Ethics Panel: 1. Fill Bucket with Ice Water, 2. Pour Over Head
Tech columnist Bob Ambrogi identifies three top takeaways from a new, must-read legal ethics opinion.
If ever there was a rude awakening for luddite lawyers, it is the recently issued opinion of the American Bar Association’s Standing Committee on Ethics and Professional Responsibility on the steps lawyers should take to protect client confidentiality in email and electronic communications.
After Formal Opinion 477 came out on May 4, I wrote a fairly detailed breakdown and analysis of it at my LawSites blog, Nicole Black wrote about it here on ATL last week, and you can find several others who’ve written about it elsewhere. No doubt, it will be much dissected and discussed in the months to come.
Every lawyer should stop whatever he or she is doing and take time to read this opinion. I also hope you’ll read my earlier, more-detailed post about the opinion and those that others have written. That said, I want to review what I see as the opinion’s three most-important takeaways.
The Business Case For AI At Your Law Firm
1. This opinion is as much about technological competence as it is about confidentiality.
August will mark five years since the American Bar Association formally approved a change to the Model Rules of Professional Conduct to make clear that lawyers have a duty to be competent not only in the law and its practice, but also in technology. As of this writing, 27 states have adopted this duty of technology competence.
Even so, we have not had a lot of guidance as to what it means for a lawyer to be competent in technology. In a column here last year, I reviewed a handful of court opinions that have given some shape to the contours of this duty. Those cases, however, dealt with discovery and evidentiary issues and not day-to-day practice.
The subject of Opinion 477 is security and confidentiality of client information, but a key foundation on which it rests is the duty of technology competence. The opinion explicitly cites 2012 Model Rule on technological competency as a reason for the opinion’s issuance, as well as the rule on maintaining confidences.
Sponsored
Legal AI: 3 Steps Law Firms Should Take Now
Navigating Financial Success by Avoiding Common Pitfalls and Maximizing Firm Performance
The Business Case For AI At Your Law Firm
Early Adopters Of Legal AI Gaining Competitive Edge In Marketplace
At the intersection of a lawyer’s competence obligation to keep “abreast of knowledge of the benefits and risks associated with relevant technology,” and confidentiality obligation to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” lawyers must exercise reasonable efforts when using technology in communicating about client matters.
Lawyers have a two-pronged responsibility, this opinion is saying: To protect the confidentiality and security of client information, but also to be sufficiently competent in technology to be able to be able to exercise reasonable efforts to achieve such protection.
I opened this column calling this a rude awakening for luddite lawyers, but let’s face it, it isn’t only the luddites who lack competence in data and cyber security. This opinion is truly a wake-up call for all lawyers.
2. You can no longer be complacent about encryption and security.
This opinion explicitly describes itself as an update to Formal Opinion 99-413, issued in 1999, that concluded that lawyers were not required to encrypt confidential email because they had a reasonable expectation of privacy in all forms of email communications, encrypted or not.
Sponsored
Is The Future Of Law Distributed? Lessons From The Tech Adoption Curve
Early Adopters Of Legal AI Gaining Competitive Edge In Marketplace
This update requires stricter security measures, holding that some circumstances warrant lawyers using “particularly strong protective measures” such as encryption. The opinion declines to draw a bright line as to when encryption is required or as to the other security measures lawyers should take. Instead, it says that lawyers should conduct a “fact-based analysis” that includes evaluation of various factors:
[L]awyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters.
The opinion goes into detail about the considerations that should guide lawyers in conducting this case-by-case analysis of security. You can read them in the opinion and I summarize them in my prior blog post. The key takeaway, however, is that you must be constantly vigilant about security and that you must consider it for each new matter you take on.
3. You should discuss security with your clients.
An important aspect of this opinion is that it very strongly suggests that the lawyer should have a discussion with the client about when to use security measures and what form of security measures to take. In some cases, the opinion says, the client’s informed consent may be required:
Model Rule 1.4 may require a lawyer to discuss security safeguards with clients. Under certain circumstances, the lawyer may need to obtain informed consent from the client regarding whether to the use enhanced security measures, the costs involved, and the impact of those costs on the expense of the representation where nonstandard and not easily available or affordable security methods may be required or requested by the client.
Although the above quote couches the obligation to discuss security with the client by using the non-mandatory “may require” and “may need,” it later uses the stronger “should”:
At the beginning of the client/lawyer relationship, the lawyer and client should discuss what levels of security will be necessary for each electronic communication about client matters.
Later still, the opinion says:
When the lawyer reasonably believes that highly sensitive confidential client information is being transmitted so that extra measures to protect the email transmission are warranted, the lawyer should inform the client about the risks involved. The lawyer and client then should decide whether another mode of transmission, such as high level encryption or personal delivery is warranted. Similarly, a lawyer should consult with the client as to how to appropriately and safely use technology in their communication, in compliance with other laws that might be applicable to the client.
The opinion also says that a client “may insist or require that the lawyer undertake certain forms of communication.”
For most lawyers, these three takeaways will fundamentally change how they handle client communications in their day-to-day practices. Not only must lawyers think about security, but they must also understand it — at least better than most of them do now — and help their clients understand it.
Robert Ambrogi is a Massachusetts lawyer and journalist who has been covering legal technology and the web for more than 20 years, primarily through his blog LawSites.com. Former editor-in-chief of several legal newspapers, he is a fellow of the College of Law Practice Management and an inaugural Fastcase 50 honoree. He can be reached by email at ambrogi@gmail.com, and you can follow him on Twitter (@BobAmbrogi).
