Do you have a question about legal ethics that affects your practice? ETHICSearch can help. For quick and confidential research assistance, click here to send your questions.
Office equipment that never forgets
By Peter Geraghty, director, ETHICSearch and
Sue Michmerhuizen, ETHICSearch Counsel
You are the managing partner in a small firm of five lawyers. You started practice as a solo practitioner six years ago and made yourself competitive by using computer and cellphone technology for research, work while out of the office and instant communication with clients. Most of this equipment has the capacity to store vast amounts of information.
Over the years, your hard work coupled with your innovative use of technology has grown the firm. In addition to your partners, you now also employ three paralegals and four secretaries and have moved to larger offices with more sophisticated computer-based office equipment.
Every day, the lawyers in the firm are on the move between courts, administrative hearings and real estate closings, and the paralegals often go to court for filings and research, using laptops, tablets and cellphones to keep in touch with the office and clients. Sometimes, they take their laptops home with them to work on client matters.
Keeping up with the rapid developments in technology is challenging, and it seems as though every six months you need to upgrade some of these devices to keep current. Bringing in new equipment means that you must discard the old, and you have concerns about how to do this properly. You also realize that you aren’t certain about just what computers and other electronic devices the firm owns, which employees are using them and whether they are all under the firm’s control.
What obligations do you have to monitor firm personnel’s use of electronic equipment?
What are your obligations to see that the obsolete equipment is properly recycled or disposed of?
By themselves, laptops, tablets, smartphones, thumbdrives and other equipment are just tools. However, vast amounts of data can be carried around in these small devices, and when they contain confidential client information, lawyers have an obligation under Model Rule 1.6 Confidentiality of Information to take steps to protect that information from inadvertent or unauthorized disclosure when they are discarded, recycled, lost or stolen. One commentator states that hundreds of laptops are stolen every day (See Tom Mighell, The Cyber-Ethical Criminal Defense Lawyer (Or, How Not to Commit Malpractice with Your Technology), 73 TEX BJ 540 (2010)). These new devices and the technology they support have created a new and constantly evolving landscape that can outpace a lawyer’s ability to understand the threats that they pose to information security and the types of safeguards that should be in place to prevent disclosure.
ABA Ethics 20/20 Commission
In 2009, then-ABA President Carolyn B. Lamm established the ABA Ethics 20/20 Commission (Ethics 20/20) and gave it the broad mandate of reviewing and proposing amendments to the ABA Model Rules in light of emerging new technologies and the globalization of the practice of law. At the ABA Annual Meeting in Chicago last year, the ABA House of Delegates adopted the Commission’s Report 105(C) (report submitted to the House is available here) that proposed a number of amendments to the Model Rules relating to the impact of new technologies on a lawyer’s ability and obligations to preserve client confidentiality.
While these amendments did not change the substance of the Model Rules with regard to a lawyer’s obligations to protect client confidences, they did clarify the steps lawyers should take to protect them when using new technologies to both store confidential information and to communicate with clients.
Ethics 20/20’s amendments to the Rules include a new paragraph 8 to the Comment to Rule 1.1 Competence that states as follows:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Ethics 20/20 also added a new subpart (C) to Rule 1.6 that states that a lawyer should take steps to prevent the inadvertent and unauthorized disclosure of confidential client information. Building on the work of the ABA Ethics 2000 Commission (E2K), it also amended paragraphs 18 and 19 of the Comment to Rule 1.6 that provides guidance as to the reasonable efforts and precautions a lawyer can take to protect client confidences in the current era of emerging technologies. Excerpts from these paragraphs state:
 … The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use) …
 When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule. Whether a lawyer may be required to take additional steps to comply with other laws, such as state and federal laws that govern data privacy, is beyond the scope of these rules.
State and Local Bar Association Ethics Opinions
There have been some state bar opinions that have addressed confidentiality concerns with portable electronic devices. See, e.g., California State Bar Opinion 2010-179 (2010). This opinion addressed, among other things, whether a lawyer can use his personal laptop to communicate with clients using a coffee shop’s Wi-Fi connection. The opinion stated that he could do so but may be required to take protective measures such as the use of a firewall, data encryption and wireless encryption to protect against disclosure. Depending on the sensitivity of the information, the lawyer might also be required to explain the risks of disclosure to the client and get the client’s informed consent before using the device. The California Committee also stated that the lawyer could use his laptop on his home Wi-Fi so long as the lawyer took steps to ensure that the system was secure.
Other opinions address confidentiality concerns when lawyers discard or recycle these devices. See Florida State Bar Opinion 10-2 (2010). (When disposing of portable electronic devices such as laptops, printers, memory sticks or any other device that has a hard drive or the capacity to store data, the lawyer should act to ensure that all data has been removed from them.) Accord, Alabama State Bar Opinion 2010-2 (2010).
While confidentiality concerns in the technology context may seem as though they are new to the profession, ABA, state and local bar ethics committees and courts have been issuing opinions that have addressed similar concerns when disposing of client paper files, some of which were issued long before the rise of the electronic data-storing devices in today’s law offices. See, e.g., Disciplinary Counsel v. Shaver, 904 N.E.2d 883 (2009) (lawyer reprimanded for leaving boxes of client files next to dumpster). See also ABA Informal Opinion 1384 (1977) (“In disposing of a file, a lawyer should protect the confidentiality of information.”), New Jersey State Bar opinion 692 (2002) (lawyers should be careful when disposing of paper files and that “simply placing them in the trash would not suffice”), New York State Bar Opinion 641 (1993), Oregon Ethics Op. 2005-141 (2005), West Virginia Ethics Op. 2002-01 (2002) and Wisconsin Ethics Op. 98-1 (1998).
Duty of Supervision
Under Rule 5.1 Responsibilities of Partners, Managers and Supervisory Lawyers, managing lawyers in a firm partner have an obligation to ensure that all lawyers in the firm conform to the Rules of Professional conduct. Under Rule 5.3 Responsibilities Regarding Nonlawyer Assistance, lawyers with managerial responsibilities also have an obligation to ensure that any nonlawyers employed by the firm comport themselves in accordance with the lawyer’s ethical obligations under the Rules. ABA Formal Opinion 95-398 (1995) addressed some of these issues stating that when a lawyer grants access to its computer network to an outside computer maintenance company, it must verify that it has in place confidentiality policies to protect client confidences. Accord, Florida Opinion 10-2 (2010). The Florida Bar opinion also addressed the types of safeguards a firm should have in place to protect the information from disclosure, including having an inventory of the devices owned by the firm and which information is stored on any given device, and which staff members have access to them or use them regularly.
In 2010, the Ethics 20/20 Commission Working Group on the Implications for New Technologies suggested certain precautions lawyers should take when using portable devices:
… providing adequate physical protection or having methods for deleting data remotely in the event that a device is lost or stolen, encouraging the use of strong passwords (See the February 2013 ETHICSearch Tip of the Month “How Ethical Is Your Password?”); purging data from devices before replacement; installing safeguards to combat viruses, malware and spyware; erecting firewalls; ensuring frequent backups of data; updating computer operating systems to ensure that they contain the latest security protections; configuring software and network settings to minimize security risks; encrypting sensitive information and identifying (and, when appropriate, eliminating) metadata from electronic documents before sending them; and avoiding public “Wi-Fi hot spots” when transmitting confidential information.
- From MODEL RULES: ETHICS 20/20 COMMISSION INVITES COMMENTS ON ISSUES RAISED BY GROWING USE OF INTERNET, 26 LMPC 586, 2010 WL 3759955 (L.M.P.C.)
For further information on steps to take to protect client confidentiality on portable devices, see Jason Gonzalez and Linn Freedman, Mobile Devices and Attorney Ethics: What Are the Issues? 27 LMPC 792 (2011) and Tom Mighell, The Cyber-Ethical Criminal Defense Lawyer (Or, How Not to Commit Malpractice with Your Technology), 73 TEX BJ 540 (2010), in which the author suggests that due to the fact that hundreds of laptops are stolen every day, precautions lawyers should take to protect information stored on laptop hard drives include using strong passwords, and the installation of software that would alert the firm when a stolen computer is logged on to the Internet and that can remotely wipe clean the hard drive.
For further information on a broad range of issues as they relate to cybersecurity generally, see the Cyber Security Resources page that has been created by the ABA Cybersecurity Legal Task Force available here.
Back to top
EYE ON ETHICS
that never forgets
Simple project management tools
for your practice
A ‘common sense’ approach to litigation
AROUND THE ABA
Moving to a new firm involves complex financial, ethical issues
Young lawyers: Strategies for success in your first
ABA experts offer strategies on limiting, managing cybersecurity breaches
Alternative fee arrangements grow
Understanding the key elements of a conflict waiver
5 time management tips for achieving balance
Virtual lawyer shares advice on managing a law firm in cyberspace
Accuracy and timing
are key to become
a successful debtor’s attorney, experts say
U.S. strengthens regulations on background checks in light of financial crisis
Expand your network.
Join a committee!
Protect yourself from the unexpected