ABA 2018-10-17

After a hacker or data breach exposes client information, what does a lawyer have to do, and must clients be told?

Short answer: The opinion concludes that when a breach involves, or is substantially likely to involve, material client confidential information, the lawyer must notify affected current clients and take other reasonable steps: competently monitoring for breaches, acting promptly to stop and remediate the breach, and determining what happened. The duty to notify current clients rests on Rule 1.4.

Disclaimer: Advisory only. Not binding precedent.

About this page: The plain-English summary, reader guidance, and Q&A below were written by Ezel based on the official ethics opinion. The original opinion (linked at the bottom of this page, or PDF in the sidebar) is the authoritative source for any reliance.

View original ethics opinion (PDF)

ABA Formal Opinion 483: Obligations After a Data Breach or Cyberattack

Short answer: The opinion concludes that when a data breach occurs involving, or having a substantial likelihood of involving, material client confidential information, lawyers have a duty to notify affected clients of the breach and to take other reasonable steps consistent with the Model Rules, including competently monitoring for breaches, acting promptly to stop and remediate the breach and restore systems, and making reasonable efforts to determine what occurred.

Disclaimer: This is an advisory ethics opinion. Advisory opinions are not binding; they interpret the American Bar Association's Model Rules of Professional Conduct and are persuasive authority. This summary is for research purposes only and is not legal advice. Verify current rules before acting on any specific guidance.

About this page: The plain-English summary and Q&A below were written by Ezel based on the official opinion. We do not reproduce the opinion text on this page; follow the linked source for the official text, which controls.

Plain-English summary

The opinion addresses what a lawyer must do before and after an electronic data breach or cyberattack that compromises client information. It builds on Formal Opinion 477R, which described a lawyer's duty to use reasonable efforts when handling client information electronically, and extends that analysis to the post-breach setting.

The opinion grounds the duties in competence and confidentiality. Under Rule 1.1 and Comment [8], lawyers must keep abreast of the benefits and risks of relevant technology and use it to safeguard client information. From that, together with the supervisory duties in Rules 5.1 and 5.3, the opinion derives an obligation to monitor for breaches: "just as lawyers must safeguard and monitor the security of paper files and actual client property, lawyers utilizing technology have the same obligation to safeguard and monitor the security of electronically stored client property and information." It explains that a violation does not necessarily occur simply because an undetected intrusion happens, because criminals can hide intrusions despite reasonable efforts; the concern is a failure to make reasonable efforts.

When a breach is suspected or detected, the opinion holds that "Rule 1.1 requires that the lawyer act reasonably and promptly to stop the breach and mitigate damage," and then restore systems consistent with the Rule 1.6(c) duty to make reasonable efforts to prevent unauthorized disclosure or access. The opinion frames Rule 1.6 as a reasonable-efforts standard rather than strict liability: "Rule 1.6 is not violated even if data is lost or accessed if the lawyer has made reasonable efforts to prevent the loss or access." It also requires the lawyer to make reasonable efforts to determine what happened, so any client disclosure is accurate.

On notice, the opinion rests the duty on Rule 1.4: "when a data breach occurs involving, or having a substantial likelihood of involving, material client confidential information a lawyer has a duty to notify the client of the breach." The minimum content is "that there has been unauthorized access to or disclosure of their information, or that unauthorized access or disclosure is reasonably suspected of having occurred," along with the known or reasonably ascertainable extent, and there is a continuing duty to keep the client apprised of material developments. As to former clients, the opinion declines to impose a notice requirement as a matter of ethics absent a black-letter rule, while pointing to Rule 1.16(d) and encouraging agreements about handling information and record-retention schedules.

In practice

Under this opinion, a lawyer must take reasonable steps to guard against and watch for breaches of electronically stored client information, and when a breach exposes (or is substantially likely to expose) material client confidential information, must act on it. The opinion holds that the lawyer must promptly work to stop the breach, mitigate the damage, restore operations, and make reasonable efforts to determine what was accessed or lost. It holds that affected current clients must be notified under Rule 1.4, with the notice stating that unauthorized access or disclosure occurred or is reasonably suspected and describing the known extent, and that the lawyer must keep the client updated on material developments. The opinion treats Rule 1.6 as a reasonable-efforts standard, so loss of data despite reasonable efforts is not itself a violation, and it does not require notice to former clients as a matter of ethics.

Common questions

Q: If my firm gets hacked and client files are exposed, do I have to tell the clients?

A: Per the opinion, yes, for affected current clients. When a breach involves, or is substantially likely to involve, material client confidential information, Rule 1.4 requires notifying the client of the breach.

Q: Am I automatically in violation if a breach happens?

A: The opinion says no. Rule 1.6 is a reasonable-efforts standard, not strict liability, so a breach despite reasonable efforts to prevent it is not itself a violation; the concern is a failure to make reasonable efforts.

Q: What does the breach notice have to say?

A: The opinion says the minimum is that there has been, or is reasonably suspected to have been, unauthorized access to or disclosure of the client's information, along with the known or reasonably ascertainable extent, and that the lawyer must keep the client informed of material developments.

Q: Do I have to notify former clients too?

A: The opinion declines to require notice to former clients as a matter of legal ethics absent a black-letter rule, while pointing to Rule 1.16(d) and encouraging agreements about handling information and retention schedules.

Background and rules framework

The opinion interprets Model Rule 1.1 (competence, including technology competence under Comment [8]), Model Rule 1.6 (confidentiality, including the 1.6(c) reasonable-efforts duty and Comment [18] factors), and Model Rule 1.4 (communication, the basis for the duty to notify current clients). It applies the supervisory duties of Model Rules 5.1, 5.2, and 5.3, Model Rule 1.9(c) (former-client information), Model Rule 1.15 (safeguarding property), Model Rule 1.16(d) (return of property on termination), and Model Rule 8.4(c) (honesty in disclosure).

Citations and references

Rules of Professional Conduct:

ABA Model Rule 1.1 (competence; technology), 1.6 (confidentiality; 1.6(c))
ABA Model Rule 1.4 (communication; duty to notify clients)
ABA Model Rule 5.1, 5.3 (supervision), 1.9(c) (former clients)
ABA Model Rule 1.15 (safekeeping), 1.16(d) (return of property), 8.4(c) (honesty)

Other opinions cited:

ABA Formal Op. 477R (2017): securing communication of protected client information
ABA Formal Op. 482 (2018): client files in disasters
ABA Formal Op. 95-398 (1995): access of nonlawyers to a lawyer's data

Source

Landing page: ABA Formal Ethics Opinions index
Original PDF: aba-formal-op-483.pdf