Legal ethics in a breach-a-day world.
Confidential data in computers and information systems, including those used by attorneys and law firms, faces greater security threats today than ever before. And, they continue to grow! They take a variety of forms, ranging from email phishing scams and social engineering attacks to sophisticated technical exploits resulting in long-term intrusions into law firm networks. They also include lost or stolen laptops, tablets, smartphones and USB drives, as well as inside threats—malicious, untrained, inattentive and even bored personnel. Trusts and estates practitioners face cybercriminals targeting money, banking information, personally identifiable information that can be used for identity theft and other confidential data.
These threats are a particular concern to attorneys because of their duty of confidentiality. Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients. They also often have contractual and regulatory duties to protect client information and other types of confidential information. Breaches are becoming so prevalent that there’s a new mantra in cybersecurity today—it’s “when, not if” there will be a breach. This is true for attorneys and law firms as well as other businesses and enterprises. Consistent with this threat environment, New York Ethics Opinion 1019 warned attorneys in May 2014:
Cyber-security issues have continued to be a major concern for lawyers, as cyber-criminals have begun to target lawyers to access client information, including trade secrets, business plans and personal data. Lawyers can no longer assume that their document systems are of no interest to cyber-crooks.
Ethics Rules
Several ethics rules[1] have particular application to protection of client information, including Competence (Model Rule 1.1), Communication (Model Rule 1.4), Confidentiality (Model Rule 1.6) and Supervision (Model Rules 5.1, 5.2 and 5.3).
Model Rule 1.1: Competence covers the general duty of competence. It provides that, “A lawyer shall provide competent representation to a client.” This “requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” It includes competence in selecting and using technology, including cybersecurity. It requires attorneys who lack the necessary technical competence for security to learn it or to consult with qualified individuals who have the requisite expertise.
The American Bar Association (ABA) Commission on Ethics 20/20 conducted a review of the Model Rules and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments. One of its core areas of focus was technology and confidentiality. Its recommendations in this area were adopted by the ABA at its annual meeting in August 2012.
The 2012 amendments include addition of the following italicized language to the Comment to Model Rule 1.1:
[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…
As of September 2017, 28 states have adopted the new comment to Model Rule 1.1, some with variations from the ABA language.
Model Rule 1.4: Communication also applies to attorneys’ use of technology. It requires appropriate communications with clients “about the means by which the client’s objectives are to be accomplished,” including the use of technology. It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent.” It requires notice to a client of a compromise of confidential information relating to the client.
Model Rule 1.6: Confidentiality of information defines generally the duty of confidentiality. It begins as follows:
A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b). . .
Model Rule 1.6 broadly requires protection of “information relating to the representation of a client;” it isn’t limited to confidential communications and privileged information. Disclosure of covered information generally requires express or implied client consent (in the absence of special circumstances like misconduct by the client).
The 2012 amendments added the following new subsection (italicized) to Model Rule 1.6:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
This requirement covers two areas—inadvertent disclosure and unauthorized access. Inadvertent disclosure includes threats such as leaving a briefcase, laptop or smartphone in a taxi or restaurant, sending a confidential email to the wrong recipient, producing privileged documents or data in litigation or exposing confidential metadata. Unauthorized access includes threats like hackers, criminals, malware and insider threats.
The 2012 amendments also include additions to Comment [18] to Rule 1.6, providing that “reasonable efforts” require a risk-based analysis, considering the sensitivity of the information, the likelihood of disclosure if additional safeguards aren’t employed and consideration of available safeguards. The analysis includes the cost of employing additional safeguards, the difficulty of implementing them and the extent to which they would adversely affect the lawyer’s ability to use the technology. The amendment also provides that a client may require the lawyer to implement special security measures not required by the rule or may give informed consent to forgo security measures that would otherwise be required by the rule.
Significantly, the Ethics 20/20 Commission noted that these revisions to Model Rules 1.1 and 1.6 make explicit what was already required rather than adding new requirements.
Model Rule 5.1: Responsibilities of partners, managers and supervisory lawyers include the duties of competence and confidentiality.
Model Rule 5.2: Responsibilities of a subordinate lawyer also include these duties.
Model Rule 5.3: Responsibilities regarding nonlawyer assistants was amended in 2012 to expand its scope. “Assistants” was expanded to “Assistance,” extending its coverage to all levels of staff and outsourced services ranging from copying services to outsourced legal services. This requires attorneys to employ reasonable safeguards, like due diligence, contractual requirements, supervision and monitoring, to ensure that nonlawyers, both inside and outside a law firm, provide services in compliance with an attorney’s duty of confidentiality.
Ethics Opinions
A number of state ethics opinions, for over a decade, have addressed professional responsibility issues related to security in attorneys’ use of various technologies. Consistent with the Ethics 20/20 amendments, they generally require competent and reasonable safeguards.
Examples include: State Bar of Arizona, Opinion No. 05-04 (July 2005) and State Bar of Arizona, Opinion No. 09-04 (December 2009): “Confidentiality; Maintaining Client Files; Electronic Storage; Internet” (Formal Opinion of the Committee on the Rules of Professional Conduct); New Jersey Advisory Committee on Professional Ethics, Opinion 701 (April 2006): “Electronic Storage and Access of Client Files;” State Bar of California, Standing Committee on Professional Responsibility and Conduct, Formal Opinion No. 2010-179; and New York State Bar Association Ethics Opinion 1019 (August 2014): “Confidentiality; Remote Access to Firm’s Electronic Files.”
Significantly, California Formal Opinion No. 2010-179 advises attorneys that they must consider security before using a particular technology in the course of representing a client. Depending on the circumstances, an attorney may be required to avoid using a particular technology or to advise a client of the risks and seek informed consent if appropriate safeguards can’t be employed.
There are now multiple ethics opinions on attorneys’ use of cloud computing services like online file storage and software as a service.[2] For example, the New York Bar Association Committee on Professional Ethics Opinion 842, “Using an outside online storage provider to store client confidential information” (September 2010), consistent with the general requirements of the ethics opinions above, concludes:
[a] lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality is maintained in a manner consistent with the lawyer’s obligations under Rule 1.6.
The most recent opinion on safeguarding client data is ABA Formal Opinion 477, “Securing Communication of Protected Client Information” (May 2017). While focusing on electronic communications, it also explores the general duties to safeguard information relating to clients in light of current threats and the Ethics 20/20 technology amendments to the Model Rules. Its conclusion includes:
Rule 1.1 requires a lawyer to provide competent representation to a client. Comment [8] to Rule 1.1 advises lawyers that to maintain the requisite knowledge and skill for competent representation, a lawyer should keep abreast of the benefits and risks associated with relevant technology. Rule 1.6(c) requires a lawyer to make ‘reasonable efforts’ to prevent the inadvertent or unauthorized disclosure of or access to information relating to the representation.
The key professional responsibility requirements from these various opinions on attorneys’ use of technology are competent and reasonable measures to safeguard client data, including an understanding of limitations in attorneys’ knowledge, obtaining appropriate assistance, continuing security awareness, appropriate supervision and ongoing review as technology, threats and available safeguards evolve. They also require obtaining clients’ informed consent in some circumstances. It’s important for attorneys to consult the rules, comments and ethics opinions in the relevant jurisdiction(s).
Electronic Communications
Ethics rules. Email and electronic communications have become everyday communications forms for attorneys and other professionals. They’re fast, convenient and inexpensive, but present serious risks to confidentiality. It’s important for attorneys to understand and address these risks.
The Ethics 2000 revisions to the Model Rules, over 10 years ago, added Comment [17] (now [19]) to Model Rule 1.6. It requires “reasonable precautions to prevent the information from coming into the hands of unintended recipients.” It provides:
…This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement…
This Comment requires attorneys to take “reasonable precautions” to protect the confidentiality of electronic communications. Its language about “special security measures” has often been viewed by attorneys as providing that they never need to use “special security measures” like encryption. While it does state that “special security measures” aren’t generally required, it contains qualifications and notes that “special circumstances” may warrant “special precautions.” It includes the important qualification—“if the method of communication affords a reasonable expectation of privacy.”
There are, however, questions about whether unencrypted email affords a reasonable expectation of privacy. Respected security professionals for years have compared unencrypted email to postcards or postcards written in pencil.[3]
Comment [19] to Rule 1.6 also lists “the extent to which the privacy of the communication is protected by law” as a factor to be considered. The federal Electronic Communications Privacy Act[4] and similar state laws make unauthorized interception of electronic communications a crime. Some observers have expressed the view that this should be determinative and attorneys aren’t required to use encryption. The better view is to treat legal protection as only one of the factors to be considered. As discussed below, some of the newer ethics opinions conclude that encryption may be a reasonable measure that should be used, particularly for highly sensitive information.
Ethics opinions. An ABA ethics opinion in 1999 and several state ethics opinions concluded that special security measures, like encryption, aren’t generally required for confidential attorney email.[5] However, these opinions, like Comment [19], contain qualifications that limit their general conclusions.
Consistent with the questions raised by security experts about the security of unencrypted email, some ethics opinions express a stronger view that encryption may sometimes be required. For example, New Jersey Opinion 701 (April 2006), discussed above, notes at the end: “where a document is transmitted to [the attorney] … by email over the Internet, the lawyer should password a confidential document (as is now possible in all common electronic formats, including PDF), since it is not possible to secure the Internet itself against third party access.”[6] This was over 10 years ago.
California Formal Opinion No. 2010-179, Pennsylvania Formal Opinion 2011-200 and Texas Ethics Opinion 648 (2015) provide that encryption may sometimes be required. A July 2015 ABA article notes, “The potential for unauthorized receipt of electronic data has caused some experts to revisit the topic and issue [ethics] opinions suggesting that in some circumstances, encryption or other safeguards for certain email communications may be required.”[7]
ABA Formal Opinion 477, “Securing Communication of Protected Client Information” (May 2017), consistent with these newer opinions and the article, concludes:
A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
The Opinion references the Ethics 20/20 amendments to Comment [18] to Model Rule 1.6 and its discussion of factors to be considered in determining reasonable and competent efforts. It provides general guidance and leaves details of their application to attorneys and law firms, based on a fact-based analysis on a case-by-case basis.
In addition to complying with any applicable ethics and legal requirements, the most prudent approach to the ethical duty of protecting electronic communications is to have an express understanding with clients (preferably in an engagement letter or other writing) about the nature of communications that will be (and won’t be) sent electronically and whether encryption and other security measures will be used. It’s now reached the point at which all attorneys should have encryption available for use in appropriate circumstances.
Common Law and Contractual Duties
Along with the ethical duties, there are parallel common law duties defined by case law in the various states. The Restatement (Third) of the Law Governing Lawyers (2000) summarizes this area of the law, including Section 16(2) on competence and diligence, Section 16(3) on complying with obligations concerning client’s confidences and Chapter 5, “Confidential Client Information.” Breach of these duties can result in a malpractice action.
There are also increasing instances when lawyers have contractual duties to protect client data, particularly for clients in regulated industries, such as health care and financial services, which have regulatory requirements to protect privacy and security.
Regulatory Duties
Attorneys and law firms that have specified personal information about their employees, clients, clients’ employees or customers, opposing parties and their employees or even witnesses may also be covered by federal and state laws that require reasonable safeguards for covered information and notice in the event of a data breach.[8]
Complying With the Duties
Understanding all of the applicable duties is the first step, before moving to the challenges of compliance by designing, implementing and maintaining an appropriate risk-based information security program. The program should address people, policies and procedures and technology and be appropriately scaled to the size of the practice and the sensitivity of the information.
Endnotes
1. American Bar Association (ABA) Model Rules of Professional Conduct (2017).
2. The ABA Legal Technology Resource Center has published a summary with links, “Cloud Ethics Opinions around the U.S.,” http://bit.ly/2duVMwC.
3. For example, Bruce Schneier, E-Mail Security—How to Keep Your Electronic Messages Private (John Wiley & Sons, Inc. 1995), at p. 3; Bruce Schneier, Secrets & Lies: Digital Security in a Networked World (John Wiley & Sons, Inc. 2000), at p. 200; Larry Rogers, “Email—A Postcard Written in Pencil, Special Report” (Software Engineering Institute, Carnegie Mellon University 2001); Google Official Blog, “Transparency Report: Protecting Emails as They Travel Across the Web” (June 3, 2014); and Molly Wood, “Easier Ways to Protect Email from Unwanted Prying Eyes,” New York Times (July 16, 2014).
4. 18 U.S.C. Sections 2510-2522.
5. For example, ABA Formal Opinion No. 99-413, “Protecting the Confidentiality of Unencrypted E-Mail” (March 10, 1999) (“based upon current technology and law as we are informed of it … a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a) … this opinion does not, however, diminish a lawyer’s obligation to consider with her client the sensitivity of the communication, the costs of its disclosure, and the relative security of the contemplated medium of communication. Particularly strong protective measures are warranted to guard against the disclosure of highly sensitive matters”) and District of Columbia Bar Opinion 281, “Transmission of Confidential Information by Electronic Mail” (February 1998) (“In most circumstances, transmission of confidential information by unencrypted electronic mail does not per se violate the confidentiality rules of the legal profession. However, individual circumstances may require greater means of security”).
6. File password protection in some software, like current versions of Microsoft Office, Adobe Acrobat and WinZip, uses encryption to protect the file’s contents. It’s generally easier to use than encryption of email and attachments. However, the protection can be limited by use of weak passwords that are easy to break or “crack.”
7. Peter Geraghty and Susan Michmerhuizen, “Encryption Conniption,” Eye on Ethics, Your ABA (July 2015), http://bit.ly/2Cl615N.
8. For example, Internal Revenue Code Section 6713, Internal Revenue Procedure 2007-40, Gramm-Leach-Bliley Act, 15 U.S.C. Sections 6801-6809 and National Conference of State Legislatures—State Data Security Laws, http://bit.ly/2zVyXvW, and State Security Breach Notification Laws, http://bit.ly/1ao7NAi.