March 2012 | Special Edition: Disaster Law – Preparing Law Firms and Clients for Issues in Cyberspace
Cybersecurity for Attorneys: Understanding the Ethical Obligations
As attorneys continue to embrace the latest technology, it is critical for them to understand and address the ethical obligations that go with it. This applies to the very latest technology, like smartphones and cloud computing, as well as to technology that attorneys have been using for a number of years, like laptops, remote access, wireless networks, and USB drives. At the core of these obligations is the duty of confidentiality.
Threats to data in computers, mobile devices, and information systems used by attorneys are at an all-time high. They range from lost or stolen laptops or mobile devices, to dishonest, disgruntled, or untrained insiders, to sophisticated hacking attacks. There have been numerous recent reports about these threats to attorneys in the news media, legal press, and information security publications. A recent article reported that 80 law firms were hacked during 2011. In November of 2011, the FBI met with major law firms to deal with the rising number of law firm computer intrusions, warning them that hackers see attorneys as a back door to the valuable data of their corporate clients. Attorneys’ ethical obligations include understanding and dealing with these threats.
The duty of competence (ABA Model Rule 1.1) requires attorneys to know what technology is necessary and how to use it. The duty of confidentiality (ABA Model Rule 1.6) is one of an attorney’s most important ethical responsibilities. Together, these rules require attorneys using technology to take competent and reasonable measures to safeguard client data. This duty extends to all use of technology, including computers, mobile devices, networks, technology outsourcing, and cloud computing.
Model Rule 1.1 covers the general duty of competence. It provides that “A lawyer shall provide competent representation to a client.” This “requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” It includes competence in selecting and using technology. It requires attorneys who lack the necessary technical competence for security (many, if not most, attorneys) to consult with qualified people who have the requisite expertise.
Model Rule 1.6 generally defines the duty of confidentiality. It begins as follows:
Rule 1.6 broadly requires protection of “information relating to the representation of a client;” it is not limited to confidential communications and privileged information. Disclosure of covered information generally requires express or implied client consent (in the absence of special circumstances like misconduct by the client).
The Ethics 2000 revisions to the Model Rules added Comment 16 to Rule 1.6. This comment requires reasonable precautions to safeguard and preserve confidential information:
The Comment references Model Rule 5.1 (Responsibilities of a Partner or Supervisory Lawyer) and Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistants), which are also important in attorneys’ use of technology. Partners and supervising attorneys are required to take reasonable actions to ensure that those under their supervision comply with these requirements.
Model Rule 1.4, Communications, also applies to attorneys’ use of technology. It requires appropriate communications with clients “about the means by which the client's objectives are to be accomplished,” including the use of technology. It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent.” It requires notice to a client of compromise of confidential information relating to the client.
State and local bar ethics opinions have applied these rules to attorneys’ use of technology. An early example is State Bar of Arizona, Opinion No. 05-04 (July 2005) (Formal Opinion of the Committee on the Rules of Professional Conduct). It requires “competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence” and “competent and reasonable measures to assure that the client’s electronic information is not lost or destroyed.” It further notes that “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”
Additional examples include New Jersey Advisory Committee on Professional Ethics, Opinion 701, “Electronic Storage and Access of Client Files” (April 2006); State Bar of Arizona, Opinion No. 09-04, “Confidentiality; Maintaining Client Files; Electronic Storage; Internet” (Formal Opinion of the Committee on the Rules of Professional Conduct) (December 2009); State Bar of California, Standing Committee on Professional Responsibility and Conduct, Formal Opinion No. 2010-179; and Pennsylvania Bar Association, Committee on Legal Ethics and Professional Responsibility, Formal Opinion 2011-200, “Ethical Obligations for Attorneys Using Cloud Computing/Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property” (November 2011). In addition to this Pennsylvania opinion, there are now several ethics opinions on attorneys’ use of cloud computing, which involves cybersecurity, outsourcing, and a number of additional ethical considerations.
The key professional responsibility requirements from these opinions are competent and reasonable measures to safeguard client data, including an understanding of limitations in attorneys’ competence, obtaining appropriate assistance, continuing security awareness, and ongoing review as technology, threats, and available security evolve over time.
The Revised Draft proposes adding the underlined language to the Comment to Model Rule 1.1 Competence:
It proposes adding the following new subsection (underlined) to Model Rule 1.6 Confidentiality of Information:
The draft recommends the following changes to Comment  to this rule:
These proposed revisions are clarifications rather than substantive changes. They add additional detail that is consistent with the present rules and comments, ethics opinions, and generally accepted information security principles.
Information Security Basics
An equally important concept is that security requires training and ongoing vigilance and attention. It must go beyond a one-time “set it and forget it” approach.
Security starts with a risk assessment to identify anticipated threats to the information assets, including an inventory of information assets to determine what needs to be protected. The next step is development and implementation of a comprehensive information security program to employ reasonable physical, administrative, and technical safeguards to protect against identified risks. This is the most difficult part of the process. It must address people, policies and procedures, and technology. It needs to include assignment of responsibility, training, ongoing security awareness, monitoring for compliance, and periodic review and updating.
The requirement for lawyers is reasonable security, not absolute security. New Jersey Ethics Opinion 701 states “’[r]easonable care,’ however, does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible…” Recognizing this, the Ethics 20/20 proposal includes “…[t]he unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”
Security involves balancing and trade-offs to determine what risks and safeguards are reasonable under the circumstances. The analysis includes the sensitivity of the information, the risks, and available safeguards (including their cost, difficulty of implementation, and effect on usability of the technology). There is frequently a trade-off between security and usability. Strong security often makes technology very difficult to use, while easy to use technology is frequently insecure. The challenge is striking the correct balance among all of these often competing factors. This aspect of security is also recognized by the Ethics 20/20 proposal.
The Commission is exploring the use of a central ABA resource to advise attorneys on reasonable security. The Law Practice Management Section currently provides helpful resources on cybersecurity, including this webzine, Law Practice magazine, ABA TECHSHOW, and other continuing legal education programs.
1. Bruce Schneier, Secrets and Lies: Digital Security in a Networked World (John Wiley & Sons, Inc. 2000), p. xii.
David G. Ries is a partner in the Pittsburgh, PA, office of Thorp Reed & Armstrong, LLP, where he practices in the areas of environmental, commercial and technology litigation. He is a member of the ABA Law Practice Management Section Council and regularly speaks and writes on technology law and ethics issues, including a new book, with Sharon Nelson and John Simek, Locked Down: Information Security for Lawyers (American Bar Association 2012).
LAW PRACTICE TODAY
John D. Bowers, Fox Rothschild LLP
Micah U. Buchdahl, HTMLawyers
Andrea Malone, White and Williams LLP
BOARD OF EDITORS
Lourdes Flora Brezo-Martinez, Greenberg Traurig LLP
Andrea Cannavina, LegalTypist, Inc.
Margaret M. DiBianca, Young Conaway Stargatt & Taylor, LLP
Nicholas Gaffney, Infinite Public Relations, LLC
Katy M. Goshtasbi, Puris Image
Jeremy Kridel, Indiana Court of Appeals
Allison C. Shields, Legal Ease Consulting, Inc.
Gregory H. Siskind, Siskind Susser, P.C.
Wendy L. Werner, Werner Associates LLC