In May 2017, the ABA Standing Committee on Ethics and Professional Responsibility released an opinion providing guidelines that practicing attorneys should follow to ensure that communications with their clients are protected, and not subject to cybersecurity breaches. The opinion states that attorneys must make “reasonable efforts” to ensure their client communications are secure. See ABA Comm. On Ethics & Prof’l Responsibility, Formal Op. 477R (2017) (hereinafter referred to as the “ABA Opinion”).
The opinion suggests that a lawyer must generally make reasonable efforts to protect against inadvertent or unauthorized access when transmitting client information over the internet, including email. Id. at 1. The opinion also emphasizes that under certain circumstances, a lawyer may be required to take special security precautions when required by law, or when the nature of the information requires a higher degree of security. Id.
The ABA opinion focuses on how Model Rules of Professional Conduct 1.1, 1.6, and 1.4 relate to a lawyer’s duty to protect client information from cyber threats. In 2012, Model Rule 1.1, competency, was amended to include a technology clause. Comment 8 to the rule expounds that lawyers must remain aware of the benefits and risks associated with relevant technology. See Model Rules of Prof’l Conduct R. (“Rule”) 1.1 (2016). As technology evolves, a lawyer’s understanding of technology must also evolve in order to ensure compliance and provide competent representation.
Lawyers must also be aware of technological changes in order to uphold their duty of confidentiality. Rule 1.6 provides that, “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Rule 1.6(c). The opinion distinguishes that what constitutes a reasonable effort is not a “hard and fast rule”, but rather a flexible set of factors that are weighed on a case by case basis. ABA Opinion p. 4. These factors include: the sensitivity of information, the likelihood of disclosure if additional safeguards are not employed the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients. Id. at 4-5.
By applying these factors, the ABA Committee gives the example that an attorney may need to use encrypted email when communicating with clients in certain situations, but not others. Id. The opinion stresses that client communications through unsecure networks, applications, and mobile devices could equally put sensitive client information at risk. Id. Attorneys should assess the risk of inadvertent disclosure of client information before connecting to unsecure networks, using computers and servers without anti-virus software, and sending unencrypted communications.
The Ethics Committee also highlights the importance of discussing the risks of technology with both clients and outside vendors under Model Rule 1.4. Practicing attorneys should communicate with clients and outside vendors about the dangers and prevention of inadvertent disclosures. In addition, attorneys should mark all electronic communication containing sensitive information as “privileged” or “confidential.” ABA Opinion p. 8. Supervisory attorneys are responsible for monitoring subordinate attorneys, clients, and outside vendors, to ensure compliance with these rules.
To ensure compliance with the Rules of Professional Conduct, attorneys should stay up-to-date and educated about technological advances, as they are responsible for employing up-to-date procedures to address and prevent inadvertent disclosures in accordance with the Rules of Professional Conduct. In the world of increasing cyber security threats, attorneys must make well-informed decisions and implement appropriate procedures to protect their client’s information. Practicing attorneys should analyze and discuss with their clients, on a case-by-case basis, the best ways to communicate by electronic means.