Lawyers have received new guidance on the extent of their professional responsibility to ensure the secure transmission of client information. Last week, the American Bar Association’s (ABA) Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477 entitled “Securing Communication of Protected Client Information.”

Though they are not considered mandatory authority governing lawyer behavior, the ABA’s ethics opinions and model rules provide important guidance to the states in the construction of their own rules of professional conduct. Significantly, the opinion comes at a time when data security is at the forefront of the national conversation, and as a result, it should have maximum impact in shaping the agenda of the various state bar associations.

A Sign of the Times

Formal Opinion 477 updates Formal Opinion 99-413, delivered in 1999, in which the ABA first tackled the implications of the use of e-mail on attorney-client confidentiality. The 1999 opinion held that e-mail, like other traditional forms of communication (e.g., postal mail or telephone), “afford[ed] a reasonable expectation of privacy from a technological and legal standpoint,” and, therefore, privilege could be maintained absent the use of encryption.

In the most recent opinion, while the committee does not go so far as to specifically require encryption, it does make clear that it recognizes times are changing, noting this is now “a post-Opinion 99-413 world where law enforcement discusses hacking and data loss in terms of ‘when,’ and not ‘if.’”

Adaptable Standard

Wisely, the committee steers clear of identifying any specific technology or security measure as necessary to meet a minimum security threshold. The pace of technological change would quickly render obsolete the mandates of any such box-ticking approach.

Rather, the opinion leans on the so-called “technology amendments” to the Model Rules that were adopted in 2012 as well as the recommendations of the ABA’s Cybersecurity Handbook in order to craft a more evergreen standard, one that can provide a framework for guiding and evaluating security protocols even in the face of ever-evolving cyber threats.

The result is the following balancing test:

A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.

To define “reasonable efforts,” the committee points to the standard as defined in the ABA’s Cybersecurity Handbook, which calls for a “‘process’ approach to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”

As an example of factors to consider when determining whether “reasonable efforts” have been made, the committee references Comment [18] to the ABA’s Model Rule 1.6(c) which advocates weighing the sensitivity of the information to be protected against the burden of instituting additional safeguards.

By employing a factor-based, process-oriented approach, the “reasonable efforts” standard recommended by the ABA has the ability to change with the times. The definition of what is considered a “reasonable effort” will definitely evolve. What is considered a “reasonable effort” today will almost certainly not be considered a “reasonable effort” five years from now. New threats will emerge, while technological breakthroughs will create novel defensive measures and will make security infrastructure and processes previously thought to be cost prohibitive available to the masses.

Engage with Clients

Moreover, the committee’s framework puts the client at the center of the conversation. The opinion directs lawyers to consult with their clients on matters of data privacy and security at the outset of any engagement. At that time, lawyers should evaluate the sensitivity of the information to be transmitted and the needs of the client and tailor their security measures accordingly.

The determination should also take into account how the client intends to interact with the electronic communications. The ABA cautions that lawyers should be aware of whether an electronic communication might be sent to a computer or device over which a third party, not the client, exercises ownership or control, which could endanger attorney-client privilege.

Implications for Firms

ALM Intelligence research has found that the state of cybersecurity preparedness in the legal services sector leaves something to be desired (see graphic below), so it is essential that firms do not view the committee’s recommendations as an unnecessary burden.

The bottom line is that firm leaders have both a professional and business responsibility to treat the data security practices of their firm as mission critical. First, as to their professional responsibility, the ability to protect and maintain client confidences is fundamental to providing effective counsel. Second, with regard to their business responsibility, the increasing importance of data security presents an opportunity for those firms that invest time and resources developing a comprehensive and process-oriented approach to information security to differentiate themselves from their competition.

The events of the past year have demonstrated that law firms are not immune from the growing cyber threat, and going forward, stories of the hacking of electronic communications will continue to make headlines and capture the public’s attention. Firm leaders would be well advised to do everything in their power to ensure the proper security infrastructure and incident response protocols are in place when the inevitable attack occurs. It is not hyperbole to say that the future of their firm depends on it.

Steve Kovalan is a Senior Analyst at ALM Intelligence. A member of the District of Columbia Bar, he holds a JD from the West Virginia University College of Law and a BA (summa cum laude) in History and Political Science from West Virginia University. He can be reached via email, Twitter, or LinkedIn.