Skip to main content

ABA Explains Lawyers’ Ethical Obligations for Data Security and Data Breach

March 12, 2019

Lawyers, like others in business, must comply with the data security and data breach notification laws of the 50 states that are applicable to their practices. But, according to the American Bar Association, their obligations do not end there. On October 17, 2018, the ABA issued Ethics Opinion 483 titled Lawyers’ Ethical Obligations After an Electronic Data Breach or Cyberattack

Ethics Opinion 483 does not supplant existing laws. Instead, it imposes additional obligations that go far beyond what the title suggests. It requires lawyers to:

  1. Have very specific proactive cybersecurity measures in place; and
  2. Respond in a specific manner to any data event where material client information is misappropriated, destroyed, or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.

The obligations imposed by Ethics Opinion 483 are substantial, especially when considering the “significantly impaired” aspect. For a more detailed explanation about these requirements and how to comply with them, see the Texas Bar Journal’s 2018 Cybersecurity & Data Privacy Law Update.

This blog post was drafted by Shawn Tuma, a Partner in the Dallas – Collin County, TX office of Spencer Fane LLP. For more information, visit