Recently, the California Bar Association (“CBA”) published Formal Opinion No. 2020-203[1] concerning a lawyer’s ethical obligations with respect to unauthorized access to electronically stored client information. The onset of the COVID-19 pandemic greatly accelerated the growing trend of storing and maintaining data and information online so that employees and clients can access the data from anywhere in the world at any time. In today’s working world, the reality is that nearly all information and data is stored and shared digitally online for ease of access, use, and dissemination.
Unfortunately, a major drawback of this switch to a cyber paradigm is serious exposure to data breaches as a result of hacking, inadvertence, or theft. Formal Opinion No. 2020-203 outlines how a lawyer is to handle access to client confidential information and how to anticipate potential security issues. This article will briefly cover the key aspects addressed in Formal Opinion No. 2020-203.
What is the duty owed by a lawyer to his or her client regarding the use of technology?
At the outset, the CBA reminds lawyers of the ongoing duty of competence (Rule 1.1) and the duty to safeguard clients’ confidences and secrets (Rule 1.6; Cal. Bus. & Prof. Code, § 6068(e)). Together, these duties require that a lawyer have a basic understanding of the risks posed when using a given technology, obtain help from appropriate experts to assess those risks if necessary, and take reasonable steps to prevent data breaches.
The requirement is satisfied by learning where and how client information is vulnerable to unauthorized access.
Accordingly, lawyers must assess the risks involved in the use of electronic devices and systems that contain or access client information and must take reasonable precautions to ensure that the information remains secure. Further, this duty extends to law firm managers to make a reasonable effort to establish internal policies and procedures to protect client information from the risk of inadvertent disclosure and data breaches, to monitor such use, and to stay abreast of current trends and risks.
What is a lawyer supposed to do when there is a data breach?
The CBA advises that in the event of a data breach, the lawyer must disclose the breach to the client as soon as reasonably possible to allow the client to take steps to mitigate the breach.[2] The CBA recommends lawyers should undertake reasonable efforts, including the use of experts, to ascertain the amount and sensitivity of the client information involved and the likelihood that the information has been or will be misused to the client’s disadvantage.
What about a suspected data breach?
The CBA again recommends the lawyer take reasonable efforts, including the use of experts, to determine the clients affected, the information at issue, and the potential for harm. The “key principle” to follow is whether the client’s interests have a reasonable possibility of being negatively impacted.
Disclosure is required in situations where a client will have to make decisions relevant to the breach, such as the need to mitigate or minimize the harm, or to analyze how the client’s matter should be handled going forward in light of a breach. When in doubt, the CBA advises that lawyers should err on the side of disclosure and notify a client of a potential breach.
[1] The full opinion can be found at: https://www.calbar.ca.gov/Portals/0/documents/ethics/Opinions/Formal-Opinion-No-2020-203-Data-Breaches.pdf
[2] Separately, a lawyer may also have an obligation to notify a client under California Civil Code section 1798.82 and other federal laws and regulations.