In a major new ethics opinion, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility indicated that lawyers must make reasonable efforts to ensure that communications with clients are secure and not subject to inadvertent or unauthorized security breaches. Notably, and for the first time, the opinion says that, in some circumstances, lawyers would be warranted in using “particularly strong protective measures” such as encryption.
The new ethics opinion, ABA Formal Opinion 477, updates Formal Opinion 99-413, issued in 1999. The ABA Standing Committee noted that the new opinion does “not impose greater or different duties of confidentiality…” but discusses “how a lawyer should comply with the core duty of confidentiality in an ever-changing technological world… .”
The ethics opinion stated that lawyers must use “reasonable efforts” to ensure the security of client information. According to the opinion, the reasonable efforts standard is a fact-specific inquiry that requires examining the sensitivity of the information, the risk of disclosure without additional precautions, the cost of additional measures, the difficulty of adding more safeguards, and whether additional safeguards adversely impact the lawyer’s ability to represent the client.
The use of unencrypted routine email remains an acceptable method of routine communication with clients, assuming the lawyer has implemented basic and reasonably available electronic security measures.
However, cyber-threats, particularly in “highly sensitive industries such as industrial designs, mergers and acquisitions of trade secrets and industries like healthcare, banking, defense or education, may present a higher risk of data theft.” Lawyers in these fields may need to take “greater effort” to ensure secure communication. Therefore, lawyers must analyze how they communicate electronically about client matters on a case-by-case basis.
The opinion urged lawyers to take reasonable steps to protect client communications, and listed seven considerations that should guide lawyers:
- The nature of the threat.
- How client confidential info is transmitted and stored.
- The use of reasonable electronic security measures.
- How electronic communications should be protected.
- The need to label client information as privileged and confidential.
- The need to train lawyers and non-lawyer assistants in technology and cybersecurity.
- The need to conduct due diligence on vendors who provide technology services.
In addition to the seven factors summarized above, the opinion emphasized that a lawyer has a duty to communicate with a client about the nature and method of electronic communications. The lawyer and client should then decide whether high-level encryption, personal delivery or unencrypted email is warranted.
The opinion concludes as follows:
Rule 1.1 requires a lawyer to provide competent representation to a client. Comment [8] to Rule 1.1 advises lawyers that to maintain the requisite knowledge and skill for competent representation, a lawyer should keep abreast of the benefits and risks associated with relevant technology. Rule 1.6(c) requires a lawyer to make “reasonable efforts” to prevent the inadvertent or unauthorized disclosure of or access to information relating to the representation.
A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
Vanarelli & Li, LLC website: https://vanarellilaw.com/