This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.

bubbagump

All Posts
| 1 minute read

The Risk of Data Breaches

featured image

Get in touch

Avatar

Get in touch

Avatar

With droves of confidential information and a potential lack of technical sophistication, law firms are a key target for bad actors looking to access and monetize sensitive information, through phishing emails, wire transfer scams, and other illicit means.  Once such method is the ransomware attack – in which a third party obtains access to a firm’s network or data and threatens to expose it or delete it unless the firm pays a ransom.  Unlike in movies or on television, these scammers rely primarily on human frailty or ignorance, rather than on super-genius computer hacking skills.  In many cases, an employee will receive a legitimate looking email, click on a link, and follow instructions to enter a password or some other key information.  In doing so, the employee unwittingly provides the scammer with enough information to penetrate the firm’s systems and gain control.

There are best practices that law firms should implement to guard against these types of invasions, some of which are discussed in this cybersecurity report from the New York State Bar Association https://nysba.org/app/uploads/2020/03/NYSBA-Cyber-Alert-031220.pdf).  But that’s not what this post is about.  This post is about what happens after your law firm’s system has been breached.  In other words, what duties does a law firm have to notify clients that a data breach has occurred?  We will get to that question; but first, a cautionary tale.

Does Rule 1.4 require lawyers to notify clients when their confidential information has been breached by hackers?  Not surprisingly, the answer is yes.  In a 2018 ethics opinion https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf, the ABA ethics committee opined that “[w]hen a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their ethical obligations under these Model Rules.” ABA Ethics Op. 483 (2018).

Does Rule 1.4 require lawyers to notify clients when their confidential information has been breached by hackers? Not surprisingly, the answer is yes. In a 2018 ethics opinion https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf, the ABA ethics committee opined that “[w]hen a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their ethical obligations under these Model Rules.” ABA Ethics Op. 483 (2018).

Get in touch

Avatar

Get in touch

Avatar

Latest Insights