The ABA’s issuance of Formal Ethics Opinion 482 in September of 2018 finally made it quite clear. Lawyers have an ethical duty to develop a disaster recovery plan. Consider the import of how the Standing Committee on Ethics and Professional Responsibility concluded their opinion when they stated:
“Lawyers must be prepared to deal with disasters. Foremost among a lawyer’s ethical obligations are those to existing clients, particularly in maintaining communication. Lawyers must also protect documents, funds, and other property the lawyer is holding for clients or third parties. By proper advance preparation and taking advantage of available technology during recovery efforts, lawyers will reduce the risk of violating professional obligations after a disaster.”
Speaking frankly, I’ve always assumed this duty existed because in any of the Model Rules of Professional Conduct I’ve never come across an exception that says something along the lines of, ‘this rule doesn’t apply if the lawyer happens to be dealing with the aftermath of a disaster.’ Over the years my only challenge has been in trying to convince other lawyers of the necessity and obligation to put such a plan in place.
With this duty to prepare now firmly established, what rules need to be taken into consideration? Among a few others, Formal Opinion 482 underscored the importance of Rule 1.1 Competence, Rule 1.4 Communications, and Rule 1.15 Safekeeping Property; but I would also encourage you to not overlook Rule 1.3 Diligence and Rule 1.6 Confidentiality. Think about all these rules in the context of developing a disaster recovery plan, or if it helps, a business continuity plan.
Start with comment 8 to Rule 1.1 Competence, which in part reads, “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” This means lawyers must not only understand how any technology in use at a firm might be impacted by various disaster scenarios, they must also be able to determine how any relevant technology might be utilized to minimize the impact of various disasters.
Next is Rule 1.3 Diligence, which I see as a no brainer. “A lawyer shall act with reasonable diligence and promptness in representing a client.” There are no exceptions to this rule; and it should go without saying that experiencing a fire, flood, ransomware attack, or hurricane can all too easily make it extremely difficult to be prompt in representing your clients. Therefore, lawyers are to consider all possible disaster scenarios they potentially face and plan accordingly.
Rule 1.4 Communication makes it clear that lawyers are to keep their clients informed about the status of their matters. This means lawyers must think through the various disaster scenarios that might occur with the intent of trying to determine how client contact information could be accessed and used, and by what communication channels. It’s about making sure they can reach their clients in order to advise on whether their representation will continue or if they must withdraw. Similarly, lawyers should try to determine how their clients can reach them under the various identified disaster scenarios.
Rule 1.4 also requires that clients have enough information to allow them to make informed decisions regarding the representation. This means clients need to be timely notified if their files or digital information has been compromised or destroyed while in a lawyer’s custody or control. In light of this obligation, lawyers should consider implementing remote access options and cloud-based services, if they are not already in place. Of course, lawyers should also think through their options if they are forced to deal with limited or no internet access.
Taken together, Rule 1.6 Confidentiality and Rule 1.15 Safekeeping Client Property require lawyers to take steps to preserve client confidentiality and exercise reasonable care to protect and, if necessary, restore client information and client property in the event of a disaster. Think about it. If lost documents or property can be restored or reconstructed, client notification isn’t necessary. However, according to Opinion 482, if reconstruction or restoration isn’t possible, notification is necessary if the lost documents or property have intrinsic value or are useful or necessary to continue representation.
Finally, don’t avoid the money issue. Lawyers do need to ask and answer the following questions. What do we do if access to financial systems, firm accounts, client funds and the like are limited or not available for a period of time and what steps can we take to prevent any unauthorized access to our trust and business accounts?
In sum, disaster recovery planning is about being proactive. It’s about thinking through the what-ifs should something like a cyber-attack, extreme weather event, firm break-in, or a serious accident ever occur and then coming up with a plan that responsibly addresses the associated risks. That said, I can appreciate the headache this obligation might bring about for some; so, here’s another way to look at it. Disaster recovery planning is ultimately about coming up with a plan that allows you to stay in business should the unexpected ever happen. Because, as we all know, a failure to plan is, in reality, a plan to fail.