Lawyers, ask yourselves:
Can I ethically connect my work laptop computer to an unsecured public Wi-Fi network?
What data security measures are in place at the technology vendors that store and process my clients’ confidential information?
Do the software applications that process my clients’ confidential information have the latest security updates?
If you don’t know the answers to these questions, there’s a strong likelihood that you’re violating the ethical obligation to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” [ABA Model Rule of Professional Conduct 1.6(c)] That’s because the duty to make reasonable efforts to prevent the disclosure of client confidential information necessarily includes (1) the duty to understand the confidentiality implications of each technology used in firm operations and (2) the duty to make inquiries of all technology vendors to ensure that their cybersecurity practices are sufficiently robust to protect client confidential information. Lawyers who fail to carefully vet technology vendors are already failing their clients from a professional ethics standpoint.
The ethical duty to protect client information in electronic storage and transmission is nothing new. However, the explosion of remote work in the legal profession during the COVID-19 pandemic, the ubiquity of legal technologies processing client information in modern law offices, and the rising levels of cybercrime targeting law firm networks taken in combination make data security a mission-critical concern.
Consider the following ethical guidance from state bar regulators.
From the New York State Bar Association:
[A] lawyer who uses technology to communicate with clients must use reasonable care with respect to such communication, and therefore must assess the risks attendant to the use of that technology and determine if the mode of transmission is appropriate under the circumstances. (Ethics Opinion No. 782 (Dec. 8, 2004)) (emphasis added).
From the State Bar of Arizona:
Lawyers providing an online file storage and retrieval system for client access of documents must take reasonable precautions to protect the security and confidentiality of client documents and information. Lawyers should be aware of limitations in their competence regarding online security measures and take appropriate actions to ensure that a competent review of the proposed security measures is conducted. As technology advances over time, a periodic review of the reasonability of security precautions may be necessary. (Ethics Opinion 09-04 (December 2009)) (emphasis added).
From the State Bar of California:
Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications. (Ethics Opinion No. 2010-179 (2010)) (emphasis added).
More recently, the American Bar Association’s ethical guidance on law firm ethical obligations following a data breach included the command that “lawyers must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and external vendors providing services relating to data and the use of data.” (ABA Formal Opinion 483 (Oct. 17, 2018)) (emphasis added). The ABA pointed out that, without monitoring, there would be no way for the law firm to know that a data breach had occurred or whether vendors’ data security measures were reasonable and sufficient.
Assess the risks. Conduct a competent review. Take appropriate steps to evaluate. Monitor external vendors. All of these phrases suggest the exercise of discretion, professional judgment, and a clear appreciation of foreseeable risks when acquiring technology from outside vendors.
Questions to Ask Technology Vendors
With so much at stake, it’s not surprising that lawyers are beginning to hear blunt advice on how to vet technology vendors. During a recent ABA event, I encouraged lawyers to ask pointed questions of technology vendors about their data security practices. The scope should not be limited to potential vendors only; existing vendors’ operations should also come under the appropriate level of scrutiny.
What follows are additional areas of inquiry concerning any technology vendor’s cybersecurity capabilities. First, of course, lawyers should scrutinize the terms of the vendor’s contract and any service level agreements before engaging a technology vendor. Beyond that, however, several searching inquiries should be put to all vendors that handle client information:
- Does your technology encrypt client information during transmission and while in storage?
- Have you worked with law firms in the past and will you provide information (names and contact information) on representative engagements?
- Where is the server (or servers) that will hold client information physically located?
- What are your obligations to notify the law firm in the event of a data breach?
- Do you have cyber-insurance policies covering the risk of unauthorized access or loss of client information? In what amounts?
- Do you adhere to industry-standard security practices? Will you describe, with particularity, your understanding of prevailing industry standards?
- Will you be responsible for updating your data security practices in response to changes in industry best practices or government mandates?
- Have your data security practices been subjected to a third-party audit? Will you provide us with a copy of any such audit?
- Are you willing to put in writing all of your representations relating to data security?
A detailed description of how law firms should conduct due diligence when contracting for data security services with vendors can be found in the ABA Cybersecurity Legal Task Force publication Vendor Contracting Project: Cybersecurity Checklist, Second Edition (2021). The document is available at no charge to ABA members and for a nominal charge to nonmembers.
The Duty of Technology Competence
So far, this post has addressed the implications of ABA Model Rule 1.6 (and related state adoptions), which concern the ethical duty to maintain the confidentiality of client information. However, the duty of technology competence, which flows from the general duty of competence, is also relevant to vendor relations when client confidential information is involved.
The ethical obligation of technology competence was added to the ABA Model Rules of Professional Conduct in 2012 and has been adopted in all but a handful of states. The duty of technology competence can be found in Comment 8 to ABA Model Rule 1.1 (Competence) and states that a lawyer “shall keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
Clearly, the duty of technology competence does not require attorneys to be technology experts. It does, however, require lawyers to be discerning consumers of technology and to understand, at a deep level, the implications of technology acquisitions on the security of their clients’ confidential information. Clients should be able to rely on the fact that their lawyers have conducted a careful review of how client information is acquired and processed during the attorney-client relationship, and that they have taken all reasonable measures to protect client information from unauthorized access or loss. Many sophisticated clients today are demanding that data security obligations be included in retainer agreements.
In view of the potentially disastrous consequences for clients in the event of a data breach or unauthorized access to client confidential information, lawyers are ethically obligated to be among the toughest customers that technology vendors serve.