ABA Approves Changes to Technology-Related Ethics

August 14, 2012 | Professional Liability | Complex Torts & Product Liability | Intellectual Property

The headline could read “ABA drags lawyers, kicking and screaming, into the 21st Century,” but that would not tell the whole story. In reality, for the past decade or more, lawyers have increasingly relied on technology to practice law, but that reliance has grown so incrementally that its potential impact on ethical responsibilities may not have been considered.

Enter the ABA Commission on Ethics 20/20, which studied the way various factors – most importantly, technology – have changed how lawyers practice law. Several months ago, the commission issued a report[1] to the American Bar Association’s House of Delegates proposing amendments to a number of the Model Rules of Professional Conduct (the “Rules”).[2]

The ABA has just approved those proposals at its recently-concluded annual meeting in Chicago. Although they technically will not apply to attorneys practicing in New York, they are noteworthy for this state’s lawyers because they may be persuasive here and, in fact, ultimately may be adopted as part of the New York Rules of Professional Conduct.[3] They are, at the very least, a wake-up call to New York lawyers that even the “Luddites” among us must consider the impact of technology on our practices.

Technology’s Impact

As the commission recognized, lawyers now communicate with clients electronically, and not just by phone, fax, letter, or in person. Lawyers now store confidential client information on mobile devices such as laptops, tablets, smartphones, and flash drives – and on the “cloud” – and not just on papers locked in file cabinets or in office computers. And lawyers have websites and blog on the Internet, use social networking sites, and even advertise with new online methods such as pay-per-click. Given these realities, a number of changes to the Rules and comments thereto were adopted to address two particular areas of concern – protection of client information and the attorney-client relationship.

Protecting Client Information

Rule 1.6(a) states that a lawyer has a duty not to reveal “information relating to a client’s representation,” except for the circumstances described in Rule 1.6(b). The rule, however, did not identify the ethical obligation a lawyer might have to prevent such a revelation, a concern that becomes particularly acute in regard to electronically stored information.  The addition of Rule 1.6(c) changed that. The new rule requires that lawyers make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Thus, as the amendments to Comment 16 make clear, “reasonable” efforts by the attorney to protect client information will be considered “competent” for purposes of  Rule 1.6, even if unintentional disclosure does occur.

The commission offered three examples that could lead to the unintended disclosure of client information. First, information could be inadvertently disclosed, such as when an email is sent to a wrong person. Second, information could be accessed without authority, such as when a third party “hacks” into a law firm’s network or a lawyer’s email account. Third, information could be disclosed when employees or other personnel release it without authority, such as when an employee posts a client’s information on the Internet.

Comment 16 now sets forth a non-exclusive list of factors that lawyers should consider when determining whether their efforts are reasonable, including the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). In addition, Comment 16 recognizes that some clients may require the lawyer to implement special security measures not required by the rule or may give informed consent to the use of security measures that would otherwise be prohibited by the rule. Comment 16 provides a final caution – compliance with Rule 1.6 does not vitiate attorneys’ obligations under federal and state law regarding privacy and/or notice requirements in the event of a privacy breach.

A series of smaller but key changes also were adopted to address confidentiality concerns.  For example, a lawyer’s duty to provide “competent representation” is stated in Rule 1.1 and amplified in Comment 6, which previously specified that, to remain competent, lawyers need to “keep abreast of changes in the law and its practice.” The commission concluded that, to keep abreast of changes in law practice in a digital age, lawyers must understand basic features of relevant technology. For example, as the commission noted, a lawyer would have difficulty providing competent legal services in today’s environment without knowing how to use email or create an electronic document. Accordingly, the phrase “including the benefits and risks associated with relevant technology” was added to the topics on which a lawyer must “keep abreast.”

In the commission’s view, Comment 6 already inherently encompassed an obligation to remain aware of changes in technology that affect law practice. Nevertheless, the express reference to technology is intended to offer greater clarity to practitioners and emphasize the importance of staying up to date as to the benefits and risks that technology presents to the modern law practice.

Another incremental change was made to Part (b) of Rule 4.4 (Respect for Rights of Third Persons) which addresses the particular ethical issues associated with the inadvertent disclosure of confidential information.  Previously, this rule imposed on lawyers the duty to notify the sender if they received “documents” that they knew or reasonably should have known were inadvertently sent to them.

The commission concluded that the word “document” was inadequate to express the various kinds of information that could be inadvertently sent in a digital age, including, for example, emails, flash drives, metadata,[4] etc. Therefore, the word “document” was replaced with a phrase that is commonly used in the context of discovery: “document or electronically stored information.” Indeed, that phrase now appears throughout the many rules and comments that were amended.

Comment 2 to Rule 4.4 now defines the phrase “inadvertently sent” as when “a document or electronically stored information … is accidentally transmitted, such as when an email or letter is misaddressed or a document or electronically stored information is accidentally included with information that is intentionally transmitted.” Comment 2 also now addresses the issue of metadata. It states that the receipt of metadata triggers the notification duties of the rule, but only when the receiving lawyer knows or has reason to believe that the metadata was inadvertently sent.[5]

The commission next dealt with “screening,” the purpose of which is to assure the affected parties that confidential information known by a personally disqualified lawyer remains protected. Rule 1.0(k) defines “screening” as the need to effectuate timely procedures to isolate the information from access by the disqualified individual.  The rules intend that an effective screen may be erected to avoid the imputation of a conflict of interest to others in the firm, under Rules 1.10, 1.11, 1.12, and 1.18.

The commission found that because advances in technology have made client information more accessible to the whole firm, the process of effective screening now requires more than simply placing relevant physical documents in an inaccessible location – electronic information must be protected as well. By the expedient addition of the phrase “including information in electronic form,” Comment 9 now explicitly makes it clear that the process of screening must address both physical documents and electronically stored information.[6]

Lawyer-Client Relationships

When a lawyer’s first substantive contact with a potential client was face-to-face, it was relatively easy to determine when a communication gave rise to a prospective client-lawyer relationship. Now, such a relationship can arise in many different ways: a lawyer’s website might ask a person to send information about his or her injury; a lawyer might exchange information with someone on a blog; or a lawyer might use his or her social networking page to provide advice to “friends.”

The prior version of Rule 1.18 (Duties to Prospective Client) stated that a “discussion” is necessary to give rise to a prospective client-lawyer relationship. In the commission’s opinion, that implied a two-way verbal exchange such as an in-person meeting or a telephone conversation. The commission stated that “discussion” did “not capture the idea that Internet-based communications can, in some situations, give rise to a prospective client relationship.”

By swapping out “discusses” for “consults,” the rule now clarifies that a prospective client-lawyer relationship may arise even when an oral discussion between a lawyer and client has not taken place. This small change was, however, accompanied by substantial revision to Comment 2, which now explains that consultation giving rise to a prospective client relationship can arise when an individual provides a response to “written, oral or electronic communications” by the lawyer that specifically invites the submission of information about a potential representation without clear and reasonably understandable warnings and cautionary statements that limit the lawyer’s obligation. Conversely, a prospective client relationship is unlikely to be created when an individual acts unilaterally and provides case-specific information in response to an advertisement that only lists the attorneys’ credentials, areas of practice, educational background, or provides “legal information of general interest.”

Similar concerns were addressed by the alterations to Rule 7.3, which was retitled “Solicitation of Clients” instead of “Direct Contact with Prospective Clients,” as well as to its comments.  Of particular interest is the new Comment 1 to Rule 7.3, which defines a “solicitation” as a “targeted communication” that is directed to a specific person and offers to provide legal services, but excludes communications from a lawyer that are directed to the general public, “such as through a billboard, an Internet banner advertisement, a website or a television commercial, or if it is in response to a request for information or is automatically generated in response to Internet searches.” Thus, the comment clarifies that advertisements automatically generated in response to a person’s Internet searches about legal issues are not “solicitations.”

Finally, because the means of communication between lawyer and client have become so varied, the commission believed that the last sentence of Comment 4 to Rule 1.4 (Communication), stating “[c]lient telephone calls should be promptly returned or acknowledged,” was inadequate. It now states: “Lawyers should promptly respond to or acknowledge client communications” reflecting the impact of technology such as email, texting, and the like on the way lawyers and clients now communicate.

Conclusion

In addition to the amendments to the rules, the commission asked the ABA Center for Professional Responsibility to create “a centralized user-friendly website with continuously updated and detailed information about confidentiality-related ethics issues arising from lawyers’ use of technology, including information about the latest data security standards.” The commission concluded that this kind of web-based resource is “critical,” given that rule-based guidance and ethics opinions “are insufficiently nimble to address the constantly changing nature of technology and the regularly evolving security risks associated with that technology.”

This website, in the commission’s view, should identify the key issues that lawyers should consider when using technology in their practices, such as the administrative, technical, and physical safeguards that should be employed. The commission also envisions a resource that highlights additional cutting-edge and more sophisticated topics, and that includes regularly updated information about security standards (such as the identification of standards-setting organizations) so that lawyers can more easily determine whether the technology that they employ is compliant with those standards.

The website and the changes to the Model Rules reflect the continuing importance of technology to the practice of law – and the concomitant need for lawyers to be aware of client confidentiality and client relationship issues that result. As technology continues to evolve and become ever more central to the practice, lawyers in New York, and across the country, must continue to think about, analyze, and respond to these issues as part of their day-to-day practice.



[4] Metadata is generally defined as “data about data” and is commonly understood to be hidden information that is automatically created in connection with any electronic document which may include the data’s means of production, editorial history, routing path, etc.

[5] The new language about metadata does not resolve a more controversial question: whether a lawyer should be permitted to look at metadata in the absence of consent or court authority to do so. Several ethics opinions, including ABA Formal Opinion 06-442 (2006), have concluded that Rule 4.4 does not prohibit a lawyer from reviewing metadata under those circumstances, but other ethics opinions, including from New York (N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Ethics Op. 749 at *3 (2001); NYCLA Comm. on Prof’l Ethics, Ethics Op. 738 (2008)) have reached the opposite conclusion and have said that lawyers should typically not be permitted to look at an opposing party’s metadata in the absence of consent or a court order. The amendments did not address when it is permissible to look at inadvertently disclosed data, but leave it to the “professional discretion” of the receiving lawyer to determine whether a document or electronically stored information should be returned unread.

[6] A similarly simple change was made to Rule 1.0(n) by substituting “electronic information” for “email” in its litany of what may constitute a “writing.” The commission reasoned that the prior definition was not sufficiently expansive given the wide range of methods that lawyers now use (or are likely to use in the near future) when memorializing an agreement, such as written consents to conflicts of interest.

 This article is reprinted with permission from the August 14, 2012 issue of the New York Law Journal. Copyright ALM Properties, Inc. Further duplication without permission is prohibited. All rights reserved.
