It would be a nightmare for any lawyer to find that someone had hacked into their firm’s computer network and stolen confidential client information. That nightmare will get even scarier beginning July 1, 2015 when revisions to the Massachusetts Rules of Professional Conduct take effect, with the potential for new rules violations.
An overhaul of the Massachusetts Rules of Professional Conduct will take effect on July 1, 2015. The changes potentially affect all lawyers, regardless of their practice area, and regardless of whether they practice alone or in large firms. Most of the Rules will receive at least a minor update, and Massachusetts lawyers should pay attention lest they step into some new traps. One of the most significant changes to the Rules will impose affirmative obligations with respect to information technology and data security. Lawyers who fail to take appropriate steps to secure their clients’ confidential information could find themselves in violation of the Rules.
For example, a new Rule, 1.6(c), states that a “lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, confidential information relating to the representation of a client.” A new comment to that Rule, comment 18, clarifies that “[t]he unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.” However, the standard for what is “reasonable” is less than clear. The comment states that “[f]actors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients…”
Imagine you find yourself as lead counsel in a highly publicized celebrity divorce. You have a computer and a smartphone full of “sensitive information” about your high-profile client, but with no encryption or security at all, or only rudimentary protection. It may well be “likely” that someone (the paparazzi?) will try to hack your computer or phone and spread your client’s confidential information across the Internet.
If such a hacker-driven debacle occurs, will you face discipline for having lax computer security? Also, even if your security measures were “good enough” for lower-profile clients’ information, will they pass muster when you take on a high-profile client in a case that is a matter of intense public interest? Even for lower-profile clients, identity thieves, fraudsters, and corporate espionage agents may be highly interested in a lawyer’s confidential electronic files – and they can cause great damage.
The upshot is that, even though the revised Rule does not say what constitutes “reasonable” security, lawyers may find themselves having to defend their data security in the aftermath of a breach. At a minimum, basic security measures should be in place: encrypted email systems; phones and laptops that automatically lock; policies concerning the use of public internet connections; and a clear social media policy that prevents the dissemination of sensitive information and the use of personal email for client matters. Beyond that, lawyers with access to especially sensitive data may want to discuss information security with their clients. Comment 18 allows the client to “require the lawyer to implement special security measures not required by this Rule or [to] give informed consent to forgo security measures that would otherwise be required.”
Other changes to the Rules with respect to technology include a new comment 3 to Rule 5.3, which obligates lawyers to at least consider a client’s information security when hiring an outside technology vendor. Comment 3 states that when employing the assistance of “nonlawyers outside the firm,” a lawyer “must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations.” A lawyer fulfills this obligation, in part, through “arrangements concerning the protection of client information.” Lawyers should keep this obligation in mind when they retain vendors: they may want to require vendors to sign basic confidentiality and data security agreements, and to permit the firm to monitor compliance or at least audit the vendor’s security measures.
Also, as a sort of technology catchall, revised comment 8 to Rule 1.1 (concerning competence) now states that “[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, and engage in continuing study and education.”
The Supreme Judicial Court has established a web site with useful links concerning the revised Rules. These include a redlined version showing the changes to the Rules, and a report by the Court’s Standing Advisory Committee on the Rules of Professional Conduct summarizing additional changes.