Lawyers have an ethical duty to safeguard confidential information in the cloud
Catherine Sanders Reach of the Chicago Bar Association prefers ethics opinions that provide multiple scenarios because that “gives people a definitive way to plug in.” Photograph by Wayne Slezak.
The updated Model Rules have been adopted by 28 U.S. jurisdictions, according to the ABA Center for Professional Responsibility’s Policy Implementation Committee. However, state ethics committees are split on whether to add specifics or keep it general.
A 2014 Kentucky Bar Association opinion on cloud computing and confidentiality exemplified the general approach when it didn’t take a stand on a particular practice because “technology evolves every day.”
The general approach is not on account of the new rules, however. A New Jersey ethics opinion from 2006 stated there’s a reluctance to create an interpretation or requirement “tied to a specific understanding of technology that may very well be obsolete tomorrow.” In support of this conclusion, it referenced a 1983 opinion that called personal computers a novelty and focused on confidentiality issues raised by floppy disks, “the prevailing data storage device” at that time.
On the other hand, many states have tried to provide more specific guidance and considerations for lawyers. Catherine Sanders Reach, director of law practice management and technology at the Chicago Bar Association, says she understands why some bars want to write more general opinions. But she prefers those that provide multiple scenarios because “it gives people a definitive way to plug in.”
As an example, she points to a Texas Center for Legal Ethics opinion from 2015 regarding whether email should be used to send confidential information.
While determining that a lawyer could ethically communicate confidential information via email, the opinion provided a half-dozen circumstances in which heightened security may be prudent, including whether the email is sent from a public or borrowed computer, whether there was reason to think people outside the matter could access the receiving email account, and whether there was reason to think law enforcement may read the email—with or without a warrant.
LEARNING PROCESS
Other states have made separate attempts to provide more specific guidance, including ways to consider a cloud computing vendor, the use of public Wi-Fi, and how to discard old devices that store data. These efforts, Pera argues, are broadly helpful, but lawyers routinely want more.
“Many lawyers I talk to say, ‘Tell me what cloud providers I can use, and which I can’t,’ ” he says. But Pera does not think ethics opinions are the place for this discussion, saying that the “day that kind of guidance came out, it would be on the path to obsolescence.”
At the core of Pera’s concern is that lawyers’ adoption of technology, and the technology itself, is constantly changing. The ABA’s Commission on Ethics 20/20, which recommended the updates to the Model Rules, also acknowledged this by including a comment that extended attorney competency to include technology.
Comment 8 of Rule 1.1 says, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
To Pera, this means attorneys have to use technology they understand, find tech gurus to shore up their knowledge, and use easy and inexpensive—if not free—security measures to decrease risk whenever they can.
Using Harleysville as an example, he says, “we would never have that case” if the insurer made the easy choice to create a password.
To help lawyers understand cybersecurity, CLEs are popping up around the country. However, the Florida Bar has gone above and beyond. In September 2016, the Florida Supreme Court adopted the amended ABA Model Rule 1.1. At the same time, the Florida Bar became the first state bar association to require at least three hours of CLE training in a technology program over three years.
Adriana Linares, a technology consultant to the Florida Bar, told the ABA Journal’s Legal Rebels Podcast in late 2017 that the bar wanted to use mandatory CLEs to signal that technology is important and worth paying attention to. While cybersecurity is only one component of provided classes, Linares says the response from members is “overwhelmingly positive.”
Following Florida’s lead, the Pennsylvania Bar Association in January recommended the state supreme court adopt a technology CLE requirement of one hour every two years.
Technology “is an important area for lawyers given our responsibilities,” says Dan Harrington, chair of the PBA’s Legal Ethics & Professional Responsibility Committee.
He says the adoption of this requirement would benefit lawyers and their clients, and it’s not clear whether the state supreme court will approve this recommendation.
Regardless of whether technology CLEs are mandatory, Nelson of Sensei Enterprises says everyone should be attending the classes. “If you don’t attend one cybersecurity CLE a year, you’re likely doing yourself a disservice,” she says, adding that putting in this work can go a long way. “Anytime you’re getting better in cybersecurity, you’re doing pretty well.”
Correction: Michael McCabe is the co-vice chair of the Ethics and Professional Responsibility Committee of the ABA Intellectual Property Law Section, not the vice chair of the Standing Committee on Ethics and Professional Responsibility as previously reported.
This article was published in the April 2018 issue of the ABA Journal with the title "Cloudy Ethics: Lawyers have an ethical duty to safeguard clients’ confidential information—a task that’s become more complicated as the cloud becomes more ubiquitous."
