Cybersecurity, Confidentiality, And Lawyers' Ethical Obligations To Their Clients (Part I)

Attorneys need to be keenly aware that their ethical obligations to maintain confidentiality are complicated by technology.

Attorneys beware: lawyers know they have a duty to preserve client confidences, but many may not realize how broad and far this duty extends in a digital world. Every attorney knows that attorney-client confidentiality is a keystone to the attorney-client relationship. Clients need to be able to confide in their lawyer, and attorney-client confidentiality encourages this conduct.  In turn,  attorney-client confidentiality provides a mechanism for lawyers to get the information they need to give appropriate advice to their client.  Being keenly aware of their ethical obligations to protect the confidentiality of their client information is one thing, but more and more of this information is being retained beyond the legal pad and within the digital realm. Simply put, attorneys need to be keenly aware that their ethical obligations to maintain such confidentiality are complicated by technology and extend beyond the keyboard.

Although each state incorporates its own rules of professional conduct for its members of the bar, these ethical rules all derive from canons of professional responsibility now embodied in the Model Rules of Professional Conduct of the American Bar Association. These “Model Rules” operate as a model for the legal ethical rules implemented by most state bar associations, so guidance from the ABA on these rules is instructive.  When it comes to the security of confidential client data in this context, the guidance is eye-opening.

Under Model Rule 1.6, “[a] lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is [otherwise] permitted [under this rule].” This rule implies that such information is not limited to confidential information, or even privileged information.  In essence, any “information relating to the representation of a client” must be held in confidence.  No note is made about where such information may reside, but only that such information must remain confidential unless there is client consent to disclosure, disclosure implied by the representation or other exception.

When it comes to technology and client confidential information, the underlying duty of confidentiality remains yet gets more complicated.  The ABA issued Formal Opinion 99-413 in 1999 regarding the use of email, finding that its use to communicate with clients was ethically permissible under the technologies of the day because it was consistent with a reasonable expectation of privacy.  But what about other technologies? In a comment to Model Rule 1.1 addressing a lawyer’s duty of competence in providing legal representation, the ABA Ethics Commission stressed that compliance with the rule requires an attorney to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology” in order to maintain the requisite knowledge and skill for the practice of law. If this sounds like lawyers have a duty to reasonably keep up with technology they are using in their practice, you’re right.

ABA Formal Opinion 477R took the additional step of addressing the evolution of technology, picking up where Formal Opinion 99-413 left off. Specifically, Formal Opinion 477R acknowledges that “legal services now regularly use a variety of devices to create, transmit and store confidential communications” such as smartphones, tablets and even the cloud, creating opportunities for the inadvertent or unauthorized disclosure of information relating to the representation, with “[e]ach device and each storage location offer[ing] an opportunity for the inadvertent or unauthorized disclosure of information relating to the representation, and thus implicat[ing] a lawyer’s ethical duties.” Formal Opinion 477R states that “[a] lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access.” In essence, lawyers must reasonably protect against unauthorized or inadvertent access to such devices and the client confidential information that such devices may contain or otherwise access.

Consistent with the confidentiality obligation as applied to use of technology in legal services, does this ethical obligation extend to any electronic data breach of such confidential information? The answer is yes. ABA Formal Opinion 483 was recently issued in October 2018 addressing this very point. Citing Formal Opinion 477R, the guidance affirms the duty that lawyers have to notify clients of a data breach and outlines reasonable steps necessary to meet the ethical obligations set forth by ABA Model Rules. Although the opinion cites multiple ethical rules that come into play when a breach of confidential client information “is either suspected or detected,” the lawyer has a duty to “act reasonably and promptly to stop the breach and mitigate damage resulting from the breach….” What does this mean? It means that notwithstanding any other statutory scheme that may apply to such data breach and impose certain post-breach obligations, the guidance asserts that a lawyer has an ethical duty to take action.

How lawyers must address such post-breach obligations will depend upon the circumstances of the breach.  More specifically, it “depends on the nature of the cyber incident, the ability of the attorney to know about the facts and circumstances surrounding the cyber incident, and the attorney’s roles, level of authority, and responsibility in the law firm’s operations.”  It is important to note that not all incidents rise to the level of a breach. Under Formal Opinion 483, a “data breach…means a data event where material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”  Under this definition, an unauthorized access to such information that does not exfiltrate the information or otherwise compromise it would not constitute a data breach, but if such access “significantly impaired” the attorney’s ability to perform services on behalf of the client, it would meet the definition.  How each jurisdiction implements such guidance has yet to be seen, but suffice it to say that Formal Opinion 483 should be taken very seriously by every legal practitioner and law firm.


The foregoing sets the foundation for the ethical obligations of lawyers when it comes to the security of their clients’ data. Although the guidance does not focus on how lawyers can comply or what they specifically need to do for compliance, it does stress the need to be proactive. How can this be done? There are a number of steps, which I will outline in a future article, that every attorney (and their firm) should take, at a minimum, to be proactive in managing their client confidential information. Until then, each attorney should take heed that their ethical duties to maintain client confidential information require more effort today than they did in the past, and we have technology to thank for it.


Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.
