Hitting “Send” on an e-mail sometimes can be a bit daunting for a lawyer. Depending on the contents of the e-mail and its attachments, the e-mail might unintentionally disclose confidential client information or accidentally reveal it to the wrong person. Lawyers also may be uneasy about technological risks to the confidentiality of client files if the files are electronic and are accessed online, hosted on third-party servers, or stored in the “cloud.” Conversely, lawyers also can be concerned about what to do when they are or appear to be an unintended recipient of electronic information from opposing counsel or parties, or if they unexpectedly receive possibly confidential information from a potential client or someone purporting to be one.
Preserving the confidentiality of client information, within the framework of the applicable law, is one of a lawyer’s core duties. That principle is reflected in Preamble  of the ABA Model Rules of Professional Conduct, which states that: “In all professional functions a lawyer should be competent, prompt and diligent. A lawyer should maintain communication with a client concerning the representation. A lawyer should keep in confidence information relating to the representation of a client except so far as disclosure is required or permitted by the Rule of Professional Conduct or other law.” [Emphasis added] Not only ethics rules but also the law of professional responsibility, rules of procedure/evidence, and data privacy statutes, among other bodies of law, may bear on confidentiality obligations.
The ABA Commission on Ethics 20/20, which was appointed in 2009, has made the intersection of technology and the practice of law one of its areas of focus. The Commission presented six Resolutions to the ABA House of Delegates in August 2012, all of which were adopted (some with minor friendly amendments). One of the Commission’s six Resolutions dealt with “Technology and Confidentiality,” and three of the other five Resolutions related in part to this subject. The Commission, through its proposals, sought to state and clarify general rules, but it also sought to provide some practical guidance, although it had to be mindful of the level of detail that is suitable for ethics rules and of the risk that more specific language can unwisely hamstring lawyers and become obsolete. Now that the Model Rules have been amended, each state will next consider these amendments and decide whether to adopt them.
Lawyers as Senders of Information
The Commission’s Technology and Confidentiality Resolution made housekeeping changes to modernize language of the Model Rules and to state general principles. Among other amendments, it revised Comment  of Rule 1.1, the rule on “Competence,” to indicate that a lawyer should keep abreast of “the benefits and risks associated with relevant technology. . . .” The proposal also added a new subsection (c) to Rule 1.6, the main rule on “Confidentiality of Information” as to current clients, to provide: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
The proposal also added information of a somewhat more practical nature, moreover, by rewriting Comment  to Rule 1.6 to state as follows:
Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision or monitoring. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forego security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other laws, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments -.
The proposal also added some overlapping language to Comment  to Rule 1.6.
So, for example, a lawyer who herself uses, or has an associate or secretary use, redlining software to revise a document based on client comments before sending the document to an opponent should determine if the redlining is intended to be disclosed, and, if not, should employ “reasonable efforts” to prevent erroneous disclosure of client confidences. Similarly, a lawyer also must take reasonable efforts to make sure that a person or firm to whom a task involving client confidences has been outsourced acts competently to prevent unauthorized access and inadvertent or unauthorized disclosure.
The Commission’s Resolutions also addressed the subject of outsourcing, one aspect of which is confidentiality of information, as reflected above, as well as the disclosure of confidential information for purposes of conflicts checks in situations involving potential movement of lawyers from one firm to another and law firm combinations, recognizing appropriate disclosure for that purpose.
Lawyers as Recipients of Information
The Commission also sought to address lawyers as recipients of information in two fundamentally different scenarios. With respect to a lawyer who receives information from an opponent or counter-party, the proposal revised Comment  to Rule 4.4, the rule on “Respect for Right of Third Persons,” to modernize language and to try to increase clarity on what it means for a document or information to be “inadvertently sent.” The revisions to Comment  conclude with this new clarifying statement: “Metadata in electronic documents creates an obligation under this Rule only if the receiving lawyer knows or reasonably should know that the metadata was inadvertently sent to the receiving lawyer.” Revisions to Comment  reflected that a lawyer may return, or delete, inadvertently sent electronic information, unread, in many instances.
Electronic information is not sent only among and by parties and counsel and their opponents and counter-parties. The Commission proposal also addressed the lawyer as recipient of information from a potential client or from a person, whether individually or on behalf of an entity, seeking to be clothed in the protections afforded a potential client.
The proposal revised Model Rule 1.18 (Duties to Prospective Client) to make clear that it applies only to a person, whether individually or on behalf of an entity, that has “reasonable expectation that the lawyer is willing to discuss the possibility of forming a client-lawyer relationship. . . .”
The proposal, further, added a helpful new Comment  to Rule 1.18 that not only elaborates on that principle but gives lawyers some practical advice about setting up their websites to reduce the risks of receiving, and of being disqualified from representing a different person or entity by virtue of receiving, such information:
A person becomes a prospective client by consulting with a lawyer about the possibility of forming a client-lawyer relationship with respect to a matter. Whether communications, including written, oral, or electronic communications, constitute a consultation depends on the circumstances. For example, a consultation is likely to have occurred if a lawyer, either in person or through the lawyer’s advertising in any medium, specifically requests or invites the submission of information about a potential representation without clear and reasonably understandable warnings and cautionary statements that limit the lawyer’s obligations, and a person provides information in response. . . . In contrast, a consultation does not occur if a person provides information to a lawyer in response to advertising that merely describes the lawyer’s education, experience, areas of practice, and contact information, or provides legal information of general interest. Such a person communicates information unilaterally to a lawyer, without any reasonable expectation that the lawyer is willing to discuss the possibility of forming a client-lawyer relationship, and is thus not a “prospective client.”
The Commission’s Website
In addition to proposing now-adopted changes to the Model Rules, the Commission has also set up a website (www.americanbar.org/Ethics2020) with practical information on technology and other aspects of the practice of law.
The Commission is very open to suggestions of ways in which its website could be helpful. If you have ideas on that front, please send them to the Commission (firstname.lastname@example.org) or feel free to forward them to me as a Co-Chair of the Solo, Small Firm and General Practice Division’s Ethics and Professional Responsibility Committee.