ABA ethics committee issues 'wake-up call' on cybersecurity

Opinion highlights lawyers’ new duty to be technologically competent in communications

By Pat Murphy
BridgeTower Media Newswires

BOSTON, MA - Lawyers are being advised to reassess the security measures they have in place to protect their electronic communications regarding client matters in the wake of a new ethics opinion from the American Bar Association.

The ABA's Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477 earlier this month to address a lawyer's obligation to secure the communication of protected client information. In particular, the opinion assesses the impact of the so-called "technology amendments" to the Model Rules of Professional Conduct adopted by the ABA in 2012.

In Opinion 477, the committee reiterates the general rule that client information may be transmitted over the internet so long as the lawyer has undertaken reasonable efforts to prevent inadvertent disclosure or unauthorized access.

However, the committee announced a significant caveat: "[A] lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security."

Gloucester attorney Robert J. Ambrogi sees the ABA opinion as having a profound impact across the country.

"This is a real wake-up call for lawyers about the duty to ensure the security of privileged and confidential communications with their clients," said Ambrogi, a legal technology consultant and commentator.

Christopher E. Hart, a business litigator at Foley Hoag in Boston, said he expects the ethics opinion to have an important influence on the development of guidance in the state on a lawyer's duty to protect client data.

"This could be an interesting spur in the Massachusetts community to rethink security technology and confidentiality," said Hart, whose practice areas include cybersecurity response and data privacy.

But Boston attorney Erin K. Higgins views Opinion 477 as more of a "natural outgrowth" of the 2012 technology amendments.

"The principal takeaway from this opinion is that using email, even unencrypted email for client communications, and storing client data in a system that has ordinary protections, is generally going to be OK," said Higgins, who co-chairs the professional liability practice group at Conn, Kavanaugh, Rosenthal, Peisch & Ford. "But where you as a lawyer know that you're holding onto or transmitting particularly sensitive information, there you're going to have to consider taking additional steps to protect that information."

-----

Change of course

Opinion 477 marks a departure from the committee's general stamp of approval to unencrypted email communications nearly two decades ago. In a 1999 opinion, the committee recognized that lawyers have a reasonable expectation of privacy in "all forms" of email, including "unencrypted" email, despite there being some risk of interception and disclosure.

"It therefore follows that its use is consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client's representation," the committee concluded at that time.

The committee's endorsement of unencrypted email in 1999 caused lawyers to become complacent about the need to use encryption, according to Ambrogi. But the committee's worldview has changed since 1999, responding to rapid advances in technology, the exponential rise in cybersecurity threats, and the ABA's responses to those developments in the form of rulemaking.

In 2012, the ABA amended the duty to preserve the confidentiality of client information by adding Rule 1.6(c), which provides a "lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client."

Further, Comment 8 to Rule 1.1 was modified to recognize that the duty of competent representation required lawyers to keep abreast of changes in the law and its practice, "including the benefits and risks associated with relevant technology."

Ambrogi said it is particularly noteworthy that the ABA committee premised its opinion on the new duty of technological competence in addition to the lawyer's duty to protect confidentiality.

Higgins agreed.

"This opinion and the changes to the rule should make people very aware that you can no longer put your head in the sand and say that you're a lawyer and really don't know about technology," she said. "This opinion says we have to know about technology."

The ABA's technology amendments were mirrored by changes to the Massachusetts Rules of Professional Conduct adopted by the Supreme Judicial Court in 2015.

-----

Fact-based analysis

In Opinion 477, the committee adopted a multi-factor test to assess whether a lawyer's cybersecurity measures satisfy the "reasonable efforts" standard of Rule 1.6(c).

The "nonexclusive" list of factors to be weighed includes:

(1) the sensitivity of the information;

(2) the likelihood of disclosure in the absence of additional safeguards;

(3) the cost of added safeguards;

(4) the difficulty of implementing such measures; and

(5) the extent to which the security measures inhibited the lawyer's ability to effectively represent the client.

"A fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances," the committee wrote.

The opinion needed to emphasize that lawyers should be guided by their clients' specific circumstances, said Hart, who was struck by the fact that much of the committee's guidance tracks the advice he would give one of his own clients inquiring about cybersecurity practices.

"Things like no one size fits all, you have to understand your own data environment, and you have to train your employees are all very standard practice for good cybersecurity hygiene," Hart said. "It's very important that the way lawyers should think about how they are maintaining confidentiality and privilege is very similar to the way anybody should be when talking about the private information of employees, customers or medical patients."

In addressing the security of email in particular, the committee found that the use of unencrypted "routine" email generally remains an acceptable method of communication between the lawyer and client.

"However, cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email," the committee wrote.

The committee highlighted that client matters involving proprietary information such as industrial designs, mergers and acquisitions, or trade secrets present a higher risk of data theft. Likewise, the committee singled out health care, banking, defense and education as high-risk sectors.

"[I]f client information is of sufficient sensitivity, a lawyer should encrypt the transmission and determine how to do so to sufficiently protect it, and consider the use of password protection for any attachments," the committee wrote. "Alternatively, lawyers can consider the use of a well vetted and secure third-party cloud based file storage system to exchange documents normally attached to emails."

Cambridge attorney Craig R. Smith, an IP litigator who includes cybersecurity among his areas of practice at Lando & Anastasi, said the committee's opinion is a "good step" toward clarifying what are considered to be reasonable efforts in protecting a client's data.

He also credited the committee for steering away from recommending specific security measures given the ever-changing cybersecurity environment.

"If you tried to do that, the protections that you thought might be reasonable and adequate today might not be so a year from now," Smith said.

The committee noted that, for certain highly sensitive information, a lawyer may find it necessary to avoid using electronic means of communication altogether.

As Conn Kavanaugh's risk management partner, Higgins recognizes the need for lawyers to handle medical records with particular care.

"In my firm, I want all medical records to be mailed or delivered in person," she said. "I don't want medical records going over the internet."

-----

Gold standard?

Hart said it would not be outlandish to suggest that encryption eventually will be the standard of care for lawyers.

"When massive [cyber]attacks become so rampant or law firms are continuously attacked because of the confidential information that they have, I could certainly see the day where the urgency behind encryption would change," he said. "But I don't see that day coming anytime soon."

Ambrogi said encryption should be the standard of care, although he recognized that every communication to a client does not necessarily contain privileged or confidential information.

"It seems prudent that a lawyer would at a minimum want to be encrypting all the documents they're transmitting to a client," Ambrogi said. "There are a lot of technologies available to make it really easy to do. If you can do that with a click of a button, then why wouldn't you do it?"

But Higgins pointed out that the vast majority of emails involve mundane matters, such as scheduling, that would not be of interest or use to a hacker. Making encryption the standard of care would be burdensome in terms of moving matters along, she said.

Lawyers need to be alert to the fact that outside counsel guidelines provided by a client may impose specific security protocols for the handling of confidential information, Higgins added.

"If the lawyer isn't looking for that in the outside counsel guidelines and simply signs it, you might be agreeing to have certain security protocols in place that you don't have," she said.

Published: Mon, May 22, 2017