The landscape of data privacy and cybersecurity is constantly changing and evolving. So too is the role of technology in the practice of law and, hence, the risk to lawyers and their clients associated with such technology. It should be no surprise that cyberattacks targeting law firms continue to increase. Law firms hold valuable client information, including trade secret information, proprietary information, financial information and even protected health information. Often, such information is more vulnerable in the hands of law firms than in the hands of the clients they represent, due to less stringent security measures. As a profession, we must strive to uphold the duty owed to clients concerning protection of information as we navigate the digital world.
On May 11, 2017, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477 addressing a lawyer’s obligations to protect client information, including electronically-stored information and data. Focusing on the issue of a lawyer’s duty to secure communication of protected client information, the Committee concluded:
A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 17-477, at 11 (2017).
In doing so, the Committee looked back to Formal Opinion 99-413, in which it concluded that a lawyer’s use of any form of e-mail was consistent with the duty under Rule 1.6, as to confidentiality of information relating to a client’s representation, because “lawyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted e-mail sent on the Internet, despite some risk of interception and disclosure.” Id. at 1 (quoting ABA Comm. on Ethics & Prof’l Responsibility, Formal Op. 99-413, at 11 (1999)). Noting the changes in technology since 1999, including the ABA’s adoption of the 2012 “technology amendments” to the Model Rules, the Committee sought to update its previous Opinion.
The aptly-coined “technology amendments” approved by the ABA House of Delegates in August 2012 addressed two of the most sacrosanct duties owed to a client by a lawyer – the Duty of Competence and the Duty of Confidentiality. While the ABA did not change the language of Model Rule 1.1 relating to the Duty of Competence, it did modify new Comment to Rule 1.1 to read:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
August 2012 Amendments to ABA Model Rules of Professional Conduct (emphasis added). In contrast, the ABA did modify Model Rule 1.6, regarding confidentiality of information relating to the representation, to add new paragraph (c) requiring that: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Id. The revised Comment to Model Rule 1.6 provided, in part, that “[t]he unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.” Id. (emphasis added).
Lawyers were then left with the question – what are reasonable efforts? Noting the increase in cyber threats, the Committee, in Formal Opinion 17-477, adopts the language of the ABA Cybersecurity Handbook for a reasonable efforts standard that:
…rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a “process to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”
Formal Op. 17-477, supra at 4 (quoting ABA Cybersecurity Handbook, note 3, at 48-49). Undertaking a fact-based analysis, the Committee suggests that strong protective measures, such as encryption, may be warranted in some circumstances, while at other times, for matters of normal or low sensitivity, standard security measures may be appropriate. Id. at 5.
The Committee goes on to offer guidance to lawyers when analyzing how to communicate electronically about client matters and asks lawyers to:
- Understand the Nature of the Threat, including consideration of the sensitivity of a client’s information and whether the client’s matter is a higher risk for cyber intrusion.
- Understand How Client Confidential Information is Transmitted and Where it is Stored, including how the lawyer’s electronic communications are created, where the client data resides and what avenues exist to access that information.
- Understand and Use Reasonable Electronic Security Measures. Such measures may include using secure internet access methods to communicate, access and store client information; using unique, complex passwords which are changed periodically; utilizing firewalls and preventive software on all devices on which client information is transmitted or stored; and applying all necessary security patches and updates to software.
- Determine How Electronic Communications About Client Matters Should Be Protected by discussing with the client what level of security is necessary for electronic communications about the client’s matter.
- Label Client Confidential Information by marking privileged and confidential client communications.
- Train Lawyers and Nonlawyer Assistants in Technology and Information Security.
- Conduct Due Diligence on Vendors Providing Communication Technology.
Formal Op. 17-477, supra at 5-10.
Using the above as guidance, in each case and, as early as possible in the representation, a lawyer should consider the specific circumstances of his or her representation of a client to assess whether “reasonable efforts” are being taken to protect against the inadvertent or unauthorized disclosure of client information. And, a lawyer should be vigilant and proactive in reevaluating those “reasonable efforts” in the future, as data privacy and cybersecurity risks continue to evolve.
This article was prepared by Holly M. Whalen, Esq. of Cipriani & Werner, P.C. We trust that the above article was useful and thought provoking; however, please note that it is intended as a general guide only, not a complete analysis of the issues addressed, and readers should always seek specific legal guidance on particular matters.