Ethics Tip of the Month
Brought to you by ABA ETHICSearch
How “Ethical” is your Password?
Chances are that if it is “password”, “password1” or “12345678”, you might be close to the line. SplashData, a purveyor of password management applications, has released its list of the 25 most common, and also easiest to crack, passwords of 2012, and those three are on it. See also the blog entry by Bruce Schneier (Schneier on Security) on password security.
Despite the risks of data breaches, users still aren’t adopting the best possible passwords, probably because so many sites require one and it’s just too much to remember. Users often reuse passwords or create small variations on a theme in their passwords across sites. A weak password used at a low-security website, such as a newspaper or magazine website, can give a hacker a toehold: the password is more easily gleaned there and can then be used in attempts to gain access to the user’s more sensitive information. Experts advise that a good password is not a name or a word found in a dictionary and combines lower and upper case letters with symbols and numbers.
The ABA Model Rules of Professional Conduct do not articulate standards for passwords, but the care a lawyer should exercise when choosing one can be implied from ABA Model Rules 1.1 (Competence) and 1.6 (Confidentiality). This past August the ABA adopted a number of changes to the Model Rules proposed by the ABA Commission on Ethics 20/20 relating to technology and confidentiality. See Report 105(A). The Commission added a sentence to paragraph 6 of the Comment to Rule 1.1 that states as follows:
“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
The Commission also added subsection (c) to Rule 1.6 Confidentiality that states:
“(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
New language added to paragraph 19 of the Comment to Rule 1.6 reduces the responsibility of the lawyer if the lawyer has made reasonable efforts to prevent the access or disclosure. Reasonableness here is based on several factors: the sensitivity of the information, the likelihood of disclosure without more safeguards, the cost of additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients. The Comment points out that a client can require special security measures not required by this Rule or may give his informed consent to forgo them.
These additions to the Rules are a sign that the ethical requirements for adequate computer security are moving from general and exhortatory to specific and practical. Most likely the particular standards will be drawn in future court decisions. Meanwhile, as long as lists of weak passwords are being issued and written about, take heed and don’t be a poster child for data breaches caused by a weak password.
© 2013 by the American Bar Association
ABA ETHICSearch is a research service only. We are not acting as your lawyers in this matter. The research assistance we provide is not to be construed as legal advice. Furthermore, the research assistance provided is not comprehensive and the inquirer is responsible for making his or her own final judgment on the ethical and legal issues presented. Please bear in mind that the ABA Model Rules of Professional Conduct and ethics opinions are advisory only. The ethics rules, laws and court decisions of your jurisdiction are controlling.