How Formal Opinion 477R Intensifies Lawyers’ Professional Responsibility for Securing Communication of Protected Client Information, Part 2
The topics raised by 477R deserve practical exploration. The fundamental question is: “How must a lawyer be professional in electronic communication of client data?” Here “client data” means the content, documents and other information shared between lawyer and client, or with third parties on the client’s behalf.
Pervasive technology has merged and entangled our professional and personal lives. Tech companies seek to design tools and services for ease of use by consumers generally. Today’s technology makes it possible to view, speak, text and share client data immediately, wherever and whenever we are connected.
The discipline and responsibility we bear as lawyers to protect our clients’ interests, particularly the confidentiality of client data, requires that we again separate the professional and personal in the content we communicate, the tools we use and how we use them. As lawyers, we strive to understand the technology issues that govern our clients’ business and disputes. We should expect and demand no less in our own work. As technologists, we must enable lawyers with the tools and understanding they need to carry out their professional responsibilities.
Formal Opinion 477R directs lawyers to “understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information.” What must they learn?
Many lawyers delegate these issues to their information technology staff. Formal Opinion 477R emphasizes the responsibility of lawyers themselves.
I suggest that lawyers and staff need a Client Data Transit Map. In the 1990s, the terms “Information Highway” and “Information Superhighway” enjoyed a popularity now faded. Imagining an information city, its Client Data Transit Map would detail lawyers’ electronic communications, by illustrating where client data originates, travels and reaches its destination. It would show the access points where client data enters and leaves and the data storage hubs where client data rests and changes route along the way between lawyer and client or third party. The map should highlight the risky and secure modes of electronic communication.
Client data originates from and is delivered to desktop computers permanently connected to firm or corporate networks, and to laptops, tablets and smartphones that are sometimes connected to those networks and sometimes to home, shared or public wireless networks. Client data is at rest on servers within a law practice and at shared (cloud) service providers used by the practice and its clients, and it is in transit, temporarily held on intermediate systems, as it travels through public and private networks.
Lawyer and client must know:
- Are there insecure points of access for sending or receiving client data?
- Are there insecure storage locations for client data as it is held at either end, or along the way?
- Are there alternative, more secure means of access and transmission than ordinary email?
What should lawyers do to “understand and use electronic security measures to safeguard client communications and information?”
Formal Opinion 477R mentions several standard security precautions:
- Employ secure access to the Internet (open Wi-Fi access should be avoided).
- Use strong passwords, changed periodically.
- Keep software updated and patched.
As important as these steps are, the frequency of attacks should lead lawyers to limit sensitive client communications and information to devices and systems that are clean and secure: communicate through the practice’s tested network, on computers configured to the practice’s security standard, and avoid handling client data on personal devices or on devices connected in public places.
Without special configuration, email programs – whether Outlook in its many forms, Gmail on the web, or the general mail programs of phones, tablets or personal computers – send messages as plain text and attach documents in their native formats. Any transport encryption (TLS) on the connection protects only the hop between a mail program and its server; the message is decrypted, stored and readable in the clear on every mail server along the route. Encryption of the content itself provides a high level of security and confidentiality, especially when it is end to end: applied from the moment the message is created and stored on the originating system until the moment it is decoded and viewed on the receiving system.
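To make the Client Data Transit Map concrete, here is an added example (an illustration of mine, not text or code from Formal Opinion 477R or from this article) that models one message route as nodes and links and computes who can read the client data at each point. It ties together the three questions a lawyer and client must answer (insecure access points, insecure storage, alternatives to ordinary email) and the difference between hop-by-hop TLS and end-to-end encryption. Every system name, operator and route in it is constructed for the example.

```python
"""Client Data Transit Map as code: for one message route, who can read the
client data, and where?  Added illustration, not from Formal Opinion 477R or
from this article.  All system names, operators and routes are constructed."""
from dataclasses import dataclass

CONTENT = "content"      # message body and attachments readable
METADATA = "metadata"    # sender, recipient, subject and timing readable
DEVICE = "device"        # the endpoint itself is exposed; body not necessarily


@dataclass(frozen=True)
class Node:
    name: str
    operator: str                    # who controls it: "firm", "client" or a provider
    endpoint: bool = False           # originating or receiving device
    network: str = "firm"            # "firm", "home" or "public" (endpoints only)
    encrypted_storage: bool = False  # data at rest on this node is encrypted


@dataclass(frozen=True)
class Link:
    transport_encrypted: bool        # TLS on this hop


@dataclass(frozen=True)
class Finding:
    location: str
    exposure: str                    # CONTENT, METADATA or DEVICE
    reader: str                      # who gains access
    why: str


def audit_route(nodes, links, end_to_end):
    """Walk the route and record every point where client data is exposed.

    nodes: Node objects in transit order; links: one Link per adjacent pair.
    end_to_end: True when the body is encrypted on the sender's device and
    decrypted only on the recipient's device; False for ordinary email, which
    is at best protected hop by hop and decrypted on every server between.
    """
    if len(links) != len(nodes) - 1:
        raise ValueError("need exactly one link between each pair of nodes")
    findings = []
    for i, node in enumerate(nodes):
        if node.endpoint and node.network == "public":
            findings.append(Finding(node.name, DEVICE, "others on the same network",
                                    "endpoint joined through open/public Wi-Fi"))
        if not node.endpoint:
            # A relay always handles routing headers in the clear; it sees
            # the body only when the message is not encrypted end to end.
            findings.append(Finding(node.name, METADATA, f"{node.operator} staff",
                                    "mail relay handles headers in the clear"))
            if not end_to_end:
                findings.append(Finding(node.name, CONTENT, f"{node.operator} staff",
                                        "body decrypted on the relay (hop-by-hop TLS only)"))
                if not node.encrypted_storage:
                    findings.append(Finding(node.name, CONTENT,
                                            "anyone with access to disk or backups",
                                            "body stored at rest in plaintext"))
        if i < len(links) and not links[i].transport_encrypted:
            hop = f"{node.name} -> {nodes[i + 1].name}"
            exposure = METADATA if end_to_end else CONTENT
            findings.append(Finding(hop, exposure, "observers on the network path",
                                    "no transport encryption on this hop"))
    return findings


def content_readers(findings):
    """Parties other than the two endpoints who can read the message body."""
    return sorted({f.reader for f in findings if f.exposure == CONTENT})


# Constructed route: lawyer on a coffee-shop laptop -> firm mail server ->
# client's cloud mail provider -> client's phone, with TLS on every hop.
ROUTE = [
    Node("lawyer-laptop", "firm", endpoint=True, network="public"),
    Node("firm-mail-server", "firm", encrypted_storage=True),
    Node("client-cloud-mail", "CloudMailCo", encrypted_storage=False),
    Node("client-phone", "client", endpoint=True, network="home"),
]
LINKS = [Link(True), Link(True), Link(True)]


if __name__ == "__main__":
    for e2e in (False, True):
        print(f"\nend_to_end={e2e}")
        findings = audit_route(ROUTE, LINKS, end_to_end=e2e)
        for f in findings:
            print(f"  {f.location:20} {f.exposure:9} {f.reader}: {f.why}")
        print("  can read body:", content_readers(findings))
```

Running it shows the two pictures side by side: with TLS alone, the firm’s staff and the cloud provider’s staff can read the body and the provider’s disks hold it in plaintext; with end-to-end encryption the intermediaries see headers only. The open Wi-Fi finding appears in both runs, which is why the opinion’s advice to avoid open networks stands regardless of how the message itself is protected. A practice can extend the node and link lists to its own map and rerun the audit whenever a device, provider or network changes.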
How and when should a lawyer carry out their duty to communicate with clients about security measures?
Include a conversation about security measures at the outset of each client engagement. Lawyer and client should consider whether the sensitivity of client data to be shared will require enhanced email security at all times, for all data. Financial services and health care providers have adopted such procedures, allowing communication about personal or individual business financial information and personal medical information only through secure portal systems, and not by ordinary or even encrypted email.
If the entire client relationship does not demand special security, then assess security requirements at the outset of each matter. Law practices should develop security checklists, and the lawyer in charge of the engagement should review the factors with the client explicitly at the outset of the matter. Lawyers are familiar with reviewing conflicts of interest with their clients and potential clients. The communications security review should be as normal a part of the beginning of a matter as the conflicts check.
While language about communications security belongs in a client engagement letter, lawyers should not rely on the letter in place of explicit communication. Informed consent is the standard in many professional/client interactions. It should be here as well. For example, some engagement letters make statements such as, “because [electronic communications] will in most cases be Internet based, certain risks exist that are outside our control. Consequently, we will not be responsible for any of the risks associated with electronic communication.” That sort of blanket consent suggests there was no specific communication about risks. Is it consistent with the guidance of 477R? That is an important question.
When must communications security be reassessed?
Formal Opinion 477R recognizes that a determination of adequate security may be “rendered inadequate by changes in circumstances or technology.” Law practices have been identified as gateways to valuable information. “Cyberattacks against law firms have only just begun.” (http://www.passwordprotectedlaw.com/2017/07/law-firms-data-duty/).
With their clients, lawyers must keep abreast of the cyber risks associated with technology in general, the business line of the client, and the particular aspects of the engagement. Increased exposure and the need to use more secure systems of electronic communication can come from any of these.
This seems like an enormous drag on technology’s promises of productivity and superior client services. Will clients go along with the procedures and pay for their extra costs?
First, acknowledge this feeling. It will be common. Technology as panacea has too often become Pandora’s box.
With the widespread concern about security, clients should expect and respect a lawyer’s diligence in protecting their confidentiality. The better the lawyer understands what’s at issue, the more comfortable they and their clients can be about these challenges.
Even after a lawyer examines these various considerations and is satisfied that the security employed is sufficient to comply with the duty of confidentiality, the lawyer must periodically reassess these factors to confirm that the lawyer’s actions continue to comply with the ethical obligations and have not been rendered inadequate by changes in circumstances or technology.