Can any of us imagine our lives without the computer in our pocket that we call our cell phone? Is it even harder to imagine that the cell phone, as we now know it, was first introduced a mere 13 years ago? With our cell phones, we can do almost anything that used to require a trip to the store, a visit to the bank, or a quick stop at the grocery on the way home from work. We can shop online, bank online, and even get our dinner delivered online, all with our cell phones. A very handy tool in the age of the COVID-19 pandemic.
Not a member of the ABA's Real Property, Trust and Estate Law Section? Join now to view premium content.
It is no different with real estate settlements or closings. What once required a trip to the office of a settlement attorney or title or escrow company to review a stack of closing documents and then to execute those documents in the presence of a notary public can now be done entirely on a cell phone, with the client’s consent and with proper laws in place. Whatever form the closing takes, it is reasonable to assume that more and more closings will be completed partially or fully via electronic means, as customers demand that level of service and convenience, especially in light of the new health concerns associated with the pandemic.
What has not changed, however, are the lawyer’s ethical responsibilities related to conducting an eClosing. These types of closings implicate not only all of the usual ethical obligations inherent in the lawyer’s role in a closing, but also the electronic nature of the closing itself presents new twists on different ethical issues. This article will explore some of these emerging issues in the eClosing context. Though it attempts to answer certain ethical questions, this article may succeed in raising more questions than it answers.
What Is an eClosing?
An eClosing may encompass many different features. All eClosings will include some form of electronic signature, which connotes a signature that is captured in an electronic medium and which constitutes the acknowledgement or adoption of an electronic transaction or document. The Uniform Electronic Transactions Act (UETA) defines an electronic signature as “an electronic sound, symbol or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.” Unif. Elec.Transactions Act § 2(8) (Unif. Law Comm’n 1999). Section 7 of UETA gives legal recognition to electronic signatures, records, and contracts.
Forty-eight states, the District of Columbia, and the US Virgin Islands have adopted UETA. Uniform Law Commission, Electronic Transactions Act, https://bit.ly/3ewxHnM. Illinois and New York have not adopted UETA but have adopted substantially similar laws making electronic signatures enforceable. Electronic Commerce Security Act, 5 Ill. Comp. Stat. 175/1-101 et seq.; Electronic Signatures and Records Act, N.Y. State Tech Law §§ 301 et seq. Puerto Rico is the only US jurisdiction without a law like UETA.
In an eClosing, the parties appear in person before the person conducting the settlement, and all documents are electronically signed by the parties and by the notary. In an online eClosing, the parties and the person conducting the settlement are not in the same physical space, and all the documents are electronically signed and electronically notarized through a process commonly known as Remote Online Notarization (RON).
RON represents the latest technology, allowing the act of notarization to occur without the signer and the notary being in the same space; the notarial act is done via audio and webcam with a variety of safeguards in place. Before the pandemic hit, approximately 21 states had adopted remote online notarization statutes. See, e.g., Minn. Stat. Ann. § 358.645; 49 Okla. Stat. tit. 49, § 208. Once the pandemic hit and with the need to remain socially distant, many state governors issued emergency orders permitting the use of RON in their states under particular circumstances. See, e.g. Illinois COVID-19 Exec. Order No. 12 (Mar. 26, 2020), https://bit.ly/3hXxNqY. Many of those emergency orders have now expired or been scaled back, but the pandemic has spurred and will continue to spur new legislation enacting RON.
What Is the Lawyer’s Role in the eClosing?
A lawyer may perform many roles in an eClosing. The lawyer may be an adviser to the client, whether a seller, buyer, or lender. The lawyer may be a participant in the eClosing, perhaps acting as a notary. The lawyer may be the settlement agent responsible for conducting the eClosing, whether in person or remotely, using someone else’s technology or using the lawyer’s own technology. Though each of these roles implicates many of the same ethical rules, this article will focus on the lawyer conducting an eClosing—in effect a traditional closing with the overlay of modern technology that creates a paperless environment.
What Ethical Rules Are Implicated in an eClosing?
Several different ethical rules come into play in an eClosing. Although these rules also come into play in a traditional closing, the technological aspects of eClosings create additional issues. The intersection of eClosings and lawyers’ ethical obligations is so new that little literature exists on the topic. This article will focus only on the ABA Model Rules of Professional Conduct. Model Rules of Prof’l Conduct (Am. Bar Ass’n 2016). Though the Model Rules serve as the models for the ethics rules of most jurisdictions in the United States, each state adopts its own rules, with little or much variation from the Model Rules, so lawyers must understand the rules as adopted in their jurisdiction.
Two recent ABA ethics opinions published by the Standing Committee on Ethics and Professional Responsibility elucidate ideas and principles that are useful in trying to understand a lawyer’s ethical obligations in the eClosing context. See ABA Comm. on Ethics & Prof’l Responsibility Formal Opinion 477R, Securing Communication of Protected Client Information (May 11, 2017, Rev. May 22, 2017) (this opinion was an update to ABA Formal Opinion 99-413 Protecting the Confidentiality of Unencrypted E-Mail (1999)) and ABA Comm. on Ethics & Prof’l Responsibility Formal Opinion 483, Lawyers’ Obligations After an Electronic Data Breach or Cyberattack (October 17, 2018). This article will primarily examine the duty of competence and the duty of confidentiality as analyzed in the two ABA Formal Opinions.
Duty of Competence
Model Rule 1.1 provides: “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Model Rules of Prof’l Conduct 1.1 (Am. Bar Ass’n 2016). Recognizing “the increasing impact of technology on the practice of law and the duty of lawyers to develop an understanding of that technology,” Formal Opinion 477R, at 3, in 2012 the ABA modified Comment  to Rule 1.1 to read as follows:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Model Rules of Prof’l Conduct R. 1.1 cmt. 8 (emphasis added).
The ABA Commission on Ethics 20/20 further explained:
Model Rule 1.1 requires a lawyer to provide competent representation, and Comment . . .  specifies that, to remain competent, lawyers need to “keep abreast of changes in the law and its practice.” . . . For example, a lawyer would have difficulty providing competent legal services in today’s environment without knowing how to use email or create an electronic document.
Formal Opinion 483 expands the concept of lawyer technological competence, by stating:
[B]oth Comment  to Rule 1.1 and the 20/20 Commission’s thinking behind it require lawyers to understand technologies that are being used to deliver legal services to their clients. Once those technologies are understood, a competent lawyer must use and maintain those technologies in a manner that will reasonably safeguard property and information that has been entrusted to the lawyer. A lawyer’s competency in this regard may be satisfied either through the lawyer’s own study and investigation or by employing or retaining qualified lawyer and nonlawyer assistants.
ABA Formal Op. 483, at 4.
Duty of Confidentiality
Model Rule 1.6 provides:
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
. . .
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Model Rules of Prof’l Conduct R. 1.6 (Am. Bar Ass’n 2016). The duty of confidentiality continues after the client-lawyer relationship has terminated. See Model Rule 1.9(c)(2).
Comment 18 to Model Rule 1.6, as amended in 2012, provides:
Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.
Id. cmt. 18 (emphasis added).
Formal Opinion 477R states that “lawyers must exercise reasonable efforts when using technology in communication about client matters.” ABA Formal Op. 477R, at 4. Rather than imposing a “hard and fast rule,” the opinion identifies various nonexclusive factors to make the “reasonable efforts” determination, including:
- the sensitivity of the information,
- the likelihood of disclosure if additional safeguards are not employed,
- the cost of employing additional safeguards,
- the difficulty of implementing the safeguards, and
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Id. at 4-5. The ABA committee recommended that lawyers take the following steps to guard against disclosures:
- Understand the nature of the threat. Consider the sensitivity of the client’s information and whether it poses a greater risk of cyber theft. If there is a higher risk, greater protections may be warranted.
- Understand how clients’ confidential information is transmitted and where it is stored. Have a basic understanding of how your firm manages and accesses client data. Be aware of the multiple devices such as smartphones, laptops, and tablets that are used to access client data, as each device is an access point and should be evaluated for security compliance.
- Understand and use reasonable electronic security measures. Have an understanding of the security measures that are available to provide reasonable protections for client data. What is reasonable may depend on the facts of each case and may include security procedures such as using secure Wi-Fi, firewalls, and anti-spyware or anti-virus software and encryption.
- Determine how electronic communications about clients’ matters should be protected. If the information is sensitive or warrants extra security, consider safeguards such as encryption or password protection for attachments. Take into account the client’s level of sophistication with electronic communications. If the client is unsophisticated or has limited access to appropriate technology protections, alternative nonelectronic communication may be warranted.
- Label client confidential information. Mark communications as privileged and confidential to put any unintended lawyer recipient on notice that the information is privileged and confidential. Once on notice, under Model Rule 4.4(b) Respect for Rights of Third Persons, the inadvertent recipient would be on notice to promptly notify the sender.
- Train lawyers and nonlawyer assistants in technology and information security. Under Model Rules 5.1 and 5.3, take steps to ensure that lawyers and support personnel in the firm understand how to use reasonably secure methods of communication with clients. Also, follow up with law firm personnel to ensure that security procedures are adhered to and periodically reassess and update security procedures.
- Conduct due diligence on vendors providing communication technology. Take steps to ensure that any outside vendor’s conduct comports with the professional obligations of the lawyer.
See Formal Opinion 477R, at 6-10.
Formal Opinion 483 further provides that it does not supplant other federal or state laws regarding data breaches. The opinion imposes pre-breach obligations and defines data breach more broadly than other similar data breach laws:
As discussed above and in Formal Opinion 477R, an attorney’s competence in preserving a client’s confidentiality is not a strict liability standard and does not require the lawyer to be invulnerable or impenetrable. Rather, the obligation is one of reasonable efforts. Rule 1.6 is not violated even if data is lost or accessed if the lawyer has made reasonable efforts to prevent the loss or access. As noted above, this obligation includes efforts to monitor for breaches of client confidentiality. . . .
Although security is relative, a legal standard for “reasonable” security is emerging. That standard rejects requirements for specific security measures (such as firewalls, passwords, or the like) and instead adopts a fact-specific approach to business security obligations that requires a “process” to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments.
Formal Op. 483, at 9.
Applying the Principles in the eClosing Context
Although the rules, commentary, and formal opinions have expanded our understanding of the rules in connection with certain specifics of practicing law in the cyberworld, none of these authorities directly addresses the eClosing context. How do or should these principles apply to an eClosing?
First, clearly the duty of competence mandates that a lawyer understand the technology associated with eClosings and eClosing platforms and, in particular, understand and take appropriate steps to mitigate the cybersecurity risks of such platforms. Competence takes on special urgency considering the rapid technological advances in the world of eClosings. What might comply with a lawyer’s ethical obligations today might not tomorrow, as technology and business practices and protocols constantly change. Perhaps the most frightening aspect of all of this is that a lawyer may not even know what she doesn’t know.
Second, the duty of confidentiality must guide everything a lawyer does in conducting eClosings. A lawyer should anticipate having to comply with the highest level of “reasonable efforts” to protect the identity of the clients, client information, and the security integrity of the transaction. The prudent lawyer will heed the admonitions of Formal Opinion 477R and understand the following seven factors in the context of an eClosing and implement appropriate measures.
- Understand the nature of the threat. The nature of client information transmitted in an eClosing is highly sensitive and may include items of personally identifying information (SSN, birthdate) and financial information (bank accounts, securities accounts, credit card accounts). The risk associated with a hack of this information suggests that greater protections may be warranted when the lawyer is using his own eClosing platform or conducting the eClosing with a third-party platform.
- Understand how confidential client information is transmitted and where it is stored. Compliance with this factor requires not only a basic understanding of how the eClosing platform gathers, manages, and accesses client data but also of how the lawyer’s computer systems communicate and integrate with that platform. The lawyer needs to evaluate for security compliance any device that may be used with the eClosing platform and implement appropriate security measures.
- Understand and use reasonable electronic security measures. The lawyer needs to understand the array of security measures that are available to provide reasonable protections for client data. Given the highly sensitive nature of information involved in an eClosing, reasonable security efforts may require the highest level of security measures, such as multi-factor authentication (via text to known device) or knowledge-based authentication. Does the platform provide for signed document lock with tamper-evident markers? Does the platform provide secure storage and retrieval of an electronically signed document?
- Determine how electronic communications about clients’ matters should be protected. In the eClosing context, the lawyer may be communicating with the client or clients as well as the lender or other parties. The lawyer has the obligation to discuss with the client the level of security that is appropriate for the transaction, and the lawyer must coordinate or otherwise try to ensure that the entire transaction is conducted with the appropriate level of security.
- Label client confidential information. It is unclear how this factor would be put into practice in an eClosing. Certainly if the lawyer is representing a client in the transaction, all communications between the lawyer and the client should be labeled as confidential. To the extent that the lawyer is sharing client information on the eClosing platform, the lawyer should mark that information as confidential, assuming that would be permitted by the platform technology. If the lawyer is conducting the settlement for all parties via an eClosing platform, the entire transaction would have to be marked as confidential within the platform, if possible. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Model Rule 5.3, Comments -.
- Train lawyers and nonlawyer assistants in technology and information security. The lawyer will be responsible for making sure that everyone in the firm working on eClosings understands all of the technologies and their obligations to comply with the factors discussed here. The rapid nature of technological change will further require constant monitoring and reassessment of the security elements of the eClosing platforms. The need to stay abreast of technological advances may, for example, mean limiting the number of eClosing platforms used; if the lawyer is using too many different platforms it may become impossible to stay up to date (i.e., competent).
- Conduct due diligence on vendors providing communication technology. eClosings bring this factor into stark relief. Most individual lawyers are unlikely to have all the information and tools necessary to understand and evaluate the cybersecurity features of an eClosing platform. By necessity, most lawyers will need to rely on third parties, whether persons inside of the law firm or other third parties, to undertake the required due diligence. For purposes of selecting an eClosing platform, the lawyer has an obligation to communicate with the vendor and take appropriate steps to ensure that any outside vendor’s conduct comports with the professional obligations of the lawyer.
Lastly, as Formal Opinion 483 makes abundantly clear, in the event of a data breach of client information, whether within the law firm or within the eClosing platform, the lawyer has a variety of notification obligations. On the front end, the lawyer must try to make sure that the lawyer is notified of any data breaches within the eClosing platform so that the lawyer may comply with the lawyer’s ethical obligations to inform the client. On the back end, as soon as the lawyer is informed of a data breach from the eClosing platform provider, the lawyer should undertake the notifications described in Formal Opinion 483.
eClosings pose great promise and great risk. They represent the future of many, if not most, real estate transactions. A lawyer’s essential role in the closing process will not change, but the means by which the lawyer will fulfill that role will most definitely change. The well-prepared lawyer will be ready to meet the challenges of eClosings and comply with all ethical obligations. The future is now—we must embrace it.