1.2 Potential Consequences and Liability for Law Firms from a Data Breach

A cybersecurity incident can cause serious trouble for a law firm, including lawsuits, ethical violations, negative publicity, reputational damage, regulatory fines, and/or disgruntled clients. On top of that, there is the cost of any necessary forensic investigation and breach notification, as well as the potentially tremendous amount of valuable attorney time lost. This section surveys some potential consequences and sources of liability when a law firm is the victim of a data breach.

1.2.1 Ethical Violations May Result from a Cyber Breach

1.2.a Privilege and Confidentiality

Inadequate data security or protection of privacy arguably constitutes a failure to fulfill a law firm's duty of confidentiality. Under Rule 1.6 of the ABA Model Rules of Professional Conduct, "a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent."19 Lawyers must "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."20

Rule 1.6(c), however, does not address whether attorneys have to tell their clients about a data breach. The law governing lawyers suggests that lawyers must self-report a breach in which client data is exposed if the breach results from the lawyers' negligence.21 Professor Benjamin Cooper, in discussing Rule 1.6, Rule 1.4 (communications with the client), and the fiduciary law governing the lawyer-client relationship, states: "If the lawyer's conduct of the matter gives the client a substantial malpractice claim against the lawyer, the lawyer must disclose that to the client."22

Indeed, the ABA Model Rule is written broadly enough that it likely requires disclosure of a breach even if the lawyer did not personally act negligently in exposing the data. Further, various doctrines of secondary liability mean attorneys can be held liable for malpractice due to negligent defects in information security systems caused by subordinate employees.23 Thus, even if an IT employee at a law firm negligently caused or allowed a security breach through which a client was harmed, the client could have a viable malpractice claim against the lawyers and firm responsible for managing that IT employee, such that the lawyers likely would be required to disclose the breach to the client.24

In this regard, Model Rule 5.3, governing law firm responsibilities related to nonlawyers, suggests that attorneys may be liable for ethical violations by their subordinate IT personnel:

A lawyer shall be responsible for conduct of such a person that would be a violation of the Rules of Professional Conduct if engaged in by a lawyer if:
1. the lawyer orders or, with the knowledge of the specific conduct, ratifies the conduct involved; or
2. the lawyer is a partner or has comparable managerial authority in the law firm in which the person is employed, or has direct supervisory authority over the person, and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.25

Ignorance of IT personnel's negligent actions likely will not be a successful defense against a claim for failing to disclose a law firm data breach, given the requirements of Rule 1.6 discussed earlier,26 as well as the further requirement of Rule 5.3 that "a lawyer having direct supervisory authority over the non-lawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer."27

Examining these two rules in conjunction, it is clear that lawyers in a managerial position at a law firm must oversee IT personnel action regarding client data, and make sure those actions are compatible with the professional obligations of the lawyer, to avoid possible ethics violations. As Professor Cooper has observed, "firms have a duty under Rules 1.1 and 1.6 to effectively protect their clients' information. If a firm is negligent in carrying out that duty because it has been lax with its security, and that resulted in client files being disclosed, it is potentially a problem."28 Even if a firm has a very good security system, he states, "the attorney absolutely has a duty to inform clients under 1.4 that their confidential information has been compromised."29

Accordingly, a strong30 security program may help shield a firm from an ethics violation caused by not appropriately protecting client data, and it may help them defend against a negligence charge, but it has no impact on an attorney's ethical requirement to inform clients of security incidents. A good security program does, however, reduce the likelihood that such a painful conversation will have to take place.

1.2.b Competence

Inadequate cybersecurity systems can also raise competence issues. Model Rule 1.1 requires that a "lawyer shall provide competent representation to a client."31 "Competent representation" means "the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation."32 The ABA recently amended Comment 8 to Model Rule 1.1 to emphasize that "a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology"33 (added language indicated by italics).

Furthermore, the ABA published Resolution 109 in 2015, calling for firms to "develop, implement, and maintain an appropriate cybersecurity program."34 The ABA's adopted resolution encourages firms to "create cybersecurity programs that are tailored to the nature and scope of the [firm] and the information to be protected."35 The resolution also encourages firms to regularly conduct threat assessments, "create controls based upon these assessments, create response plans for possible cyber-attacks, and establish relationships and share information with external organizations, where appropriate, as a method of addressing the problem of cyber-attacks."36

Based on Comment 8 and Resolution 109, adequate cybersecurity protection now appears to be a material part of the "skill, thoroughness and preparation" expected from competent legal counsel. Thus, in the event of a data breach, law firms may face liability and sanction for breach of the ethical duty of competence, in addition to any other ethical violations or legal claims against the law firm related to the disclosure of confidential information.

1.2.2 Lawsuits Brought by Clients

Law firms that are victims of cyber breaches can be held liable for a number of common law claims brought by clients whose data was exposed. Possible causes of action include malpractice, negligence, breach of fiduciary duty, and fraud. Although case law regarding law firm data breaches is sparse, attorneys now may have a greater duty of care with respect to information security than in the past, in light of the abundance of recent data breaches and the ABA's recent comments and resolutions.37

Since the late 19th century, attorneys have been held to what courts have described as an "ordinary" standard of care in representing their clients.38 In other words, as it is frequently expressed, an attorney must exercise that degree of care, skill, and diligence which is commonly possessed and exercised by attorneys in practice in the jurisdiction.39 As the recent comments to the ABA Model Rules and Resolution 109 suggest, "ordinary care" for attorneys now seems to include some degree of care with respect to information security. Attorneys should proceed...
