New ABA Opinion – Attorneys Must Take Reasonable Cybersecurity Measures To Protect Client Data

On May 11, 2017, the American Bar Association (ABA) issued Formal Opinion 477, making clear that a lawyer may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct so long as the lawyer takes reasonable efforts to prevent inadvertent or unauthorized access to client information. Lawyers may also be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. This new opinion updates a prior opinion issued by the ABA in 1999 (Formal Opinion 99-413), in which the ABA concluded that attorneys may use the Internet to transmit unencrypted communications relating to a client without running afoul of the Model Rules of Professional Conduct.

According to the ABA, in the “technical landscape of Opinion 99-413,” unencrypted email posed “no greater risk of interception or disclosure than other non-electronic forms of communication.” Although this premise remains true today for routine communication with clients, and the use of unencrypted routine email generally remains an acceptable method of lawyer-client communications, cyber-threats and the proliferation of electronic communications devices have “changed the landscape and it is not always reasonable to rely on the use of unencrypted email.” As an example, the ABA notes that electronic communication through certain mobile applications or on message boards or via unsecured networks may lack the basic expectation of privacy afforded to email communications. Lawyers must therefore, on a case-by-case basis, constantly analyze how they communicate electronically about client matters.

Although the ABA does not provide specific steps for attorneys to take in this regard, it does provide the following considerations as guidance:

Understand the Nature of the Threat

The ABA says that understanding the nature of the threat includes consideration of the sensitivity of the client’s information and whether the client’s matter is a higher risk for cyber intrusion. Client matters involving proprietary information in highly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft.

Understand How Client Confidential Information is Transmitted and Where It Is Stored

The ABA says a lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information. Every “access point is a potential entry point for a data loss or disclosure.” Every access point, and each device, should therefore be evaluated for security compliance.

Understand and Use Reasonable Electronic Security Measures

Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. What is “reasonable” will vary depending on the facts of each case. The ABA indicates that making reasonable efforts may include “analysis of security measures applied to both disclosure and access to a law firm’s technology system and transmissions.” A lawyer should also understand and use electronic security measures to safeguard client communications and information, including using secure internet access methods to communicate, access and store client information, using unique complex passwords, changed periodically, implementing firewalls and anti-malware/spyware/antivirus software on all devices, and applying necessary security patches and updates to software when required.

Determine How Electronic Communications About Client Matters Should Be Protected

Different communications require different levels of protection. The ABA recommends that the lawyer and client discuss what levels of security will be necessary for each electronic communication about client matters. For example, if client information is of sufficient sensitivity, the ABA says a lawyer should encrypt the transmission and determine how to do so to sufficiently protect it, and consider the use of password protection for any attachments. Lawyers can also consider the use of well vetted and secure third-party cloud based file storage systems to exchange documents normally attached to emails. Lawyers should also be cautious in communicating with a client if the client uses computers or other devices subject to the access or control of a third party.

Label Client Confidential Information

The ABA recommends lawyers follow the “better practice” of marking privileged and confidential client communications as “privileged and confidential” and using disclaimers in client emails.

Train Lawyers and Nonlawyer Assistants in Technology and Information Security

The ABA recommends lawyers establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients.

Conduct Due Diligence on Vendors Providing Communication Technology:

The ABA recommends lawyers examine a vendor’s reference checks and credentials, security protocols and policies, hiring practices, and the use of confidentiality agreements when determining which vendors to use in supplying communications technologies.

Takeaways

Although most enterprises and firms use some level of protection in their electronic communications, this new opinion highlights the growing focus on cybersecurity across all industries and professions. Encryption is increasingly becoming the industry standard in securing electronic data and communications, and is often the first line of defense when facing a data breach scenario.