In 2018, the American Bar Association Standing Committee on Ethics issued its Formal Opinion 18-483, which outlines a framework for when law firms are ethically obligated to notify clients of data breaches jeopardizing the security of their confidential information. In its ethics opinion, the ABA noted that law firms should employ reasonable efforts to monitor the security of their information, and advised lawyers to “act reasonably and promptly to stop the breach and mitigate damage from the breach.” Law firms should, as a matter of professional responsibility, have data breach plans in place in order to remediate cyber intrusions.
In addition, the committee wrote that, “an obligation exists for a lawyer to communicate with current clients about a data breach.” However, not all cyber episodes require client notification. While a cyber intrusion which does not gain access to client confidential information needn’t be disclosed, “disclosure will be required if material client information was actually or reasonably suspected to have been accessed, disclosed or lost in a breach.”
