Breaches and ransomware attacks continue, with all industries in the cross-hairs of bad actors. Lawyers are among the targets.
Over the past 25 years, the way lawyers conduct business has significantly changed, with the bulk of communications with clients being digital. In recent years, the American Bar Association’s model rules of professional conduct have been modified to add comments with respect to technical competence in light of the digital world we live in. However, the Nevada Rules of Professional Conduct, Rule 1.0A, states in part:
“The preamble and comments to the ABA model rules of professional conduct are not enacted by this rule but may be consulted for guidance in interpreting and applying the Nevada rules of professional conduct, unless there is a conflict between the Nevada Rules and the preamble or comments.”
Nevada has Rule 1.1, competence, which is the language of the ABA Model Rule 1.1. Comment 8 to ABA Model Rule 1.1 provides:
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
As the Nevada Rules note, the comments may be consulted for guidance. Lawyers in all jurisdictions are going to have to better understand the technologies they are using, the protections they provide to information and also better understand their obligations when a breach occurs.
For example, lawyers in solo practices or in firms of any size would be wise to take a look at a recent Securities and Exchange Commission lawsuit filed against Covington & Burling LLP.
The suit seeks to have the law firm release the list of 298 SEC-regulated clients who may have been subject to the cyberattack on the law firm.
The SEC suit also addresses issues raised by Rule 1.6 about revelations about clients, and dismisses arguments that Covington raised. The case is believed to be a first of its kind and raises interesting issues of lawyers’ obligations.
A number of model rules combine to impose on lawyers a duty to be reasonable in safeguarding client information, including Rule 1.6(c), which provides:
“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
ABA Formal Opinion 483 provides that when a breach occurs, “an obligation exists for a lawyer to communicate with current clients about a data breach,” citing to Rule 1.4(a)(3), requiring lawyers to “Keep the client reasonably informed about the status of the matter.”
Nevada lawyers should take steps to fully understand their duties and obligations and steps they can and must take to avoid a situation that can destroy their reputations in the age of digital privacy. The SEC and other agencies are watching, and we must be ever vigilant in protecting our clients’ information.
Dan Cotter is with Howard & Howard Attorneys, PLLC. The experienced attorney has served in a variety of legal roles in his career, including as general counsel of a large life insurance company, and has extensive experience in private practice. He has been working on privacy and cybersecurity issues since 1996, including development of terms and conditions and disclaimers on Fortune 500 websites in the late 1990s. He has been the chief privacy officer of several companies and law firms and has extensive experience as in-house counsel.