With the release of Formal Ethics Opinion 482 in September of 2018, the ABA finally made it quite clear. Lawyers do indeed have an ethical duty to develop a disaster recovery plan. Just consider the import of how the Standing Committee on Ethics and Professional Responsibility concluded their opinion when they stated:
“Lawyers must be prepared to deal with disasters. Foremost among a lawyer’s ethical obligations are those to existing clients, particularly in maintaining communication. Lawyers must also protect documents, funds, and other property the lawyer is holding for clients or third parties. By proper advance preparation and taking advantage of available technology during recovery efforts, lawyers will reduce the risk of violating professional obligations after a disaster.”
Speaking frankly, I’ve always assumed this duty existed because I’ve never come across an exception in any of the Model Rules of Professional Conduct that says something along the lines of this rule doesn’t apply if the lawyer happens to be dealing with the aftermath of a disaster. Over the years my only challenge has been in trying to convince other lawyers of the necessity and obligation to put such a plan in place.
With this duty to prepare now firmly established, what rules need to be taken into consideration? Among a few others, Formal Opinion 482 underscored the importance of Rule 1.1 Competence, Rule 1.4 Communications, and Rule 1.15 Safekeeping Property; but I would also encourage you to not overlook Rule 1.3 Diligence and Rule 1.6 Confidentiality. Now, think about all these rules in the context of developing a disaster recovery plan, or if it helps, a business continuity plan.
Start with comment 8 to Rule 1.1 Competence, which in part reads “a lawyer should keep abreast of changes in the law and it’s practice, including the benefits and risks associated with relevant technology.” This means lawyers must not only understand how any technology in use at a firm might be impacted by various disaster scenarios, they must also be able to determine how any relevant technology might be utilized to minimize the impact of various disasters.
Next is Rule 1.3 Diligence, which I see as a no brainer. “A lawyer shall act with reasonable diligence and promptness in representing a client.” There are no exceptions to this rule. So, it should go without saying that any kind of disaster, be it a ransomware attack, a fire, or a category 4 hurricane, can all too easily make it extremely difficult to be prompt in representing your clients. Plan accordingly.
Rule 1.4 Communication makes it clear that lawyers are to keep their clients informed about the status of their matters. This means a lawyer must think through the various disasters scenarios that might occur with the intent of trying try to determine how client contact information could be accessed, used, and by what communication channel. It’s about making sure you can reach your clients in order to advise on whether your representation will continue or if a withdrawal is necessary and also trying to determine how clients can reach you under the various identified disaster scenarios.
Rule 1.4 also requires that clients have enough information to allow them to make informed decisions regarding the representation. This means clients do need to be timely notified if their files or digital information has been compromised or destroyed while in your custody or control. In light of this obligation, you should consider remote access options and the use of cloud-based services, if they are not already in place. Of course, don’t forget to also address how you will you deal with limited or no Internet access.
Taken together, Rule 1.6 Confidentiality and Rule 1.15 Safekeeping Client Property require lawyers to take steps to preserve client confidentiality and exercise reasonable care to protect and, if necessary, restore client information and client property in the event of a disaster. Think about it. If lost documents or property can be restored or reconstructed, client notification isn’t necessary. However, according to Opinion 482, if reconstruction or restoration isn’t possible, notification is necessary if the lost documents or property have intrinsic value or are useful or necessary to continue representation.
Finally, don’t avoid the money issue. You do need to ask what happens if access to financial systems, firm accounts, client funds and the like are limited or not available for a period of time and you should also think about steps you can take to prevent any unauthorized access to your trust account and your business accounts.
In sum, disaster recovery planning is about being proactive. It’s about thinking through the what ifs should something like a cyber-attack, extreme weather event, firm break-in, or a serious accident ever occur and then coming up with a plan that responsibly addresses the associated risks. That said, I can appreciate the headache this obligation might bring about for some; so, here’s another way to look at it. Disaster recovery planning is ultimately about coming up with a plan that allows you to stay in business should the unexpected ever happen. And as we all know, a failure to plan is in reality a plan to fail.
All opinions, advice, and experiences of guest bloggers/columnists are those of the author and do not necessarily reflect the opinions, practices or experiences of Solo Practice University®.