Newport Beach
Newport Beach
Los Angeles
Las Vegas
San Diego
Walnut Creek
Phoenix
Reno
Denver
North San Diego
Dallas
(949)221-1000 (949)221-1001 20320 S.W. Birch Street Second Floor, Newport Beach CA 92660
(818)712-9800 (818)712-9900 21215 Burbank Blvd. Suite 500, Woodland Hills CA 91367
(702)258-6665 (702)258-6662 1160 N Town Center Dr Suite 250, Las Vegas NV 89144
(619)236-0048 (619)236-0047 501 West Broadway Suite 1700, San Diego CA 92101
(510)540-4881 (510)540-4889 2033 N. Main St. Suite 600, Walnut Creek, Ca 94596
(602)274-1204 (602)274-1205 8950 South 52nd St Suite 201, Tempe AZ 85284
(775)440-2389 (775) 440-2390 50 West Liberty Suite 1090, Reno NV 89501
(720) 779-2500 (303)256-6205 1999 Broadway, Suite 3250, Denver, Colorado 80202
(760)557-2940 (619)389-2993 760 Garden View Ct. Unit #220 Encinitas, CA 92024
(949) 221-1000 (949) 221-1001 1910 Pacific Avenue, Suite 2000 Dallas, Texas 75201

Formal Opinion No. 2020-203: How a lawyer is to handle access to client confidential information and anticipation of potential security issues.

Recently, the California Bar Association (“CBA”) published Formal Opinion No. 2020-203[1] concerning a lawyer’s ethical obligations with respect to unauthorized access to electronically stored client information.  The onset of the COVID-19 pandemic greatly accelerated the growing trend of storing and maintaining data and information online so that employees and clients can access the data from anywhere in the world at any time.  Now, in today’s working world, the reality is nearly all information and data is stored and shared digitally online for ease of access, use, and dissemination.

Unfortunately, a major draw-back of this switch to a cyber paradigm is serious exposure to data breaches as a result of hacking, inadvertence, or theft.  Formal Opinion No. 2020-203 outlines how a lawyer is to handle access to client confidential information and anticipation of potential security issues.  This article will briefly cover the key aspects addressed in Formal Opinion No. 2020-203.

What is the duty owed by a lawyer to his or her client regarding the use of technology?

At the outset, the CBA reminds lawyers of the ongoing duty of competence (Rule 1.1) and the duty to safeguard clients’ confidences and secrets (Rule 1.6; Cal. Bus. & Prof. Code, § 6068(e)) which impose the requirement that a lawyer must have a basic understanding of the risks posed when using a given technology and (if necessary) obtain help from appropriate experts to assess those risks and take reasonable steps to prevent data breaches.

The requirement is satisfied by learning where and how client information is vulnerable to unauthorized access.

Accordingly, lawyers must assess the risks involved in the use of electronic devices and systems that contain or access client information and must take reasonable precautions to ensure that the information remains secure.  Further, this duty extends to law firm managers to make a reasonable effort to establish internal policies and procedures to protect client information from the risk of inadvertent disclosure and data breaches, to monitor such use, and to stay abreast of current trends and risks.

What is a lawyer supposed to do when there is a data breach? 

The CBA advises that in the event of a data breach, the lawyer must disclose the breach to the client as soon as reasonably possible to allow the client to take steps to mitigate the breach.[2]  The CBA recommends lawyers should undertake reasonable efforts, including the use of experts, to ascertain the amount and sensitivity of the client information involved and the likelihood that the information has been or will be misused to the client’s disadvantage.

 

 

What about a suspected data breach?

The CBA again recommends the lawyer take reasonable efforts, including the use of experts, to determine the clients affected, the information at issue, and the potential for harm.  The “key principle” to follow is whether the client’s interests have a reasonable possibility of being negatively impacted.

Disclosure is required in situations where a client will have to make decisions relevant to the breach, such as the need to mitigate or minimize the harm, or to analyze how the client’s matter should be handled going forward in light of a breach.  When in doubt, the CBA advises that lawyers should err on the side of disclosure and notify a client of a potential breach.

[1] The full opinion can be found at: https://www.calbar.ca.gov/Portals/0/documents/ethics/Opinions/Formal-Opinion-No-2020-203-Data-Breaches.pdf

[2] Separately, a lawyer may also have an obligation to notify a client under California Civil Code section 1798.82 and other federal laws and regulations.