Earlier this month, the ABA’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477, addressing attorneys’ obligation to safeguard client information when using email and electronic communications. It’s the first time the ABA has addressed lawyer-client email since 1999. To put that in context, back in ‘99, Y2K was one of the biggest technological concerns, AOL was still spamming your (snail) mailboxes with endless CDs, and Google was still in beta.
Eighteen years later, an update on the ethical implications of email was long overdue. But the ABA’s latest ethics opinion gives us a bit more than just that. It’s a strong, and much needed, reminder of the importance of protecting all confidential client information, not just that in electronic communications.
Formal Opinion 477 101
In the new opinion, the ABA ethics committee concludes that, in the appropriate circumstances, “a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”
That’s a significant switch from the guidance the ABA issued in 1999. There, the ethics committee found that “due to the reasonable expectations of privacy available to email communications at the time, unencrypted email posed no greater risk of interception or disclosure than other non-electronic forms of communication.”
That was then. Today, with law firm data breaches becoming more common, devices proliferating, and more secure forms of communication available, attorneys will need to consider using “particularly strong protective measures” such as encryption or even non-electronic forms of communication when handling sensitive information.
What measures might be appropriate depends on what “reasonable efforts” are required to prevent inadvertent disclosure or unauthorized access, given the specific situation at hand. The opinion lists five nonexclusive factors that attorneys should consider when making such a determination:
- The sensitivity of the information,
- The likelihood of disclosure if additional safeguards are not employed,
- The cost of employing additional safeguards,
- The difficulty of implementing the safeguards, and
- The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use.)
Further, attorneys may need to discuss those safeguards with their clients and, in some circumstances, obtain a client’s informed consent.
If you haven’t been paying attention to security measures around your electronic communications, then, now’s the time to start reevaluating them.
Duties of Competence and Confidentiality Don’t Stop With Email
But the logic behind the new opinion isn't limited to email.
The opinion is based on the dual duties of confidentiality and competence. Model Rule 1.6 instructs that “a lawyer shall not reveal information relating to the representation of a client” and “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to,” such information. Comments to that rule further explain that such unauthorized access or disclosure does not violate the rule “if the lawyer has made reasonable efforts to prevent the access or disclosure.”
The opinion is also firmly rooted in attorneys’ duty to provide competent representation. Five years ago, that rule, Rule 1.1, was updated with new commentary making it clear that competent representation required lawyers to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology”.
“At the intersection” of these duties, the Committee explains, “lawyers must exercise reasonable efforts when using technology in communication about client matters.”
If those duties, then, require attorneys to consider greater cybersecurity measures in their electronic communications, they could similarly require attorneys to institute stronger safeguards across the board -- wherever the integrity and confidentiality of client information might be implicated.
If a lawyer falls for a phishing scam because he isn’t technologically competent and thus exposes confidential client information, could that be an ethics violation? Possibly, if the attorney hasn’t taken reasonable steps to prevent such a breach.
Similarly, if a firm hasn’t taken steps to safeguard sensitive client data during the discovery process, that too could raise ethical questions. Take, for example, the two reasons law firms are targeted by hackers, according to the ABA:
(1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.
Such valuable client information is particularly concentrated during the discovery process, as parties create virtual treasure troves of information, from trade secrets to health data to sensitive IP, depending on the matter. In more archaic discovery systems, such information may be insufficiently protected and frequently in motion, creating multiple opportunities for breach.
For these reasons, eDiscovery is the “next frontier” for hackers. Indeed, eDiscovery data breaches are already happening, according to Lael D. Andara, patent litigation partner at Ropers Majeski Kohn & Bentley PC. “We just haven't necessarily identified the hacks.” Yet too few lawyers are considering what measures may be reasonably required to prevent such hacks.
So, while the scope of Formal Opinion 477 doesn’t extend to such cases, the principles underlying the ethics committee’s reasoning do. Attorneys should not just “constantly analyze how they communicate electronically about client matters,” but how they’re ensuring the security of client data throughout their practice.
This post was authored by Casey C. Sullivan, Esq., who leads education and awareness efforts at Logikcull. You can reach him at firstname.lastname@example.org or on Twitter at @caseycsull.