You work for a boutique firm that handles transactional legal needs. One of the firm’s clients has grown from a successful regional business into a nationwide powerhouse. It has become so successful, in fact, that it recently became the target of a widely reported cyberattack. You spoke with the client contact when that happened, and she confided in you that the company is aware of dozens of attempts to breach its security measures just within the past year.
The client contact tells you her company is contemplating the acquisition of a mid-sized publicly traded corporation. The deal is extremely sensitive – any public leaks could cost the client tens of millions of dollars. The contact would like your firm to handle the legal work related to the acquisition.
You know your firm can handle the legal aspect of the deal, but in light of the recent cyberattacks, you wonder if your security measures are enough for this engagement. This client prefers email communications, and expects quick answers after business hours. You’ve read about encrypting emails, but it’s not something your firm typically does. You’re pretty sure it’d slow down or even stop after-hours communications. Besides, the client has never expressed a concern about using regular email to communicate on sensitive matters, and you’re aware of a 1999 Formal Opinion from the ABA saying unencrypted email is okay. So it must be okay, right?
State of the Law and the State of Technology
In 1999, the ABA issued Formal Opinion 99-413, in which it stated: “A lawyer may transmit information relating to the representation of a client by unencrypted e-mail… because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.”
However, the trend in opinions issued over the past five to ten years has recognized the increasing dangers posed by cyber threats. These opinions support imposing greater obligations on an attorney than the ABA’s 1999 opinion.
For instance, in California’s Formal Opinion 2010-179, the Committee noted that technology has changed since the ABA issued its opinion. It is not enough to rely on an expectation of privacy in all cases, particularly in California, where an attorney must “at every peril to himself or herself [act] to preserve the secrets of his or her client.” (Cal. Bus. and Prof. Code section 6068(e)(1).) Instead, the opinion concludes that “the duties of confidentiality and competence that attorneys owe to their clients require a basic understanding of the electronic protections afforded by the technology they use in their practice.” In relation to email, to ensure a client’s confidentiality, “[e]ncrypting email may be a reasonable step for an attorney to take … when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.”
Following this trend, in 2012 the ABA adopted “technology amendments” to the Comments to Model Rule 1.1, and added a Comment and paragraph (c) to Rule 1.6, requiring lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to” a client’s confidential information. In 2015, the State Bar of Texas issued Opinion 648 (2015), stating encryption may be appropriate where, inter alia, the information is highly sensitive or where it may be intercepted by a third party such as law enforcement.
Finally, on May 22, 2017, the ABA issued Formal Opinion 477R: “Securing Communication of Protected Client Information.” Through the opinion, the ABA formally amends the stance it took in 1999.
Instead of taking a one-size-fits-all approach, the ABA endorses a fact-specific approach sensitive to the client’s needs, evolving technological threats, and evolving technological solutions. Thus, instead of endorsing one technology, the ABA sets out seven factors an attorney should consider in determining appropriate cybersecurity for a given engagement.
1. Know What’s at Stake: Understand the Nature of the Threat
The attorney must first assess how sensitive the information is and how high the risk is for “cyber intrusion.” The opinion gives examples of particularly sensitive matters, including mergers and acquisitions. Those matters may warrant greater security measures than are typical.
2. Know Your Hardware and Communications Software: Understand How Client Confidential Information is Transmitted and Where It Is Stored.
The attorney must ask himself, and the client: will those involved be using laptops, smartphones, or tablet computers to communicate? Will communication on the matter occur via telephone, email, or text message? Each of these methods of communication and types of devices presents different security weaknesses. The opinion notes, “[e]very access point is a potential entry point for a data loss or disclosure.”
3. Know Your Security Options: Understand and Use Reasonable Electronic Security Measures.
Under ABA Model Rule 1.6, a lawyer must take “reasonable” measures to prevent the unauthorized disclosure of confidential information. To do that, the lawyer must first understand the reasonable measures that are available. The attorney must understand her firm’s technology and how transmissions take place, and she must understand the options that are available to make those transmissions and technology secure from (or less vulnerable to) hacking.
4. Pick the Reasonable Approach for the Matter: Determine How Electronic Communications About Client Matters Should Be Protected.
The attorney must consider the sensitivity of the matter to determine what types of security measures are appropriate. Routine matters may be suitable for normal email communications, but there may be matters where that is not enough. For highly sensitive matters, the attorney may need to consider a protocol to restrict communication to devices that have been encrypted or that have other appropriate security technology implemented, or consider not transmitting certain data electronically at all.
5. Label Client Confidential Information.
Label your client communications “PRIVILEGED AND CONFIDENTIAL,” in case of inadvertent disclosures or the dreaded “reply all” slip-up.
6. Train Lawyers and Non-lawyer Assistants in Technology and Information Security
If people are not trained to implement the solutions you’ve chosen, those solutions will not be effectively implemented. Set aside time for training on the technology, and make sure staff knows your expectations on implementing it. Establish policies and procedures so everyone is on the same page.
7. Monitor Your Vendors: Conduct Due Diligence on Vendors Providing Communication Technology.
Lawyers outsource non-legal work. All businesses do. But attorneys remain under a fiduciary obligation to maintain a client’s confidences. That means lawyers must make sure (inter alia) technology vendors are competent, and that confidentiality agreements are in place if the vendor will have access to confidential data. Going with the cheapest option may end up being penny wise but pound foolish, if doing so endangers the confidentiality of the client’s data. An established, respected vendor may be the better option, even if it is more expensive. And even if the client selects the vendor, the lawyer must “remain aware of how the non-lawyer services are being performed.”
In the fact pattern above, you are right to wonder if firm security is enough for this engagement. It may have been in the past, but in light of the sensitivity of the matter and the cyberattacks aimed at the client, heightened security measures are likely called for. That means an attorney who is less tech-savvy must sit down with a competent IT professional and get a handle on the available options.
You must meet with the client to educate her on cyber-security, and get the client’s input and, ultimately, buy-in on a specific approach. A client who wants to lower costs by opting for a lower level of security should be able to choose to do so, as long as he or she has been informed of the risks. In short, you must do what attorneys do—advise the client about risks, present potential options, and then let the client decide.
**No portion of this article is intended to constitute legal advice. Be sure to perform independent research and analysis. Any views expressed are those of the author only and not of the SDCBA or its Legal Ethics Committee.**