information involved; and (3) the likelihood that the information has been, or will be, misused to the client's disadvantage. COPRAC Formal Opinion No. 2020-203.
The key principle in evaluating whether an event triggers the duty to disclose is whether there is a reasonable possibility that the client's interests will be negatively impacted. ABA Formal Opinion No. 18-483. When in doubt, attorneys should err on the side of disclosure: disclose the data breach to the affected client as soon as possible, and provide enough information to allow the client to make informed decisions in response to the suspected breach. COPRAC Formal Opinion No. 2020-203.
As attorneys navigate the practice of law in this "new normal," it is more important than ever to be conscious of one's ethical obligations regarding the potential risk of unauthorized, third-party access to confidential client information. Familiarizing oneself with the electronic devices used in one's practice, implementing reasonable security measures, having a plan to respond to potential data breaches, and disclosing a data breach if it negatively affects one's client will help ensure that attorneys comply with their ethical duties and protect their clients' confidential information.