Lawyers must secure client communications from cyber breaches
In May, the ABA Standing Committee on Ethics and Professional Responsibility released an opinion that says lawyers must make reasonable efforts to ensure that communications with their clients are secure and not subject to inadvertent or unauthorized cybersecurity breaches.
Formal Opinion 477 (PDF) updates Formal Opinion 99-413, which was issued in 1999 before the widespread use of tablet devices, smartphones and cloud storage.
“It is an important opinion because there have been many changes in the cybersecurity realm,” says Peter Geraghty, senior counsel and ETHICSearch director with the ABA Center for Professional Responsibility. “There have been all kinds of new applications that have come into play. It is important to address these new developments and how they might apply to lawyers’ day-to-day practices.”
The new opinion explains: “Each device and each storage location offer an opportunity for the inadvertent or unauthorized disclosure of information relating to the representation and thus implicate a lawyer’s ethical duties.”
These duties include competency, confidentiality and communication. Rule 1.1 of the ABA Model Rules of Professional Conduct, which addresses competency, has included a technology clause since 2012: Comment 8 to the rule provides that lawyers must stay abreast of “the benefits and risks associated with relevant technology.”
Ethics expert Peter A. Joy, a professor at Washington University School of Law in St. Louis, thinks the opinion should have done more to discuss competency.
“The opinion quotes the comment to Model Rule 1.1 on keeping up with technology, but few lawyers really understand what keeping abreast of technology really means,” he says. “Some may think knowing how to use the technology, like the internet or email, is enough. They may fail to realize that using the internet provided by their favorite coffee shop or at the airport to communicate with clients is not secure.”
‘Reasonable Efforts’ Approach
The bulk of the opinion addresses lawyers’ obligations to ensure the confidentiality of client information. In 2012, Rule 1.6 was amended to add a new paragraph (c): “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18 to the rule says such unauthorized access or inadvertent or unauthorized disclosure of client info “does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”
Citing the ABA Cybersecurity Handbook, the opinion explains that reasonable effort is a fact-specific inquiry. It requires examining the sensitivity of the information, the risk of disclosure without additional precautions, the cost of extra measures, the difficulty of adding safeguards, and whether more safeguards adversely affect the lawyer’s ability to represent the client. The opinion adds that lawyers must adopt a process to systematically assess and address cyberrisks.
Generally, lawyers may use unencrypted email when they communicate with clients routinely, the opinion says, but only if they have “implemented basic and reasonably available methods of common electronic security measures.”
The opinion also observes that cyberthreats in “highly sensitive industries, such as industrial designs, mergers and acquisitions or trade secrets, and industries like health care, banking, defense or education, may present a higher risk of data theft.” In such higher-risk scenarios, the opinion says, meeting the reasonable-efforts standard will likely mean that “greater effort is warranted.” For example, “particularly strong protective measures, like encryption, are warranted in some circumstances.”
The opinion provides seven considerations for guidance, including understanding the nature of the threat; how client confidential information is transmitted and stored; the use of reasonable electronic security measures; how electronic communications should be protected; the need to label client information as privileged and confidential; the need to train lawyers and nonlawyer assistants in technology and cybersecurity; and the need to conduct due diligence on vendors who provide technology services.
“Overall, I think it is a fantastic opinion, particularly with regard to its treatment of lawyers’ obligations regarding confidentiality,” says legal ethics scholar Eli Wald, a professor at the University of Denver’s Sturm College of Law. “In general, ethics opinions are meant to explain the applicable rules of professional conduct. Facing increased cyberrisks, this opinion provides clear and useful guidance on when lawyers may need to do more to ensure that client communications are secure. The opinion does a great job of clarifying and explaining in practical terms what lawyers must do to comply with the confidentiality and competence rules pertaining to cybersecurity.”
When to Pipe Up
The opinion also briefly addresses communication, covered by Rule 1.4. The opinion says lawyers should inform clients about inherent risks when they transmit “highly sensitive confidential client information.” The opinion notes that “Model Rule 1.4 may require a lawyer to discuss security safeguards with clients.”
For example, the opinion says that if a lawyer reasonably thinks highly sensitive confidential client information is being transmitted such that “extra measures” are needed for protection, the lawyer should inform the client and discuss options.
“The lawyer and client then should decide whether another mode of transmission, such as high-level encryption or personal delivery, is warranted,” the opinion reads. “Similarly, a lawyer should consult with the client as to how to appropriately and safely use technology in their communication, in compliance with other laws that might be applicable to the client.”
“Lawyers need to communicate with clients about cyberrisks from the initial meeting and then periodically thereafter,” Joy says. “First and foremost, there needs to be a discussion about whether and when email will be used.”
Wald thinks the opinion could have done a better job of explaining when lawyers must communicate to clients in the event of a security or a data breach. In a 2016 law review article, “Legal Ethics’ Next Frontier: Lawyers and Cybersecurity,” published in the Chapman Law Review, Wald argues that legal ethics rules should mandate that lawyers disclose “to clients when their confidential information was, or is, reasonably believed to have been accessed by an unauthorized party.”
The difficulty in this area for lawyers, Wald says, is that often with a security breach, lawyers don’t know who hacked their devices or server, nor do they know exactly what confidential client information was accessed.
“The opinion correctly points out that Model Rule 1.4 may require a lawyer to discuss security safeguards with a client,” Wald says. “However, after reading this opinion, a lawyer may reasonably ask, ‘When exactly do I need to communicate to a client about security risks and breaches?’ The opinion could have given more guidance to lawyers as to under what circumstances they should communicate with clients about cyberthreats, security breaches, compromised confidential information and possible remedies.”
This article appeared in the July 2017 issue of the ABA Journal with the headline "21st-Century Standards: Lawyers must secure client communications from cyber breaches."