ABA adoption of ethical considerations for electronic communications

“[I]n this world, with great power there must also come great responsibility.” [1] 

Maybe the practice of law and technology was not exactly what Uncle Ben had in mind when he said those words, but they are applicable. As technology brings advancement, globalization, and power to our world, it is also bringing new challenges and responsibilities for attorneys. Given the recent increase in document leaks, data breaches, and virus attacks, it is not surprising that you can’t turn on the television, open your phone, or look at the internet without an article or update on the topic.

Therefore, it should come as no surprise that the American Bar Association (ABA) recently provided new guidance to ensure attorneys have an understanding of some basic steps that should be considered when dealing with technology and the professional requirement to protect client information and communications.

On May 17, 2017, the ABA’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477.  The Committee acknowledged that the basic obligation of an attorney to maintain confidentiality has not changed.  However, the “role and risks of technology in the practice of law” have changed. [2] This Opinion is an update to ABA Formal Opinion 99-413, which was issued eighteen years ago, and it is intended to provide additional assistance and guidance to attorneys as they strive to stay up to date with changes in technology while maintaining confidential and privileged client information and communications. 

As Opinion 477 points out, the use of technology and email communications by attorneys has grown exponentially since the 1999 opinion. Attorneys and their staff “now regularly use a variety of devices to create, transmit and store confidential communications, including desktop, laptop and notebook computers, tablet devices, smartphones, and cloud resources and storage locations. Each device and each storage location offers an opportunity for the inadvertent or unauthorized disclosure of information relating to the representation, and thus implicate a lawyer’s ethical duties.” [3]

Sadly, this guidance has come a little late for some attorneys and their clients:  

In Harleysville Insurance v. Holding Funeral Home, a senior investigator uploaded a video surveillance of a fire loss scene and the entire investigation file onto an internet-based electronic file sharing service. He then sent an email with a hyperlink that was not password protected. The link was shared with defendant’s counsel—and all the unprotected information including the case investigation file which contained privileged information—was hosted and available without any password protection. 

Given the lack of restrictions to access the site and the absence of basic document-level protections, Judge Sargent found that the attorney-client privilege had been waived by the client’s conduct. “In essence, Harleysville has conceded that its actions were the cyberworld equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.” [4] Judge Sargent went on to state, “[t]he technology involved in information sharing is rapidly evolving. Whether a company chooses to use a new technology is a decision within that company’s control.  If it chooses to use a new technology, however, it should be responsible for ensuring that its employees and agents understand how the technology works and, more importantly, whether the technology allows unwanted access by others to its confidential information.” [5] This opinion was rendered approximately 3 months before the ABA issued Opinion 477. With some additional training and procedures in place this incident could have easily been prevented.

Not only has the potential for inadvertent disclosure of client information grown, but the potential for cyberattacks has developed and exploded. A recent cyberattack on June 27, 2017 across Europe had a significant impact on the US based law firm DLA Piper. The malware known as Petya came in the middle of the night in the US and impacted the firm’s email and phone services for most of the week. As of July 11, 2017, DLA Piper’s website still leads with “Malware Attack Update: Important Information for Clients.”

Although the firm has not reported the loss of any confidential client information, [6] it has been reported by the Wall Street Journal that firm lawyers requested deadline extensions from courts in at least five civil cases.  Experts are currently estimating that the total cost of this attack on DLA Piper from a financial and a reputational standpoint “could be in the millions.”

Could DLA Piper have done something different to prevent the severity of the attack? Quite possibly! It has been reported that the law firm of Baker McKenzie confined the damage to one computer in their European office causing minimal damage to the firm’s computer system and reputation. DLA Piper had not undertaken the same security measures, and it may have cost them dearly.

With those stories in mind, what type of responsibility do lawyers owe their clients in this new age of technology, and what type of guidance has the ABA provided in Opinion 477?

We all know lawyers must be competent and possess a certain level of proficiency to represent clients and handle their cases. As the ABA outlined in their comments to Rule 1.1 and  Rule 1.6, this duty of competency now includes a requirement that a lawyer is abreast of the risks and benefits of relevant technology, while continuing to maintain confidential and privileged client information. [7] It is important to note that on March 6, 2017, Tennessee became the twenty-seventh state to adopt this provision. [8]

Technology is changing at such a fast pace, any “minimum standards” could quickly be obsolete. Opinion 477 has adopted a “reasonable efforts” standard.  It is recommended that a lawyer apply a “process” to assess risks, identify and implement appropriate security measures and verify that these are effectively implemented and updated as technology develops. [9] This type of process and analysis means that different circumstances may require different protective measures.

Opinion 477 focuses on the following seven (7) areas for guidance. [10]

Understand the Nature of the ThreatUnderstand How Client Confidential Information is Transmitted & StoredUnderstand and Use Reasonable Electronic Security MeasuresDetermine How Electronic Communications about Clients Should Be ProtectedLabel Client Confidential InformationTrain Lawyers & Non-Lawyer Assistants in Technology & Information SecurityConduct Due Diligence on Vendors Providing Communication Technology

A lawyer and her non-lawyer assistants will need to be up-to-date on the technology being used in their offices. Some acceptable first steps to protect your client’s information may include training staff on how to detect phishing emails, changing passwords frequently, limiting or prohibiting the use of public wi-fi, and implementing two-factor authentication. [11] Additionally, a well thought-out information governance policy for your firm can also help prevent or limit the damages from a cyberattack while helping prevent the inadvertent disclosure of confidential and privileged client information. A lawyer should also be on the lookout for instances where it is necessary to discuss enhanced security safeguards with their clients. 

As technology continues to bring new services and products to the marketplace, an attorney will be expected to stay abreast of the advancements that may benefit their clients. However, they must continue to maintain the security of client information as a top priority. The costs of a breach can have significant impacts on a client’s case, causing financial consequences and reputational damages to both the client and the attorney.  If your firm does not have the means to implement a technology plan/system to protect client data, look to a vendor to assist in this process. And once you have a plan and process in place, consider using this to differentiate your firm from those around you that have not taken the time and effort to put together a thoughtful process-oriented plan for information security.

Originally published in the Tennessee Lawyer's Association Summer Newsletter 2017

About the Author

Lee Angela Holcomb is the Director of Managed Services for Sumati.  Lee is a Certified E-Discovery Specialist and an active member of the Sedona Conference. Currently, she is serving on the Membership Committee of the Sedona Conference Working Group 6, the International Electronic Information Management, Discovery and Disclosure. Prior to joining Sumati she was the COO and Director of Legal Services for Cobra Legal Solutions.  Lee was a Member in the Knoxville office of Leitner, Williams, Dooley and Napolitan. She received her undergraduate degree from Rhodes College and studied law at the Cecil C. Humphreys School of Law in Memphis.

[1] Stan Lee and Steve Ditko, Amazing Fantasy No. 15: “Spider-Man,” p. 13 (1962).
[2] ABA Comm. On Ethics & Prof’l Responsibility, Formal Op. 477, at 1 (2017) (A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.).
[3] Id.
[4] Harleysville Ins. Co. v. Holding Funeral Home, Inc., No. 1:15cv00057, 2017 WL 1041600 (W.D. Va. Feb. 9, 2017).
[5] Id.
[6] At the time of the writing of this article on July 11, 2017.
[7] Model Rules of Prof’l Conduct R 1.1, cmt 8 (A lawyer should stay abreast of changes in the law, “including the benefits and risks associated with relevant technology.”); see also Model Rules of Prof’l Conduct R 1.6(c), cmt 18 (“[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”).
[8] Tenn. Sup. Ct. R. 8, RPC 1.1 cmt 8.
[9] ABA Comm. On Ethics & Prof’l Responsibility, Formal Op. 477, at 1 (2017).
[10] Id. at 5 - 9.
[11] Rhys Dipshan, The Cybersecurity Contradiction:  Simple Attacks, Devastating Effects, Legaltech News, June 13, 2017, http://www.legaltechnews.com/id=1202789671735/The-Cybersecurity-Contradiction-Simple-Attacks-Devastating-Effects. 

Source: https://mailchi.mp/f4b99d9a0122/tlaws-summer-2017-newsletter

Lee Holcomb