Neighborhood watches are extremely helpful if you want to keep your community safe and protected from crime. Concerned residents can work together to monitor and fight against potential crime. It can be tricky at times because crime is ever evolving and advancing. But making an effort to thwart crime before it happens is crucial. Your neighborhood watch may not always be 100% successful, but you are definitely more prepared than if you sat idly waiting for crime to happen.
Having preparations in place for a data breach is like having a neighborhood watch. You want to work with others to have measures in place to prevent an attack but also have a plan in place if an attack does happen. In both cases, it’s a logical measure to have in place. You always want to try your best to mitigate any potential problems. Does your firm have a plan in place to handle this kind of problem?
What is ABA Formal Opinion 483?
Just last month, the ABA Standing Committee of Ethics and Professional Responsibility released Formal Opinion 483, which discusses how attorneys and law firms should handle data breaches before, during, and after an attack. The ABA knows that no plan is foolproof, but it does expect lawyers to take proactive measures when it comes to protecting sensitive client data, and to disclose all breaches.
The organization also stated, “As a matter of best practices, lawyers who have suffered a data breach should analyze compliance separately under every applicable law or rule.” Firms not only have to monitor and prevent data breaches, but if a violation happens, they must also determine what occurred, restore systems, and inform clients of a sensitive data breach.
Following state, federal, and international laws does not by itself mean you are compliant with ABA ethics. Instead, breached firms should “analyze compliance separately under every applicable law.”
The good news is that if a breach has taken place at your firm, you are not automatically prone to an ethical violation. Hackers may still successfully gain entry, despite the best effort of a lawyer. When a lawyer does not take “reasonable efforts” to prevent a data loss or detect an attack, then they are violating the ABA Code of Ethics.
What is “Reasonable Effort”?
You may be wondering what the ABA considers to be a lawyer’s reasonable efforts. These efforts are:
- Make reasonable efforts to understand the risks and benefits of technology relevant to the practice of law
- Monitor for breaches
- Hold electronic property at the same value as physical property
- Implement reasonable precautions to limit vulnerabilities
- Act reasonably and promptly to stop a breach and mitigate damage
- After a violation, investigate its cause and evaluate notice obligations
- Provide current, affected clients with notice of such data breach
Is Your Firm Prepared?
Just like a neighborhood watch, it’s important for lawyers to have a plan in place as you prepare to respond to an attack. Ways your firm can prepare include:
- Develop an incident response plan and clearly define roles
- Analyze compliance on an ongoing basis
- Be aware of regulatory and statutory notice requirements
- Reach an agreement with clients before the conclusion of services, or when the client-attorney relationship terminates, about how to handle the client’s electronic information still in the attorney’s possession
- Absent agreement otherwise, maintain physical and electronic document retention schedules in compliance with applicable rules
- Inform clients affected by a breach about the lawyer’s plan to respond to the incident
With Formal Opinion 483, it is important to note that lawyers are not required to alert former clients of a breach unless black letter law requires otherwise. Also, a breach that gives a hacker limited access to information for an insignificant amount of time, or consists of non-confidential or publicly available information, does not rise to the level of a data breach requiring disclosure to a client.
Make sure you are aware of both the Rules of Professional Responsibility and local and federal privacy laws since there may not always be overlap.
Ready to Take the Next Steps?
So, at this point, you’re most likely wondering, what does this mean for my firm and me? If you already are taking the necessary precautions, then there’s not much to do. You should be proud that your firm is a step ahead and thinking about safety. If your firm doesn’t have these efforts in place, you should consider looking into a Security Operations Center (SOC). It’s okay to ask for help. Working with an outside firm to manage your SOC can help you detect any threats before they happen. If a breach does occur, you’ll be prepared and have a plan in place to begin mitigating damage.