In June 2017, companies, government entities, and law firms faced a global ransomware attack from a type of malware where attackers lock certain data or components of a system and demand payment in exchange for returned access to such data or systems. Lawyers and law firms are targets of attacks like this and other forms of data breaches at high rates. In the wake of this latest global ransomware attack, let us recall certain ethical obligations related to technology that apply to lawyers.
Per Rule 1.1 of the Model Rules of Professional Conduct, a basic tenet of a lawyer’s ethical obligations to his or her client is that the lawyer must provide “competent representation” or “legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” The requirement for competent representation encompasses keeping “abreast of changes” to “benefits and risks associated with relevant technology.” Additionally, lawyers must “make reasonable efforts to prevent . . . unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client” per Rule 1.6 of the Model Rules of Professional Conduct. While unauthorized disclosure of or access to client information does not violate Rule 1.6 in and of itself, a lawyer must take reasonable action to prevent such access or disclosure. Comment 18 to Rule 1.6 provides several factors for determining whether a lawyer has made reasonable efforts, including the level of sensitivity of the information and the cost and impact of safeguards.
In May 2017, the American Bar Association Standing Committee on Ethics and Professional Responsibility (Committee) released revised Formal Opinion 477R, which spoke to the foregoing rules and, more specifically, to securing electronic communications involving client information. The Committee found that “a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure . . . when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.” The Committee also advised that lawyers take the following steps when determining what level of security to assign to their communications:
- Understand the level of risk of cyber intrusion and the nature of the threat
- Know where the communications are created, where the client data is stored, and what the access options are
- Understand electronic security methods and their use
- Discuss necessary security measures with the client
- Mark “privileged and confidential” communications accordingly
- Maintain policies and hold employee trainings on the electronic security of client communications
- Evaluate the conduct of vendors that provide electronic communication services or technology
For example, the Committee found that unencrypted, standard security methods of communicating may be acceptable in some circumstances, but that other situations may require the use of encryption or other stronger security protections. As lawyers and law firms face a barrage of cyberattacks, it is important to stay up to date on relevant technology and implement adequate security measures, in line with ethical obligations. This post discusses the requirements under the Model Rules of Professional Conduct only, so be sure to consult the professional rules in each applicable jurisdiction.