The core principles of legal ethics—e.g., the duty of confidentiality, fidelity to the client, candor to the court—have largely remained unchanged over time. But their application and the ethics themselves have evolved as the practice of law and technology have grown more complex. Thus, while a locking file cabinet inside a locked office may have been sufficient to satisfy an attorney’s duty to keep client files secure in 1978, those measures are meaningless in 2023 for a paperless firm whose client files are stored in the cloud. This article examines what it means to be an ethical attorney in a modern, technical world.
First, this article examines the professional rules of conduct and discusses the holistic approach that is necessary to marry ethics and technology. While most attorneys are aware of an explicit duty to be technologically competent, other rules of conduct are equally important in applying ethics to the modern practice of law. Second, this article examines the legal ethics surrounding technology and security. Because the practice of law relies heavily on the use of electronic devices and the Internet, an ethical attorney needs to understand how to keep the firm’s accounts, client files, and client communications secure. Third, this article examines the legal ethics surrounding the proficient use of technology. Some of the biggest ethics lapses of the last decade were triggered because attorneys failed to use technology effectively.
Rules of Professional Conduct in a Technical World
By now, most attorneys are familiar with the 2012 amendment to Rule 1.1, Comment [8], to the American Bar Association (ABA) Model Rules of Professional Conduct (Model Rules), which added a duty of technological competence to an attorney’s duty of competent representation: “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology” (emphasis added). In the decade since that amendment, 40 states have incorporated technological competence into their rules of professional conduct.
While this article explores the scope of that duty, a critical piece of being ethical in a technical world is realizing that modern advancements in technology and the practice of law implicate other rules of professional conduct beyond a duty of technological competence. Thus, being ethical requires attorneys to think critically about how long-standing principles of legal ethics are affected by modern technology.
For example, Model Rule 1.6 imposes a duty of confidentiality on attorneys, including the requirement to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Even without an explicit duty of technological competence, that rule requires attorneys to understand that measures to keep client files secure in 1978—such as a locked filed cabinet—are insufficient for electronic files stored in the cloud.
As a second example, Model Rule 1.4 governs communications with the client, including the duties to “keep the client reasonably informed about the status of the matter” and “promptly comply with reasonable requests for information.” In the era of 24/7 email, the application of this rule has evolved well beyond the days of landline telephone communication and snail mail.
More than any single aspect of technological competency, ethics in an era of technology require attorneys to understand that the approach is a holistic endeavor. Smartphones, laptop computers, and the Internet have revolutionized the manner in which attorneys practice law. Because that technological revolution has touched nearly every aspect of legal practice, ethics in a technical world is much more than the duty of competence. Technology touches everything we do; its effect on the ethical practice of law is equally widespread.
A number of articles and CLEs on technological proficiency are laundry lists of disparate technological “fails” that serve as cautionary tales for practicing attorneys. While those horror stories are important—this section and the next rely on some of them—the laundry list method can fall short in helping attorneys to think about how to approach ethics and technology. With that in mind, fulfilling the duty to be ethical in a technical world requires attorneys to understand and develop two categories of technological competence: security and proficiency.
The Ethical Duty of Security
The first category, security, requires attorneys to understand the interaction between their ethical duties and how the use of technology can risk a breach of those duties if that technology is not used securely. In addition to Rule 1.1’s requirement that attorneys understand the “risks” associated with technology, security implicates the other rules discussed above, including the duty of confidentiality. Security is critical for solo and small firm attorneys for the additional reason that a single breach could be fatal to a solo or small firm. Being an ethical attorney who keeps data, files, communications, and accounts secure can be guided by a few simple principles:
First, be vigilant about security. Above all else, keeping systems secure should be a thought that’s never far from an attorney’s mind. While this section contains a list of best practices that are important tools in the security arsenal, using technology in a secure manner is a broader approach than simply employing a few technological bells and whistles.
For example, when an attorney signs up for a new account, the following questions should be at the forefront of that attorney’s mind: (1) How secure can I make my password for this new account? (2) Would this account be compromised if someone gained access to one of my other accounts, and how can I ensure that doesn’t happen? (3) Are there additional ways to make this account secure beyond the username and password? With that in mind, there are a few ways to be vigilant about security:
- Lock devices early and often. Every device an attorney uses should be password-protected, those passwords should not be shared with others, and an attorney should ensure that those devices are locked whenever they are not being used. For example, while it may be overkill, I lock my computer whenever I leave my chair, even if my computer is in my locked office with no one else. That habit ensures that anyone who gains access to my computer will not be able to access confidential information. The danger is heightened for cell phones, which are inadvertently left on restaurant tables, checkout counters, and other insecure locations.
- Limit access to work devices. The corollary to using passwords early and often is to limit access to the devices that contain sensitive information (e.g., work laptop, cell phone) or that are used for attorney business. Even if the people accessing those devices don’t necessarily pose a security risk, the results can still be less than ideal. Consider the lawyer whose young grandchild used his computer and left on a filter that made the lawyer look like a cat when he took part in a teleconference court appearance the next day. But there’s also reason to be concerned from a security standpoint—dozens of popular programs and apps, including children’s games, have later been exposed as spyware tracking the user’s activity and data. Thus, even if a device is shared only with benevolent actors, security can still be compromised.
- Be wary of free WiFi. Finally, for attorneys who travel (or work in public spaces such as libraries or coffee shops), free WiFi networks pose a substantial security risk. Such networks are inherently insecure; anyone on that network can track every single thing every other user on that network is doing. The best defense is software called a virtual private network (VPN). Quality VPNs cost a few dollars a month, and they are a vital tool in keeping devices secure.
Second, follow security best practices. Whenever possible, attorneys should utilize best practices that make their systems harder to access and, thus, more secure. Those best practices include:
- Create strong passwords and use a password manager. The best passwords are as long as a system or account will allow, avoid personal information that is easy to guess, differ across accounts from every other password used by that user, and do not rely on common dictionary words. Because attorneys must often maintain a dozen or more accounts, a password manager (e.g., 1Password, Dashlane, etc.) can be a critical tool in creating and remembering good, secure passwords.
- Utilize two-factor authentication. Two-factor authentication (often abbreviated “2FA”) requires a user to verify his or her identity after entering a username and password; in other words, it requires a second form of authentication from the user. The most common 2FA is a text message to the user’s cell phone containing a six- to eight-digit code that must be entered after the password to gain access to an account. 2FA should be activated on every account and system that contains that feature, which includes every bank and credit card account a firm uses.
- Employ security software. Reputable, name-brand anti-virus/anti-malware/firewall software is not a blank check to engage in risky behavior, but it is nonetheless an important tool in an attorney’s arsenal to keep his or her devices secure. Windows users have an added bonus here: One of the best Windows security suites is Windows Security, which is free and built into Windows itself.
- Update frequently. Although a smart device’s constant reminders to update operating systems and software may be annoying, they serve an important purpose: Those updates, more often than not, contain important patches that protect the device from new and emerging security threats. Thus, while the user may not see any added features after updates, the device is nonetheless more secure because of them.
Third, be suspicious of scams. Attorneys are frequently and increasingly targeted by cyber scams. Cyber scams are typically confidence schemes that utilize deception and social engineering more than technical sophistication. From an ethical standpoint, cyber scams are especially scary because a bad actor could use a scam to gain access to an attorney’s or firm’s entire system, meaning that communications, client files, work products, firm bank accounts, and other critical systems are completely compromised.
The most common cyber scam—and arguably the biggest cyber threat to solo and small firms—is phishing. Phishing is a confidence scheme that attempts to trick the user into disclosing confidential information such as a username, password, or account number. One of the most effective phishing scams is the “security breach.” In this scam, the attorney receives an authentic-looking email from a vendor with which the attorney has an account (e.g., Microsoft, Google, Bank of America, Chase) that states the attorney’s account has been compromised and tells the attorney to log in to verify his or her information.
The trick is that the link provided in the email to “fix” the problem is bogus: Instead of taking the target to the actual, legitimate website of the vendor, it takes the attorney to a website that appears legitimate but is actually controlled by the scammers. Ironically, the target’s account is completely secure until the target enters the log-on information into the fake website, at which point the scammer has that information and will use it to get access to the account (and do nefarious things such as change the password, deplete the account, etc.). Phishing comes in various forms (e.g., email, text messages, phone calls) and may target various accounts (email, cloud storage, bank accounts, credit cards, etc.), but the mechanics of the scam are almost always the same: to trick the attorney into giving his or her credentials to an illegitimate source.
Other scams targeting attorneys abound, and the best way to keep abreast of such scams is to stay educated through the ABA and state bars, a number of which keep running blogs on scams targeting attorneys. (See, e.g., Jeffrey Allen & Ashley Hallene, Say “Scram” to Online Scams, GPSolo May/June 2022, at 42; Joanna Herzik, Scams Continue to Target Texas Attorneys, Texas Bar Blog (Dec. 9, 2022); Fraud Alert: New and Old Scams Targeting Attorneys, State Bar of Cal. (last visited Dec. 30, 2022).) Two recent scams to watch out for: (1) the bogus check/settlement scam, in which an attorney is contacted by a client who needs an attorney to receive settlement funds, which invariably will be in the form of a bogus cashier’s check; and (2) impersonation emails, in which the scammer impersonates a known entity (such as a bar association or charity) seeking payment for a donation or an alleged late bill—the payment ends up going to the scammer instead of the legitimate entity.
A great rule of thumb to avoid a number of online scams is to avoid clicking on links in emails whenever possible. If I receive an email from a vendor with whom I have an account (e.g., Chase), I will go to my browser and access my account by going to the legitimate Chase page. It may add a few seconds to my day, but that habit alone ensures that I don’t automatically click on links in emails that may take me to a nefarious website.