The greatest threats today are spearphishing, ransomware, business email compromise, supply chain/third-party compromises, insider threats, and lost and stolen laptops, smartphones, and portable devices. These and other threats are a particular concern to attorneys because of their duties of competence in technology and confidentiality.
It is critical for attorneys and law firms to recognize the threats, understand their duty to safeguard, and address the duty through comprehensive cybersecurity programs.
This is the fifth in a series of cybersecurity articles by me for the annual ethics editions of Law Practice Today, following “Cybersecurity for Attorneys: Addressing the People Part of Security” (November 2022), “Cybersecurity for Attorneys: The Ethics of Securing Your Virtual Practice” (October 2021), “Cybersecurity for Attorneys: The Ethics of Incident Response” (November 2020), and “Cybersecurity for Attorneys: Addressing the Legal and Ethical Duties” (November 2019). This article addresses the duty of employing competent and reasonable safeguards.
Duty to Safeguard
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients, and also often have contractual and regulatory duties to protect confidential information.
Ethics Rules. Several ethics rules in the ABA Model Rules have particular application to protection of client data, including competence (Model Rule 1.1), communication (Model Rule 1.4), confidentiality of information (Model Rule 1.6), supervision (Model Rules 5.1, 5.2 and 5.3), and safeguarding property (Model Rule 1.15).
At the ABA Annual Meeting in 2012, the ABA adopted the recommendations on technology and confidentiality of the ABA Commission on Ethics 20/20. They include:
- An amendment to Comment [8] to Model Rule 1.1 providing that competence requires knowing and keeping abreast of changes in “the benefits and risks associated with relevant technology”,
- Addition of section (c) to Model Rule 1.6, requiring attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” and
- Additions to Comment [18] to Model Rule 1.6, providing that “reasonable efforts” require a risk-based analysis, with additional details.
Model Rule 1.4: Communications applies to attorneys’ use of technology. It requires appropriate communications with clients “about the means by which the client's objectives are to be accomplished,” including the use of technology. It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent” about use of technology. It requires notice to a client of a material loss or compromise of information relating to the client.
Model Rule 5.1: Responsibilities of Partners, Managers, and Supervisory Lawyers and Model Rule 5.2: Responsibilities of a Subordinate Lawyer include the duties of competence and confidentiality. Model Rule 5.3: Responsibilities Regarding Nonlawyer Assistants was amended in 2012 to expand its scope. “Assistants” was expanded to “Assistance,” extending its coverage to all levels of law firm staff and outsourced services, ranging from copying services to outsourced legal services. This requires attorneys to employ reasonable safeguards, like due diligence, contractual requirements, supervision, and monitoring, to ensure that nonlawyers, both inside and outside a law firm, provide services in compliance with an attorney’s ethical duties, including confidentiality.
Model Rule 1.15: Safeguarding Property requires attorneys to segregate and protect money and property of clients and third parties that is held by attorneys. Some ethics opinions and articles have applied it to electronic data held by attorneys.
Ethics Opinions. A number of ABA and state ethics opinions, for over a decade, have addressed professional responsibility issues related to security in attorneys’ use of various technologies. Consistent with the Ethics 20/20 amendments, they generally require competent and reasonable safeguards.
An early opinion, several years before the Ethics 20/20 amendments, is State Bar of Arizona Ethics Opinion 05-04: “Electronic Storage; Confidentiality” (July 2005). It concludes:
[Ethics Rules] 1.6 and 1.1 require that an attorney act competently to safeguard client information and confidences. It is not unethical to store such electronic information on computer systems whether or not those same systems are used to connect to the internet. However, to comply with these ethical rules as they relate to the client's electronic files or communications, an attorney or law firm is obligated to take competent and reasonable steps to assure that the client's confidences are not disclosed to third parties through theft or inadvertence. In addition, an attorney or law firm is obligated to take reasonable and competent steps to assure that the client's electronic information is not lost or destroyed. In order to do that, an attorney must either have the competence to evaluate the nature of the potential threat to the client's electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.
Three current ABA formal ethics opinions address attorneys’ duty to safeguard information relating to clients when using technology, all issued after the Ethics 20/20 amendments:
- ABA Formal Opinion 477R, “Securing Communication of Protected Client Information” (May 2017) (focusing on electronic communications; also explores the general duties to safeguard information relating to clients in light of current threats and the Ethics 20/20 technology amendments to the Model Rules).
- ABA Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 17, 2018) (reviews lawyers’ duties of competence, communication, confidentiality, supervision, and safeguarding client property in protecting confidential data; discusses duty to: (1) monitor for a breach; (2) stop a breach and restore systems; (3) determine what happened; and (4) communicate with current clients concerning a material loss or compromise of information relating to a client).
- ABA Formal Opinion 498, “Virtual Practice” (February 2021) (lawyers must make reasonable efforts to prevent inadvertent or unauthorized disclosures of information relating to the representation, take reasonable precautions when transmitting such information, and make reasonable efforts to ensure compliance by subordinate lawyers and nonlawyer assistants).
Common Law and Contractual Duties. Along with the ethical duties, parallel common law duties are defined by case law in the various states. These duties are defined in court opinions and in the Restatement (Third) of the Law Governing Lawyers. They include competence, communication, and confidentiality. Breach of these duties can result in a malpractice action.
Increasingly, lawyers also have contractual duties to protect client data, particularly for clients in industries such as health care and financial services, which have regulatory requirements to protect privacy and security. They frequently include requirements for incident response and notice of security incidents and data breaches. In addition, cybersecurity insurance policies may include required safeguards.
Regulatory Duties. Attorneys and law firms that have covered personal information about their employees, clients, clients’ employees, or customers, opposing parties and their employees, or even witnesses may also be covered by federal and state laws that variously require reasonable safeguards for covered information and notice to affected individuals and sometimes to regulators in the event of a data breach.
In addition, court confidentiality orders sometimes include requirements for safeguarding covered information.
These general obligations are now well-established in the Model Rules, comments, and ABA and state court and ethics opinions.
Competent and Reasonable Safeguards
The general requirements of competent and reasonable safeguards are clear. The challenge to attorneys and law firms in practice is applying these requirements to their practice, technology, and data, and staying current as technology, threats, and available safeguards develop. Comments to the Model Rules and ethics opinions provide some guidance.
ABA Formal Opinion 483 (at p. 9) notes that the nature and scope of this emerging standard is addressed in the ABA Cybersecurity Handbook:
Although security is relative, a legal standard for “reasonable” security is emerging. That standard rejects requirements for specific security measures (such as firewalls, passwords, or the like) and instead adopts a fact-specific approach to business security obligations that requires a “process” to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments.
Formal Opinion 483 (at p. 9) also quotes Formal Opinion 477R on the nature of the duty:
At the intersection of a lawyer’s competence obligation to keep “abreast of knowledge of the benefits and risks associated with relevant technology,” and confidentiality obligation to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” lawyers must exercise reasonable efforts when using technology in communicating about client matters. What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors.
The Ethics 20/20 amendments to Comment 18 to Rule 1.6 also provide some high-level guidance, noting the following nonexclusive factors for determining reasonable and competent safeguards:
Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
This risk-based approach, weighing these factors, is now standard in cybersecurity.
The requirement for lawyers is reasonable security, not absolute security. For example, New Jersey Ethics Opinion 701, “Electronic Storage And Access of Client Files” (April 2006), states: “‘[r]easonable care,’ however, does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible…” Recognizing this concept, the Ethics 20/20 amendments to the Comment to Model Rule 1.6 include: “…[t]he unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”
Attorneys have three options for addressing these duties: (1) know the requirements, threats, and relevant safeguards; (2) learn them; or (3) get qualified assistance. For most attorneys, it will be a combination of the three. In the areas of technology and cybersecurity, it is particularly important that consultants have requisite knowledge and experience.
In the event of a data breach, whether safeguards were reasonable may be judged, with 20-20 hindsight, by clients, disciplinary authorities, regulators, or courts. The following section explores the cybersecurity process and some generally accepted standards.
Complying with the Duty
Understanding all of the applicable duties is the first step, before moving to the challenges of compliance by designing, implementing, and maintaining an appropriate risk-based cybersecurity program. Cybersecurity is the process of protecting the confidentiality, integrity, and availability of information; it is a process, not a product. Comprehensive security should cover people, policies and procedures, and technology.
A cybersecurity program should address the core security functions of govern, identify, protect, detect, respond, and recover. The program should be appropriately scaled to the size of the firm and the sensitivity of the information.
A common approach to employing reasonable security is basing a comprehensive security program on, or aligning it with, a generally accepted standard or framework. Examples include:
- the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (April 2018) (Version 2 currently in draft form);
- other, more comprehensive NIST standards, like NIST Special Publication 800-53, Revision 5, Security and Privacy Controls for Federal Information Systems and Organizations (September 2020), and the standards referenced in it (a comprehensive catalog of controls and a process for selecting and implementing them through a risk management process, designed for government agencies and large organizations);
- the International Organization for Standardization (ISO) ISO/IEC 27000 family of standards (consensus international standards for comprehensive Information Security Management Systems (ISMS) and elements of them); and
- the Center for Internet Security (CIS) Controls v8, which provide globally recognized best practices for securing IT systems and data.
These standards can be a challenge for small and mid-size firms. The ABA Cybersecurity Legal Task Force maintains a website with resources for attorneys and law firms generally and for solo practitioners and small firms. Federal agencies also provide cybersecurity resources for small and midsize businesses. The Cybersecurity and Infrastructure Security Agency (CISA) maintains a website with Resources for Small and Midsize Businesses; NIST has a Small Business Cybersecurity Corner website; and the Federal Trade Commission (FTC) maintains a website, Cybersecurity for Small Business, which includes links to a number of tailored security resources.
Training is a critical component of a law firm security program, both initial training and periodic updates. The goal should be constant vigilance and security awareness by all users of technology, every day, every time they’re using technology.
An important concept is that effective security requires ongoing attention as technology, threats, and available safeguards evolve. It must go beyond a one-time “set it and forget it” approach.
For more information on comprehensive cybersecurity programs and details on specific safeguards, see the references in this section, the earlier articles listed above, and Additional Information below.
Conclusion
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and often have contractual and regulatory duties to protect confidential information. It is critical for attorneys to understand these duties and address them in a risk-based, comprehensive cybersecurity program, including periodic updates.
Additional Information
- American Bar Association, Cybersecurity Legal Task Force
- American Bar Association, Law Practice Division, including articles, webinars, the Legal Technology Resource Center, and ABA TECHSHOW
- Cybersecurity and Infrastructure Security Agency (CISA), including Shields Up, StopRansomware, and Resources for Small and Midsize Businesses websites
- Jill D. Rhodes, Robert S. Litt and Paul S. Rosenzweig, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Third Edition (ABA 2022)