What are a California lawyer's ethical duties to prevent and respond to a data breach involving confidential client information?
State Bar of California COPRAC Formal Opinion 2020-203: Data Breaches and Client Notice
Short answer: The opinion concludes that lawyers using electronic devices that contain or access confidential client information must assess the risks and take reasonable steps to secure those systems, and that after a breach they must investigate and notify any client whose interests have a reasonable possibility of being negatively impacted.
Disclaimer: This is an advisory ethics opinion. Advisory opinions are not binding; they interpret the State Bar of California's rules of professional conduct and are persuasive authority. This summary is for research purposes only and is not legal advice. Verify current rules before acting on any specific guidance.
About this page: The plain-English summary and Q&A below were written by Ezel based on the official opinion. The opinion text is reproduced at the bottom; the official source (linked) controls.
Plain-English summary
The opinion addresses what a California lawyer must do when an electronic device or system that contains or can access confidential client information is exposed to unauthorized third-party access. It works through four factual scenarios: a biometrically-secured laptop with remote wipe; a misplaced smartphone briefly out of the lawyer's possession; a firm-wide ransomware attack through a phishing email; and a hacker exploiting public Wi-Fi to access patent files. The committee applies California Rules 1.1, 1.4, 1.6, 5.1, 5.2, and 5.3, along with Business and Professions Code sections 6068(e) and 6068(m).
Per the opinion, the duty of competence and the duty to safeguard client confidences require lawyers to have a basic understanding of the benefits and risks of the technology they use, to learn where and how their devices are vulnerable, and to implement reasonable security measures responsive to those risks. The committee draws on ABA Formal Opinion 18-483 and the ABA Cybersecurity Handbook to describe a "process" standard: assess risks, identify and implement appropriate measures, verify they work, and update them as threats evolve. The opinion notes that law firms are frequent targets and that Rule 5.1 may require a managerial lawyer to prepare a written data-breach response plan.
On disclosure, the opinion holds that a data breach (defined per ABA 18-483 as the misappropriation, destruction, or compromise of material client information, or an episode that significantly impairs the lawyer's ability to render services) is a "significant development" that must be communicated to the client under Rule 1.4(a)(3) and Business and Professions Code section 6068(m). The trigger for disclosure is whether the client's interests have a "reasonable possibility of being negatively impacted." The opinion states that when in doubt, lawyers should assume their clients would want to know and err on the side of disclosure. Disclosure must be made as soon as reasonably possible, with the minimum disclosure being that there has been or is reasonably suspected to have been unauthorized access or disclosure of client information.
The opinion's four scenarios show the analysis applied: Attorney A (biometric laptop, remote wipe confirmed) has no duty to disclose; Attorney B (briefly misplaced smartphone, no evidence of access) is unlikely to be required to disclose; Law Firm C (ransomware with no client data accessed and no service impairment) has no duty to disclose; and Attorney D (confirmed unauthorized access of patent files through a fake Wi-Fi hotspot) must notify the client as soon as possible. The opinion expressly limits itself to current clients and does not decide the duty owed to former clients.
In practice
Under this opinion, the analysis turns on a fact-specific assessment rather than a categorical rule. The committee identifies the relevant factors as the technology in use, the security measures implemented, what is known about whether information was actually or potentially accessed, and the sensitivity of the information to the client. Per the opinion, the duty to make reasonable efforts to preserve confidential information is not strict liability and does not require lawyers to be "invulnerable or impenetrable." The committee further notes, citing Rule 5.1, that managerial lawyers may be required to establish internal policies and procedures and a written data-breach response plan.
The opinion holds that, under the California rules as they stood at the time of the opinion, disclosure to a client is required where unauthorized access to material client information is confirmed or reasonably suspected and the client's interests have a reasonable possibility of being negatively impacted. The opinion notes that lawyers and clients may differ on when disclosure is owed and that erring on the side of disclosure is the appropriate course where doubt exists.
Common questions
Q: Does California require a lawyer to notify a client every time a device is lost or stolen?
A: No. Per the opinion, a lost or stolen device only triggers a disclosure duty when the event qualifies as a data breach, defined as the misappropriation, destruction, or compromise of material client information or an event that significantly impairs the lawyer's ability to render services. The Attorney A scenario (biometric authentication and confirmed remote wipe) and the Attorney B scenario (smartphone briefly misplaced, no evidence of access) illustrate cases where no disclosure duty was triggered.
Q: What standard does the opinion apply to a lawyer's pre-breach security obligations?
A: A "reasonableness" standard, drawn from ABA Formal Opinion 18-483 and the 2017 ABA Cybersecurity Handbook. The opinion describes this as a process: assess risks, identify and implement appropriate security measures responsive to those risks, verify they are effectively implemented, and update them in response to new developments. The committee rejects bright-line requirements such as mandatory firewalls or passwords in favor of this fact-specific approach.
Q: When must the disclosure be made and what must it say?
A: As soon as reasonably possible. Per the opinion, the minimum disclosure required under Rule 1.4 is that there has been unauthorized access to or disclosure of client information, or that unauthorized access or disclosure is reasonably suspected. Lawyers must advise the client of the known or reasonably ascertainable extent to which information was accessed or disclosed. The opinion notes that the lawyer may take reasonable time, through a security expert, to ascertain the nature and extent before communicating.
Q: Does the opinion impose duties on managerial and supervisory lawyers specifically?
A: Yes. Rule 5.1(a) requires lawyers with managerial authority to make reasonable efforts to ensure firm-wide compliance, which the opinion holds includes establishing internal policies and procedures to protect confidential information and monitoring technology and external data sources. Rule 5.1(b) applies to supervisory lawyers and Rule 5.3 extends these principles to nonlawyer staff. The opinion notes that subordinate lawyers retain an independent duty under Rule 5.2 not to blindly follow unreasonable firm rules.
Q: Does the opinion address the duty to notify former clients of a data breach?
A: No. The committee expressly limits the opinion to current clients and notes that ABA Formal Opinion 18-483 declined to impose a duty under the Model Rules, while Maine Opinion 220 (April 11, 2019) reached the opposite conclusion under Maine Rule 1.9. The opinion observes that data privacy laws, common-law duties of care, and contractual arrangements may give rise to such a duty.
Background and rules framework
The opinion interprets California Rules of Professional Conduct 1.1 (competence), 1.4 (communication), 1.6 (confidentiality), 5.1 (managerial responsibilities), 5.2 (subordinate lawyers), and 5.3 (nonlawyer assistants), together with Business and Professions Code sections 6068(e) (duty to maintain client secrets) and 6068(m) (duty to keep clients reasonably informed of significant developments). The opinion also references Civil Code section 1798.82 (California breach-notification law) as one source of notice obligations external to the ethical rules.
The committee draws on ABA Formal Opinion 18-483 (Lawyer's Obligations After an Electronic Data Breach or Cyberattack) for its operative standards, and treats two earlier California opinions as foundational: Formal Opinion 2010-179 (laptops on public and home Wi-Fi) and Formal Opinion 2015-193 (e-discovery and technology competence). The opinion notes that, at the time of publication, the Board of Trustees had adopted for submission to the California Supreme Court a new Comment [1] to Rule 1.1 stating that competence includes "the benefits and risks associated with relevant technology."
Citations and references
Rules of Professional Conduct:
- California Rule 1.1 (competence)
- California Rule 1.4 (communication; specifically 1.4(a)(3) and 1.4(b))
- California Rule 1.6 (confidentiality)
- California Rules 5.1, 5.2, 5.3 (managerial, subordinate, and nonlawyer supervision)
- Comment [8] to ABA Model Rule 1.1 (technology-competence comment)
Statutes:
- California Business and Professions Code section 6068(e)
- California Business and Professions Code section 6068(m)
- California Civil Code section 1798.82 (breach-notification law)
- HIPAA and EU General Data Protection Regulation (referenced as external notification sources)
Other opinions cited:
- ABA Formal Op. 18-483: lawyer's obligations after an electronic data breach
- ABA Formal Op. 95-398: notice to clients of unauthorized disclosure
- Cal. State Bar Formal Op. 2010-179: confidentiality of client information on laptops accessing public Wi-Fi
- Cal. State Bar Formal Op. 2012-184: virtual law office and confidentiality duties
- Cal. State Bar Formal Op. 2015-193: ethical duties in e-discovery
- Cal. State Bar Formal Op. 2019-197: conflict of interest after lawyer error
- New York State Bar Op. 842 (2010): data breach of a cloud storage provider
- Maine Professional Ethics Commission Op. 220 (April 11, 2019): cyberattack and former-client notification
See also
- CA COPRAC Op. 2023-208: Remote-Practice Ethics
- NYSBA Op. 1295: Conflicts, Advertising, Trust Account
- NYC Bar Op. 2025-6: AI Recording and Transcription
Source
- Landing page: https://www.calbar.ca.gov/legal-professionals/ethics-compliance-practice-resources/ethics/ethics-opinions
- Original PDF: https://www.calbar.ca.gov/sites/default/files/portals/0/documents/ethics/Opinions/Formal-Opinion-No-2020-203-Data-Breaches.pdf
Original opinion text
Reproduced from the official source for research purposes. The linked source is authoritative.
THE STATE BAR OF CALIFORNIA
STANDING COMMITTEE ON PROFESSIONAL RESPONSIBILITY AND CONDUCT
FORMAL OPINION NO. 2020-203
ISSUE: What are a lawyer's ethical obligations with respect to unauthorized access by third persons to electronically stored confidential client information in the lawyer's possession?
DIGEST: Lawyers who use electronic devices which contain confidential client information must assess the risks of keeping such data on electronic devices and computers, and take reasonable steps to secure their electronic systems to minimize the risk of unauthorized access. In the event of a breach, lawyers have an obligation to conduct a reasonable inquiry to determine the extent and consequences of the breach and to notify any client whose interests have a reasonable possibility of being negatively impacted by the breach.
AUTHORITIES INTERPRETED: Rules 1.1, 1.4, 1.6, 5.1, 5.2, and 5.3 of the Rules of Professional Conduct of the State Bar of California. Business and Professions Code sections 6068(e) and 6068(m). Civil Code section 1798.82.
INTRODUCTION
Data breaches resulting from lost, stolen or hacked electronic devices and systems are a reality
in today's world. There are important ethical concerns when data breaches happen to lawyers
and law firms since such events may involve the potential loss of, or unauthorized access to,
confidential client information and, thus, may require a lawyer to take certain remedial steps
to protect the client.
In Cal. State Bar Formal Opn. No. 2015-193, the Committee on Professional Responsibility and
Conduct ("Committee") discussed lawyers' ethical obligations when dealing with e-discovery. In
Cal. State Bar Formal Opn. No. 2010-179, the Committee discussed ethical issues that arise
when a lawyer accesses confidential client information on a laptop over public Wi-Fi or a home
Wi-Fi network. In both opinions, the Committee adopted an approach that posed questions
lawyers should consider in order to comply with the duties of competence and confidentiality.
In light of ever-changing technology, the Committee concluded that an ongoing engagement
with that evolving technology in the form of security issues to consider and reconsider was
preferable to a "bright line" or categorical approach.
This opinion extends that analysis to a broad range of cyber risks associated with the use of
electronic devices and systems that contain confidential client information and connect to the
internet and, thus, are theoretically accessible to anyone with an internet connection.
STATEMENT OF FACTS
Attorney A
Attorney A's laptop is stolen. Attorney A did not store confidential client information on the
laptop, but only used the laptop to access such information remotely. Also, the laptop could not
be accessed without biometric authentication. Attorney A's law firm also installed software on
the laptop that allowed it to be remotely locked down and erased. As soon as Attorney A
realizes that the laptop has been stolen, Attorney A contacts law firm's IT department and
receives confirmation almost immediately that the laptop has been located, locked down, and
wiped clean.
Attorney B
At the end of a busy day, Attorney B realizes that Attorney has lost Attorney's smartphone.
Attorney B regularly uses the smartphone to email and text clients and to access certain
practice management software applications related to clients. The smartphone is only
protected by a 4-character password and not any biometric security system. Attorney B does
not have any software installed on the smartphone that allows it to be remotely tracked, locked
down, and/or wiped clean.
Before going to bed, Attorney B remembers that Attorney left the smartphone in a tote bag at
the restaurant where Attorney had dinner with a friend. Attorney B immediately calls the
restaurant, but it is closed. Attorney B goes to the restaurant when it opens the next morning
and retrieves Attorney's bag and smartphone which, the manager tells Attorney, was locked in
a cabinet overnight. Nothing appears to be missing and the smartphone is still in the pocket of
the bag where Attorney had left it.
Law Firm C
Law Firm C is a four-member firm specializing in corporate law. Law Firm's receptionist
routinely receives emails sent to the firm (rather than to a specific attorney or staff member)
and routes them to the appropriate person. Just before the end of the business day, the
receptionist receives an email from a business purporting to be Law Firm's IT provider. The
email looked entirely genuine and asked the receptionist to click on the attachment to allow
the firm to do routine maintenance on Law Firm's server. Receptionist did so which resulted in
ransomware being installed on Law Firm's network, immediately locking up the Law Firm's
computers, and displaying a message demanding that a sum of money be transferred
electronically by cryptocurrency to unlock Law Firm's computers. Law Firm C pays the ransom
and regains access to its data. In consultation with security experts, Law Firm C determines that
no client information was accessed and none of the matters being handled by Law Firm are
negatively impacted by the delay.
Attorney D
Attorney D is outside counsel for a life sciences technology company ("Company") for whom
Attorney has been working on obtaining several very important patents. While on vacation,
Attorney D goes to a coffee shop to check personal and work emails. Attorney D's laptop is not
encrypted. Instead of using a virtual private network or personal hotspot to connect to the
internet, Attorney accesses the shop's public Wi-Fi network. Unknown to patrons or coffee
shop staff, a hacker has set up a fake internet portal that resembles the one provided by the
coffee shop. Attorney D does not realize that Attorney actually logged on to that fake Wi-Fi
network.
Attorney D returns to the same coffee shop the next day and notices a sign warning patrons
about the fake Wi-Fi. After returning to the office the following week, Attorney D has the law
firm's technology team examine the laptop. The technology team concludes that someone had
accessed certain files on the laptop related to Company's patents while Attorney D was
connected to the fake Wi-Fi network. Since Attorney D did not review those files on that day, it
appears reasonably likely that an unauthorized user had done so.
DISCUSSION
A. Duty of Competence and Confidentiality
The duty of competence (rule 1.1) and the duty to safeguard clients' confidences and secrets
(rule 1.6 and Bus. & Prof. Code, § 6068(e)) require lawyers to make reasonable efforts to
protect such information from unauthorized disclosure or destruction. The threshold
requirement is for lawyers to have a basic understanding of the "benefits and risks associated
with relevant technology." Cal. State Bar Formal Opn. No. 2015-193; see also Comment [8] to
ABA Model Rule 1.1. This general principle requires lawyers to have a basic understanding of
the risks posed when using a given technology and, if necessary, obtain help from appropriate
technology experts on assessing those risks and taking reasonable steps to prevent data
breaches which potentially can harm clients. The threshold obligation to understand the risks
is satisfied by learning where and how confidential client information is vulnerable to
unauthorized access. This inquiry must be made with respect to each type of electronic device
or system as they have been or are incorporated into the lawyer's practice.
For example, computer systems can be breached by inadvertently clicking on a link in a
seemingly legitimate "phishing" email or text message or by installing an unvetted software
application which can install malicious software on the system. Portable electronic devices can
be accessed if security precautions, such as passwords, are disabled or inadequate. Data on a
laptop computer can be accessed if the laptop is connected to a public or other inadequately
secured network and if the data is not properly protected. And the threats vary and widen as
data thieves develop their attack strategies and as technologies develop. Thus, lawyers must
understand how their particular use of electronic devices and systems pose risks of
unauthorized access, they must be knowledgeable about the options available at any given
point in time to minimize those risks (including how best to store or control access to said
information), and they then must implement reasonable security measures in light of the risks
posed. In addition, because law firms are frequent targets, law firms should consider whether
rule 5.1 requires law firms to prepare a data breach response plan so that all stakeholders know
how to respond when a breach occurs.
ABA Formal Opn. No. 18-483 (Lawyer's Obligations After an Electronic Data Breach or
Cyberattack) provides a useful list of competence-based duties that explain the requirement of
"reasonable efforts" in addressing the potential for inadvertent disclosure of confidential client
information due to a data breach:
- The obligation to monitor for a data breach: "lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data." Id. at p. 5.
- When a breach is detected or suspected, lawyers must "act reasonably and promptly to stop the breach and mitigate damage resulting from the breach." Id. at p. 6. A preferable approach is to have a data breach plan in place "that will allow the firm to promptly respond in a coordinated manner to any type of security incident or cyber intrusion." Id. at p. 6.
- Investigate and determine what happened: "Just as a lawyer would need to assess which paper files were stolen from the lawyer's office, so too lawyers must make reasonable attempts to determine whether electronic files were accessed, and if so, which ones. A competent attorney must make reasonable efforts to determine what occurred during the data breach." Id. at p. 7.
The duty to make reasonable efforts to preserve confidential client information does not create
a strict liability standard nor does the duty "require the lawyer to be invulnerable or
impenetrable." ABA Formal Opn. No. 18-483 at p. 9. The precise nature of the security
measures that attorneys are expected to take depends on the circumstances. But, as the ABA
has noted, "a legal standard for 'reasonable' security is emerging. That standard rejects
requirements for specific security measures (such as firewalls, passwords, or the like) and
instead adopts a fact-specific approach to business security obligations that requires a 'process'
to assess risks, identify and implement appropriate security measures responsive to those risks,
verify that the measures are effectively implemented, and ensure that they are continually
updated in response to new developments." Id. (quoting from the 2017 ABA Cybersecurity
Handbook at p. 73).
"Reasonable efforts" are those which are reasonably calculated under the circumstances to
minimize particular identified risks. For example, when law firm personnel work on client
matters remotely, the law firm must ensure that all data flowing to and from those remote
locations and the firm's servers or cloud storage is adequately secured. The particular method
or methods selected (VPN, encryption, etc.) will reflect the firm's due consideration of the risks,
the relative ease of use of different security precautions, time that would have to be spent
training staff, and the like. Some security precautions are so readily available and user-friendly
(such as the ability to locate and lock down portable devices in the event of loss or theft), that
failure to implement them could be deemed unreasonable. Others will require a deeper
assessment.
Finally, in law firms with subordinate lawyers, the lawyers with management or supervisory
responsibilities should be aware of their obligations under rules 5.1 and 5.3. Rule 5.1(a)
requires lawyers with "managerial authority in a law firm [to] make reasonable efforts to
ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the
firm comply with these rules and the State Bar Act." Thus, lawyers with managerial authority
within a law firm must make a reasonable effort to establish internal policies and procedures
designed to protect confidential client information from the risk of inadvertent disclosure and
data breaches as a result of technology use, which includes monitoring the use of technology
and office resources connected to the internet and external data sources. ABA Formal Opn. No.
18-483. The law firm should also consider whether they are required to proactively establish
protocols for responding to and addressing potential data breaches. Rule 5.1(b) requires
supervisory attorneys to ensure that subordinate attorneys within the firm comply with the
rules and policies and procedures established by the firm. And rule 5.3 makes these principles
applicable to non-lawyer staff.
Thus, part of the risk assessment process should include reasonable efforts to ensure that all
firm members appreciate the risks involved in keeping confidential client information on
electronic systems and the steps that the firm's managers have implemented to minimize the
risk of unauthorized disclosure. Because the risk-assessment process is on-going, particularly
with the introduction of new technologies and new threats, this duty would require managers
and supervisors to establish ongoing and evolving protective measures with respect to the use
of the firm's technology, to regularly monitor the same, and to keep subordinate lawyers and staff
up to date as new measures are implemented.
However, under rule 5.2, subordinate lawyers have independent ethical obligations to protect
confidential client information as part of their duty of competence. Thus, subordinate lawyers
should not blindly follow firm technological rules that are unreasonable or rely on the absence
of a firm rule where there should be one. See Comment to rule 5.2.
B. Duty of Disclosure
Rule 1.4(a)(3) and Business and Professions Code section 6068(m) require attorneys to keep
their clients "reasonably informed about significant developments" relating to the attorney's
representation of the client. Neither rule nor case law defines what events qualify as
"significant." (See, e.g., Tuft et al., Cal. Practice Guide: Professional Responsibility (The Rutter
Group 2018) Ch. 6-B, § 6:128, acknowledging that what is "significant" under these provisions
varies with each client's needs and the nature of the representation.) Nevertheless, the
relevant authorities have uniformly concluded that the misappropriation, destruction, or
compromising of confidential client information, or a cyber breach that has significantly
impaired the lawyer's ability to provide legal services to clients, is a "significant development"
that must be communicated to the client. See, e.g., ABA Formal Opn. No. 18-483 at p. 10; New
York State Bar Association Ethics Opn. No. 842 (2010) (involving a data breach of a cloud
storage provider); ABA Formal Opn. No. 95-398.
ABA Formal Opn. No. 18-483 describes a "data breach" as a "data event where material client
confidential information is misappropriated, destroyed, or otherwise compromised, or where a
lawyer's ability to perform the legal services for which the lawyer is hired is significantly
impaired by the episode." ABA 18-483 at p. 4. Thus, not all events involving lost or stolen
devices, or unauthorized access to technology, would necessarily be considered a data breach.
Consistent with their obligation to investigate a potential data breach, however, lawyers and
law firms should undertake reasonable efforts, likely through the use of individuals with
expertise in such investigations, to ascertain, among other things, the identity of the clients
affected, the amount and sensitivity of the client information involved, and the likelihood that
the information has been or will be misused to the client's disadvantage. This will assist in
determining whether there is a duty to disclose. If the lawyer or law firm is unable to make such
a determination, the client should be advised on that fact. Id. at p. 14.
Lawyers and clients may also differ as to what events would trigger the duty to disclose. The
key principle, however, in considering whether the event rises to the level of a data breach, is
whether the client's interests have a "reasonable possibility of being negatively impacted." ABA
18-483 at p. 11. Certainly disclosure is required in situations where a client will have to make
decisions relevant to the breach, such as the need to take mitigating steps to prevent or
minimize the harm, or to analyze how the client's matter should be handled going forward in
light of a breach. When in doubt, lawyers should assume that their clients would want to know
and should err on the side of disclosure.
C. If Disclosure to Clients is Required, When and What Must be Disclosed?
In all cases involving a data breach, disclosure to clients must be made as soon as reasonably
possible so that the affected clients can take steps to ameliorate the harm. For example,
affected clients might want or need to change passwords and modify or delete online accounts.
However, it may be reasonable for the lawyer, through the use of a security expert, to attempt
to ascertain the nature and extent of the potential breach prior to communicating this
information to the client. The more that is known related to the breach, including exactly what
information might have been accessed, the better the response plan. Given the obligation to
preserve client confidences, secrets and proprietary information, it is appropriate to assume that
reasonable clients would want to be notified if any of that information was acquired or
reasonably suspected of being acquired by unauthorized persons.
With respect to the details of a required disclosure, the attorney "shall explain a matter to the
extent reasonably necessary to permit the client to make informed decisions" as to what to do
next, if anything. (Rule 1.4(b)). "In a data breach scenario, the minimum disclosure required to
all affected clients under Rule 1.4 is that there has been unauthorized access to or disclosure of
its information, or that unauthorized access or disclosure is reasonably suspected of having
occurred. Lawyers must advise clients of the known or reasonably ascertainable extent to which
client information was accessed or disclosed." ABA 18-483 at p. 14.
Lawyers may also have notification obligations under Civil Code section 1798.82 and federal
and international laws and regulations such as HIPAA and the EU General Data Protection
Regulation.
D. The Factual Scenarios
Although Attorney A's laptop is stolen and it could be used to access confidential client
information, the risk of unauthorized access to such information was mitigated by Attorney A
and law firm's policies for addressing these types of cyber risks. First, Attorney A did not store
confidential client information on the laptop, but only used the laptop to access such
information remotely. Second, Attorney A had a biometric security system on the laptop
reducing the chances that it could be hacked by an unauthorized user. Third, Attorney A's law
firm had the ability to quickly and easily locate, lock, and wipe clean the laptop, almost
guaranteeing that there was no unauthorized access to any confidential client information.
Under these facts, where there is no evidence of unauthorized access or harm, Attorney A
would not have a duty to disclose to any client the fact that Attorney lost the laptop.
Attorney B's temporary loss of a smartphone, under these circumstances, is unlikely to be
considered a data breach, particularly if Attorney B can obtain assurances from the restaurant
owner/staff that only the restaurant had access to it and that no one accessed the phone's
contents after Attorney B left. Because it does not appear that the data on Attorney B's phone
was misappropriated, destroyed, or compromised, the temporary loss of the phone is unlikely
to constitute a significant development and no duty to disclose would likely be triggered.
Under these circumstances, however, Attorney B and Attorney B's law firm should consider
whether it should require all law firm attorneys to have stronger passwords, or use biometric
security systems on firm issued smartphones, or if the law firm should prohibit their attorneys
from accessing client data, including emails, on the attorneys' personal smartphones. The firm
should also consider requiring all smart phones used for firm matters to have software installed
to locate, lock, and wipe devices if they are lost or stolen, and specific protocols for managing
such scenarios. Next time, Attorney B may not be so confident in Attorney's assessment that no
client data was accessed, particularly if the phone is one day stolen. For example, it is possible
that Attorney B's cell phone provider could have locked down the phone remotely, but
Attorney B did not consider this option or look to the law firm for advice on handling this
situation. Finally, when electronic devices are temporarily lost or misplaced, the law firm should
consider whether its policies should include requiring its IT team to examine those devices once
the device is recovered in order to determine whether any unauthorized access took place.
The situation of Law Firm C involves a common entry point for hackers: malware attached to a
seemingly legitimate email, also referred to as "phishing." Given the ubiquity of this method of
gaining access, solo practitioners and firms must consider implementing reasonable
precautions, such as staff and attorney trainings warning of this risk and protocols for handling
incoming emails. Law Firm C has certainly been inconvenienced by the cyber breach, but the
firm has confirmed that none of its clients were actually or potentially harmed because no
confidential client information was accessed, and the short delay did not impair the firm's
attorneys from continuing to provide necessary legal services to its clients. Therefore, the firm
would not be required to disclose the incident. On the other hand, if the consultant could not
preclude actual or potential unauthorized access, a risk of client harm remains and disclosure
would be required.
Attorneys who keep confidential information on their devices ought to be aware that accessing
public Wi-Fi or other unsecure networks may open another access point for hackers. This is
illustrated by Attorney D's exposing confidential information to anyone with the ability to
electronically "eavesdrop" on the Attorney's keystrokes. Attorneys who work on client matters
remotely must consider the risks of harm and take reasonable precautions, as discussed above,
to prevent unauthorized disclosure. Cal. State Bar Formal Opn. No. 2010-179 at p. 6 (discussing
the use of a laptop in unsecured and secured settings). Attorney D's failure to secure their
online communications exposed confidential information to a hacker and it is unknown if, or to
what extent, the hacker would or could use such information. It is this Committee's view that
Attorney D risked violating the duties of confidentiality and competence by using a public
wireless connection without taking appropriate precautions, such as the use of encryption, a
VPN or other protective measures. (Cal. State Bar Formal Opn. No. 2010-179.)
Since the law firm was able to confirm the unauthorized access of confidential client
information, Attorney D and the law firm must notify the client, Company, as soon as possible.
Although it is unknown if or how the hacker might use the information, because of the sensitive
nature of the information to Company's business, the misappropriation would constitute a
significant development and require appropriate notice to the client. "[D]isclosure will be
required if material client information was actually or reasonably suspected to have been
accessed, disclosed or lost in a breach." ABA 18-483 at p. 14.
Once a disclosure is made, Attorney D and the law firm can evaluate with Company the
likelihood that the information will be used by the hacker and may decide to speed up the timeline
for obtaining the relevant patents related to the information that was inadvertently disclosed
to mitigate potential harm. Of course, the event would also require Attorney D and the law
firm to take appropriate remedial steps in terms of evaluating the firm's policies related to
attorneys' accessing firm devices from unsecured locations. It should also consider reinforcing
policies requiring attorneys to promptly address any irregularities or suspicions related to
potential data breaches with the firm's technology officers as soon as they are discovered.
CONCLUSION
The use of computers and portable electronic devices by lawyers is now ubiquitous and has
increased the risk of confidential client information being accessed by unauthorized
users. Lawyers must assess the risks involved in the use of electronic devices and systems that
contain, or access, confidential client information and take reasonable precautions to ensure
that that information remains secure. This duty extends to law firms whose managers must
make a reasonable effort to establish internal policies and procedures designed to protect
confidential client information from the risk of inadvertent disclosure and data breaches as a
result of technology use, to monitor such use, and to stay abreast of current trends and risks.
The creation of a data breach response plan may also be required to identify the risks posed to
the firm's then-current use of technology and feasible precautions.
This opinion is issued by the Standing Committee on Professional Responsibility and Conduct of
the State Bar of California. It is advisory only. It is not binding upon the courts, the State Bar of
California, its Board of Trustees, any persons, or tribunals charged with regulatory
responsibilities, or any licensee of the State Bar.