Every day, clients entrust their lawyers with confidential information. Whether in a matrimonial dispute, high-stakes corporate acquisition, commercial litigation, criminal defense matter, or any other sensitive legal issue, clients rely on their lawyers to safeguard information that could be detrimental or embarrassing to the client if disclosed. A lawyer’s ethical obligation to protect such confidential information is embodied in Rule 1.6 of the Rules of Professional Conduct (“RPCs”), which states in relevant part that “a lawyer shall not knowingly reveal confidential information.” The duty of confidentiality is not limited, however, to intentional disclosures. Rule 1.6(c) also requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to” confidential information.
As methods used to transmit and store information become more technologically advanced, however, the efforts required to protect confidential information from “inadvertent or unauthorized disclosure” must evolve. Protecting confidential information is no longer just about locking file drawers and office doors (although that’s still a good idea). It is also about maintaining good data security practices and having a plan to deal with data security breaches. Unfortunately, lawyers have a reputation – fair or unfair – for being technological luddites, despite the fact that Comment [8] to Rule 1.1 (Duty of Competence) requires lawyers to “keep abreast of the benefits and risks associated with the technology the lawyer uses to provide services to clients or to store or transmit confidential information.”
Technological competence has become even more critical during this Covid-19 crisis, where many law firms are operating entirely on a remote basis. Lawyers and staff alike are accessing information from remote work spaces and many of them using unfamiliar technologies, often with little preparation or training. This wholesale transition to remote work took place virtually (no pun intended) overnight and has placed an unprecedented burden on most law firms’ technological capabilities.
The Risk of Data Breaches
With droves of confidential information and a potential lack of technical sophistication, law firms are a key target for bad actors looking to access and monetize sensitive information, through phishing emails, wire transfer scams, and other illicit means. Once such method is the ransomware attack – in which a third party obtains access to a firm’s network or data and threatens to expose it or delete it unless the firm pays a ransom. Unlike in movies or on television, these scammers rely primarily on human frailty or ignorance, rather than on super-genius computer hacking skills. In many cases, an employee will receive a legitimate looking email, click on a link, and follow instructions to enter a password or some other key information. In doing so, the employee unwittingly provides the scammer with enough information to penetrate the firm’s systems and gain control.
There are best practices that law firms should implement to guard against these types of invasions, some of which are discussed in this cybersecurity report from the New York State Bar Association https://nysba.org/app/uploads/2020/03/NYSBA-Cyber-Alert-031220.pdf). But that’s not what this post is about. This post is about what happens after your law firm’s system has been breached. In other words, what duties does a law firm have to notify clients that a data breach has occurred? We will get to that question; but first, a cautionary tale.
The Case of the Missing Data Breach Notification
In 2016, the Kansas City law firm of Warden Grier LLP suffered a ransomware attack by a notorious hacker group known as The Dark Overlord, according to a Complaint https://www.databreaches.net/wp-content/uploads/Hiscox_complaint.pdf filed in federal court last Friday. Warden Grier allegedly paid off the hackers, which enabled the firm to regain control of its systems. Although Warden Grier notified federal authorities, the firm allegedly did not notify Hiscox Insurance, a client that routinely hired Warden Grier to defend claims against Hiscox’s insureds. According to Hiscox, it only learned of the hacking incident in 2018, when a Hiscox employee stumbled across some client-related information posted on the dark web. Hiscox alleges that Warden Grier breached its contractual obligations and its fiduciary duties by failing to notify the company of the data breach and seeks $1.5 million in damages.
Are Law Firms Required to Notify Clients of a Data Breach?
A law firm that experiences a ransomware attack or other data security breach should take several immediate steps, such as hiring a data security consultant, conducting an investigation, and – in most cases – reporting the incident to relevant criminal authorities. It should not be forgotten that the law firm is – first and foremost – the victim of a crime. In reality, this does not always happen. Many companies quietly pay off the extortionist in order to regain control of their systems and avoid embarrassment https://www.law360.com/articles/1123819. Even if the firm decides not to report the incident to authorities, it should conduct an internal investigation, because without knowing what information an intruder might have accessed or stolen, the firm cannot determine whether it has a duty to notify clients, individuals, and regulators of a data breach. If an investigation reveals that client information was, in fact, breached, this likely triggers a duty to notify the client, at a minimum. There are multiple sources for this duty, each of which may have different – although overlapping – standards. These sources include: contractual obligations, Rules of Professional Conduct, data breach notification statutes, and/or international law such as the General Data Protection Regulation (“GDPR”). The firm should also consider whether risk management factors might favor notification, even where there is no clear duty to notify in a particular circumstance. We address each of these considerations below.
Does the Firm Have a Contractual Duty to Notify a Client of a Data Breach
As with any professional relationship, one of the first places to look for duties is the contract that governs the relationship. Most attorney-client relationships are governed by some sort of engagement letter. Where the client is a large corporation or insurance company, the relationship may also be subject to outside counsel guidelines or similar terms and conditions. Therefore, even if a law firm’s standard engagement letter is silent with respect to data breach notifications, the firm should also check if there are any outside counsel guidelines that might apply to the situation. In Hiscox v. Warden Grier, for example, Hiscox alleges that Warden Grier signed “Terms of Engagement” that required the firm to “retain either the originals or copies of all file documents relating to the claim” and to “have in place an appropriate disaster recovery plan with appropriate back-up to ensure the continuity of services in the event of a disaster.” Although the Terms of Engagement did not explicitly require “notification,” the Complaint alleges that Warden Grier breached the Terms of Engagement by, among other things, failing “to conduct and prompt and adequate investigation” into the data breach, which should have included “notifying Hiscox” of the breach. In some circumstances, a company’s outside counsel guidelines may go further than Hiscox’s Terms of Engagement to expressly require notification.
Do the Rules of Professional Conduct Require Notification?
The RPCs are obviously another key place for lawyers to look for duties to clients. Each U.S. jurisdiction has adopted its own version of the RPCs, based primarily on the ABA Model RPCs, with some variations. In New York’s version of the RPCs, as in the Model RPCs, Rule 1.4 governs the duty to communicate with clients. New York’s Rule 1.4(a)(1)(iii) states, for example, that lawyers must “promptly” inform clients of “material developments” in their legal matters and Rule 1.4(a)(3) requires lawyers to “keep the client reasonably informed about the status of the matter.”
Does Rule 1.4 require lawyers to notify clients when their confidential information has been breached by hackers? Not surprisingly, the answer is yes. In a 2018 ethics opinion https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf, the ABA ethics committee opined that “[w]hen a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their ethical obligations under these Model Rules.” ABA Ethics Op. 483 (2018). Opinion 483 is worth reading for its analysis and helpful advice on how to protect against data breaches and how to deal with them once they occur. For the purposes of this post, however, the bottom line is that Rule 1.4 requires prompt notification to clients when a law firm suffers a data breach that compromises client information
Do Data Breach Notification Statutes Require Notification?
All 50 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted statues requiring notification in the event of a data breach. Additionally, there are sector-specific statutes, such as the Health Insurance Portability and Accountability Act (“HIPAA”), which include breach notification requirements. Depending on the type of data that is compromised and certain thresholds, a law firm may have obligations to notify under these state or federal statutes. These obligations may include notifying individuals, regulators, and even media and credit bureaus. For instance, under the New York State breach notification statute—recently amended by the SHIELD Act—if the “private information” of any New York resident is subject to unauthorized access, both the individual that such data relates to and certain state agencies, including the New York Attorney General, must be notified. Some states, including New York, require notification to a regulator if even one individual’s information is compromised. Accordingly, firms that experience data breaches must engage in a complex legal analysis to determine whether notification requirements are triggered and what deadlines apply. Moreover, different states have a variety of different thresholds. For example, California requires that the Attorney General be notified if the “personal information” of more than 500 CA residents is compromised. Failure to timely notify the appropriate people under these statutes may lead to regulatory enforcement actions, statutory damages, and possibly class action lawsuits.
Does International Law Require Notification?
The data breach notification analysis is not simply a matter of domestic law. Depending on the information compromised and the nature of a law firm’s clients, foreign regulations with extraterritorial reach may trigger a duty to notify (including severe penalties for failure to do so). The most notorious example is the GDPR, the comprehensive data protection and privacy regulation of the European Union. Unlike many state breach notification statutes, the GDPR uses an extremely broad definition of “personal data” and requires a “risk of harm” analysis to determine whether individuals or regulators must be notified. If so, the law requires that relevant authorities be notified within 72 hours after discovery of the breach. The regulation provides for fines as high as €20 million or 4 percent of the total worldwide turnover of the preceding financial year, whichever is greater.
Do Risk Management Considerations Support Notification?
When we advise law firm clients on their ethical or fiduciary obligations, we often point out that there are things you must do and then there are things you probably should do. Those are not necessarily the same things. The gap between “must do” and “probably should do” is where “risk management” does its most important work. For example, a law firm that experiences a ransomware attack may conduct a thorough investigation, which is inconclusive as to whether client information was accessed or stolen. Could a law firm reasonably conclude that it has no duty to notify clients of the breach, under the foregoing authorities? Perhaps so. On the other hand, should the law firm notify clients of the data breach, while reassuring them that – after a thorough investigation – the firm has found no conclusive evidence that client information was compromised? Either option carries different risks. If the law firm chooses not to notify its clients, and they later discover that there was a breach, this will likely undermine the clients’ faith in the law firm. It could lead to embarrassing and costly litigation, loss of business, reputational harm, and possibly even disciplinary action. On the other hand, if the firm chooses to notify its clients, that could open up a can of worms better left closed. There is a chance the incident will never come to light, no one will ever be harmed, and no one will be wiser. Choosing between these two options is an important decision that will depend on the facts and circumstances, as well as the firm’s appetite for risk. Our one recommendation is not to make this important decision without getting advice from a trusted advisor outside the law firm.
Conclusion
Some experts predict that the Covid-19 pandemic will forever change the way that people work. Even after the crisis abates, many businesses, including law firms, may increasingly rely on remote work arrangements. In other words, we may all adjust to certain aspects of this “new normal” and may even come to prefer them (hopefully not the toilet paper hoarding). We must wait to see if that prediction comes true. Either way, law firms will certainly continue to rely on technology to share and store client information. That will require law firms, not only to take reasonable steps to minimize the risk of data breaches and similar incursions, but to promptly investigate any data breaches and notify clients if their confidential information has been compromised.
