Your firm’s computer network has been hacked and client data either exposed or likely exposed. What’s a law firm to do? The legal and regulatory reporting obligations are numerous, complex and are ignored at the firm’s peril, but ABA Formal Ethics Opinion No. 483 reminds lawyers that there are also independent ethical obligations triggered when a cyber-attack compromises confidential client information or incapacitates a law firm’s computers or network.
First and foremost, the duty of competence (Model Rule 1.1) “require[s] lawyers to understand technologies that are being used to deliver legal services to their clients … [and lawyers] must use and maintain those technologies in a manner that will reasonably safeguard property and information that has been entrusted to the lawyer.” (This obligation is discussed in depth in ABA Formal Ethics Opinion No. 477R (May 22, 2017) (Securing Communication of Protected Client Information).) Model Rules 5.1 and 5.3 impose an “obligation to safeguard and monitor the security of electronically stored client property and information.”
