How Formal Opinion 477R Intensifies Lawyers’ Professional Responsibility for Securing Communication of Protected Client Information, Part I
We could, if we chose, now celebrate 30 years of email inside law practices, and more than 20 years of email with clients.[1] Our celebrations would be dampened, though, by the cyberattack news of the day, the DLA Piper attack being the most prominent. Some lawyers report that they refrain from email altogether for sensitive client communication. Welcome back, FedEx?
In 1999, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility (we’ll call it the Ethics Committee) discussed lawyers’ professional responsibilities for information and documents in email communications with clients and third parties. Formal Opinion 99-413 concluded that generally, the use of unencrypted email was “consistent with [a lawyer’s duty] to use reasonable means to maintain the confidentiality of information relating to a client’s representation.”
The Ethics Committee’s Formal Opinion 477R[2] (477R) updates its consideration of lawyers’ responsibilities to secure protected client information.
The core issue: does “ordinary” email, without special security precautions, provide adequate safeguards to meet a lawyer’s responsibility to protect the confidentiality of the information and documents shared with clients? Formal Opinion 477R recognizes that in a time of increased risk, the general rule of Formal Opinion 99-413 must give way to an analysis of the circumstances of each client, each matter, and even specific communications within an engagement. The analysis requires answers to a series of questions:
- What obligations do lawyers bear to adopt more stringent security tools and procedures for information and documents communicated by email?
- When should tighter security be employed?
- What factors enter into those decisions?
- Who has the responsibility for making them?
- How should the decision process be incorporated in the course of an engagement?
Lawyers are professionally responsible to make reasonable efforts to protect their clients’ information, and must keep “abreast of knowledge of the benefits and risks associated with relevant technology.” The reasonable efforts are determined by factors that “depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”
The factors to be considered include:
- the sensitivity of the information,
- the likelihood of disclosure if additional safeguards are not employed,
- the cost of employing additional safeguards,
- the difficulty of implementing the safeguards, and
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or an important piece of software excessively difficult to use).
The guidance provided by 477R includes eight categories of activities.
The first three cover Understanding. Lawyers must understand (1) the nature of the threat, (2) how client confidential information is transmitted and where it is stored, and (3) the character and use of “reasonable electronic security measures.”
Next comes a factual Determination, to be performed in consultation with the client. Lawyer and client should identify the level of protection appropriate for the client’s information as a whole, or for those matters or types of information where special precautions are warranted. Such precautions may include encrypted email, or sharing files through protected collections with secured access outside of email.
Formal Opinion 477R recommends labelling communications “privileged and confidential” where that applies to their content. The label is hardly a counter to mass cyberattacks, but human error still creates the chance of inadvertent disclosure, and the “privileged and confidential” label continues to serve as a warning to recipients to notify the sender of an inadvertently sent communication and, potentially, to repair the error.
The opinion advises Training in Technology and Information Security for lawyers and for “employees, subordinates and others assisting in the delivery of legal services.” It is distinctive and important that the opinion describes these responsibilities as those of lawyers. Lawyers must ensure that they have the required understanding, and share it with colleagues and staff through policies and procedures, instruction, and periodic assessment and redirection. The opinion states, “This is no different than the other obligations for supervision of office practices and procedures to protect client information.” Lawyers cannot avoid the burden of professional responsibility just because technology is involved. Delegation to information technology staff, or even to an information governance organization, may not be enough.
The opinion reviews at some length lawyers’ responsibility for due diligence of vendors that provide communications technology. The vendor must be seen and analyzed as an extension of the lawyer’s practice and professional responsibility. The vendor should satisfy reference checks, employ adequate security policies and protocols, hire staff with care and diligence, document confidentiality agreements, maintain a conflicts check system to screen for adversity, and be subject to a legal forum where the lawyer can obtain relief for violations of the vendor agreement.
Changing technology demands ongoing assessment. A lawyer must be satisfied that the steps they have determined to be adequate to meet their ethical obligations “have not been rendered inadequate by changes in circumstances or technology.”
Part II of this blog post will explore several practical implications of 477R, especially the communication between lawyer and client about protection of communications.
[1] Email communication within law practices dates back to the late 1980s. Widespread email with clients and others outside the office grew rapidly in the mid-1990s.
[2] Published May 11, 2017 (with revisions published May 22, 2017).