In  Formal Opinion 498, issued on March 10, 2021, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility has provided some guidance on the ethical obligations triggered when a lawyer practices virtually; or what the Committee called “beyond the traditional brick-and-mortar law firm” setting.

The Committee flagged some of the ethical obligations commonly triggered when a lawyer practices virtually, as well as some related best practices.

Here are the highlights:

1.            Confidentiality – The Committee noted that, as with any electronic form of communication, lawyers have a particular duty to “‘prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.’”  In addition, when lawyers practice virtually, they should “implement reasonable measures to safeguard information.”  The Committee noted that the virtually practicing lawyer is not required to “use special security measures,” but must take special precautions as the circumstances warrant, with particular concern for the sensitivity of the client information at issue.

The Committee emphasized the obligation to protect any client information transmitted via WiFi, a particular concern given the vulnerability of certain portable communication devices.  Thus, it emphasized the best practices of “‘using unique Spyware/Antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software.’”  The Committee specifically mentioned the use of a Virtual Private Network (VPN) as one such best practice.

The Committee also emphasized the need for lawyers and law firms to “periodically assess whether their existing systems are adequate to protect confidential information.”

2.            Accessing remotely stored client files and data – Citing an earlier opinion, the Committee urged lawyers using cloud-based storage systems to “’choose a reputable company, and … take reasonable steps to ensure that the confidentiality of client information is preserved’” while also ensuring that “‘the information is readily accessible to the lawyer.’”  In addition, as is the case for all law firms that rely on electronically stored information, a law firm whose attorneys are practicing virtually must have in place a data breach policy to address a potential security breach  whether caused by internal inadvertence  or external hack.

3.            Supervision of subordinates – The Committee suggested law firms adopt a bring-your-own-device (BYOD) policy.  As in a traditional law firm setting, to the extent lawyers or non-lawyer assistants use their personal devices to access, transmit or store client related information, the firm needs to “ensure that [any lost or stolen device may be remotely wiped, that client-related information cannot be accessed by, for example, staff members’ family or others, and that client-related information will be adequately and safely archived and available for later retrieval.”  The Committee emphasized that all law firm employees “must receive appropriate oversight and training on [their] ethical obligations to maintain the confidentiality of client information” and particularly when working virtually.

4.            The risk of “peeping” by unauthorized persons – As with any remote law firm setting, the lawyer must ensure that confidential information, including that transmitted over a virtual meeting platform such as Zoom or through traditional video conferencing not be overheard or seen by others in “the location in which the professional is working,” such as the professional’s home.

5.            Contact information for a virtual practice – Even if a lawyer does not practice at a physical office address, the lawyer nonetheless should publicly designate a physical address for the receipt of mail or other deliveries.  In addition, if the lawyer doesn’t have the ability for face-to-face meetings with a client, the lawyer should indicate through “online instructions” that he or she “is available by appointment only.”

6.            Trust account obligations – Finally, the Committee noted the obvious point that practicing virtually does not excuse or relax the strict obligations for trust fund accounting.  Even when practicing virtually,  “the lawyer must still be able to … write and deposit checks, make electronic transfers, and maintain full trust-accounting records …”

[View source.]