July 01, 2022 Feature
Confidentiality in the Age of Remote and Hybrid-Remote Work
Kevin J. Vogel
As a profession, attorneys are not generally thought of as masters of technology. In fact, even lawyers have shockingly little confidence in each other when it comes to technology. Last fall, a survey by Ari Kaplan—together with Relativity and FTI Technology—showed that in-house counsel overwhelmingly reported believing that lawyers lack adequate technological competence.1 And lawyers’ incompetence—or at least the perception of it—seems to have grown after two years of pandemic-influenced law practice. The percentage of in-house counsel in Kaplan’s survey reporting a belief that lawyers lack adequate competence with technology rose from 51% in 2019 to 67% in 2021.2
The gap between the ubiquitous nature of technology in today’s practice environment and lawyers’ understanding of that technology presents risk for lawyers and their clients, especially when attorney regulators’ expectations are rising. There are many interesting and important writings about the ethical implications of lawyers using (and misusing) specific types of sophisticated technology, like artificial intelligence.3 This article is about something broader—protecting confidentiality in a remote or hybrid, part-office, part-remote practice.
Confidentiality in General
To briefly recap, confidentiality is one of the fundamental duties a lawyer owes a client. Under the Model Rules of Professional Conduct, a lawyer may not reveal “information relating to the representation of a client” absent informed client consent or implied client authorization, or in a situation specifically authorized by the Rules.4 Confidentiality applies to a great deal of information—“not only to matters communicated in confidence by the client but also to all information relating to a representation, whatever its source.”5
The duty of confidentiality follows a client even after the client–lawyer relationship ends, unless the information becomes “generally known.”6 Notably, under the Model Rules and in many jurisdictions, discussion of confidential information in open court or in public court filings does not make the information fair game for disclosure.7
The Model Rules similarly do not allow a lawyer to make disclosures “that do not in themselves reveal protected information but could reasonably lead to the discovery of such information by a third person.”8 Even using a hypothetical to discuss issues relating to a representation is verboten, unless “there is no reasonable likelihood” that the hypothetical could allow the listener to ascertain the identity of the client or the situation.9 A lawyer must also “act competently to safeguard” confidential information against “unauthorized access by third parties” and “unauthorized disclosure by the lawyer or other persons who are participating in the representation . . . or who are subject to the lawyer’s supervision.”10
The Pandemic, Rising Expectations, and You
Even before the pandemic, the Model Rules and many jurisdictions had been increasingly emphasizing that these duties require lawyers to affirmatively develop competence in the technologies they are using in their practice.
Model Rule 1.1 was amended a decade ago to make clear that the duty of competence requires a lawyer to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. . . .”
Comment [19] to Model Rule 1.6 deals with a lawyer’s transmittal of a communication that includes confidential information. In transmitting confidential information, a lawyer must “take reasonable precautions to prevent the information from coming into the hands of unintended recipients.” While this duty ordinarily “does not require special security measures” if the communication already “affords a reasonable expectation of privacy,” the lawyer must act reasonably considering factors like “the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”11
Pre-pandemic, lawyers sometimes stumbled over technology in ways that exposed client confidences.12 But the pandemic has catalyzed a significant industry change whereby more and more lawyers are working remotely or in some kind of hybrid arrangement, increasingly relying on various technology solutions. At the same time, national bodies and state regulators have remained busy considering how lawyers’ confidentiality obligations should play out in the technological aspects of law practice, like email communications and dealing (or not) with critical reviews posted online. Indeed, expectations for a lawyer’s use of technology have been steadily increasing. And as if these trends were not enough, cyberattacks are more frequently targeting our profession. The result of these trends colliding is that technology is increasingly posing risks for lawyers.
A few months into the pandemic, in June 2020, the ABA Standing Committee on Lawyers’ Professional Liability sponsored an excellent continuing legal education presentation featuring Eileen Garczynski—senior vice president and partner at the insurance company Ames & Gough—and Melissa Lessell, a professional-responsibility litigation partner at Deutsch Kerrigan in New Orleans.13 Based on an ongoing, ten-year-old study of claims data by Ames & Gough and data collected by the ABA Standing Committee on Lawyers’ Professional Liability going back to 1985, Garczynski and Lessell discussed that malpractice claims could very well increase in number and severity as a result of the pandemic. And among the errors they expected were most likely to occur during and after the pandemic (and the resulting economic downturn) were administrative errors—including “[w]ork from home related issues” and “technology issues”—and “cyber related” claims like those for damage stemming from hacking. They noted that litigators, in particular, could see an increase in claims after the pandemic and the related economic downturn as a result of, among other things, “difficulty with team and supervisory collaboration” and errors resulting from “witness and document preparation.” They cautioned that “[w]ork from home and rapidly changing law create the perfect storm for increased errors by lawyers with respect to missed deadlines and committing administrative and procedural errors.”
So, how can lawyers improve their competence when it comes to protecting confidentiality through the technology they are using to work remotely? Well, guidance from disciplinary authorities, risk-mitigation lawyers, and insurance companies gives some pointers.
Using Email to Communicate with Clients
Legal teams are more frequently taking communications about cases from physical conference rooms and offices to the internet. As lawyers more frequently communicate with clients by email, there are some considerations to keep in mind.
First, lawyers should be careful when communicating with opposing counsel and clients together—either copying or blind copying clients on communications with opposing counsel. In January 2020, the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility issued a formal opinion cautioning that “attorneys risk divulging attorney client confidential information and privileged information when they communicate with opposing counsel and include clients on the same email. . . .”14
Specifically, the opinion cautions that by copying a client on an email, the lawyer is revealing the client’s email address—which is confidential information.15 Moreover, the lawyer is revealing to opposing counsel that the client received the email (including attachments).16 And, with regard to corporate clients, the lawyer is revealing that the lawyer believes the individual recipients are connected to the legal matters and the corporate client’s decision-makers.17
Beyond affirmatively revealing confidential information, copying a client may not constitute a reasonable effort to prevent the inadvertent disclosure of confidential information.18 That pesky “reply all” button poses a risk that a client will attempt to respond to the lawyer, and instead inadvertently send their thoughts to opposing counsel, too.19 Notably, this risk remains even if the client is blind copied on the email. If this happens, the opinion cautions, “the client may reveal confidential information . . . or waive the attorney-client privilege.”20
The advisory opinion recommends that lawyers limit the circumstances in which they copy a client on an email to opposing counsel.21 Instead, if a lawyer wants a client to review an email with opposing counsel, the lawyer should forward a copy of the communication separately to the client or use a secure document portal to store the email for a client’s review.22
Beyond that, lawyers should consider specifically advising opposing counsel and their clients when both are included on an email chain. And the lawyer should specify whether the client may “reply all” to the email chain.23
Second, lawyers should understand, be prepared to use, and use in appropriate circumstances encrypted communication channels. Encryption is especially appropriate when the contents of communications contain especially sensitive information like banking information, social security numbers, trade secrets, and protected health information.
The legal-technology company Clio recommends using encrypted email services, secure client portals, encrypted video services like Legaler or Jive, and encrypted text-messaging services like Signal, Zipwhip, Heymarket, and Kenect.24
Under the Model Rules, the key is reasonableness. No special security measures are needed ordinarily when communications afford a reasonable expectation of privacy already.25 But in making that call, lawyers should consider:26
- the sensitivity of the information communicated;
- the likelihood of disclosure if additional safeguards are not employed;
- the cost and difficulty of employing additional safeguards;
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use); and
- whether law requires special security measures (e.g., data-privacy laws).
Lawyers would be wise not to wait for a special circumstance to arise before becoming familiar with encryption and secure methods of communication. The Model Rules note that any client “may require the lawyer to implement special security measures not required by this Rule,”27 and part of the duty of competence entails keeping reasonably up to date on the benefits and risks of technology like encryption.28
Securing Wi-Fi and Using Virtual Private Networks
Sitting here reading this article, do you know whether your laptop computer or mobile phone is set to automatically discover and connect to public Wi-Fi sources? Or (gulp) are you reading this on your work device connected to unsecured public Wi-Fi, say at a coffeeshop or airport?
ABA Formal Opinion 498 cautions that lawyers using Wi-Fi should “ensure that the routers are secure and should consider using virtual private networks.”29 The insurance carrier ALPS recommends that lawyers approach public Wi-Fi “with a healthy level of distrust,” including because “you are never alone while using public Wi-Fi and you simply have no way of knowing what everyone else’s intentions are.”30 ALPS further recommends that law firms have a policy with regard to use of public Wi-Fi.31 And making oneself safer while away from the familiar shores of one’s office Wi-Fi, the carrier notes, could be as easy as using a mobile hotspot instead, coupled with a virtual private network.32
Lawyers should also implement “firewalls and anti-Malware/Spyware/Antivirus software on all devices upon which client confidential information is transmitted or stored.”33 Software should be routinely updated, and security patches should be installed promptly.34
Reviewing Terms of Service and Understanding Technology’s Limitations
When the pandemic first forced my family to hunker down in March 2020 and turn to Zoom for video calls with our loved ones, I can tell you that we did not carefully review the terms of service before agreeing. And I do not think anyone at that time had heard the term “Zoom-bombing.”
In our culture, it has become something of a meme to cavalierly accept long terms of service without reading them first. A survey by Deloitte several years ago found that fewer than one person in ten reads legal terms and conditions before agreeing to them—and 97% of people aged 18 to 34 agreed without reading.35 Two researchers memorably included “gotcha clauses” in the terms of a fake social-networking site they called Name Drop—you must agree to give up your firstborn child to the company and agree that anything you share will be passed to the National Security Agency.36 Ninety-eight percent of participants agreed (sorry, kids!).
This bad habit in our personal lives can be a liability in our professional lives. In March 2021, the ABA Standing Committee on Ethics and Professional Liability released Formal Opinion 498, advising that lawyers should “ensure that they have carefully reviewed the terms of service applicable to their hardware devices and software systems to assess whether confidentiality is protected.”37
Using Zoom as an example, attorney Susan Berson has noted that Zoom’s privacy policy states that third-party service providers and advertising partners like Google Ads “automatically collect some information about you when you use our Products. . . .”38
Reviewing terms of service and taking the time to understand how a piece of software or hardware works before transmitting confidential information through it can allow a lawyer to prevent unauthorized access to that information. Formal Opinion 498 also recommends using strong passwords to allow access to videoconferencing solutions, and further recommends that lawyers consider whether solutions provide higher tiers of security.39
Preventing Cyberattacks
It is an unfortunate truth that cyberattacks directed at lawyers and law firms are becoming more frequent—from unsophisticated phishing attempts to extremely sophisticated hacking intrusions.40
While a lawyer’s obligation to prevent unauthorized access to client confidences is generally governed—at least from an ethical standpoint under the Model Rules—by a reasonableness standard, there is good reason to expect that regulators are heightening their expectations when it comes to preventing loss through cyberattacks. The New York State Bar Association Committee on Professional Ethics’ Ethics Opinion 1019 details that committee’s evolving guidance on the reasonableness standard. It states that, in considering whether one’s document system provides reasonable protection,
[l]awyers can no longer assume that their document systems are of no interest to cyber-crooks. That is particularly true where there is outside access to the internal system by third parties, including law firm employees working at other firm offices, at home or when traveling, or clients who have been given access to the firm’s document system.
Law firms and other entities employing lawyers working in a remote or hybrid work situation should carefully consider and audit their electronic systems, policies, and procedures—with the assistance of risk-mitigation counsel, their insurance carriers, or technology consultants where necessary—to ensure they are taking reasonable steps to protect client confidences against intentional malfeasance by bad actors.
A Final Note on Investing the Time Necessary to Protect Yourself
There is no way in any one article to explore all the various technology solutions available—and, indeed, advantageous—in the practice of law. If there is one thing to take away from this article, it is that a lawyer’s approach to technology should be careful and thoughtful. It takes time to protect oneself and one’s clients, and that time will not likely be billable.
Commentator Stephen Embry suggests that lawyers in general may not be taking the time to thoroughly evaluate and consider the technology they use because that evaluation “requires lifting the proverbial non-billable finger.”41 I can see that. If lawyers view technology as a low-risk area, it may be tempting to spend a half hour on billable work, as opposed to, say, taking that time to carefully review a new software application’s terms of service.
But taking this time now can save a lawyer headaches down the road, and there are some things lawyers can do to make maintaining technological competency easier. Insurance providers may have guidance on certain technological solutions, or policies and procedures to suggest to shore up a firm’s or entity’s use of technology. There are many secondary sources online and in journals, written by technology professionals and lawyers alike, about various technologies. Consulting with attorney risk-management counsel and working with a technology company with experience providing high-quality services to lawyers and law firms can also help save time while at the same time evidencing the steps a team is taking to comply with its obligations.
The investment of time, and even money, now—as the industry is still adjusting to remote and hybrid work—could reduce the risk that a lawyer, client, firm, or other entity endures more substantial financial and reputational harm down the road.
Endnotes
1. See Stephen Embry, Lawyers’ Technological Incompetence: Ethics and Clients Be Damned, TechLaw Crossroads (Oct. 8, 2021), https://www.techlawcrossroads.com/2021/10/lawyers-technological-incompetence-ethics-and-clients-be-damned/; Joe Patrice, In-House Counsel Report Lawyers Keep Getting Worse When It Comes to Technology, Above the Law (Oct. 6, 2021), https://abovethelaw.com/2021/10/in-house-counsel-report-lawyers-keep-getting-worse-when-it-comes-to-technology.
2. See id. The percentage dropped to 45% in 2020, but commentator Stephen Embry noted that Kaplan, on a panel discussing the survey, speculated that in-house counsel may have been more forgiving in the first year of the pandemic, as lawyers were forced to use technology they had never used before. Embry, supra note 1.
3. E.g., Anthony E. Davis, The Future of Law Firms (and Lawyers) in the Age of Artificial Intelligence, 27 Pro. Law., no. 1, Oct. 2, 2020, https://www.americanbar.org/groups/professional_responsibility/publications/professional_lawyer/27/1/the-future-law-firms-and-lawyers-the-age-artificial-intelligence.
4. Model Rules of Pro. Conduct r. 1.6 (Am. Bar Ass’n 1983).
5. Id. cmt. [3] (emphasis added).
6. Id. r. 1.9(c).
7. E.g., ABA Comm. on Ethics & Pro. Resp., Formal Op. 479 (Dec. 17, 2017).
8. Model Rules of Pro. Conduct r. 1.6 cmt. [4].
9. Id.
10. Id. cmt. [18].
11. Id. cmt. [19].
12. See, e.g., Judge Herbert B. Dixon Jr., Embarrassing Redaction Failures, 58 Judges’ J., no. 2, Spring 2019, at 37, https://www.americanbar.org/groups/judicial/publications/judges_journal/2019/spring/embarrassing-redaction-failures.
13. Looking Backward to Predict the Future: COVID-19’s Anticipated Impact on Legal Malpractice Claims, ABA Comm. on Lawyers’ Pro. Liab. (June 26, 2020).
14. Pa. Bar Ass’n Comm. on Legal Ethics & Pro. Resp., Formal Op. 2020-100 (Jan. 22, 2020).
15. Id.
16. Id.
17. Id.
18. Id.
19. Id.
20. Id.
21. Id.
22. Id.
23. Id.
24. Teresa Matich, The Complete Guide to Working Remotely as a Lawyer, Clio, https://www.clio.com/guides/complete-guide-lawyers-remote-work/.
25. Model Rules of Pro. Conduct r. 1.6 cmt. [19] (Am. Bar Ass’n 1983).
26. Id. cmt. [18].
27. Id.
28. Id. r. 1.1 cmt. [8].
29. ABA Comm. on Ethics & Pro. Resp., Formal Op. 498, at 4 (Mar. 10, 2021).
30. Mark Bassingthwaighte, Public Wi-Fi—Should Lawyers Just Say No?, ALPS (July 5, 2018), https://blog.alpsinsurance.com/public-wi-fi-should-lawyers-just-say-no.
31. Id.
32. Id.
33. Id.
34. Id.
35. Caroline Cakebread, You’re Not Alone, No One Reads Terms of Service Agreements, Insider (Nov. 15, 2017), https://www.businessinsider.com/deloitte-study-91-percent-agree-terms-of-service-without-reading-2017-11.
36. Id.
37. ABA Comm. on Ethics & Pro. Resp., Formal Op. 498, at 4 (Mar. 10, 2021).
38. Susan Berson, Top Ten Tips for Lawyers “Zoom”ing into Remote Work During the Pandemic to Maintain Confidentiality, Privacy and Productivity, 89 Kan. B. Ass’n 10, 11 (2020).
39. ABA Comm. on Ethics & Pro. Resp., Formal Op. 498, at 5.
40. E.g., David G. Ries, 2018 Cybersecurity, ABA Techreport 2018 (Jan. 28, 2019), https://www.americanbar.org/groups/law_practice/publications/techreport/ABATECHREPORT2018/2018Cybersecurity/; Jennifer Detrani, Strengthening the “Soft Underbelly” of Cybersecurity, Above the Law (June 13, 2019), https://abovethelaw.com/legal-innovation-center/2019/06/13/strengthening-the-soft-underbelly-of-cybersecurity.
41. Embry, supra note 1.