The ABA's Standing Committee on Ethics and Professional Responsibility has issued Formal Opinion 477R, which recommends that attorneys make reasonable efforts to prevent inadvertent or unauthorized access to client information. This opinion updates the ABA's guidance on protecting electronic client communications, including the possible encryption of emails when warranted.
ABA Updates 1999 Ethics Opinion to Conform with Modern Technology
The roles and risk of technology prompted the ABA to issue Formal Opinion 477R and update its 1999 opinion on a lawyer's confidentiality obligations for email communication with clients. The 1999 opinion concluded that "[l]awyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted e-mail sent on the Internet, despite some risk of interception and disclosure."
While attorneys used multiple forms of communication to communicate with their clients in 1999, many lawyers now use electronic communications to provide clients with legal services. With the risk of hacking and data loss being omnipresent for users of electronic communications, Formal Opinion 477R recommends that attorneys use a fact-based analysis to determine what constitutes reasonable efforts in protecting client information.
ABA Provides Guidance on a Fact-Based Reasonable Efforts Standard
Adopting language from the ABA Cybersecurity Handbook, Formal Opinion 477R defines the reasonable efforts standard as rejecting "requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopting a fact-specific approach to business security obligations." The standard "requires a 'process' to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments."
Recognizing that the reasonable efforts determination is fact-based, the ABA provides several nonexclusive factors to assist attorneys in making that determination:
• the sensitivity of the information;
• the likelihood of disclosure if additional safeguards are not used;
• the cost of employing additional safeguards;
• the difficulty of implementing the safeguards; and
• the extent to which the safeguards adversely affect the lawyer's ability to represent clients.
In explaining these factors, the ABA advises that a fact-based analysis means that strong protective measures, like encryption or avoiding the use of electronic means altogether to communicate with the client, may be warranted for certain highly sensitive material.
Encryption is a technology that makes information unreadable by normal means in order to protect the information from interception by unintended parties. The technology uses a mathematical or logical function to transform data and deliver it to the intended recipient, who then uses appropriate methods to make the information readable again. On the other hand, for matters of normal or low sensitivity, standard security methods with low or reasonable costs to implement may be sufficient to meet the reasonable efforts standard to protect client information from inadvertent and unauthorized disclosure.
While the ABA provides guidance on the factors to consider in making a reasonable efforts determination, the ABA states it is beyond the scope of Formal Opinion 477R to specify the reasonable steps that lawyers should take under a given set of facts. However, the ABA does offer several considerations as guidance:
1. Understand the nature of the threat;
2. Understand how confidential client information is transmitted and where it is stored;
3. Understand and use reasonable electronic security measures;
4. Determine how communications about client matters should be protected;
5. Label privileged and confidential client communications;
6. Train lawyers and non-lawyer assistants in technology and information security; and
7. Conduct due diligence on vendors providing communication technology.
Attorneys Must Understand How to Secure Confidential Information
Section leaders acknowledge the importance of Formal Opinion 477R because of our reliance on electronic communications. "The opinion recognizes that technology risks pose a host of new challenges for protecting client confidentiality, but does not impose a broad ranging obligation to impose specific cyber security measures in all practice areas," states Thomas G. Wilkinson, Jr., Philadelphia, PA, Center for Professional Responsibility and Section Officers Conference Professional Responsibility Committee Liaison for the ABA Section of Litigation's Ethics and Professionalism Committee.
"Practically speaking, lawyers can benefit by staying abreast of developments in technology—particularly in regards to cyber security. A couple of technologies that attorneys may consider are the use of encryption and multi-factor authentication for remote access to client documents," advises Stephen E. Reynolds, Indianapolis, IN, Professional Development Chair of the Section of Litigation's Minority Trial Lawyer Committee.
"Since most attorneys do not have backgrounds in information technology, attorneys may need to use vendors or IT professionals to implement reasonable security measures. As with the selection of any vendor, attorneys would be well served by using due diligence to find reliable vendors in the field of cybersecurity," explains Reynolds.
While Formal Opinion 477R does not require the use of encryption for all electronic communications, some Section leaders believe we are headed there. "Some feel that the opinion's incremental approach does not go far enough in view of the cybersecurity risks already facing law firms, which are viewed as relatively 'soft' targets for hackers. They view mandatory full encryption as an inevitable next step in the ethics guidance in this field," observes Wilkinson.
Onika K. Williams is an associate editor for Litigation News.