Much has been written in recent years about lawyers' duties to preserve the confidentiality of client information under the rules of professional conduct and to take reasonable precautions to strengthen cybersecurity in order to avoid data breaches. Executing those duties has become more difficult amid an increase in the frequency and sophistication of state-sponsored and criminal cyberattacks directed at law firms and their clients. Further complicating matters for lawyers is knowing when the rules of professional conduct require disclosure of a law firm data breach to clients, even though the threat of exfiltration or loss of confidential client data is in doubt. We will examine American Bar Association opinions that offer some guidance on when client notification of a data breach is appropriate to ensure protection of client confidentiality and minimize exposure to legal malpractice liability. The ABA ethics opinions to be addressed are Ethics Opinions 477R and 498 (2021).
In addition, we will discuss the requirements of bar associations in various states and analyze law firms' exposure to potential professional liability.