Why Do Lawyers Resist Ethical Rules Requiring Competence With Technology?
Recently, the Virginia State Bar Council voted to adopt changes to Virginia's Rules of Professional Conduct. The changes track the American Bar Association's 2012 amendments to the Model Rules: the Comments to Rule 1.1 respecting Competence ("…a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with technology…") and Rule 1.6 respecting Confidentiality, which gained a new paragraph (c) ("A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.").
What’s reasonable? The Comments go on to list relevant factors:
- the sensitivity of the information
- the likelihood of disclosure if additional safeguards are not employed
- the cost of employing additional safeguards
- the difficulty of implementing the safeguards
- adverse effect on the lawyer’s ability to represent clients
The Comments also make it clear that the client can demand more security or, with informed consent, accept lesser measures. That particular comment was not adopted by the VSB Council, although many states have adopted it.
As to the remainder of the changes, which were adopted and will now be sent to the Supreme Court of Virginia for its blessing before becoming final, there was quite a firestorm prior to the final vote adopting the proposed rules.
Even before the Council met, there had been comments received on the proposals, saying things like “I believe it is unreasonable to expect a lawyer to become an IT professional in addition to all of our other responsibilities.” This was echoed at the Council meeting.
This is a misunderstanding of the requirement. The change does not require a lawyer to become an IT professional – indeed, for most lawyers, dabbling in IT would be dangerous. They need outside or inside IT help in most cases – the small firms generally contract IT work to an outside IT service company. But all lawyers should be aware of the benefits and risks of technology to be a competent lawyer in the digital era. Hence, the change to Rule 1.1 makes good sense.
Another comment made the point that technology is the only form of competence specifically referenced in the proposed rule.
We are all accustomed to taking CLE each year to maintain our competence as attorneys in the fields of law in which we practice. However, it is uncontroverted that the most disruptive force we have ever seen in the practice of law is technology. It is pervasive – and becomes more so with each successive generation of lawyers. We have reached the point in time where a lawyer cannot effectively practice law without technology – which makes it an imperative that lawyers know something about the technology they use.
We live in a "breach-a-day" world, which argues even more strongly that we need to pay attention to sensitive client data. According to a 2013 Mandiant Threat Report, law firms and consultants constitute 7% of the targets of advanced attackers. Attackers have learned that a law firm is often the easiest route to its clients' data. Cybercriminals and state-sponsored hackers alike have attacked law firms, large and small, and they are all too often successful for the same handful of reasons: employees are not trained in safe computing, security patches and updates are not installed, out-of-support software (receiving no security updates) continues to be used, and encryption is not employed.
All of this can be addressed by a competent IT professional. Are there costs? Yes, certainly, but they are a matter of scale. The costs will be far greater for a large firm than for a solo or small firm practitioner. The measurement of “acting reasonably” is obviously different depending on the size of the firm.
In spite of all the rhetoric about "small firms can't afford this requirement," the truth is that many reasonable precautions cost nothing. Installing security patches is free, yet it is frequently not done. It costs nothing to encrypt a Word or PDF attachment with a password before sending it (the password should travel by a different channel than the attachment, such as a phone call, or it protects nothing). Encryption is already a built-in feature of modern computers and smartphones; it may need to be enabled, but it is there.
You can encrypt e-mail easily these days with inexpensive products like ZixCorp, to name just one. A lawyer doesn’t need to understand the mathematics of encryption – only how to use the products. And they are fast and easy to learn. You don’t need to use encryption all the time, but when you are sending sensitive data, you probably should. You know what you have to learn? How to hit the “Encrypt and Send” button. That’s it.
Using the cloud to hold data is fine, so long as you understand the security precautions. Chiefly, if you encrypt the data before sending it to the cloud, your data is safe from the provider and from anyone who breaches the provider, because only you hold the decryption key. Holding the key yourself means the cloud provider has "zero knowledge" of it, and that is the kind of cloud provider you want. There is no additional cost to this; you just have to pick the right provider. The one trade-off to understand is that a provider that never sees your key cannot reset a forgotten passphrase, so the key must be backed up as carefully as the data. As an example, SpiderOak is a "zero knowledge" file-syncing cloud, whereas Dropbox holds a master decryption key and will, if given the proper paperwork, turn over your data to the authorities. We like SpiderOak and others that are moving in the "zero knowledge" direction, a far better solution for lawyers.
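What "encrypt before it leaves your machine, and keep the key" looks like in practice, as an added example that is not part of the original post and is not SpiderOak's or any other provider's code: the client generates a random 256-bit key that is never uploaded, seals each file with AES-256-GCM, and hands the provider only the resulting blob. Real products derive the key from a passphrase rather than storing random bytes; that step is assumed away here so the point stays visible. The sample "client file" and file name are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Illustrative client-side ("zero knowledge") encryption. The key lives only on
// the lawyer's machine; the provider stores the opaque blob returned by Seal.
// Example code, not the implementation of any named cloud product.

const keyLen = 32 // AES-256

// NewClientKey generates the key the client keeps to itself. A real product
// would derive this from a passphrase; random bytes are assumed here.
func NewClientKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM under key. A fresh random 12-byte
// nonce is prepended to the ciphertext so the blob is self-describing. The GCM
// tag authenticates both the ciphertext and the associated data (here the file
// name), so tampering with either is detected by Open.
func Seal(key, plaintext, associated []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, associated), nil
}

// Open reverses Seal. It returns an error and no plaintext if the key is wrong
// or if the blob or the associated data was modified in storage.
func Open(key, blob, associated []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], associated)
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keyLen {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keyLen, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample file; nothing here is real client data.
	file := []byte("Privileged: draft settlement terms, Smith v. Jones")
	name := []byte("smith-v-jones/settlement-draft.docx")

	blob, err := Seal(key, file, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the provider stores (first 16 bytes): %x\n", blob[:16])

	// The lawyer, holding the key, gets the file back intact.
	got, err := Open(key, blob, name)
	if err != nil {
		panic(err)
	}
	fmt.Printf("what the lawyer sees: %s\n", got)

	// The provider, or anyone who breaches it, holds only ciphertext: a
	// different key fails authentication rather than yielding garbage.
	other, _ := NewClientKey()
	if _, err := Open(other, blob, name); err != nil {
		fmt.Println("without the client key:", err)
	}
	// The flip side: if the lawyer loses the key, no one can recover the file.
}
```

The design choice worth noticing is the authenticated mode: with AES-GCM a wrong key or a modified blob fails outright instead of decrypting to silent garbage, which is what you want when the storage is someone else's.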
There is no cost to forbidding employees by policy from connecting to the law firm network with personal devices. Who knows what malware may exist on those devices? Large firms may choose to use sophisticated techniques to manage personal devices, but smaller firms are better off simply forbidding them to connect to the network, and having their IT provider confirm that the rule is actually being followed.
There is a long list of free or reasonably priced safeguards for data, but that's why attorneys should go to CLEs: to learn them and see that they are implemented by their IT provider. How about making sure lawyers use strong passwords, never reuse the same password across services (a password manager makes this painless), and change them promptly, especially their network credentials, whenever a compromise is suspected?
The changes to the Model Rules require only reasonable safeguards and give a host of factors to be considered in determining what is reasonable. In some cases, where lawyers hold HIPAA data or data containing personally identifiable information, they may be governed by state or federal law beyond the scope of the proposed rules, which is noted in the new comments to Rule 1.6.
So why all the hoo-ha at the Council meeting? Largely, we believe that there are fundamental misunderstandings about the changes and what they mean. There is also a mentality, so common in the legal profession, that "we've always done it this way." One person actually said that lawyers shouldn't be required to do more to protect data in the digital world than they were in the paper world. Say what? It defies belief that this sentiment has such a strong hold on so many lawyers, but it does. Perhaps the speaker didn't realize that over 93% of documents are created electronically and that more than 50% of them are never printed.
One young lawyer took the microphone to point out that the digital world is a new one – and requires us to adapt. We might add “or face extinction.”
Taken as a whole, what we cannot do is turn a blind eye to the impact of technology on our profession. There was a time when protecting client data involved locked file cabinets in a locked office. Today, we must still “lock” the data – digitally. The new modifications to Rule 1.1 and 1.6 are a measured and technology-agnostic step toward applying old rules to the 21st century.
It was notable that when the Law Society of Upper Canada revised its rules of professional conduct last year, there was no reference to technology, or computers, or 'electronic' anything, with the sole exception of the management of one's digital signature key for real estate registrations. There was a bit of discussion of this last fall on Slaw.
The Law Society also publishes Technology Practice Management Guidelines, which cover a number of security issues. Guideline 5.5 says this: “Lawyers should have a reasonable understanding of the technologies used in their practice or should have access to someone who has such understanding.”
The legal insurer for Ontario lawyers also has a great deal of advice available to the profession about managing technology, including a lot on security. In particular, there is a Model Technology Usage Policy for law firms. So ethics and prudence do not overlap completely.
In speaking with a leading Law Society of Upper Canada bencher late last year, one who is involved in law & technology issues, he ruled out categorically any inclusion of technological competence within the LSUC’s professional regulatory scheme.
“The Law Society should not be regulating technology,” said he.
“Shouldn’t the public be protected from lawyers without a minimal threshold competence? Technology is integral to every aspect of law these days,” said I.
“ ”, replied he.
Whether it’s via regulation or via negligence claims, as John Gregory’s comment implies, lawyers will eventually need to incorporate technological awareness as a part of their baseline competence.
So much to say…
First, on the issue of those who say that the law society should not be regulating technology, I have sympathy for that argument. Not sure I agree with it, but telling lawyers in 2015 that they should know that encryption exists and can be used to protect email communications is sort of like 40 years ago putting in a specific expectation that lawyers know the varying confidentiality risks of lettermail, registered mail, and couriers.
Of course they should know that. It derives from their obligation to protect their client’s confidentiality. The objection should not be that the lawyers don’t want to know it. The objection should be that the lawyers are already expected to know it. I don’t think anyone is going to be able to point to the code of conduct and say “the word technology is in there, so it’s not my fault I sent the due diligence over email while sitting in a cafe in the building owned by a competitor.”
I think it is exactly the reluctance of people to recognize that they can’t pretend this doesn’t exist that makes the idea of mentioning it specifically so attractive.
So there’s that.
Now, this idea that the costs of additional regulations fall less heavily on small and solo practitioners: that's not true. I am a solo practitioner. I am my own IT department. If I spend 2 hours installing encryption on my laptop, that's 2 hours I can't get back. If the IT person working in a firm of 10 people installs the same software, they can automate it, do 10 machines at the same time, and it still takes a total of 2 hours. Economies of scale apply to information security as much as anything else. As a general rule, because we have to do it ourselves, and we can't scale, all regulations hit small and solo practitioners harder. All bar associations need to keep that in mind at all times, along with the implications of the availability of small and solo practise (particularly technology-enhanced practise) for access to justice.
Lastly, the idea that encryption in place has no additional cost is ridiculous. Encryption in place essentially enables you to use exactly one technology, and that’s cloud file storage. If you want to do anything else, you can’t, because cloud software cannot (at least not until there are significant improvements in encryption technology) process encrypted data. So you want to have a cloud based accounting package? You can’t. Want to have cloud-based practice management? You can’t. Want to give your clients the ability to download their own documents from a convenient portal? You can’t. Because it’s encrypted and only you have the key. You have to download it, decrypt it, and THEN you can use it.
That is not the standard that we impose on anybody else, because it destroys so many of the advantages that are available. If I can’t use all of those cloud-based services, I have to buy hardware and software to implement those systems in house. It will be less secure, because it will not have a team of security professionals updating and constantly testing the software and it will not be hosted in a dungeon in a desert somewhere. Nor will it be backed up three ways to Sunday across the planet.
So no. Zero knowledge is not a better solution for lawyers. It makes things less secure, more expensive, and makes the entire practice of law more difficult, with commensurate damage to access to justice.
The argument that people should not be expected to do more to secure digital documents than they did to secure paper documents is misstated. The balance between security and convenience for digital data should not be weighted more toward security and less toward convenience solely on the grounds that the data is digital, and that level of security is possible, or even cheap. If we are going to come up with a different level of security for digital data, we should do so on the basis of a change in the level of risk, the amount of that risk that can be alleviated, and the costs in time and money, lawyer and client, of doing so.
No one is suggesting that all off-site storage of paper documents by law firms should be encrypted. It’s possible. But it’s ridiculously expensive, and it makes it more difficult for lawyers to use extremely valuable services like off-site storage that make their own operations less expensive and more available to clients. The balance is off.
Here’s the example that I use: is it reasonable to require people reading a client file on a laptop to install a device that prevents the screen from being viewed from the side?
My answer is no. The risk associated with reading a screen in a public place is exactly the same as the risk associated with reading a piece of paper. There is no additional risk whatsoever by virtue of the data being digital, in that scenario. If we have decided that the risk/convenience equation does not require us to ban reading client documents outside of the office entirely, then there is no reasonable suggestion that we need to impose additional requirements when reading off of a screen.
Is there good reason that we should have higher standards for how lawyers treat their passwords than we have for how they treat the keys to their offices? Abso-friggin-lutely. It’s a totally different question. The risks of digital data are higher, there, and so the standards should be. But the higher standard arises because of a change in the risk, not because of a change in the medium.
God. How long have I been on this soapbox? Sorry.
It should be kept in mind that the “breach-a-day world” is happening in the face of multitudes of competent IT professionals working against the problem. The issue is not just in systems that are not being properly maintained. The breaches are occurring not just in the systems maintained by IT professionals of average competency (i.e. the level of expertise that most law firms would be acquiring in the market for such professionals) but the systems of those being watched after by the most sophisticated technology companies themselves.
Robert Ambrogi reports that fifteen state bar associations have now adopted the ABA model rule that requires lawyers to be competent in the technology they use. The provision in Illinois, the most recent state to do so, reads:
(The italicized clause is new.)
Are Canadian lawyers mural dyslexics, or will they able to read the writing on the wall?