Minding Integrity in the Face of Calamity: Professional Rules of Ethics for Counsel Responding to a Cybersecurity Crisis

New York Law Journal March 4, 2024

Samuel Richardson said, “Calamity is the test of integrity.” In the rush and chaos following a cyber-attack, counsel may not have the rules of ethics in the forefront of their mind, though running afoul of such rules can have negative consequences for attorneys and their clients. If ethics rules are considered as part of advance preparation, they are more likely to be followed in a crisis.

Below we discuss some of the key rules of professional conduct for attorneys to be mindful of in the midst of a breach response.

Competence

Data security laws are in constant flux, technology involved in a cyber incident is often complex, and the approach of regulators has evolved dramatically. Knowing how to deal with these moving pieces under what feels like immense time pressure is a challenge even for those who dedicate their practice to privacy and cybersecurity law.

Under the American Bar Association (ABA) Model Rule 1.1, a lawyer must provide competent representation of a client, which requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation. The rule states that “a lawyer shall not handle a legal matter that the lawyer knows or should know that the lawyer is not competent to handle, without associating with a lawyer who is competent to handle it.”

This does not mean that a lawyer may not provide representation just because it is a novel area for the lawyer. A lawyer can achieve competence through adequate preparation. The required preparation varies based on the complexity of the matter and what is at stake for the client. Some cyber incidents are minor and can be managed without much specialized knowledge. Where an incident has the potential to result in demonstrable harm to the interests of the client, and the client has little time to take critical steps, an in-house attorney may be wise to engage outside counsel with the experience to lead the breach response.

Supervision of Non-Attorneys

Counsel often looks to engage forensic and other consultants to assist the client in containing and remediating a breach. ABA Model Rule 5.3 requires that the work of non-lawyers must be appropriately supervised. Lawyers must give non-lawyers under their supervision instructions regarding the ethical aspects of their engagement, including the obligation not to disclose confidential information. This includes an obligation to appropriately secure the client’s information from unauthorized access, disclosure, loss, or misuse.

ABA Model Rule 1.6 provides that, “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” So, where an attorney brings in the forensic investigator, the attorney may have an obligation to ensure that the investigator is capable, both in terms of performing the investigation and protecting the client’s information. Conducting diligence on third-party vendors in advance of a crisis is a wise approach.

Maintaining Privilege of Forensic Reports

There are several, sometimes competing, ethical issues that drive the relationship between counsel and forensic experts in the wake of a data breach. On the one hand, ABA Model Rule 1.6 provides that attorneys may not knowingly reveal confidential information or use such information to the disadvantage of a client or the advantage of a third person, with limited exceptions. For this reason, it has become routine for counsel to retain forensic consultants in order to maintain privilege over communications relating to the breach investigation and any work product generated by the forensic consultant.

On the other hand, forensic reports are frequently requested by corporate clients that may have been impacted by the breach. ABA Model Rule 4.4 governs respect for third-party rights when representing a client. The comment to Rule 4.4 states that “responsibility to a client requires a lawyer to subordinate the interests of others to those of the client, but that responsibility does not imply that a lawyer may disregard the rights of third persons.”

Recent trends in cases have heightened the tension between Rules 1.6 and 4.4. Courts, with increasing frequency, are finding that forensic breach reports are typically factual in nature, addressing business operational issues, and are not privileged—meaning that a company may not have a valid legal basis to deny a customer’s request for forensic findings. See Leonard v. McMenamins, Case No. C22-0094-KKE, 2023 U.S. Dist. LEXIS 217502 (W.D. Wash. Dec. 6, 2023) (holding that forensic reach report was not privileged work product); Guo Wengui v. Clark Hill, 338 F.R.D. 7 (D.D.C. 2021) (same).

Balancing these ethical and legal questions requires careful consideration. Retaining different consultants—one to manage the technical aspects of the breach and another to address specific legal aspects—is one step that companies can take to privilege opinions while maintaining flexibility to share factual conclusions with third parties.

Paying the Ransom

Ransomware attacks continue to rise globally. To discourage ransomware attacks, the federal government has taken steps to make it more difficult for threat actors to ransom victims. One such step is the Office of Foreign Assets Control (OFAC) directive making it illegal for U.S. companies to make ransom payments to entities that are listed on the OFAC Specially Designated Nationals and Blocked Persons List (SDN), which can include some ransomware gangs.

The OFAC directive can raise a difficult ethical issue for counsel representing ransomware victims. On the one hand, paying the ransom is often in the best financial interests of a client, particularly where a client does not have adequate backup systems and the ransomware has effectively shut down the company’s operations. A lawyer’s duty to zealously represent a client and provide independent and candid advice may militate toward payment of the ransom. On the other hand, Rule 1.2 (Scope of Representation) provides that a lawyer shall not counsel a client to engage, or assist a client, in conduct that the lawyer knows is illegal or fraudulent—such as payment to an organization on the SDN list.

There are, however, some steps that an attorney can take to mitigate this tension. First, counsel may engage a ransomware negotiator to run an OFAC check to ensure that the threat actors are not on the SDN list. Second, Rule 1.2 does not preclude the lawyer from giving an honest opinion about the consequences that appear likely to result from a client’s conduct. OFAC guidance also provides a number of mitigating factors that OFAC will consider when deciding if a payment to a prohibited entity merits sanctions, which counsel can use to frame their legal advice to a client considering a ransom payment.

Company is the Client

Companies that experience cyber breaches often conduct internal investigations to learn what happened and lessen the risk of future breaches. When a company conducts an investigation, communications between an attorney and employee are privileged but it is the company that holds the privilege not the employee. Carelessness about who is inside and outside the scope of privilege can result in a waiver of the privilege. In addition, in-house attorneys managing a cyber incident must be cautious if employees look to them for legal advice.

ABA Model Rule 1.13 (Organization as Client) provides that “When a lawyer employed or retained by an organization is dealing with the organization’s directors, officers, employees…or other constituents, and it appears that the organization’s interests may differ from those of the constituents with whom the lawyer is dealing, the lawyer shall explain that the lawyer is the lawyer for the organization and not for any of the constituents.” Attorneys should give so-called “Upjohn” warnings to remove any doubt that the lawyer speaking to the employee represents the company and not the employee.

Playing Dual Roles

In-house attorneys often play both business and legal roles within an organization. Counsel must be mindful of when they are acting as legal counsel versus, for example, as the compliance officer for an organization, because their role may impact the application of attorney-client privilege, among other issues.

It can be difficult to draw the line between legal advice and business advice. Where a lawyer is asked about the best business strategy to use in the face of a particular legal risk, this is likely business advice rather than legal advice. Others within the organization may have an incorrect belief that the mere presence of a lawyer cloaks any discussion with attorney-client privilege. Unless a communication is made for purposes of obtaining or providing legal advice, it is not covered by privilege. In-house counsel should remind others within their organizations regarding the limits of the application of the privilege and which hat they are wearing—business or legal—when giving advice.

Attorneys are not excused from the rules of professional conduct during a crisis. The rules still apply and the stakes are usually higher. An understanding of how to apply the rules can help in navigating the challenging aftermath of a cybersecurity breach. Laying the groundwork in advance helps attorneys to steer clear of ethical violations and avoid expense and reputational harm to the attorneys and their clients.

"Minding Integrity in the Face of Calamity: Professional Rules of Ethics for Counsel Responding to a Cybersecurity Crisis," by Jennifer J. Daniels and Philip N. Yannella was published in the New York Law Journal on March 4, 2024.