In an article for the New York Law Journal titled “ABA Formal Opinion 483: What Are a Lawyer’s Obligations After a Data Breach or Cyberattack?,” David Bayne explained the ethical obligations that lawyers face following a data breach or cyberattack on their firm that potentially exposes private client data. Specifically, Bayne addressed the significance of ABA Formal Ethics Opinion No. 483.
Bayne explained that, according to the Opinion, preparation is key: “Thus, the first step in addressing a cyber-breach must be taken long before a breach ever occurs. The Opinion recommends that an ‘incident response plan’ be designed to identify and stop a breach, mitigate any loss or theft of data, restore system security and eventually restore the firm’s system itself. Without an incident response plan, a law firm runs the significant risk of needlessly prolonging the exposure of client data to third-parties.”
Bayne wrapped up with, “While ethics rules vary based on jurisdiction, many states follow the ABA Model Rules. Thus, in such jurisdictions, it is very likely that firms without an incident response plan will be found to have violated Rule 1.6 where material confidential client information is compromised by a cyber-breach […] While law firms largely remain brick and mortar operations, their work product now primarily exists in the digital domain. ABA Opinion 483 is, therefore, mandatory reading for all law firm managers and general counsels.”