chevron-down Created with Sketch Beta.

GPSolo Magazine

GPSolo Magazine Article Archives

Ethics in a Technical World

John Matthew Murrell

Summary

  • Some of the biggest ethics lapses by attorneys are triggered when they fail to use technology effectively.
  • This article examines the professional rules of conduct and discusses the holistic approach that is necessary to marry ethics and technology.
  • This article also examines the legal ethics surrounding technology and security.
  • Finally, this article examines the legal ethics surrounding the proficient use of technology.
Ethics in a Technical World
iStock.com/SweetBunFactory

Jump to:

The core principles of legal ethics—e.g., the duty of confidentiality, fidelity to the client, candor to the court—have largely remained unchanged over time. But their application and the ethics themselves have evolved as the practice of law and technology have grown more complex. Thus, while a locking file cabinet inside a locked office may have been sufficient to satisfy an attorney’s duty to keep client files secure in 1978, those measures are meaningless in 2023 for a paperless firm whose client files are stored in the cloud. This article examines what it means to be an ethical attorney in a modern, technical world.

First, this article examines the professional rules of conduct and discusses the holistic approach that is necessary to marry ethics and technology. While most attorneys are aware of an explicit duty to be technologically competent, other rules of conduct are equally important in applying ethics to the modern practice of law. Second, this article examines the legal ethics surrounding technology and security. Because the practice of law relies heavily on the use of electronic devices and the Internet, an ethical attorney needs to understand how to keep the firm’s accounts, client files, and client communications secure. Third, this article examines the legal ethics surrounding the proficient use of technology. Some of the biggest ethics lapses of the last decade were triggered because attorneys failed to use technology effectively.

Rules of Professional Conduct in a Technical World

By now, most attorneys are familiar with the 2012 amendment to Rule 1.1, Comment [8], to the American Bar Association (ABA) Model Rules of Professional Conduct (Model Rules), which added a duty of technological competence to an attorney’s duty of competent representation: “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology” (emphasis added). In the decade since that amendment, 40 states have incorporated technological competence into their rules of professional conduct.

While this article explores the scope of that duty, a critical piece of being ethical in a technical world is realizing that modern advancements in technology and the practice of law implicate other rules of professional conduct beyond a duty of technological competence. Thus, being ethical requires attorneys to think critically about how long-standing principles of legal ethics are affected by modern technology.

For example, Model Rule 1.6 imposes a duty of confidentiality on attorneys, including the requirement to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Even without an explicit duty of technological competence, that rule requires attorneys to understand that measures to keep client files secure in 1978—such as a locked filed cabinet—are insufficient for electronic files stored in the cloud.

As a second example, Model Rule 1.4 governs communications with the client, including the duties to “keep the client reasonably informed about the status of the matter” and “promptly comply with reasonable requests for information.” In the era of 24/7 email, the application of this rule has evolved well beyond the days of landline telephone communication and snail mail.

More than any single aspect of technological competency, ethics in an era of technology require attorneys to understand that the approach is a holistic endeavor. Smartphones, laptop computers, and the Internet have revolutionized the manner in which attorneys practice law. Because that technological revolution has touched nearly every aspect of legal practice, ethics in a technical world is much more than the duty of competence. Technology touches everything we do; its effect on the ethical practice of law is equally widespread.

A number of articles and CLEs on technological proficiency are laundry lists of disparate technological “fails” that serve as cautionary tales for practicing attorneys. While those horror stories are important—this section and the next rely on some of them—the laundry list method can fall short in helping attorneys to think about how to approach ethics and technology. With that in mind, fulfilling the duty to be ethical in a technical world requires attorneys to understand and develop two categories of technological competence: security and proficiency.

The Ethical Duty of Security

The first category, security, requires attorneys to understand the interaction between their ethical duties and how the use of technology can risk a breach of those duties if that technology is not used securely. In addition to Rule 1.1’s requirement that attorneys understand the “risks” associated with technology, security implicates the other rules discussed above, including the duty of confidentiality. Security is critical for solo and small firm attorneys for the additional reason that a single breach could be fatal to a solo or small firm. Being an ethical attorney who keeps data, files, communications, and accounts secure can be guided by a few simple principles:

First, be vigilant about security. Above all else, keeping systems secure should be a thought that’s never far from an attorney’s mind. While this section contains a list of best practices that are important tools in the security arsenal, using technology in a secure manner is a broader approach than simply employing a few technological bells and whistles.

For example, when an attorney signs up for a new account, the following questions should be at the forefront of that attorney’s mind: (1) How secure can I make my password for this new account? (2) Would this account be compromised if someone gained access to one of my other accounts, and how can I ensure that doesn’t happen? (3) Are there additional ways to make this account secure beyond the username and password? With that in mind, there are a few ways to be vigilant about security:

  • Lock devices early and often. Every device an attorney uses should be password-protected, those passwords should not be shared with others, and an attorney should ensure that those devices are locked whenever they are not being used. For example, while it may be overkill, I lock my computer whenever I leave my chair, even if my computer is in my locked office with no one else. That habit ensures that anyone who gains access to my computer will not be able to access confidential information. The danger is heightened for cell phones, which are inadvertently left on restaurant tables, checkout counters, and other insecure locations.
  • Limit access to work devices. The corollary to using passwords early and often is to limit access to the devices that contain sensitive information (e.g., work laptop, cell phone) or that are used for attorney business. Even if the people accessing those devices don’t necessarily pose a security risk, the results can still be less than ideal. Consider the lawyer whose young grandchild used his computer and left on a filter that made the lawyer look like a cat when he took part in a teleconference court appearance the next day. But there’s also reason to be concerned from a security standpoint—dozens of popular programs and apps, including children’s games, have later been exposed as spyware tracking the user’s activity and data. Thus, even if a device is shared only with benevolent actors, security can still be compromised.
  • Be wary of free WiFi. Finally, for attorneys who travel (or work in public spaces such as libraries or coffee shops), free WiFi networks pose a substantial security risk. Such networks are inherently insecure; anyone on that network can track every single thing every other user on that network is doing. The best defense is software called a virtual private network (VPN). Quality VPNs cost a few dollars a month, and they are a vital tool in keeping devices secure.

Second, follow security best practices. Whenever possible, attorneys should utilize best practices that make their systems harder to access and, thus, more secure. Those best practices include:

  • Create strong passwords and use a password manager. The best passwords are as long as a system or account will allow, avoid personal information that is easy to guess, differ across accounts from every other password used by that user, and do not rely on common dictionary words. Because attorneys must often maintain a dozen or more accounts, a password manager (e.g., 1Password, Dashlane, etc.) can be a critical tool in creating and remembering good, secure passwords.
  • Utilize two-factor authentication. Two-factor authentication (often abbreviated “2FA”) requires a user to verify his or her identity after entering a username and password; in other words, it requires a second form of authentication from the user. The most common 2FA is a text message to the user’s cell phone containing a six- to eight-digit code that must be entered after the password to gain access to an account. 2FA should be activated on every account and system that contains that feature, which includes every bank and credit card account a firm uses.
  • Employ security software. Reputable, name-brand anti-virus/anti-malware/firewall software is not a blank check to engage in risky behavior, but it is nonetheless an important tool in an attorney’s arsenal to keep his or her devices secure. Windows users have an added bonus here: One of the best Windows security suites is Windows Security, which is free and built into Windows itself.
  • Update frequently. Although a smart device’s constant reminders to update operating systems and software may be annoying, they serve an important purpose: Those updates, more often than not, contain important patches that protect the device from new and emerging security threats. Thus, while the user may not see any added features after updates, the device is nonetheless more secure because of them.

Third, be suspicious of scams. Attorneys are frequently and increasingly targeted by cyber scams. Cyber scams are typically confidence schemes that utilize deception and social engineering more than technical sophistication. From an ethical standpoint, cyber scams are especially scary because a bad actor could use a scam to gain access to an attorney’s or firm’s entire system, meaning that communications, client files, work products, firm bank accounts, and other critical systems are completely compromised.

The most common cyber scam—and arguably the biggest cyber threat to solo and small firms—is phishing. Phishing is a confidence scheme that attempts to trick the user into disclosing confidential information such as a username, password, or account number. One of the most effective phishing scams is the “security breach.” In this scam, the attorney receives an authentic-looking email from a vendor with which the attorney has an account (e.g., Microsoft, Google, Bank of America, Chase) that states the attorney’s account has been compromised and tells the attorney to log in to verify his or her information.

The trick is that the link provided in the email to “fix” the problem is bogus: Instead of taking the target to the actual, legitimate website of the vendor, it takes the attorney to a website that appears legitimate but is actually controlled by the scammers. Ironically, the target’s account is completely secure until the target enters the log-on information into the fake website, at which point the scammer has that information and will use it to get access to the account (and do nefarious things such as change the password, deplete the account, etc.). Phishing comes in various forms (e.g., email, text messages, phone calls) and may target various accounts (email, cloud storage, bank accounts, credit cards, etc.), but the mechanics of the scam are almost always the same: to trick the attorney into giving his or her credentials to an illegitimate source.

Other scams targeting attorneys abound, and the best way to keep abreast of such scams is to stay educated through the ABA and state bars, a number of which keep running blogs on scams targeting attorneys. (See, e.g., Jeffrey Allen & Ashley Hallene, Say “Scram” to Online Scams, GPSolo May/June 2022, at 42; Joanna Herzik, Scams Continue to Target Texas Attorneys, Texas Bar Blog (Dec. 9, 2022); Fraud Alert: New and Old Scams Targeting Attorneys, State Bar of Cal. (last visited Dec. 30, 2022).) Two recent scams to watch out for: (1) the bogus check/settlement scam, in which an attorney is contacted by a client who needs an attorney to receive settlement funds, which invariably will be in the form of a bogus cashier’s check; and (2) impersonation emails, in which the scammer impersonates a known entity (such as a bar association or charity) seeking payment for a donation or an alleged late bill—the payment ends up going to the scammer instead of the legitimate entity.

A great rule of thumb to avoid a number of online scams is to avoid clicking on links in emails whenever possible. If I receive an email from a vendor with whom I have an account (e.g., Chase), I will go to my browser and access my account by going to the legitimate Chase page. It may add a few seconds to my day, but that habit alone ensures that I don’t automatically click on links in emails that may take me to a nefarious website.

The Ethical Duty of Proficiency

Separate from making security a key component of an ethical legal practice in a technical world, attorneys need a basic level of proficiency with computer systems and certain types of software to fulfill their ethical duties. This component of technological competency can be especially daunting to those who consider themselves technologically illiterate, but it doesn’t have to be. Understanding the basics of a few essential pieces of software and a few principles can make an attorney’s practice more ethical. While the following technological skills are by no means exhaustive, an ethical attorney should understand the need for basic proficiency in the following areas.

Redundancy, file storage, and the cloud. A key principle of information technology management is redundancy—critical information and systems should be duplicated and capable of being restored if (and when) hardware fails. The principle is illustrated with a simple question: If your laptop failed right now, how many hours would it set you back, and how catastrophic would that failure be for your practice? The ideal answer should be “a few hours and frustratingly inconvenient, but not catastrophic.” A laptop crash should be capable of being resolved in the amount of time it would take to buy a new laptop and install the necessary software, email accounts, and backed-up files onto that laptop. If a laptop crash would be catastrophic and cost an attorney hundreds of hours, then that attorney is not using technology proficiently.

The corollary to redundancy is that, in a technical world, redundancy should be undertaken with an understanding that anywhere and everywhere client files and communications are found must be secure. As a number of state ethics opinions have noted (and a recent ABA survey detailed), cloud storage is widespread among practicing attorneys but should be chosen with security in mind. The good news is that the commonly used cloud storage services—including Dropbox, Box, Microsoft OneDrive, and Google Drive—use high-end encryption and (importantly) encrypt files in transit and at rest, ensuring that attorneys who use these services in a responsible manner are taking steps to comply with Model Rule 1.1 and Model Rule 1.6.

Email. Some of the worst (and most public) technological blunders occur when attorneys misuse email. Often, the error has little to do with technological sophistication. In a now infamous example, a WilmerHale attorney inadvertently copied a Wall Street Journal reporter on an internal email that contained a memo analyzing a (then) non-public Securities and Exchange Commission investigation into PepsiCo regarding the departure of its general counsel. Though the exact reason for that email error never appears to have been disclosed, it is widely speculated that the Wall Street Journal reporter likely shared a first or last name with someone on WilmerHale’s investigation team, and the autocomplete function on the attorney’s email filled in the reporter’s name instead of the team member’s name after that attorney typed in the first few letters of the name. That error is less common than the dreaded “Reply All” mistake, where attorneys inadvertently disclose confidential communications to everyone on an email chain (e.g., opposing counsel) when their message was intended for a subset of people on that email. These mistakes reflect that being ethical in a technical world can be much more about being careful, thorough, and deliberate than being a technological whiz. Typing the correct email address or selecting the “Reply” button instead of the “Reply All” button doesn’t require a PhD in computer science but does require the user to be careful when using email.

Other electronic communication and file transfers. Speaking of email, one of the technical aspects of that medium that an attorney does need to understand is the levels of security provided by different methods of communicating over the Internet. In ABA Formal Opinion 477R (May 11, 2017; revised May 22, 2017), the ABA Standing Committee on Ethics and Professional Responsibility noted that modern email is secure enough to reliably and ethically communicate to clients. However, the opinion also noted that, in scenarios involving extremely confidential or sensitive information, email might be insufficiently secure, and attorneys may need to employ more secure means of transferring highly confidential information. The opinion also notes that less secure forms of electronic communication, including certain mobile applications, message boards, and insecure networks, may be insufficient to fulfill an attorney’s duty to keep client communications confidential under Model Rule 1.6.

PDF software and redacting confidential information. Aside from email blunders, the other often public technological failure committed by attorneys is the failure to properly redact confidential information from documents. In 2019, Paul Manafort’s attorneys filed a document that contained confidential information regarding the Federal Bureau of Investigation’s investigation into his dealings with foreign individuals. This information had not been properly redacted from that PDF filing; instead, it had been highlighted in black, meaning that the words “underneath” the black highlighting could be copied and pasted into another document—which is exactly what several journalists covering the case did. Ethical attorneys should understand that confidential information that needs to be redacted from a public filing (or a discovery production) can only be properly redacted via a redaction tool in PDF software such as Adobe Acrobat or Nitro Pro.

Other software. Finally, attorneys shouldn’t overlook the ability of everyday software to aid them in being more competent and, thus, more ethical attorneys. For example, while most litigators calendar deadlines in their electronic calendar (e.g., Outlook), setting multiple reminders before important deadlines can ensure that key tasks are completed beforehand and that deadlines never create an unexpected emergency. As a second example, understanding the basics of word-processing software (or employing someone who does) can help attorneys ensure that their work product complies with the varied (and sometimes onerous) formatting and component requirements for certain filings, which can be the difference between a filing being accepted or being rejected at a deadline.

Conclusion

As technology and society evolve, so will legal ethics. Being ethical in a technical world requires both the proper mindset and the acquisition of technological skills. However, that mindset overlaps with the traits a good attorney already possesses, including thoughtfulness, thoroughness, and a healthy skepticism, and the technological skills are skills that nearly anyone can master.

    Author