For Lawyers It's Your Ethical Duty To Report A Breach
The American Bar Association issued guidance on its “Model Rules of Professional Conduct that require lawyers to monitor for and prevent data breaches, determine what occurred, restore systems and inform clients if their sensitive data is breached.” The ABA also stressed that meeting compliance obligations does not mean you meet the ethical standard; an attorney must make, you guessed it, “reasonable efforts” to avoid the loss of client data.
What I find most interesting in this article is the statement by the ABA that says, “Although security is relative, a legal standard for ‘reasonable’ security is emerging.” That it is, as I have rambled on in previous posts about the writing being on the wall. With more and more standards out there requiring companies to instill basic security measures, in addition to all the case law, a true sense of what is “reasonable” has already emerged.
The ABA goes on to say, “That (reasonableness) standard rejects requirements for specific measures (such as firewalls, passwords, or the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments.’”
Wow, and there you have it.