Today's New York Times describes a Citibank report that is critical of law firms for failing to reveal cybersecurity breaches. According to the Times, the report also warns "bank employees [to] be mindful that digital security at many law firms, despite improvements, generally remains below the standards for other industries."
In my view, the story highlights two distinct, but related, cybersecurity issues. The first is the increasing difficulty of preserving clients' confidences in a digital age. Not too long ago, the duty of confidentiality required not much more than tight lips and locked cabinets. The recent addition of Model Rule 1.6(c) (see also Comments [18]-[19]) was intended to remind lawyers that they now need to do a bit more to satisfy their duty of confidentiality. Rule 1.6(c), however, only requires "reasonableness" when safeguarding client confidences, and sophisticated clients may want cybersecurity protocols that are considerably more robust. For example, there may be a fairly large gap between what is reasonable under Rule 1.6(c) and what a large financial services client might expect and demand.
The second cybersecurity issue concerns a lawyer's duty to report a breach. Although breaches can occur even when using the most sophisticated security procedures, the Times story suggests that many law firms are nevertheless reluctant to report the problems to the government as well as to clients. Regarding the latter, lawyers have a duty to keep their clients informed about the status of a matter, and it seems to me that such a duty could be interpreted to mean that lawyers should notify their clients when their confidential information has been compromised. Moreover, an increasing number of statutes (federal and state) now impose such a duty. That said, a lawyer's ethical duty to report a breach to a client shouldn't turn on a strained reading of Rule 1.4 or whether the lawyer happens to be subject to one of the small number of reporting statutes. As an ethical matter, there may be a need for greater clarity on this issue, either in the rules or elsewhere.