The obligation for lawyers to keep and protect a client’s secrets is nearly as old as the profession itself. But the proliferation of technology has complicated what steps lawyers must take to satisfy this obligation. As the technology changes, so do the rules for lawyers. On May 4, 2017, the American Bar Association Standing Committee on Ethics and Professional Responsibility published ABA Formal Ethics Opinion 477, outlining the latest guidance for dealing with and protecting client information. Here are three take-aways from the opinion:
- Understand your system and how you transmit and store confidential client information.
ABA Formal Opinion 477 does not impose a greater or different duty to protect client information based on the way it is communicated or the place it is stored. Rather, it extends the existing core duties to apply in a more complicated technological world. And there is simply no way to navigate those complicated waters without first understanding the boat you are in. Lawyers need to understand exactly where the information is being stored—servers, clouds, computers, tablets, smartphones, etc. Then they must understand how that information can be accessed, and how it is treated when it is used in communications. Every device and storage location offers vulnerability for inadvertent or unauthorized access.
- Competent representation means knowing the latest technology.
The duty of competent representation has been around for a very long time, but the scope of that duty is expanding. As technology changes, so does its impact on the practice of law—and lawyers are obligated to keep up with and understand these changes. ABA Opinion 477 states:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
The language of the opinion suggests that lawyers will no longer be able to just outsource IT decisions on cyber security. It seems to charge every lawyer with the requirement to know and learn about how information is being stored and how to protect it.
- What constitutes a reasonable effort is fact-specific.
Lawyers must take reasonable measures to protect confidential information, but ABA Opinion 477 rejects a litmus test approach. Instead, it says that defining reasonable measures requires a fact-based approach that includes a process to assess risks, identify and implement appropriate security measures responsive to those risks, and ensure that they are continually updated in response to new developments. The opinion adopts the following factors set forth in Model Rule 1.6(c) Comment 18 as guidance for “reasonable efforts:”
- Sensitivity of the Information;
- The likelihood of disclosure if additional safeguards are not employed;
- The cost of employing additional safeguards;
- The difficulty of implementing the safe guards; and
- The extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
This fact based analysis means that particularly strong protective measures, like encryption, are warranted in some situations but that less security will suffice in others.
The real problem with this approach for lawyers is that it makes the lawyer decide how much protection is warranted—which creates a situation ripe for Monday-morning-quarterbacking. The adequacy of the protection will only be scrutinized if it fails and there is a breach. And the protection level that the lawyer chooses will be scrutinized at with the benefit of hindsight—and almost certainly will be criticized, given that it failed.
The days of being able to just assume that you are covered because your law firm or IT department is handling everything may be at an end. Every lawyer should read ABA Formal Rule 477 and make sure that they know exactly how thick the ice is. And make sure the client knows what steps are being taken and what steps are not.