If you’re an attorney who has been paying only marginal attention to the online security of your confidential client communications, perhaps this month’s ruling from the American Bar Association’s Standing Committee on Ethics and Professional Responsibility will persuade you to take a closer look.
The opinion, which provides guidance to lawyers on protecting client confidentiality in electronic communications, brings this issue to the forefront and bolsters my belief that the need for attorneys to build their digital literacy is vital, especially in this era of ever-changing technology. Upon reading the opinion, I thought of three practical takeaways important for lawyers to understand and act on in the immediate future. But before I share those takeaways, let’s recap the ruling.
Formal Opinion 477 updates Formal Opinion 99-413 and considers the “technology amendments” made to the Model Rules in 2012, namely updates to Rule 1.1, Duty of Competence, and Rule 1.6, Confidentiality of Information.
In 2012, the Model Rules updated a lawyer’s duty of competence to include staying current on the benefits and risks associated with relevant technology. It also modified a lawyer’s duty of confidentiality by adding a new duty in paragraph 1.6(c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
In making a reasonable efforts determination, Rule 1.6(c) Comment offers the following factors to guide attorneys:
- the sensitivity of the information,
- the likelihood of disclosure if additional safeguards are not employed,
- the cost of employing additional safeguards,
- the difficulty of implementing additional safeguards, and
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
The opinion doesn’t go so far as to recommend specific steps lawyers should take to protect client information, but it does offer seven considerations to guide lawyers.
- Understand the nature of the threat.
- Understand how client confidential information is transmitted and where it is stored.
- Understand and use reasonable security measures.
- Determine how electronic communications about client matters should be protected.
- Label client confidential information.
- Train lawyers and non-lawyer assistants in technology and information security.
- Conduct due diligence on vendors providing communication technology.
For a more comprehensive discussion of these factors, you can read Opinion 477 here or Bob Ambrogi’s summary of the opinion on his LawSites blog.
Here are my takeaways:
Vet your vendors.
There are more than a few unscrupulous technology vendors ready to make a quick dollar off of lawyers. Model Rule 5.5 imposes a duty on lawyers with direct supervisory authority over a nonlawyer to make “reasonable efforts to ensure that [the nonlawyer’s conduct] is compatible with the professional obligations of the lawyer.” Model Rule 1.3 addresses a lawyer’s obligation when outsourcing services.
In the context of electronic communications, the opinion suggests lawyers use the following factors to vet vendors:
- Reference checks and vendor credentials,
- Vendor’s security policies and protocols,
- Vendor’s hiring practices,
- Use of confidentiality agreements,
- Vendor’s conflicts check system to screen for adversity, and
- The availability and accessibility of a legal forum for legal relief of violations to the vendor agreement.
It also outlines the factors to consider when assessing a lawyer’s professional obligations when using an Internet-based service to store client information. These factors include:
- The education, experience and reputation of the nonlawyer,
- The nature of the services involved,
- The terms of any arrangements concerning the protection of client information, and
- The legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.
Map the path of client communications.
The opinion provides that “a lawyer should understand how their firm’s electronic communications are created, where the client data resides, and what avenues exist to access that information.” It further states that “each access point, and each device, should be evaluated for security compliance.”
A good exercise for lawyers is to map out the path of client communications to identify any potential points where access to the information might be compromised, including:
- How communications are created,
- Whether employees or third parties under their supervision have access to the communication,
- What devices they use, and their clients use, to access the communications,
- Where information is stored, and
- What security measures are in place at each point in the process.
Develop formal policies and train staff accordingly.
The opinion provides that, “In the context of electronic communications, lawyers must establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients.” The opinion further states that lawyers have an obligation to follow up and ensure methods are being implemented, while also periodically reassessing and updating these policies.
Smart lawyers will take this advice to heart. Comment to Model Rule 1.6 explains that, “The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation…if the lawyer has made reasonable efforts to prevent access or disclosure.”
Lawyers are well-served by proactively investing time and resources to develop a formal approach to their ethical obligations around the protection of electronic communications with clients. As the opinion says, hacking and data loss are questions of “when, not if.” Take steps to ensure you and your firm are ready.