ABA Issues New Guidance on Confidentiality and the Use of Technology
May 17, 2017 | |The American Bar Association’s Standing Committee on Ethics and Professional Responsibility recently issued a Formal Opinion, providing updated recommendations regarding lawyers’ obligations when using technology resources to communicate with clients and to protect confidential client information.
Since 1999, the Committee has advised that the ABA Model Rules of Professional Conduct permit an attorney to transmit information relating to the representation of a client over the internet. This guidance remains in place today. Formal Opinion 477 was intended to supplement that broad guidance, in light of the increasing role of technology in legal practice and the growing cybersecurity threats faced by attorneys.
Although the ABA’s Model Rules of Professional Conduct are not, in and of themselves, legally binding, most states and territories have adopted some or all aspects of the Model Rules as part of the ethical standards to be followed in their jurisdiction. For example, effective in 2009, New York adopted a highly modified version of the ABA Model Rules as its Rules of Professional Conduct, which differs substantially from the ABA Model Rules. Nevertheless, the ABA’s Formal Opinion provides guidance for lawyers to consider under the standards of their own jurisdiction in order to safeguard the sanctity of attorney-client confidentiality from inadvertent waiver or deliberate intrusion.
Formal Opinion 477
The Formal Opinion notes that no greater or different duties of confidentiality are imposed based upon the method by which a lawyer communicates with a client. However, because law firms may present a target-rich environment for hackers, how lawyers continue to comply with their “core duty” of confidentiality in an ever-changing technological world requires “some reflection.” The Opinion acknowledges that lawyers are not and cannot be expected to be guarantors of data safety, but suggests that lawyers undertake “reasonable efforts” to prevent inadvertent or unauthorized access to client information. Undertaking such reasonable efforts may require at least a basic understanding of the typical uses of technology by the law practice and their clients. Under a recent revision to the Model Code, competence in practice includes an obligation to keep abreast of relevant technological developments pertinent to the practice of law.
The Committee does not take the position that an attorney is required to use any particular security measure, such as firewalls, passwords or encrypted emails, in order to comply with the obligation to make “reasonable efforts” to secure client information. Instead, the Opinion recommends that attorneys employ a fact-based analysis of what may constitute “reasonable efforts” to protect client confidences under the particular circumstances. Such analysis may include a variety of factors depending on the circumstances, such as the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of additional safeguards, the difficulty of implementing the safeguards and the extent to which additional safeguards may adversely affect the lawyer’s ability to represent the client.
Another factor that may be germane to the analysis is whether the attorney’s practice areas or clients are of particular interest to data thieves. For example, attorneys who represent clients in areas such as industrial design, mergers and acquisitions or trade secrets, may be in possession of client information that is attractive to hackers. Likewise, attorneys who represent clients in regulated industries such as healthcare, banking, defense or education, may have access to data that is governed by confidentiality standards in addition to those that arise in the context of the attorney-client relationship. Accordingly, the Opinion suggests that “reasonable efforts” may mean that greater security efforts be considered based on the client’s status and regulatory requirements.
In addition, the Opinion recommends that attorneys should develop an understanding both of their own information systems and reasonable electronic security measures that may be implemented. Attorneys should generally be aware of how their firm’s electronic communications are created, stored and accessed, and should consider implementing various methods to safeguard client communications. This recommendation should not be interpreted, however, to impose a requirement that attorneys need to become security experts or information technologists in order to competently provide legal services.
Moreover, the Opinion does not mandate the use of any particular measure or tool. It does, however, note that available options include using secure internet access methods (such as secure Wi-Fi, the use of virtual private networks or other secure portals), using unique complex passwords, requiring passwords to be changed periodically, implementing firewalls and anti-malware/anti-spyware/antivirus software on all devices upon which client confidential information is transmitted or stored, regularly updating software, using methods to remotely disable lost or stolen devices, encrypting data physically stored on devices and multi-factor authentication to access firm systems.
Because different communications may require different levels of protection, the Committee suggests that at the beginning of the client-lawyer relationship, the client and lawyer may want to discuss what levels of data security will be followed. Routine communications sent electronically may not warrant anything more than basic measures. However, if particularly sensitive client communications or documents must be transmitted, additional protection, such as the use of password protections or secure third-party cloud-based storage systems, may be preferable.
Attorneys should also consider whether a particular client’s lack of technological sophistication or limitations on technology may put communications at risk. For example, a client’s routine use of computers or devices that may be accessed or controlled by third parties may endanger the attorney-client privilege or act as an unintended waiver by the client as to the confidentiality of the clients’ communications. This may arise, for example, in certain jurisdictions, in employment disputes, if a client employs a work email account to communicate with his or her attorney or in divorce matters, if a spouse knows the password to the client’s email account.
The Opinion further suggests that client communications be marked as “Privileged and Confidential” so as to alert any unintended recipients that the communication was intended to be confidential. Under Model Rule 4.4(b), an attorney who knows or reasonably should know that he or she has received an inadvertently sent document is required to promptly notify the sending lawyer.
Reasonable efforts by attorneys in supervisory or managerial roles may also require inquiry into how employees will handle client data. Responsibilities may include, for example, enactment of policies, employee training and follow-up. Attorneys may also want to exercise due diligence when vetting vendors for retention by clients who do not select and negotiate with the vendors themselves.
Finally, the Opinion notes that what constitutes a reasonable effort to safeguard confidential information may be modified by agreement with the client. A client may mandate increased efforts to protect security by insisting that an attorney undertake heightened security measures that are not required by the Model Rules; or an attorney may waive certain security measures by giving informed consent to use a means of communication that would otherwise be prohibited.
In sum, the new Opinion does not discuss a one-size-fits-all solution to data security, instead recognizing that attorneys are practicing in a range of technological and risk environments. Every practitioner should also be aware of the distinctions between the Model Rules and the ethical standards of his/her jurisdiction. (A state-by-state summary of the variance between state rules and Model Rules can be found here). All legal practitioners need to be conscious of the risks related to the electronic transmission and storage of client communications and confidential information and to make reasonable efforts to avoid inadvertent or unauthorized disclosures.
To read the entire opinion, click here.
This article also appeared in the July/August issue of Pratt’s Privacy & Cybersecurity Law Report.
