ABA Opinion Raises Ethics Bar on Cybersecurity

Is the day approaching when the mere act of sending a sensitive client email without encryption could be an ethics violation?

A new ABA opinion suggests as much.

In May, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477. The 11-page opinion covers a range of issues for attorneys to consider in order to protect confidential client information from “nefarious actors throughout the internet.”

The opinion is a deep dive into the ethical parameters of law firm security.

“The ABA’s latest guidance on cybersecurity is a must read that should give pause to every lawyer, law firm IT department and law firm manager,” writes this IP/ethics commentator. “The cyber threat is, unfortunately, a part of our daily practice. As lawyers, we have a duty to deal with it. Top down, it is a management responsibility. And we should be discussing these matters with our clients…. Implementing the ‘right’ cybersecurity measures for a given representation is fast becoming – if it is not here already – a lawyer’s ethical duty.”

Overlapping Ethical Obligations

ABA Formal Opinion 477 arrives at the intersection of three bedrock ethical duties: competence, communication and confidentiality.

The internet – and our 24/7 reliance on smartphones, mobile devices and online technology – has changed how these principles apply to the daily work of a practicing attorney.

In 2012, the ABA revised Model Rule 1.1 (Competence) to require lawyers to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”  North Carolina followed suit by changing its corresponding rule.

The ABA – and North Carolina as well – also tweaked Model Rule 1.6 (Confidentiality) by adding new language: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Now comes ABA Formal Ethics Opinion 477, which goes a step further.

“Reasonable” Efforts Usually Required

In most circumstances, says the ABA, a lawyer may transmit client information over the internet if “reasonable efforts” are made to prevent inadvertent or unauthorized access. But “special security precautions” may be called for when:

• Required by an agreement with the client.
• Required by law.
• Required by the “nature of the information.”

Seven Key Considerations

The opinion lists seven factors to consider when determining the appropriate level of cybersecurity:

1. The nature of the threat. “Client matters involving proprietary information in highly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft.”
2. How client confidential info is stored and sent. “Every access point is a potential entry point for a data loss or disclosure. Each access point, and each device, should be evaluated for security compliance.”
3. The use of reasonable electronic security measures. “A lawyer has a variety of options to safeguard communications including, for example, using secure internet access methods to communicate, access and store client information (such as through secure Wi-Fi, the use of a Virtual Private Network, or another secure internet portal), using unique complex Malware/AntiSpyware/Antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software.”
4. How electronic communications should be protected. “Different communications require different levels of protection. At the beginning of the client-lawyer relationship, the lawyer and client should discuss what levels of security will be necessary for each electronic communication about client matters. Communications to third parties containing protected client information requires analysis to determine what degree of protection is appropriate.”
5. The need to label client information as privileged and confidential. “This can also consist of something as simple as appending a message or ‘disclaimer’ to client emails, where such a disclaimer is accurate and appropriate for the communication.”
6. The need to train lawyers and nonlawyer assistants. “In the context of electronic communications, lawyers must establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients”
7. The need to conduct due diligence on vendors who provide technology services. Guidance in this regard can be found in ABA Formal Opinion 08-451.

Has the internet made it harder to keep up with the ethics rules? What do you think?

Sources:

• ABA Formal Opinion 477 https://www.americanbar.org/content/dam/aba/images/abanews/FormalOpinion477.pdf
• IP/Ethics Law https://www.ipethicslaw.com/to-encrypt-or-not-to-encrypt-that-is-the-question/#.WRWz3CTbIt0.linkedin
• NC State Bar Rule 1.1 https://www.ncbar.gov/for-lawyers/ethics/rules-of-professional-conduct/rule-11-competence/
• NC State Bar Rule 1.6 https://www.ncbar.gov/for-lawyers/ethics/rules-of-professional-conduct/rule-16-confidentiality-of-information/
• ABA Journal http://www.abajournal.com/news/article/ethics_opinion_addresses_attorneys_obligations_secure_client_communications/?utm_source=internal&utm_medium=navigation&utm_campaign=most_read