Thursday Thinkpiece: Locked Down—Practical Information Security for Lawyers

Each Thursday we present a significant excerpt, usually from a recently published book or journal article. In every case the proper permissions have been obtained. If you are a publisher who would like to participate in this feature, please let us know via the site’s contact form.

Locked Down: Practical Information Security for Lawyers, 2nd edition

Enter the discount code LD2016 when purchasing this book online from the ABA. Discount valid until 1/1/2017.

Copyright 2016 © by the American Bar Association. Reprinted with permission. All rights reserved. This information or any or portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.

Sharon D. Nelson, Esq., is the President of Sensei Enterprises, Inc., a digital forensics, information security and information technology firm in Fairfax, Virginia. She is a frequent author (fifteen books published by the ABA and hundreds of articles) and speaker on legal technology, information security and electronic evidence topics. She was the President of the Virginia State Bar June 2013 – June 2014 and a past President of the Fairfax Law Foundation.

John W. Simek is the Vice President of Sensei Enterprises, Inc. He holds the prestigious CISSP (Certified Information Systems Security Professional) and EnCE (EnCase Certified Examiner) certifications in addition to multiple other technical certifications.

David G. Reis is Of Counsel in the Pittsburgh, PA office of Clark Hill PLC where he practices in the areas of environmental, technology, and data protection law and litigation. For over 15 years, he has increasingly focused on cybersecurity, privacy, and information governance.

Excerpt from: Chapter 3. [Download the full chapter in PDF]

Lawyers’ Duty to Safeguard Information

Confidential data in computers and information systems, including those used by attorneys and law firms, faces greater security threats today than ever before. And they continue to grow! These threats are substantial and real. As discussed in our previous chapter on data breach nightmares, they have taken a variety of forms, ranging from phishing scams and social engineering attacks (e.g., using e-mail to trick attorneys into visiting a malicious web site or luring them into fraudulent collection schemes for foreign “clients”) to sophisticated technical exploits that result in long-term intrusions into a law firm’s network to steal information. They also include inside threats – malicious, untrained, inattentive, and even bored personnel – and lost and stolen laptops and mobile devices.

Attorneys have ethical, common law and statutory obligations to protect information relating to clients. Many attorneys also have contractual obligations to protect data. Beyond these requirements, protection of confidential information is sound business and professional practice. It is critical for attorneys to understand and address these obligations and to exercise constant vigilance to protect client data and other confidential information.

Ethical Duties Generally

An attorney’s use of technology presents special ethics challenges, particularly in the areas of competence and confidentiality. The duty of competence (ABA Model Rule 1.1) requires attorneys to know what technology is necessary and how to appropriately and securely use it. This duty also requires attorneys who lack the necessary technical competence to either learn what is necessary or consult with qualified people who have the requisite expertise. The duty of confidentiality (ABA Model Rule 1.6) is one of an attorney’s most important ethical responsibilities. Together, these rules (included in Appendix D) require attorneys using technology to take competent and reasonable measures to safeguard information relating to clients. It is a continuing obligation as technology, threats and available security measures evolve. This duty extends to all use of technology, including computers, portable devices, networks, technology outsourcing and cloud computing. Effective information security is an ongoing process that requires constant vigilance.

Model Rule 1.1 covers the general duty of competence. It provides that “A lawyer shall provide competent representation to a client.” This “requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” It includes competence in selecting and using technology.

Model Rule 1.6 generally defines the duty of confidentiality. It begins as follows:

A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

Rule 1.6 broadly requires protection of “information relating to the representation of a client”; it is not limited to confidential communications and privileged information. Disclosure of covered information generally requires express or implied client consent (in the absence of special circumstances like misconduct by the client).

The Ethics 2000 revisions to the model rules (over 10 years ago) added Comment 16 to Rule 1.6. This comment requires reasonable precautions to safeguard and preserve confidential information.

Acting Competently to Preserve Confidentiality

[16] A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3.

The ABA Commission on Ethics 20/20 conducted a review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments. One of its core areas of focus was technology and confidentiality. Its Revised Draft Resolutions in this area were adopted by the ABA at its Annual Meeting in August of 2012.[1]

The amendments include addition of the following highlighted language to the Comment to Model Rule 1.1 Competence:

[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology

The amendments also added the following new subsection (highlighted) to Model Rule 1.6 Confidentiality of Information:

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

This requirement covers two areas – inadvertent disclosure and unauthorized access. Inadvertent disclosure includes threats like leaving a briefcase, laptop, or smartphone in a taxi or restaurant, sending a confidential e-mail to the wrong recipient, erroneously producing privileged documents or data, or exposing confidential metadata. Unauthorized access includes threats like hackers, criminals, malware, and insider threats.

The amendments also include the following changes to Comment [18] to this rule (the original shows added language highlighted and deleted language struck through):

Acting Competently to Preserve Confidentiality

[18] Paragraph (c) requires a [A] lawyer [must] to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons or entities who are participating in the representation of the client or who are subject to the lawyer’s supervision or monitoring. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forego security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules. (Words in [brackets] are the language deleted by the amendment; the original strikethrough and highlighting do not survive in this reprint.)

Significantly, these revisions are clarifications rather than substantive changes. They add detail that is consistent with the then-existing rules and comments, ethics opinions, and generally accepted information security principles.[2]

Model Rule 1.4 also applies to attorneys’ use of technology. It requires appropriate communications with clients “about the means by which the client’s objectives are to be accomplished.” It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent.” As stated in ABA Formal Ethics Opinion 95-398, “Access of Nonlawyers to a Lawyer’s Database” (October 27, 1995), it may require notice to a client of compromise of confidential information relating to the client if the release of information “could reasonably be viewed as a significant factor in the representation.”

The comment references Model Rule 5.1 (Responsibilities of Partners, Managers, and Supervisory Lawyers) and Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistants), which are also important in attorneys’ use of technology. Partners and supervising attorneys (including junior attorneys supervising staff or service providers) are required to take reasonable actions to ensure that those under their supervision comply with these requirements.

Model Rule 5.3 (Responsibilities Regarding Nonlawyer Assistants) was amended to expand its scope. “Assistants” was expanded to “Assistance,” extending its coverage to all levels of staff and outsourced services ranging from copying services to outsourced legal services. This requires attorneys to employ reasonable safeguards, like due diligence, contractual requirements, supervision, and monitoring, to ensure that nonlawyers, both inside and outside a law firm, provide services in compliance with an attorney’s duty of confidentiality.

Attorneys must also take reasonable precautions to protect confidential information to which third parties, like information systems consultants and litigation support service providers, are given access. ABA Formal Ethics Opinion 95-398 provides guidance in this area and concludes, “[a] lawyer who gives a computer maintenance company access to information in client files must make reasonable efforts to ensure that the company has in place, or will establish, reasonable procedures to protect the confidentiality of client information.”

In August 2008, the ABA issued an ethics opinion that comprehensively addresses outsourcing by attorneys of both legal services and nonlegal support services. ABA Formal Ethics Opinion 08-451, “Lawyer’s Obligations When Outsourcing Legal and Nonlegal Support Services” (August 2008). It includes requirements for protecting confidentiality.

A 2011 Pennsylvania opinion (included in Appendix E) analyzes ethics requirements for attorneys’ use of cloud computing, a form of outsourcing. Formal Opinion 2011-200, “Ethical Obligations for Attorneys Using Cloud Computing/Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property.” It concludes:

An attorney may ethically allow client confidential material to be stored in “the cloud” provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.

These requirements are further discussed in our chapters on outsourcing and cloud computing.

A number of state ethics opinions have addressed professional responsibility issues related to attorneys’ use of various technologies. Several examples are discussed in this chapter. It is important for attorneys to consult the rules, comments and ethics opinions in the relevant jurisdiction(s).

An early ethics opinion on this subject, State Bar of Arizona, Opinion No. 05-04, “Formal Opinion of the Committee on the Rules of Professional Conduct” (July 2005), provides a well-reasoned explanation of these duties for electronic files and communications. It notes that “an attorney or law firm is obligated to take competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence.” The opinion also calls for “competent and reasonable measures to assure that the client’s electronic information is not lost or destroyed.” It further notes that “an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.”

An April 2006 New Jersey ethics opinion takes a consistent approach in reviewing obligations in lawyers’ use of electronic storage and access of client files. New Jersey Advisory Committee on Professional Ethics, Opinion 701, “Electronic Storage and Access of Client Files” (April 2006). It observes:

The obligation to preserve client confidences extends beyond merely prohibiting an attorney from himself making disclosure of confidential information without client consent (except under such circumstances described in RPC 1.6). It also requires that the attorney take reasonable affirmative steps to guard against the risk of inadvertent disclosure. . . .

The critical requirement under RPC 1.6, therefore, is that the attorney “exercise reasonable care” against the possibility of unauthorized access to client information. A lawyer is required to exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access. “Reasonable care,” however, does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible, and a lawyer can no more guarantee against unauthorized access to electronic information than he can guarantee that a burglar will not break into his file room or that someone will not illegally intercept his mail or steal a fax.

A later Arizona opinion contains a similar analysis, with emphasis on requirements of awareness of limitations of lawyers’ knowledge of technology and periodic review of security measures. State Bar of Arizona, Opinion No. 09-04, “Confidentiality; Maintaining Client Files; Electronic Storage; Internet” (Formal Opinion of the Committee on the Rules of Professional Conduct) (December 2009). It explains,

Lawyers providing an online file storage and retrieval system for client access of documents must take reasonable precautions to protect the security and confidentiality of client documents and information. Lawyers should be aware of limitations in their competence regarding online security measures and take appropriate actions to ensure that a competent review of the proposed security measures is conducted. As technology advances over time, a periodic review of the reasonability of security precautions may be necessary.

A recent California ethics opinion addresses the use of a laptop by an attorney, where the laptop may be monitored by the law firm, and use of the laptop in public and home wireless networks. The opinion concludes that such use may be proper under the ethics rules if an adequate evaluation is made and appropriate precautions are taken. State Bar of California, Formal Opinion No. 2010-179 (included in Appendix F).

The Digest to this opinion states:

Whether an attorney violates his or her duties of confidentiality and competence when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding such use. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications.

The opinion contains a detailed analysis of the ethics requirements for attorneys’ use of technology and their application to the technology covered in the opinion, including a detailed discussion of factors an attorney should consider before using a specific technology. Significantly, it includes the requirement of an evaluation before an attorney uses a particular technology.

Attorneys need to stay up to date as technology changes and new threats are identified. For example, following news reports that confidential information had been found on digital copiers that were ready for resale,[3] the Florida Bar issued Professional Ethics of the Florida Bar Opinion 10-2 (September, 2010) that addresses this risk. Its conclusion states:

In conclusion, when a lawyer chooses to use Devices that contain Storage Media, the lawyer must take reasonable steps to ensure that client confidentiality is maintained and that the Device is sanitized before disposition. These reasonable steps include: (1) identification of the potential threat to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality; (2) inventory of the Devices that contain Hard Drives or other Storage Media; (3) supervision of nonlawyers to obtain adequate assurances that confidentiality will be maintained; and (4) responsibility for sanitization of the Device by requiring meaningful assurances from the vendor at the intake of the Device and confirmation or certification of the sanitization at the disposition of the Device.

New York Opinion 1019, “Remote Access to Firm’s Electronic Files” (August 2014), cautions attorneys to analyze necessary precautions in the context of current risks:

Cybersecurity issues have continued to be a major concern for lawyers, as cybercriminals have begun to target lawyers to access client information, including trade secrets, business plans and personal data. Lawyers can no longer assume that their document systems are of no interest to cybercrooks. That is particularly true where there is outside access to the internal system by third parties, including law firm employees working at other firm offices, at home or when traveling, or clients who have been given access to the firm’s document system.

It leaves it up to attorneys and law firms to determine the specific precautions that are necessary:

Because of the fact-specific and evolving nature of both technology and cyber risks, we cannot recommend particular steps that would constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients, including the degree of password protection to ensure that persons who access the system are authorized, the degree of security of the devices that firm lawyers use to gain access, whether encryption is required, and the security measures the firm must use to determine whether there has been any unauthorized access to client confidential information.

The opinion requires attorneys to either make a determination that the selected precautions provide reasonable protection, in light of the risks, or to obtain informed consent from clients after explaining the risks.

There are now multiple ethics opinions on attorneys’ use of cloud computing services like online file storage and software as a service (SaaS).[4] For example, New York Bar Association Committee on Professional Ethics Opinion 842 “Using an outside online storage provider to store client confidential information” (September, 2010), consistent with the general requirements of the ethics opinions above, concludes:

A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality is maintained in a manner consistent with the lawyer’s obligations under Rule 1.6. A lawyer using an online storage provider should take reasonable care to protect confidential information, and should exercise reasonable care to prevent others whose services are utilized by the lawyer from disclosing or using confidential information of a client. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client’s information, and the lawyer should monitor the changing law of privilege to ensure that storing information in the “cloud” will not waive or jeopardize any privilege protecting the information.

Additional examples of opinions covering cloud services are Pennsylvania Bar Association, Committee on Legal Ethics and Professional Responsibility, Formal Opinion 2011-200, “Ethical Obligations for Attorneys Using Cloud Computing/Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property” (November, 2011) and North Carolina State Bar 2011 Formal Ethics Opinion 6, “Subscribing to Software as a Service While Fulfilling the Duties of Confidentiality and Preservation of Client Property” (January, 2012).

The key professional responsibility requirements from these various opinions on attorneys’ use of technology are competent and reasonable measures to safeguard client data, including an understanding of limitations in attorneys’ competence, obtaining appropriate assistance, continuing security awareness, appropriate supervision, and ongoing review as technology, threats, and available security evolve.

[1] See, www.americanbar.org/groups/professional_responsibility/aba_commission_on_ethics_20_20.html.

[2] ABA Commission on Ethics 20/20, Report to Resolution 105A Revised (2012): “The proposed amendment, which appears in a Comment, does not impose any new obligations on lawyers. Rather, the amendment is intended to serve as a reminder to lawyers that they should remain aware of technology, including the benefits and risks associated with it, as part of a lawyer’s general ethical duty to remain competent.” (Model Rule 1.1) “This duty is already described in several existing Comments, but the Commission concluded that, in light of the pervasive use of technology to store and transmit confidential client information, this existing obligation should be stated explicitly in the black letter of Model Rule 1.6.”

[3] E.g., Armen Keteyian, “Digital Copiers Loaded with Secrets,” CBS Evening News (April 19, 2010), www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets.

[4] The ABA Legal Technology Resource Center has published a summary with links, “Cloud Ethics Opinions around the U.S.,” available at www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html.