Cybersecurity is an increasingly important risk vector that impacts every facet of society. Day by day, businesses and even individuals are finding themselves to be targets of cyberattacks and lawyers are certainly no exception. The exponential scale of the problem can be seen in the fact that, according to a recent report, there were more records compromised in 2017 than there are people currently living on earth.[1] While this risk is applicable to all organizations and individuals, lawyers, as safeguards of their client’s information, are particularly useful targets for cyber criminals. Lawyers of every stripe and specialty tend to possess large quantities of their clients’ sensitive data and in many cases present a more desirable target than the clients themselves because the data of all of their clients is centralized in a single location. Recognizing this threat, the bar has taken steps to ensure that the profession rises to the challenge posed by the pervasive threat of cyber-compromise. The bar’s understanding of the lawyer’s duty to his or her clients has developed along two parallel paths—the duty of confidentiality and the duty of technological competence as applied in the digital context.

In 2017, the American Bar Association proceeded along the first path and released Formal Opinion 477, which dealt with cybersecurity in client communications. The opinion held:

A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.