For your protection: ABA says lawyers must inform clients of data breaches

Sheesh. I would hope so.

The American Bar Association issued a Formal Ethics Opinion this week saying that lawyers and law firms are required to notify their current clients of data breaches and cybersecurity attacks that could have materially compromised the clients' information.

Seems kind of obvious, but that doesn't mean it doesn't need to be said.

According to the opinion, legal practitioners are to take reasonable steps to prevent a data breach or cyber attack from occurring at all. However, the opinion acknowledges that breaches can occur despite the best efforts of the practitioner. In the event of a breach in which it appears that material information relating to the client may have been compromised, the practitioner should notify the client as soon as possible.

The opinion would not require notification of past clients, but I am sure that practitioners would want to notify past clients as well if their data were potentially affected.

Generally, here is what the ABA would require, or recommends, for legal practitioners:

* Take reasonable measures to ensure the security of clients' information. (The ABA doesn't recommend any specific measures or products.)

* Proactively adopt document retention/destruction policies and include those in their written agreements with clients. (For example, if a client's information will be purged from the system five years after the representation ends, that should be specified at the beginning of the representation, or as soon as possible.)

* In the event of a breach that may have compromised material information about a client, promptly notify current clients of the breach "in sufficient detail to keep the clients 'reasonably informed' and with an explanation 'to the extent necessary to permit the client to make informed decisions regarding the representation.'"

* If material information about past clients may have been compromised, provide similar notification to past clients as appropriate.

* Provide follow-up notifications to clients as needed.

* Ensure compliance with any applicable state or territorial laws relating to data breaches. According to the ABA opinion, all 50 states, as well as the District of Columbia, Puerto Rico, Guam, and the Virgin Islands, have such requirements.

ABA opinions are not legally binding, but they are influential and are often adopted by state bars when establishing their own binding standards of attorney conduct.

Image Credit: From flickr, Creative Commons license, by Blue Coat Photos.

Robin Shea has 30 years' experience in employment litigation, including Title VII and the Age Discrimination in Employment Act, the Americans with Disabilities Act (including the Amendments Act). 