When It Comes To Cybersecurity, Solos Need Best Practices, Not Ethics

Would you teach firefighters theory, or give them hoses?

These days, it’s a dangerous world out there for lawyers doing business online.

Two weeks ago, I wrote about two hapless law firms — one that fell victim to ransomware attacks that shut the firm down for three weeks, the other that wound up wiring several hundred thousand dollars in payment for a house on behalf of its client to a fake account instead of to the seller. Meanwhile, earlier this month, the ABA released Formal Opinion 477, which cautions that lawyers may need to consider more secure measures of communicating with clients than just standard, unencrypted email. Formal Opinion 477 represents a sharp departure from the ABA’s position back in Formal Opinion 99-413, which concluded that because lawyers have a reasonable expectation of privacy in communicating by email, “it follows that [use of email] is consistent with the lawyers’ obligation to protect the confidentiality of client communications.”

Although Formal Opinion 477 does not exactly forbid lawyers from using email, most of the regular legal tech commentators — Bob Ambrogi, Nicole Black, and Jim Calloway — all concur that the opinion requires enhanced precautions when using email, which might take the form of email encryption (Calloway), communication with clients in secure portals (Black), or following special requests for security made by clients (Ambrogi).

Unfortunately, even with Formal Opinion 477’s eleven pages of guidance and detailed blogger commentary, the ABA’s new views on use of email will go unheeded by the solo lawyers who most need the guidance. After all, the lawyers who actually track ABA ethics decisions or follow legal tech blogs are already practicing “safe security.” It’s the vast majority of solo lawyers who are only now coming on board with technology or who lack the time or interest to keep up with legal tech blogs who will remain uninformed, to the detriment of their clients. And even though twenty-six states now impose on lawyers a duty of technology competence, that’s a rather amorphous standard that’s difficult to clearly define or enforce.

Nor is it a solution to make technology a required component of mandatory CLE — a “full-employment-for-consultants” measure that the Florida Bar adopted last year. Again, the lawyers most likely to skimp on security are those struggling financially and working round the clock — so even if they manage to find a cheap or free CLE on technology, most likely, they won’t have the time to implement any security measures after the program is over.

So what can we do to ensure that lawyers adopt the enhanced security measures endorsed by ABA Formal Opinion 477? Why not take the ethics out of technology?

I realize that my suggestion seems counter-intuitive, but hear me out. The problem with making something as important as security the subject of legal ethics is that ethics are inherently mushy-gushy because they’re intended to govern the gray matters where lawyers must exercise discretion. Moreover, in most cases involving ethical dilemmas — such as potential conflicts of interest or the risk of clients perjuring themselves on the stand — lawyers have days or weeks to research the issues or talk them over with colleagues.

Computer security doesn’t work that way. Lawyers send and receive emails every hour of every day, and each time they do so without proper precaution, they expose themselves and their clients to grave risk. Busy lawyers in this situation need checklists, online tutorials, and readily accessible manuals so that they can quickly, and at little or no cost, put in place a security system that works for their firm.

With ABA Formal Opinion 477 now released, other states are likely to follow suit with their own pronouncements on the ethics of lawyers’ use of email. Each state will devote countless hours to drawing upon obscure ethics decisions in jurisdictions across the country and issuing its own 20-page ruling that busy solos don’t have the time to read and that, in any event, is likely to raise more questions than it answers. Wouldn’t it simply be easier, not to mention far more useful, for ethics regulators to combine their efforts and release a step-by-step checklist or manual of best practices for lawyers to follow when communicating electronically with clients?

Security in a digital age is too important an issue to leave to legal ethics. Just as we’d never dream of sending firefighters into a raging inferno armed with only a tome on the history of fire or a chemistry treatise on the law of thermodynamics instead of a ladder and hoses, we shouldn’t be trying to fend off the digital parade of horribles that arise from security breaches — the ransomware and identity-theft and hacking and phishing — with a dull-as-paste academic discourse on the duty of confidentiality. Instead, if we’re really serious about protecting attorney-client confidences in the digital age, let’s at least arm lawyers with real weapons they can use to shield themselves and their clients.


Carolyn Elefant has been blogging about solo and small firm practice at MyShingle.com since 2002 and operated her firm, the Law Offices of Carolyn Elefant PLLC, even longer than that. She’s also authored a bunch of books on topics like starting a law practice, social media, and 21st century lawyer representation agreements (affiliate links). If you’re really that interested in learning more about Carolyn, just Google her. The Internet never lies, right? You can contact Carolyn by email at elefant@myshingle.com or follow her on Twitter at @carolynelefant.
