As a legal professional, you must maintain the confidentiality of your clients’ information. This duty extends to electronic data, such as emails, documents, and other digital records. However, with the rise of cyberattacks, protecting your clients’ confidentiality has become more challenging than ever.

Understanding Cyberattacks

Cyberattacks can take many forms, from phishing scams to malware infections to ransomware attacks. Hackers may attempt to steal sensitive information, such as financial records, trade secrets, or personal data. They may also seek to disrupt your systems or hold your data hostage for ransom.

The Duty of Confidentiality

Lawyers have a duty to maintain the confidentiality of their clients’ information. This duty is codified in the Minnesota Rules of Professional Conduct, which require lawyers to protect confidential client information from unauthorized access or disclosure.

How a Lawyer Can Help

An experienced lawyer can help you protect your clients’ confidentiality in several ways. First, they can advise you on best practices for securing electronic data, such as encryption, multi-factor authentication, and secure cloud storage. They can also help you develop and implement policies and procedures for responding to cyberattacks, such as incident response plans and data backup protocols.

Responding to Cyberattacks

In the event of a cyberattack, it is crucial to respond quickly and effectively to mitigate the damage and protect your clients’ confidentiality. This may involve engaging a cybersecurity expert to assess the scope of the attack and identify any vulnerabilities in your systems. It may also involve notifying your clients of the breach and working with them to mitigate any harm caused by the attack.

In summary, protecting your clients’ confidentiality in the cyberattack age is an ongoing challenge for legal professionals. However, by understanding the nature of cyberattacks, adhering to the duty of confidentiality, working with an experienced lawyer, and developing a comprehensive response plan, you can take steps to protect your clients’ confidential information and minimize the impact of any cyberattacks that may occur.


Frequently Asked Questions

Q:           I deal with large amounts of secret client data. What are my obligations to safeguard this information in light of cyber threats?

A:            As lawyers increasingly rely on technology to communicate with clients and store sensitive information, they must take steps to protect against cyber threats and ensure that client data is secure. Rule 1.6(a) of the Minnesota Rules of Professional Conduct states that “a lawyer shall not knowingly reveal information relating to the representation of a client.” It further provides that a lawyer “shall make reasonable efforts to prevent the inadvertent or unauthorized access to information relating to the representation of a client.” The American Bar Association’s standing committee on ethics and professional responsibility noted, in formal opinion 477R, that a lawyer would not violate the rules of professional conduct so long as these reasonable efforts are undertaken. However, the opinion notes that in some circumstances a heightened duty may arise. For example, if required by law or agreement with the client, or when the nature of the information requires a greater level of security. The reality is when under cyberattack, disclosures can take place despite the reasonable efforts of the lawyer.

Q:           What factors go into determining if I took reasonable efforts to prevent disclosure during a cyberattack?

A:            There are several factors that go into this determination. Sensitivity of information, the likelihood of disclosure if additional safeguards are not employed, cost of employing additional safeguards and whether encryption is warranted, among others. However, the determination of reasonable efforts is really fact-based and lawyers should evaluate each case separately to ensure they comply.

Q:           If I take reasonable efforts and the information is disclosed through a cyberattack, am I subject to discipline in Minnesota?

A:            There are no court opinions on this topic in Minnesota. However, the comment to Rule 1.6 of the ABA’s Model Rules of Professional Conduct makes clear that lawyers are not subject to discipline any time secret client information was disclosed inadvertently or without authority during a cyberattack.

Q:           Assume I was cyberattacked. What are my professional obligations under the Minnesota Rules of Professional Conduct?

A:            First, you have a duty to keep your client informed. Rule 1.4 provides that you “must keep the client reasonably informed” about the status of their matter. Contact the client and inform them what happened and what you are doing to protect their confidential information. Next, implement your Incident Response Plan (you have one of those, right?) and determine the extent of the attack. Finally, contain the attack and focus on preventing further harm. Measures to take range from simply changing passwords to the more complex such as isolating the affected computer from the network. See Bench & Bar of Minnesota, March, 2019, Hickey and Alluri.

If you have questions about protecting your clients from cyberattacks, contact Joseph Wetch at 612.336.9335 or