Nicole Black
BridgeTower Media Newswires
Technology competence has been an ethical requirement for lawyers in many jurisdictions for years now. Specifically, ethics committees have generally required that lawyers take steps to ensure that they have a sufficient understanding of the technologies available to them so that they can make educated decisions about when and how to use the technologies in their law firms.
Of note is that this ethical obligation is all the more important in 2020 as many lawyers routinely work remotely due to COVID-19 restrictions. Because lawyers are regularly relying on technologies such as mobile and cloud-based software to facilitate remote work, it’s imperative that they have a sufficient understanding of the tools that they’re using and are ensuring that they’re being used in a secure manner that protects confidential client information.
The good news is that technology competence is now a requirement in the majority of jurisdictions, and a few times each year a new state joins the club and adopts the ethical requirement of technology competence for lawyers in its jurisdiction. One of the most recent jurisdictions to do so was Michigan. Earlier this year the Michigan State Bar Association issued Ethics Opinion RI-381, which established that the technology competence requirement applied to Michigan lawyers.
In adopting this ethical requirement, the Michigan Bar mirrored the American Bar Association’s approach and added the following language to the comment that follows MRPC 1.1: “Maintaining Competence. To maintain the requisite knowledge and skill, a lawyer should engage in continuing study and education, including the knowledge and skills regarding existing and developing technology that are reasonably necessary to provide competent representation for the client in a particular matter. If a system of peer review has been established, the lawyer should consider making use of it in appropriate circumstances.”
The Committee explained that the duty of technology competence means that lawyers “have ethical obligations to understand technology, including cybersecurity, take reasonable steps to implement cybersecurity measures, supervise lawyer and other firm personnel to ensure compliance with duties relating to cybersecurity, and timely notify clients in the event of a material data breach.”
According to the Committee, the technology competence requirement centers around safeguarding electronically stored information (ESI), supervising the competence of law firm employees, and understanding and responding to cybersecurity threats.
First, the Committee explained that the technology competence duty does not require absolute security. Instead, taking reasonable steps to ensure security is what’s required: “A lawyer cannot reasonably be expected to be a guarantor of client data security ... A lawyer must, however, exercise reasonable care in safeguarding client ESI ... To discharge that duty, a lawyer must formulate, adopt, and follow policies and procedures, appropriate to the lawyer’s field(s) of practice, regarding the use, transmission, and storage of client ESI. In addition, a lawyer must evaluate whether specific cybersecurity measures are appropriate for the representation of a client in a particular matter.”
Importantly, the Committee emphasized that the definition of what constitutes reasonable care will necessarily evolve over time and change as technology advances: “As with substantive law, what may be considered ‘reasonable’ cybersecurity changes over time ... Therefore, the duty to exercise reasonable care includes an obligation to assess periodically whether the lawyer’s policies and procedures keep pace with evolving technology risks.”
Of particular note now that lawyers regularly work remotely is that the Committee adopted the ABA’s standard regarding secure communication with clients as set forth in ABA Formal Opinion 477R. Specifically, the Committee opined that unencrypted email is often insufficient for sharing confidential information with clients and that more secure methods, including encrypted online client communication portals, may be required: “What constitutes ‘reasonable measures’ in fulfilling the duty to exercise reasonable care regarding client ESI depends on the circumstances, including the degree of sensitivity of the information to the client, potential threats, the risk of harm to the client in the event of unauthorized disclosure ... and the availability of protective technology ... . As noted in ABA Formal Opinion 477R ... ‘the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication,’ but ‘particularly strong protective measures, like encryption, are warranted in some circumstances.’”
Finally, regarding potential data breaches, the Committee adopted the ABA’s standard for client notification, and concluded that “When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules.”
So with Michigan adopting the technology competence requirement, that’s one more state down, 22 to go. If you’re not sure where your state falls, you can find an updated list of states that already require lawyers to have technology competence here.
—————
Nicole Black is an attorney, author, journalist, and the Legal Technology Evangelist at MyCase legal practice management software. She can be contacted at niki.black@mycase.com.
––––––––––––––––––––
Subscribe to the Legal News!
http://legalnews.com/Home/Subscription
Full access to public notices, articles, columns, archives, statistics, calendar and more
Day Pass Only $4.95!
One-County $80/year
Three-County & Full Pass also available