Maine’s professional ethics commission recently clarified a lawyer’s duties in the event of a data breach or cyberattack, using the American Bar Association’s Formal Opinion No. 483 as guidance.
Like the ABA, Maine found that lawyers should take reasonable efforts to avoid a data breach and must notify clients whose “confidences or secrets are exposed,” but diverged from the ABA’s opinion on one point regarding notification requirements after a breach.
A lawyer’s obligation to provide competent representation includes legal and technological competence, if the lawyer relies on technology to provide legal services, the commission’s opinion said.
And there’s no excuse for technological incompetence, it said. “A baseline understanding of, and competence in, the technology used in the practice of law must be maintained by every lawyer.”
Another attorney obligation—to not reveal a client’s confidence or secret—is also implicated in the event of a data breach, the commission noted. If a data breach or cyberattack occurs and the attorney didn’t competently safeguard the information, the attorney may have violated this obligation.
Furthermore, a lawyer has to instruct and supervise law firm staff on their duties to safeguard client information against loss due to a data breach, the commission said.
Like the ABA, Maine’s commission found that once there’s a breach, a lawyer has to notify clients whose confidential information has been compromised but if differed from the ABA on what clients have to be informed.
In Maine, current and former clients have to be notified in the event of a data breach where confidences may have been exposed. The ABA doesn’t require an attorney to notify a former client if there’s been a breach.
“The duty of confidentiality survives the termination of the client-lawyer relationship,” it said, adding that “a former client is entitled to no less protection and candor than a current client in the case of compromised secrets and confidences.”
Clients don’t have to be notified if no confidential information has been compromised and their representation hasn’t been significantly impacted by the cyberattack, the commission said. In such a case, the lawyer may only have to take reasonable efforts to prevent a reoccurrence, it said.
But if the cyberattack could expose confidential information that presents a risk to public safety, a lawyer can tell third parties and disclose confidential information “in order to prevent reasonably certain substantial bodily harm or death,” it said.
The opinion is Me. Prof’l Ethics Comm’n, Op. No. 220, 4/11/2019.