chevron-down Created with Sketch Beta.
    October 25, 2011 Articles

    Tips for Using Technology While Keeping Client Information Confidential

    By Lisa O'Connor

    The practice of law, while rich in tradition, is a constantly evolving profession. Perhaps now more than ever, lawyers are facing an increased demand from managing partners and clients alike to be more economically efficient. Innovative technology—everything from email to cloud computing—offers appealing and practical options for lawyers to increase their productivity while lowering their costs.

    With the use of new technology, however, comes unchartered ethical territory for lawyers to navigate. The unfortunate reality for solo practitioners and lawyers at small firms is that they often face higher rates of bar complaints than their colleagues at larger firms. See, e.g., Ted Schneyer, On Further Reflection: How "Professional Self-Regulation" Should Promote Compliance with Broad Ethical Duties of Law Firm Management, 53 Ariz. L. Rev. 577, 603 n.132 (2011). And, as leading legal ethics scholars explain, "[N]ew trends in law practice may be putting solo practitioners and small firms at even greater risk." Id.at 627 n.265 (citing Michael Downey, Solos, Smaller Firms, and Technology Risks 1 (Oct. 15, 2010) (unpublished manuscript) (presented to ABA Commission on Ethics 20/20)). Likely due to both lack of resources and lack of time, scholars believe that "technological change . . . is felt most severely by those lawyers, often solos or smaller firms, who provide cost-sensitive services primarily to consumers." Id.Given this background, consideration of a question recently posed by Roberta Cooper Ramo, a current ABA Commission on Ethics 20/20 member and former ABA president, seems particularly appropriate: "How do we resolve our ethical duties to our clients and the system, our need to be economically efficient, and our duty to be competent in this swiftly changing world?" Roberta Cooper Ramo, Ethics for American Lawyers in the Age of Twitter and the Cloud, 72 Mont. L. Rev. 227, 230 (2011).

    Issues related to technology most commonly implicate a lawyer's duty of confidentiality under Rule 1.6 of the Model Rules of Professional Conduct. Rule 1.6 provides that, unless an exception applies, "A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent." Included in this duty is an oft-overlooked element of competence, as recognized in comments 16 and 17 to Rule 1.6. See ABA Comm. on Ethics & Prof'l Responsibility, Formal Op. 11-459 (2011). In pertinent part, the comments provide that a lawyer has a duty to "act competently to safeguard" a client's information from inadvertent or unauthorized disclosure and to "take reasonable precautions to prevent" the information from reaching unintended recipients. Model Rules of Prof'l Conduct R. 1.6 cmt. 16, 17 (emphasis added). Competence, in this context, imposes on lawyers an affirmative duty to take action to protect their clients' confidential information.

    The use of technology creates endless possibilities for breaches of the duty of confidentiality. In particular, technology increases the likelihood of inadvertent disclosures, especially if lawyers are not cognizant of their duty of competence. The simplest of examples is apt to illustrate this point: Consider the ability of virtually all email programs to fill in the address of a recipient. See Ramo at 233. Next, consider the ramifications for both client and lawyer if the address automated by the program is not the address of the intended recipient. Not only is the client's confidential information now in the hands of a third party who likely has no duty to continue to keep it confidential, but the lawyer may also be subject to discipline by the state bar. Compliance with the competence element of Rule 1.6 avoids this situation. The lawyer must take some precaution to ensure that the address automated by the email program corresponds to the intended recipient. This may be as simple as consciously reading the name of the recipient before pressing send, or it may go so far as disabling the automated ability on the lawyer's (and any staff members') email devices. See id. The point is not so much what precaution must be taken as it is that some precaution must be taken.

    For solo practitioners and lawyers at small firms, simple steps may help to alleviate some of the pressure associated with technology while at the same time ensuring that the lawyers are complying with their ethical obligations under Rule 1.6. To this end, a recent article in the Wisconsin Lawyer offered these suggestions.

    • Use software programs (such as SecureDoc) to encrypt passwords and protect workstations from unauthorized logons. Choose a program that locks out the attempted user after a limited number of attempts and protects a physical hard drive from being accessed with external devices.
    • Encrypt all thumb drives or flash drives used by employees to store any sensitive information.
    • Encrypt all emails containing personal identifiers; when reassurance is needed that data has not been altered, use a PDF format for attached files.
    • Lock workstations when they are not in use, and power them down at the end of the day.
    • Back up data onto an encrypted external hard drive and store it in a separate, secure location.
    • Limit access to sensitive data based on employees' need to know and level of responsibility.
    • Limit employees' personal use of and access to public websites to reduce the likelihood of threats such as viruses or "key loggers" who can gain unauthorized access to terminals.
    • If employees are allowed to gain remote access to the firm's network, ensure that VPN tokens or specific means of remote access are properly encrypted.
    • Periodically check on the firm's computers to ensure that security has not been compromised, viruses inadvertently downloaded, or unauthorized access obtained.
    • Stop terminated, retired, and deceased employees' access to computer systems as quickly as possible.

    Faith N. Mondry, ID Theft: Think It Can't Happen in a Law Firm?, 84 Wis. Law. 10, 13–14 (May 2011).

    Even with all of these precautions, new implications for the duty of confidentiality will undoubtedly arise as technology continues to advance. When faced with unforeseeable circumstances, remembering the duty of competence will help lawyers protect client confidentiality and avoid ethics violations.

    Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).