Lawyers, like others in business, must comply with the data security and data breach notification laws of the 50 states that are applicable to their practices. But, according to the American Bar Association, their obligations do not end there. On October 17, 2018, the ABA issued Ethics Opinion 483 titled Lawyers’ Ethical Obligations After an Electronic Data Breach or Cyberattack.
Ethics Opinion 483 does not supplant existing laws. Instead, it imposes additional obligations that go far beyond what the title suggests. It requires lawyers to:
- Have very specific proactive cybersecurity measures in place; and
- Respond in a specific manner to any data event where material client information is misappropriated, destroyed, or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.
The obligations imposed by Ethics Opinion 483 are substantial, especially when considering the “significantly impaired” aspect. For a more detailed explanation about these requirements and how to comply with them, see the Texas Bar Journal’s 2018 Cybersecurity & Data Privacy Law Update.