Thursday, October 18, 2018

ABA Formal Opinion 483. Lawyers’ Obligations After an Electronic Data Breach or Cyberattack

On October 17, 2018, the American Bar Association issued Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, which addresses the duties and obligations to inform clients when a data breach or cyberattack occurs.

Under the Duty of Competence, the lawyer has an obligation to monitor for a data breach, stop the breach and restore systems, and determine what occurred.

There are five factors guiding the lawyer in the duty of confidentiality: the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyers' ability to represent clients.

The lawyers' obligations to provide notice of data breach are spelled out for current and former clients.

Breach notification requirements address the type of breach and the sufficiency of disclosure to allow the client to make an informed decision. As a best practice, the lawyer should also inform the client of the plan to respond to the data breach.

Should personally identifiable information (PII) be compromised, the lawyer should evaluate the obligations under state and federal law.

Formal Opinion 483 relies upon Model Rules 1.1, 1.4, 1.6, 5.1 and 5.3 and Formal Opinion 477R (Securing Communication of Protected Client Information).

A copy of Formal Opinion 483 may be accessed from the ABA.
https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba_formal_op_483.pdf

A listing of state security breach notification laws may be accessed from the National Conference of State Legislatures. http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx

The Texas state laws affecting data breaches may be found in the Texas Business & Commerce Code at §§ 521.002 and 521.053.
