The task of conducting due diligence in the selection of technology vendors is a critical component of the lawyer’s ethical obligation to maintain reasonable security over client confidential information. However, for several reasons, it is also one of the most difficult tasks that law firms will undertake.
Rule 1.6 of the American Bar Association’s Model Rules of Professional Responsibility provides: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Legal ethics rules in every state similarly require lawyers to protect client confidential information.
The lawyer’s ethical obligation with respect to technology vendors is to use judgment and care in their selection. This is because, in reality, few lawyers have the expertise necessary to meaningfully evaluate the technology they use to store and transmit client information.
The technologies employed to deliver cloud-based services such as data storage and data processing are complex and ever-changing. Client data is at a location — or distributed across multiple locations — physically inaccessible to the lawyer (not that looking at a bank of servers would be enlightening). And technology services are, for all but the largest law firms, licensed through highly technical contracts that are rarely subject to negotiation.
Cybercrimes are at their highest levels in history, with law firms sitting on a veritable goldmine of information for cyberthieves. Now is the time for law firms to hunt down and address cybersecurity weaknesses in their operations.
Bar Regulators: Careful Vendor Selection Is Critical
Bar regulators understand that lawyers cannot guarantee the security of client information. “Reasonable efforts” under the circumstances are all that is required. In the commentary to Rule 1.6 added in 2012, the ABA explained:
The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
The lawyer’s ethical obligation to maintain reasonable security over client confidential information has been the topic of many state ethics opinions over the past decade.
The Louisiana State Bar Association, in a recent opinion outlining ethical considerations raised by the use of technology, wrote that lawyers “must use due diligence” and “must review and consider the service agreement” when selecting a technology vendor. Louisiana State Bar Association Opinion 19-RPCC-021 (2019).
Similarly, the Kentucky Bar Association advised lawyers in that jurisdiction that “the duty of competence, the duty to protect a client’s property, and the duty of confidentiality require the lawyer to investigate the qualifications, competence, and diligence of the provider.” Kentucky Bar Association Formal Ethics Opinion KBA E-437 (2014).
The Pennsylvania Bar Association concluded that lawyers could ethically store client information in the cloud, provided they “make reasonable efforts to meet their obligations to ensure client confidentiality, and confirm that any third-party service provider is likewise obligated.” (emphasis added). Pennsylvania Bar Association Formal Opinion 2011-200 (2011).
Elements of Due Diligence
In their 2019 article Ethics: Keeping Up With Ever Evolving Technology, They Didn’t Teach That in Law School (PDF), attorneys Regina Amolsch, of Plave Koch PLC in Reston, Va., and Leslie Smith, of Foley & Lardner LLP in Miami, Fla., comprehensively reviewed the lawyer’s legal and ethical obligations to maintain reasonable security over client information. On the topic of exercising due diligence in the selection of technology vendors, their advice for lawyers includes the following:
- Have a basic understanding of technology and keep up-to-date on privacy and cybersecurity laws.
- Select technology providers capable of providing security that is compatible with professional responsibilities and client demands.
- Carefully review and understand service agreements with technology vendors. Important terms include those covering (a) service levels, (b) physical location of client data, (c) technology standards employed, and (d) remedies in case of breach of contract.
- Review service agreements to particularly ensure that a service provider claims no ownership or other interest in client-related data.
- Research each vendor’s track record with respect to data breaches and service interruptions.
- Check each vendor’s customer references, length of time in business, financial security, frequency and thoroughness of security audits, and certifications that vendor meets industry standards.
- Ensure that service agreement obligates the provider to give notice of breaches of data security and third-party requests for data or access.
- Reach an understanding — in writing — with each technology vendor on how the law firm will be notified in the event of any changes in physical or cybersecurity protocols.
- Seek contract language that provides indemnification for damages and costs in the event a service failure or data breach.
- Ensure that technology vendors have insurance against physical or cybersecurity breaches.
The due diligence measures outlined above may change over time, according to the particular security demands of each representation, as well as changing security threats and evolving technologies.
Esquire Deposition Solutions has implemented a multi-layered security framework (PDF) of physical, digital and procedural risk management controls to protect customer information that is shared with us and transmitted across our technology platforms. All data is encrypted end-to-end and secured with system-wide, automatic threat detection and data loss prevention solutions.
Key vendors used by Esquire Deposition Solutions must provide an SSAE 18 SOC2 Type 2 audit for service organizations if they have access to sensitive data of any kind. Esquire Deposition Solutions also requires key vendors either to maintain ISO 27001 certification or provide proof of controls and compliance with ISO 27001 or an equivalent security framework. After successful initial review of key vendor documentation, Esquire Deposition Solutions requests and reviews updated SOC 2 reports annually to verify compliance across all Trust Services Categories to ensure that key vendor controls provide secure service delivery along with robust backup and recovery capabilities.
Finally, it’s important to note that the focus on vendors should not lead lawyers to overlook their own cybersecurity practices. Even the most secure technologies will succumb to user carelessness. For example, in 2017, a federal district court in Virginia held that an insurance company had inadvertently waived attorney-client privilege in a file uploaded to the cloud because access to the file was available to anyone with a hyperlink to its location. The hyperlink, which pointed to the file’s location on the Box document-sharing website, was distributed in an email message containing a disclaimer that the material was privileged. Disclaimer notwithstanding, the federal magistrate judge ruled that the insurance company’s carelessness with the file amounted to a waiver of attorney-client privilege. Harleysville Ins. Co., v. Holding Funeral Home, Inc., No. 1:2015cv00057 (W.D. Va. 2017).
Lawyers should also remove client information from the cloud when the representation terminates. They should train staff in safe cybersecurity practices, and they should check in frequently with technology vendors to make sure that technology used to store and transmit client information has kept pace with current threats.