Today’s attorneys rely heavily on technology to communicate with clients, especially email.  At the same time, given the sensitive nature of many attorney-client communications and the potential windfall to anyone who wrongfully intercepts these email communications, such communications can also be extremely attractive to would-be hackers.  This situation prompted the American Bar Association (ABA) to issue new guidance on a lawyer’s ethical obligations with respect to the email transmission of client-related information. 

The ABA issued Formal Opinion 477 entitled “Securing Communication of Protected Client Information” on May 12, 2017.  The opinion notes that the attorney’s ethical duties of competency and confidentiality come together when using electronic communications.  The ABA’s ethical competency rules require an attorney to keep abreast of all changes in his or her practice area, including the most up to date electronic communication methods and related security measures.  At the same time, the attorney is obligated by the confidentiality rules to use reasonable methods to prevent inadvertent or unauthorized disclosures of client information. 

So what qualify as “reasonable” measures to prevent inadvertent disclosures of client information in today’s technology-based world?  Not surprisingly, there is no hard and fast rule.  Rather, the ABA points to a variety of factors the attorney must weigh, such as how sensitive the information in the communication is to the client’s business; the cost and availability of additional safeguards the attorney could implement to protect the communication (including how likely it is the information would be disclosed absent such safeguards); and how the use of any such safeguards might adversely affect the attorney’s ability to adequately serve his or her client.

Accordingly, there are three important steps all attorneys should take when undertaking a new matter or onboarding a new client:

1. Thorough Internal Assessments:  Attorneys must look at their own practices to understand what protections their firm currently uses to safeguard and store electronic transmissions.  In order to adequately assess security, the firm should:

• catalog all devices being used by both attorneys and non-lawyers (including any personal devices used by staff for business purposes);
• understand the access and security measures being used to control the devices;
• evaluate who has access to protected client information and assess whether that access is appropriate;
• survey firewalls, anti-spam software and encryption tools (and the corresponding protection of the associated encryption keys); and
• perform due diligence on third party services such as applications, cloud servers and/or cloud sharing services and anti-virus protections (although the primary focus of the ABA opinion deals with email, any vulnerability in the firm’s system could compromise the security of the email transmissions). 

Depending on the nature of the attorney’s practice, it may be reasonable to engage a specialist or a team of security professionals to ensure the firm and its systems are adequately protected.

2. Open and Honest Discussion with Clients:  Attorneys must communicate with clients about the information to be shared and the client’s planned or desired communication methodologies.  It is only with a firm understanding of how sensitive the information pertaining to a particular matter is to the client’s business that the attorney and the client together can best determine how the information should be transmitted.

3. Develop, Then Implement, a Plan:  Once it is understood what security measures are available at the firm and what the appropriate level of security is given the level of sensitivity of the communication, managing attorneys have a duty to create, implement and oversee a policy for all client communications.  This plan may include a variety of measures, including:

• instituting protocols for communications via remote connectivity and remote devices;
• clearly and conspicuously labeling the information and communications as confidential and subject to attorney-client privilege (which puts unintended recipients on notice as to the protected nature of the communications);
• implementing multi-factor authentication, creating criteria around password strength and requiring regular password changes;
• regularly training attorneys and staff in how to appropriately protect all communications;
• updating and patching all software and systems; and
• periodically reassessing and testing the effectiveness of technological security measures in use.

These steps may happen multiple times throughout a particular transaction or representation of the client and should be a dynamic and evolving process of fine-tuning the protections and adjusting the plan depending on the information involved.  But, if the attorney takes the critical first step of consciously and affirmatively understanding the security measures currently in place and otherwise available, and then maintains an open and ongoing dialog with the client as to the client’s information and communication preferences, the appropriate policies and practices will naturally follow.