- Robert Stines
Attorneys' Ethical Obligations for Technology and Cybersecurity
Do attorneys have any ethical obligations regarding technology and cybersecurity? The answer is a resounding "Yes!"
Tech Savvy Attorneys?
A lawyer's first ethical obligation is to provide competent representation to a client. In the digital/cyber age, technology plays a major role in providing competent representation.
The American Bar Association (ABA), in the Model Rules of Professional Conduct, commented that, to maintain the requisite knowledge and skill to provide competent representation, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.
It is therefore an axiom that attorneys must use technology in the practice of law. For example, every attorney should understand how to send an email, create a PDF, and use electronic signatures.
Ethical Obligations Regarding Cybersecurity
Lawyers may also need to understand the risks associated with using unencrypted emails or cloud services.
In Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 17, 2018), the ABA noted that:
“Data breaches and cyber threats involving or targeting lawyers and law firms are a major professional responsibility and liability threat facing the legal profession. As custodians of highly sensitive information, law firms are inviting targets for hackers.”
The Model Rules of Professional Conduct, Rule 1.6(c), states that a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure. See Rules 1.1, 5.1 and 5.3.
However, unauthorized access to information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. This makes sense: if the U.S. government can be hacked, what chance does a law firm have against some of these cyber threats? That is why lawyers have to make reasonable efforts (not herculean efforts) to prevent a data breach.
That raises the question: what are reasonable efforts? Factors to be considered in determining reasonable efforts include:
the sensitivity of the information,
the likelihood of disclosure if additional safeguards are not employed,
the cost of employing additional safeguards,
the difficulty of implementing the safeguards, and
the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Despite these factors, a client may require the lawyer to implement special security measures or may give informed consent to forgo security measures.
Attorneys should also know that when transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients, such as hackers.
This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions.
When considering special precautions, lawyers should consider: (1) the sensitivity of the information, and (2) the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.
What Does All of This Mean?
Lawyers need to have, at least, a basic understanding of technology to better serve clients. Lawyers also need to understand that in the cyber age, law firms, like every other business, are targets for cyber attacks. With that in mind, they need to make reasonable efforts to prevent hackers from accessing client information, and need to take reasonable precautions (like encrypting emails) when sending sensitive information through electronic communications.
~ Florida Cyber Lawyer, Robert Stines, Esq., CIPP