The ABA's Standing Committee on Ethics and Professional Responsibility has issued Formal Opinion 477R which recommends that attorneys take reasonable efforts to the prevent inadvertent or unauthorized access of client information. This opinion updates the ABA's guidance on protecting electronic client communications, including the possible encryption of emails when warranted.
While attorneys used multiple forms of communication to communicate with their clients in 1999, many lawyers now use electronic communications to provide clients with legal services. With the risk of hacking and data loss being omnipresent for users of electronic communications, Formal Opinion 477R recommends that attorneys use a fact-based analysis to determine what constitutes reasonable efforts in protecting client information.
Adopting language from the ABA Cybersecurity Handbook, Formal Opinion 477R defines the reasonable efforts standard as rejecting "requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopting a fact-specific approach to business security obligations." The standard "requires a 'process' to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments."
Recognizing that the reasonable efforts determination is facts-based, the ABA provides several nonexclusive factors to assist attorneys in making that determination:
In explaining these factors, the ABA advises that a fact-based analysis means that strong protective measures, like encryption or avoiding the use of electronic means altogether to communicate with the client, may be warranted for certain highly sensitive material.
Encryption is a technology that makes information unreadable by normal means in order to protect the information from interception by unintended parties. The technology uses a mathematical or logical function to transform data and deliver it to the intended recipient, who then uses appropriate methods to make the information readable again. On the other hand, for matters of normal or low sensitivity, standard security methods with low or reasonable costs to implement, may be sufficient to meet the reasonable efforts standard to protect client information from inadvertent and unauthorized disclosure.
While the ABA provides guidance on the factors to consider in making a reasonable efforts determination, the ABA states it is beyond the scope of Formal Opinion 477R to specify the reasonable steps that lawyers should take under a given set of facts. However, the ABA does offer several considerations as guidance:
Section leaders acknowledge the importance of Formal Opinion 477R because of our reliance on electronic communications. "The opinion recognizes that technology risks pose a host of new challenges for protecting client confidentiality, but does not impose a broad ranging obligation to impose specific cyber security measures in all practice areas," states Thomas G. Wilkinson, Jr., Philadelphia, PA, Center for Professional Responsibility and Section Officers Conference Professional Responsibility Committee Liaison for the ABA Section of Litigation's Ethics and Professionalism Committee.
"Practically speaking, lawyers can benefit by staying abreast of developments in technology—particularly in regards to cyber security. A couple of technologies that attorneys may consider are the use of encryption and multi-factor authentication for remote access to client documents," advises Stephen E. Reynolds, Indianapolis, IN, Professional Development Chair of the Section of Litigation's Minority Trial Lawyer Committee.
"Since most attorneys do not have backgrounds in information technology, attorneys may need to use vendors or IT professionals to implement reasonable security measures. As with the selection of any vendor, attorneys would be well served by using due diligence to find reliable vendors in the field of cybersecurity," explains Reynolds. While Formal Opinion 477R does not require the use of encryption for all electronic communications, some Section leaders believe we are headed there. "Some feel that the opinion's incremental approach does not go far enough in view of the cybersecurity risks already facing law firms, which are viewed as relatively 'soft' targets for hackers. They view mandatory full encryption as an inevitable next step in the ethics guidance in this field," observes Wilkinson.
Onika K. Williams is an associate editor for Litigation News.
Keywords: cybersecurity, encryption, attorney-client, electronic, communications
Hashtags: #FormalOpinion477R, #cybersecurity, #encryption, #disclosure
Copyright © 2017, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).
