In a recent formal Ethics Opinion, the American Bar Association stressed that lawyers must make reasonable efforts to prevent inadvertent or unauthorized access to confidential information relating to the representation of their clients. The ABA recognized that in the age of constant cybersecurity threats, law firms are targets for hackers for two reasons:
(1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.
The Opinion further recognizes that while the Model Rules of Professional Conduct do not impose greater or different duties of confidentiality based upon the method by which a lawyer communicates with his or her client, electronic communication involves risks that are constantly changing.
In examining the applicable Model Rules to explain what factors constitute reasonable efforts when using technology to communicate with clients, the Opinion specifically mentions trade secrets lawyers, noting that they handle client matters involving proprietary information that “may present a higher risk of data theft.” Trade secrets lawyers must, on a case-by-case basis, analyze how they communicate electronically about client matters and “particularly strong protective measures, like encryption, are warranted in some circumstances.” The nonexclusive factors to examine when making a “reasonable efforts” determination are:
(1) The sensitivity of the information;
(2) The likelihood of disclosure if additional safeguards are not employed;
(3) The cost of employing additional safeguards;
(4) The difficulty of implementing the safeguards; and
(5) The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
When making these reasonable efforts to safeguard electronic communications and storage, Model Rule 1.4 may require the lawyer to obtain informed consent from the client regarding whether to the use enhanced security measures, the costs involved, and the impact of those costs on the expense of the representation where nonstandard and not easily available or affordable security methods may be required or requested by the client. The Opinion stresses that reasonable efforts might require avoiding the use of electronic methods or any technology to communicate with the client altogether, just as the ABA stressed avoiding the use of the telephone, fax and mail in its 1999 Formal Opinion 99-413.
In sum, the Opinion makes clear that lawyers must have an open exchange of communication with their clients about the securities measures their firms are taking to safeguard the clients’ confidential information. They must recognize that the determination of whether they are making reasonable efforts in enhancing their cybersecurity is a fact-based analysis to be made on a case-by-case basis and may not be uniformly employed.