Confidentiality – Electronically Stored Information – Unauthorized Access
The State Bar of California's Standing Committee on Professional Responsibility and Conduct Formal Opinion Interim 16-0002
Risk Management Issue: What are a lawyer's ethical obligations with respect to unauthorized access by third persons to electronically stored client confidential information in the lawyer's possession?
The Opinion: The State Bar of California's Standing Committee on Professional Responsibility and Conduct recently released Formal Opinion Interim No. 16-0002, which addresses a lawyer's ethical responsibilities arising from unauthorized third-party access of electronically stored client data.
With many lawyers now working remotely, the convenience—and risk—of electronically-stored client data has significance for more lawyers and clients than ever. In light of this "new normal" and the myriad of accompanying technological concerns, the Committee expanded upon its previously published analysis on the subject, Cal. State Bar Formal Opinion Nos. 2015-193 and 2010-179.
Using hypotheticals, the Interim Opinion addresses four factually diverse scenarios: a lawyer losing a laptop and forcing the data to be remotely wiped; another lawyer temporarily misplacing a smartphone overnight in a restaurant; a receptionist unknowingly falling victim to a ransomware link, resulting in firm payment; and a lawyer working remotely on an unprotected Wi-Fi network that resulted in the hacking of client data. While all involve different devices and types of employees, each of these individuals may have run afoul of the ethical obligations to employ reasonable measures to keep client data safe from unauthorized access.
These four hypotheticals implicate the rules of competence and confidentiality. The competence rule (Model Rule 1.1) and the duty to safeguard clients' information (Model Rule 1.6 and Bus. & Prof. Code, § 6068(e)) require lawyers to make reasonable efforts to protect such information from unauthorized disclosure or destruction. However, as ABA Formal Op. No. 18-483 explains, the duty to make reasonable efforts to preserve clients' confidential information does not "require the lawyer to be invulnerable or impenetrable."
According to Cal. State Bar Formal Op. No. 2015-193, the threshold requirement is that lawyers have a basic understanding of the "benefits and risks associated with relevant technology." The Interim Opinion reiterates this and adds that this obligation can be met by learning where and how confidential client information is vulnerable to unauthorized access. This inquiry "must be made with respect to each type of electronic device" incorporated into the lawyer's practice.
While the duties of competence and confidentiality do not create a strict liability standard, the Interim Opinion suggests that "a legal standard for 'reasonable' security is emerging. That standard rejects requirements for specific security measures (such as firewalls, passwords, or the like) and instead adopts a fact-specific approach to business security obligations that requires a 'process' to assess risks, identify and implement appropriate security measures responsive to those risks, verify that the measures are effectively implemented, and ensure that they are continually updated in response to new developments."
The Interim Opinion also discusses a lawyer's duty to communicate in the event of an attack seeking to access, download, or destroy client information. Model Rule 1.4(a)(3) and Business and Professions Code Section 6068(m) require lawyers to keep clients "reasonably informed about significant developments" relating to the lawyer's representation. This would include a circumstance in which the client's confidential information is misappropriated, destroyed, or otherwise compromised, or where a lawyer's ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode. ABA Formal Op. No. 483.
With respect to the details of a required disclosure, the Interim Opinion provides that the lawyer "shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions" as to what to do next, if anything. (Model Rule 1.4(b)). "In a data breach scenario, the minimum disclosure required to all affected clients under Model Rule 1.4 is that there has been unauthorized access to or disclosure of its information, or that unauthorized access or disclosure is reasonably suspected of having occurred. Lawyers must advise clients of the known or reasonably ascertainable extent to which client information was accessed or disclosed." ABA Formal Op. No. 18-483. Beyond the ethical obligations of disclosure, there may very well be instances where federal statutes such as HIPAA also require notification.
Editor's Note: This issue has been addressed by other states and was discussed in the September 2012 edition of the Lawyers' Lawyer Newsletter. In addition, Hinshaw regularly publishes Cyber Alerts addressing this and related topics.
Risk Management Solution: This Interim Opinion addresses the dangers associated with digitally-stored data. While such storage is convenient, lawyers must be attentive to the potential vulnerabilities of each of their devices and systems and be diligent in upholding legal duties owed to clients. Records of reasonable efforts and informed analysis will be the best evidence of compliance with the rules and various duties owed to clients.
Settlement Negotiations – Limitations – Statements Regarding Criminal Prosecution
Illinois State Bar Association Professional Conduct Advisory Opinion No. 20-03
Risk Management Issue: What are the ethical implications when a lawyer sends a demand letter to the opposing party which accurately sets forth the law, including the potential for both civil and criminal liability? Relatedly, can the lawyer ethically state that the alleged offense could result in criminal liability, and can the lawyer ethically agree to withhold criminal prosecution if a civil demand is met?
The Opinion: In Opinion No. 20-03, the Illinois State Bar Association's Professional Conduct Advisory Committee addresses the implication of referencing potential criminal liability in a settlement communication.
The requesting plaintiff's employment attorney wished to send a demand letter to a client's employer referencing the Illinois Wage Payment and Collection Act, which has both civil and criminal components. The attorney requested the opinion of the Committee on Professional Conduct regarding whether Rule 8.4(g) of the Illinois Rules of Professional Conduct prohibits her from stating in her demand letter that the employer's alleged violation of the Act may result in criminal and/or civil liability, and that a report to law enforcement would be avoided if the employer paid the demanded amount.
Rule 8.4(g) of the Illinois Rules of Professional Conduct provides: "It is professional misconduct for a lawyer to … present, participate in presenting, or threaten to present criminal or professional disciplinary charges to obtain an advantage in a civil matter." However, here the Committee opined that mere references do not violate the Rule. Relevant case law governs certain express references, such as to civil penalties, In re Zeas, 2014PR00069 (January 14, 2016), or to criminal actions already existing, without further threats to file additional charges, Nieves v. OPA, Inc., 948 F. Supp. 2d 887 (N.D. Ill. 2013).
The Committee determined that referencing the existence of criminal liability and providing requisite statutory authority did not violate Rule 8.4(g). Further, it found that Rule 8.4(g) is not violated where a lawyer states that an alleged act or omission may be criminal, so long as the lawyer does not state that the lawyer will present, participate in presenting, or threaten to present criminal charges.
If the attorney went beyond a reference and actually attempted to gain leverage in the settlement discussions by making threats of criminal prosecution, however, such behavior would violate Rule 8.4(g). The Committee emphasized that the attorney's demand letter should only state that civil remedies will be pursued by the lawyer if the demand is not met. The demand letter should not, however, state that the lawyer will pursue criminal prosecution—nor should the letter agree to withhold criminal prosecution in exchange for the payment of the client's demand—because that clearly connects the presentation or threat of criminal liability to an advantage sought in the civil matter.
Risk Management Solution: This Opinion serves as a reminder to carefully craft settlement demands. As the Opinion explains, "a demand letter written by a lawyer in an attempt to settle a civil claim may accurately set forth the relevant statute including the statute's possibility of both civil and criminal liability." A demand letter should not, however, threaten criminal prosecution to gain an advantage in a civil matter. Finally, a lawyer should not suggest criminal prosecution can be avoided by making payment—i.e., settling the claim—because such a statement would "be an improper threat."
Advertising – Social Media – Reviews and Ratings
Texas Center for Legal Ethics Opinion 685
Risk Management Issue: Can lawyers encourage clients to post positive reviews and favorable ratings of the lawyer on a search engine or social media?
The Opinion: Texas Legal Ethics Op. 685 addresses whether an attorney may encourage clients, both past and present, to post reviews, comments, and ratings favorable to the attorney through an internet platform's review feature, e.g., Google, Yelp, etc. The Committee concluded that, under the Texas Disciplinary Rules of Professional Conduct, an attorney may ask current and former clients to post favorable ratings and reviews, so long as the attorney does not encourage false or misleading statements, or statements for which the client has no factual basis. Additionally, the attorney cannot give anything of value in return for the submission of a positive review.
The Committee did not decide whether the lawyer has an affirmative duty to monitor websites or platforms for false, misleading, or unfounded statements. However, if the attorney controls the platform (i.e., the attorney's own website), the attorney has an affirmative obligation to either encourage the author to correct false, misleading, or unfounded statements, or to remove the statements completely. On the other hand, if the attorney does not control the platform, the attorney should address the matter with the author of the review or the platform's administrator. Alternatively, the attorney should consider making a curative comment to the misleading review. Of course, if the attorney makes such a curative comment, care must be taken to preserve client confidentiality.
Additionally, the Committee noted that it previously examined a lawyer's response to a former client's negative review on the internet and determined that a lawyer "may post a proportional and restrained response that does not reveal any confidential information or otherwise violate the Texas Disciplinary Rules of Professional Conduct." Professional Ethics Committee Opinion 662 (August 2016).
Editor's Note: This and related issues have been addressed by other states, and covered by other Lawyers' Lawyer Newsletters, including publications from February 2020 (California Op. 2019-199); May 2015 (New York and Pennsylvania); and January 2011 (New York City Op. 2010-2).
Risk Management Solution: Approach online reviews and ratings with care. The rules—at least in Texas—do not "prohibit a lawyer from encouraging current and former clients to leave positive reviews or ratings online, provided that the lawyer does not encourage the clients to make statements that are false, misleading, or unfounded." If a lawyer learns that a client has "posted a favorable review that is false, misleading, or unfounded, the lawyer should take reasonable steps to ensure the statement is corrected or removed."