On May 22, 2017, the ABA Standing Committee on Ethics and Professional Responsibility issued a new formal opinion on Securing Communication of Protected Client Information. See ABA Formal Op. 477R (May 22, 2017). In so doing, the committee updated a 1999 opinion on the topic because “the role and risks of technology in the practice of law have evolved” over time.
The regulatory framework governing a lawyer’s use of electronic technology for communication is built on reasonableness. A lawyer must be competent, exercising the legal knowledge, skill, thoroughness, and preparation “reasonably necessary” for the representation. See ABA Model Rule 1.1. Further, a lawyer must make “reasonable efforts” to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, client information. See ABA Model Rule 1.6(c). To comply with these standards, a lawyer must “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” See ABA Model Rule 1.1, cmt. 8. What is “reasonable,” of course, changes with the circumstances. Among the factors a lawyer should consider in handling electronic information are the following:
- the sensitivity of the information;
- the likelihood of disclosure if additional safeguards are not employed;
- the cost of employing additional safeguards;
- the difficulty of implementing the safeguards; and
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
See ABA Model Rule 1.6, cmt. 18. Given these indeterminate standards, what’s a lawyer to do? The opinion offers this advice.
First, a lawyer needs to understand the nature of the threats to security. If the information in question is at high risk for cyber intrusion (such as information relating to trade secrets, mergers, and the like), then “greater effort is warranted” to protect the information.
Second, a lawyer needs to understand how electronic communications are created, where the data is stored, and what “avenues exist to access the information.” Only then can the lawyer evaluate each device and access point for vulnerabilities.
Third, a lawyer needs to “understand and use reasonable electronic security measures.” This is probably the most practical advice in the opinion. For example, a lawyer should understand how to use “secure internet access methods to communicate, access and store client information (such as through secure Wi-Fi, the use of a Virtual Private Network, or another secure internet portal), using unique complex passwords, changed periodically, implementing firewalls and anti-Malware/AntiSpyware/Antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software.”
Fourth, a lawyer needs to use “different levels of protection” when called for by the circumstances. If information is highly sensitive, “a lawyer should encrypt the transmission,” “consider the use of password protection for any attachments,” or “consider the use of a well vetted and secure third-party cloud based file storage system to exchange documents normally attached to emails.”
Fifth, a lawyer should mark sensitive communications as “privileged and confidential.” Such a “clear and conspicuous” label could trigger an inadvertent recipient’s obligations under Model Rule 4.4(b) to “promptly notify” the sender of the error.
Sixth, a lawyer should “establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients.” A lawyer should also ensure that vendors retained by the lawyer protect client information.
In conclusion, the opinion advises that a lawyer should get informed consent from the lawyer’s client “as to how to appropriately and safely use technology in their communication.” For example, I include this language in my engagement agreement: “Lawyer and Client will communicate with one another using unencrypted email and mobile telephones. Both understand that there are risks to confidentiality associated with these means of communication.”
My takeaway from the opinion is this: unencrypted email and ordinary cloud-storage facilities (such as Dropbox) are almost always fine. “Special security precautions” are necessary only when “required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.” Which is to say, über-security measures needn’t be used often. But ordinary digital hygiene is required. And unfortunately, practices that are “ordinary” to those with basic technological competence—things like using complex passwords, enabling two-factor authentication, and regularly updating software—are sometimes not ordinarily used by ordinary lawyers. Therein lies the true risk to client data integrity and confidentiality.