Consider the risks presented by these common scenarios: a phone is left at a restaurant bar; a young family member uses a parent's device without email access blocked; the device is used on a public Wi-Fi network; an attorney continues to use the device following the end of employment with the firm. The scenarios are endless, as are possibilities for disclosure of client confidences.
Confronting these concerns, the American Bar Association revised Model Rule of Professional Conduct 1.6, adding subsection (c) as follows: "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."
In explaining the need to elevate to a "black letter" rule an attorney's duty to prevent even inadvertent disclosure of a client's confidential information, the ABA Commission on Ethics, in its Report to the House of Delegates, detailed the following three occurrences which could lead to a violation of Rule 1.6: (1) an email is sent to the wrong person; (2) a third party "hacks" into a law firm's network or a lawyer's email account; and (3) employees or other personnel release client information without authority, such as when an employee posts confidential information on the Internet. The use of personal devices may trigger further violations of Rule 1.6, such as when an attorney's device is lost or stolen or when an attorney downloads content that infects the host network with malware, potentially impacting not only the attorney's personal device but also the firm's entire network.
Fortunately, comment  to Model Rule 1.6 provides a safe harbor in certain circumstances when attorneys and law firms make "reasonable efforts to prevent the access or disclosure." When reviewing an attorney's or law firm's "reasonable efforts," courts are encouraged by comment  to consider "the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients." Thus, in order to take advantage of comment 's safe harbor, a BYOD policy should:
Insure all devices and data transfers are secure;
State that the firm retains control of the device;
Include end of employment and acceptable use policies;
Discourage users from using public Wi-Fi connections, which are susceptible to hacking;
Require all devices to employ a passcode, auto-lock, and a phone locator app;
Require the ability to remotely delete all information saved on the device; and
Employ requirements for password strength to ensure security.
Attorneys in particular should strongly consider the use of separate personal and work-dedicated devices.
Likewise, firms must develop sensible email policies and make their attorneys aware of the potential consequences of noncompliance. These policies should expressly require attorneys to:
Remind all parties involved of the requirements of maintaining the attorney-client privilege, and how the use of email could weaken the privilege;
Preserve all email, sent and received;
Consider addressing email use in the retainer or engagement letter;
Counsel clients against forwarding attorney-client emails to others, or posting them on Facebook, Twitter, or other forms of social media;
Remind staff to check email addresses carefully and avoid using "auto-fill"; and
While these policies cannot eliminate the risks presented by technology, they are necessary to establish "reasonable efforts" to comply with ethical obligations.
Avoiding the Pitfalls: Maintain Confidentiality
The use of mobile technology should heighten an attorney's concern for maintaining client confidentiality. Before sending an email, one should always ask: Would a letter be a more appropriate means of communicating this information? Does this really require immediate response? Does the client have exclusive access to this email? Unfortunately, the all-to-common scenario of the accidental "reply to all" or auto-correct function in the recipient field could destroy the attorney-client privilege, necessitate litigation to remedy the lost privilege, and result in disciplinary action.
The pitfalls of email use were at the forefront of Terraphase Engineering, Inc. v. Arcadis, U.S., Inc., No. 10-cv-04647-JSW (N.D. Cal. Oct. 10, 2010). In Terraphase, the plaintiffs, who were several former employees of the defendant, intended to sue their former employer for threatening litigation against the plaintiffs' clients. In preparing for litigation, the plaintiffs' counsel drafted an email outlining the litigation strategy against the former employer. The email was intended solely for the plaintiffs; however, an "auto-fill" mistake caused the email to be sent to one plaintiff's email address at the former employer, which had been monitoring the plaintiffs' former email addresses. This "auto-fill" error resulted in the defendant former employer receiving an outline of its former employees' legal strategy.
Once litigation began, the defendant's counsel used the inadvertently sent email to craft a counterclaim against the plaintiffs. In response, the plaintiffs applied for and were granted an order enjoining the defendant's outside and in-house counsel from participating in the case and awarding attorney fees and costs to the plaintiffs. These difficulties arose exclusively from the use of email—difficulties that may have been avoided had the plaintiffs' attorneys used a formal "hard copy" letter to communicate and/or been aware of the "auto-fill" pitfall presented by most email software. The case illustrates the great expense and loss that can arise from a simple error—one that can occur anytime an email is sent.
Avoiding the Pitfalls: Recognize the Danger of Instant Communication
The ease of email communication and its potential to invoke immediate, and possibly inappropriate, responses were at issue in a recent attorney disciplinary case in New Jersey, In re Stolz, Docket No. DRB 13-331 (N.J. Mar. 18, 2014). The ethics charges arose out of the attorney's representation of a client in a litigated matter and the tenor of the attorney's email communications with adverse counsel. During his representation, the attorney sent several disparaging emails to his adversary, which stated, in part:
"Don't feel you have to email me daily and let me know just how smart you are."
"This will acknowledge receipt of your numerous Emails, faxes and letters. . . . In response thereto, Bla Bla Bla Bla Bla Bla."
"Did you get beat up in school a lot?, because you whine like a little girl."
"Why don't you grow a pair?"
"I'd send you the delivery receipt, but I put both your email addresses in my 'Junk Mail' box, because that is all I get from you, JUNK."
"What's that girlie email you have. Hotbox.com or something?"
Based on these emails, coupled with other conduct, the New Jersey Disciplinary Review Board determined that the attorney violated various ethics rules, including "failing to treat with courtesy and consideration all persons involved in the legal process." While an email received on a handheld device may invoke strong emotion, the ability to respond immediately does not mean that you should.
Avoiding the Pitfalls: Know the Technology
Issues of mixed business and personal use have found their way to the courtroom. A recent complaint filed in the United States District Court for the District of New Jersey, Nascimento v. Anheuser-Busch Cos., LLC, No. 2:15-cv-02017-CCC-MF (D.N.J. Mar. 19, 2015), highlights these concerns. Employees were issued company-owned iPads but were required to use personal iTunes accounts on the devices. A group of employees sent text messages to each other on their personal iPhones allegedly disparaging another employee—text messages that automatically transferred to their company-owned iPads due to the nature of the technology, by virtue of the common personal iTunes account. Ultimately, the company-owned iPads were redistributed to other employees, including the employee who was allegedly disparaged by the personal text messages—and who was able to view the text messages. The employees purportedly responsible for the disparagement were terminated for alleged misuse of company equipment but then sued the company for wrongful termination.
The Nascimento case is currently the subject of pending motions to dismiss in favor of arbitration; however, the mere allegations serve as an important reminder that the use of technology has real consequences. While the case did not involve attorneys, the implications to attorneys who use similar technologies are clear. In using a personal device for business purposes, is confidential information transferred to a home computer? Is it available on other unsecure personal devices?
Attorneys must understand and address the means by which they employ technology in their daily practice. While the precise ethical obligations continue to develop, the potential for problems, and the growth of litigation arising from the age of instant communication, require that attorneys reaffirm their understanding of basic professional responsibilities when conducting their practice in the technology-driven workplace. A personal communications device expands an attorney's office beyond the bricks and mortar of an office building. This convenience must not compromise the long-standing principles that govern the practice of law.
Keywords: litigation, commercial, business, attorney ethics, bring your own device, BYOD, confidentiality, personal electronic devices, email, litigation, Model Rule 1.6