
The Ethics of Cybersecurity

This CLE program will help lawyers understand how using technology responsibly and protecting electronic data are actually ethical obligations. The first part of the program examines a lawyer’s duty of competence (rule 1.1) with respect to data security. The second portion of the program explains a lawyer’s confidentiality (rule 1.6) obligations with respect to protected client information. The third portion of the program analyzes how, and when, a lawyer needs to communicate (rule 1.4) a suspected data breach to her client. The final portion of the program discusses the Rules governing the supervision of trained IT professionals (rule 5.3).

Presenters

Hilary Gerzhoy
Associate
Harris, Wiltshire & Grannis LLP

Transcript

Hello, my name is Hilary Gerzhoy, and I am a partner at Harris, Wiltshire & Grannis. I am the Vice Chair of the firm's Legal Ethics and Malpractice Group. I principally represent lawyers and law firms in disciplinary investigations and prosecutions, and I've handled matters in front of a number of state bars, including the Attorney Grievance Commission of Maryland and D.C.'s Board on Professional Responsibility. I'm also a member of the D.C. Bar Rules of Professional Conduct Review Committee, which is the committee that reviews the rules of professional conduct for possible revision and amendment. And I teach legal ethics and professional responsibility at Georgetown Law School. Today, I'm going to be presenting on the Ethics of Cybersecurity, and I'm gonna go through a number of the legal ethics rules that are implicated by cybersecurity, and then some case studies about opinions that have come out in which courts have ruled on what lawyers were supposed to do with respect to cybersecurity. So, I'll go into the agenda now. The first two sections of the presentation for today will talk about competence, which is Rule 1.1, and so the first section we'll talk about technological know-how and the requirement and burden that the rules of professional conduct put on lawyers with respect to understanding technology. Then, I'll move into some competence case studies involving social media, eDiscovery, and metadata, and specific requirements that are imposed in terms of understanding and being competent with respect to those pieces of cybersecurity. I'm then gonna go into confidentiality and what the standard for reasonable care is under the rules, and the nuance that exists about how you have to keep information confidential and what that looks like in a world in which information is stored in the cloud and can be stored in multiple places, and people are no longer relying just on paper files. 
Then, I'm gonna talk about specifically requirements related to storing data in the cloud, and that's really where the competence rules and the confidentiality rules meet. Then, I'll go into the communication responsibilities that lawyers have, particularly with respect to communicating data breaches to clients. And then finally, I'm gonna go through the requirements that are imposed on lawyers for supervising those who report to them to make sure that they too are being compliant with all of the rules of professional conduct. So, ABA Rule 1.1 states that a lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation. In Comment 8 to ABA Rule 1.1, and I'll note that every jurisdiction has a Rule 1.1 that mirrors this, but Comment 8 is specific to the ABA. Not every jurisdiction has adopted this particular comment, which says that to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all the continuing legal education requirements to which a lawyer is subject. The particular important thing to note here is the ABA's requirement that lawyers stay abreast of changes in relevant technology, particularly with respect to the benefits and risks associated with technology. 
The impetus behind this particular comment is really because confidentiality is so significant and important, and because a lawyer needs to be able to maintain client confidences and communicate effectively with clients that part of the competence obligation, the 1.1 competence requirement, is really that a lawyer understands the uses of technology and how they can aid in their particular practice, but also how the risks associated with technology, particularly storing information and how there are confidentiality concerns, communication concerns, lots of different rules that are implicated. And the threshold is really that you know enough about technology that you are able to meaningfully represent your clients in an effective way with respect to all parts of the representation. In Opinion 371 that came out of D.C., and this was an opinion in 2016, the D.C. Legal Ethics Committee, which is the committee that writes opinions to basically explain the contours of the rule stated that because of society's embrace of technology, a lawyer's ignorance or disregard of it presents a risk of ethical misconduct. So, a lawyer simply saying, "You know, I'm not, I'm a luddite, I don't know anything about technology, I don't use it," is really not a defense under the rules, and so to the extent that the representation really calls for the use of some sort of technology, which it must, right, filing things, being able to effectively communicate with your client, that is a requirement that you stay abreast of changes in technology so that you know how to represent your client effectively, but sort of throwing your hands up and saying, "I'm not interested in understanding how to use technology or things like metadata, for example," is really not a defense under the rules to a potential allegation of misconduct. So, other jurisdictions have a similar Rule 1.1 analysis. 
And so, the California State Bar on Professional Responsibility issued a formal opinion in 2020, in which they said that the general principle requires lawyers to have a basic understanding of the risks posed when using a given technology, and if necessary obtain help from appropriate technology experts on assessing the risks and taking reasonable steps to prevent data breaches, which potentially can harm clients. The threshold obligation to understand the risk is satisfied by learning where and how confidential information is vulnerable to unauthorized access. This inquiry must be made with respect to each type of electronic device or system as they have been, or are incorporated into the lawyer's practice. And the critical concern here is really that there will be a data breach and a lawyer simply saying, "I don't understand how technology works," is really no defense. And so, with all their competency obligations, a lawyer can either become competent themselves, or associate with somebody who is competent, and so what the California State Bar has said specifically is if you don't understand everything about the risk associated with storing information in the cloud, for example, you can associate with technology experts who can help you, so that client information is really protected. So, as with all aspects of a lawyer's representation, if you lack the requisite competence, you have three options, and this is laid out in the ABA's "Cybersecurity Handbook", but it is applicable to every aspect of a lawyer's representation, which is that you can acquire the sufficient learning and skill before performance is required, you can associate with or consult with an expert or competent counsel, or you can decline the representation. 
And so, what you cannot do is continue with representation in which you are incompetent in some aspect, and so these are different ways to achieve that, and the requirement is not that you yourself become an expert in technology, but that you know what your limitations are and associate with appropriate people who have the requisite skill. D.C. Rule 1.1 has in Comment 2 the same idea, which is competent representation can also be provided through the association of a lawyer of established competence in the field in question. What you see typically in the instance of technological know-how is that lawyers will satisfy their duty of competence by hiring a qualified technology professional to help assist them. And so, in ABA Formal Opinion 483, which came out in 2018, the ABA said that a competent lawyer must use and maintain those technologies in a manner that will reasonably safeguard property and information that has been entrusted to the lawyer. A lawyer's competency in this regard can be satisfied either through the lawyer's own study and investigation or by employing or retaining qualified lawyer and non-lawyer assistance. So, the ABA has further articulated what we know to be true, which is that you can become an expert yourself or you can associate with an expert. The D.C. Bar's Legal Ethics Committee did a deep dive into the uses of social media in its opinion that it released in 2016, Opinion number 371. And the opinion provided the committee's guidance about advice and conduct by lawyers that relates to social media related to the provision of any legal services, and discussed the rules that were implicated by social media use. And this part, Opinion 371, was actually a continuation of Opinion 370, which is the first social media opinion that the D.C. Ethics Committee put out, which addressed the lawyer's use of social media in marketing and personal use. 
Opinion 371 goes further and says what do lawyers need to understand about social media for purposes of their practice and their representation. So, not getting and marketing to clients, but once they have a client, what is the lawyer's obligation and what are the things that they can't do? And so, in the opinion, there's actually maybe 12 different subsections of ethics rules that are implicated. But the first section really goes to the significance, being able to understand social media because it is part and parcel of your requirement to be competent with respect to technology. And that D.C. Rule 1.13, and every jurisdiction has an equivalent, states that a lawyer has to seek the lawful objectives of a client through reasonably available means because that is part of zealous representation. And so, what Opinion 371 clarifies is that being able to access a client's social media and understand how social media is used can be important to meeting that zealous and diligent representation requirement. In particular, there are certain examples that are provided with respect to researching a case. So, what the opinion says is that there may be instances in which you have an obligation as a lawyer to look at your client's social media for relevant evidence, potentially there are claims, defenses that you would only become aware of if you actually did a deep dive into your client's social media use. And of course, this involves conversation with the client, right? If the client tells you that their social media is private, that they never put anything on there that could be relevant to their case, that's a different category than if your client says, "I communicated about this case, there's witnesses that would have relevant information. I posted a picture at the time of the events in question, those kinds of things," then that requires that you look at the client's social media. 
And really, what the opinion is saying is that you have to have those threshold questions to understand in the first instance whether or not there's more for you to be doing with respect to investigating your client's social media presence. There are also particular concerns regarding preserving evidence. And what the opinion provides is that social media postings are subject to discovery and subpoenas, which we know, and that a lawyer might have to include social media in advice and instructions to clients about litigation holds and document preservation. To the extent that your client is subpoenaed, one thing you need to consider, which maybe is not always top of mind for everybody, is to tell your client that a litigation hold also applies to their social media posts, meaning that they can't then, once they're under subpoena, go back and delete a bunch of social media postings if any of those postings could be potentially relevant. There are also concerns about spoliation and duties under Rule 3.4, which specifically requires that a lawyer cannot obstruct another party's access to evidence or alter, destroy, or conceal evidence, or assist anybody in doing so. So, it's really important to make sure that to the extent that there's anything relevant to an ongoing case or an upcoming case, that you advise your clients not to delete any of their postings. To the extent that they do delete postings, you wanna make sure that they preserve all of the metadata behind them. So, there have been instances in which clients have gone back to clean up their social media once they were in active litigation and deleted postings, but took screenshots of the postings to save them. And there is precedent that says that that is insufficient because it doesn't capture the metadata. So, simply taking a screenshot of postings and then deleting them is not going to satisfy your obligations. Under the rules of professional conduct, you need to make sure that you have saved the metadata. 
And if you don't know how to do that, you need to make sure that you engage a technology expert who does and who can help you. The opinion also clarifies that it's really not a great idea to communicate with clients over social media, in part because the records are harder to keep, but it is a client communication and so all of the obligations regarding the client file then kick in, and so under the rules of professional conduct communications with your clients and written records with your clients are property of the client. And so, to the extent that you're giving legal advice to a client over social media, that's part of the client file, and part of the reason that various opinions sort of advise against doing that is because keeping records of it is more challenging to do. The other thing is being mindful of when an attorney-client relationship is created. And so, communicating with prospective clients, there's the same confidentiality obligations that arise and you wanna make very clear, to the extent that you're communicating with any prospective clients on social media, sort of what the nature of your relationship is: has an attorney-client relationship formed? Have they retained you? All of those questions come up in the context of social media. Let's talk a little bit about competence and eDiscovery. So, Federal Rule of Civil Procedure 26(b)(1) states that parties may obtain discovery about a relevant matter that is proportional to the needs of a particular case. And there are factors that are laid out about what is deemed to be proportional to the needs of a case, including relative access to relevant information, the party's resources, the importance of the discovery, and the burden versus the expense. 
And being able to make that appropriate analysis and both request discovery from an opposing party, but also be responsive to discovery requests yourself, requires competence in eDiscovery generally, and understanding what materials your client has and how those materials can be produced. And so, that requires a level of competence to understand how to engage in electronic discovery because that is the nature of discovery in 2022. So, metadata, let's talk about that. So, what is metadata? So, metadata is really data about data, it's typically not visible from the face of a document, but it is ultimately retrievable if you know how to look for it. So, the examples of metadata are the document author, the date a document was created, the date that a document was last modified, and the date that a document was last opened. And why is it important? The first reason it's important is that if you don't know about metadata and you don't know to scrub metadata then you can inadvertently disclose work product to the opposing side if you produce documents. If you produce a document and you haven't scrubbed the metadata, there could be substantial information in there that is actually work product that you don't want to be revealed to the other side, but because you didn't know to look for it and you didn't know to delete it, it did. There's also concerns about inadvertent spoliation. So, to the extent that you're not saving metadata, that's information that is certainly relevant to discovery requests when somebody asks. When an opposing side asks for discovery about a document, it is not just sort of what's on the face of the document, but things like when the document was created, last changed, who authored the document, who edited the document. And so, to the extent you're not preserving metadata, you could be guilty of spoliation. 
So, work product metadata is not, there's not a client confidence issue there, but you have to strip it before it's disclosed to the other side because you don't wanna be disclosing your own attorney work product. Then there's evidentiary metadata, which is not a client confidence because it's not a communication with your client that you need to keep in confidence and keep confidential, but it is something that you have to retain and possibly produce because it could be responsive to discovery requests. In ABA Model Rule 4.4 Subsection B, the Model Rule states that a lawyer who receives a document or electronically stored information relating to the representation of the lawyer's client and knows or reasonably should know that the document or electronically stored information was inadvertently sent shall promptly notify the sender. For purposes of the rule, in Comment 2 the ABA clarifies that document or electronically stored information includes, in addition to paper documents, email, and other forms of electronically stored information, including embedded data, which is metadata, that is subject to being read or put into readable form. Metadata in electronic documents creates an obligation under the rule only if the receiving lawyer knows or reasonably should know that the metadata was inadvertently sent to the receiving lawyer. So, the critical takeaway here is to the extent that you have gotten documents or ESI from another lawyer and you know or reasonably should know that it was inadvertently sent to you, you have to notify the sender. And then in Comment 2, that's extended to mean that to the extent that you see that metadata is visible and you know or should know that the opposing side did not want you to see that metadata, you similarly have an obligation to notify the sender. So, let's talk now about confidentiality and the rule governing it and the reasonability standard. 
So, ABA Rule 1.6 is the rule that governs confidentiality and it states that a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is permitted by Paragraph B. So, factors to be considered in determining the reasonableness of a lawyer's effort to keep information confidential are the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing those additional safeguards, the difficulty of implementing those safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients. For example, making a device or important piece of software excessively difficult to use. There are some jurisdictions that have provided additional detail as to what a lawyer's 1.6 obligations are, and what your obligations are to make reasonable efforts to prevent the inadvertent disclosure. So, to figure out whether or not you have complied, and your efforts have been reasonable, the ABA has put forth a series of those five factors that I discussed about sensitivity, and likelihood of disclosure, and costs. And other jurisdictions have actually gone further and provided additional detail. So, one example is Virginia's Rule 1.6. So, in Comment 20 to Rule 1.6, Virginia states that to comply with the Rule 1.6 obligations of confidentiality, a lawyer does not need to have all the required technology competencies. The lawyer can and more likely must turn to the expertise of staff or an outside technology professional. Because threats and technology both change, lawyers should periodically review both and enhance their security as needed; steps that are reasonable measures when adopted might become outdated. 
And it goes further in Comment 21 to really clarify that because of the evolving nature of technology and associated risks, law firms should keep abreast on an ongoing basis of the reasonable methods for protecting client confidential information. And there are particular practices that Virginia recommends to ensure that you're compliant with your 1.6 confidentiality obligations. So, those include periodic staff security training and evaluation programs, including precautions, procedures regarding data security. So, to the extent that you work at a law firm, making sure that all non-lawyers are trained periodically on data security measures and that all lawyers similarly receive security training about how to keep client information secure. Adopting policies to address a departing employee's future access to confidential information is really important. And making sure that to the extent an employee leaves a law firm, that they return all electronically stored confidential information back to the law firm. Virginia also recommends procedures to address the security measures for access of third persons to stored information. So, to the extent that anybody outside of the law firm is gaining access to client information, that's obviously a problem, and understanding what your security measures are to ensure that only those who are working on a case have access to it. Virginia also recommends procedures for backing up and storing firm data and making sure that there are steps that securely erase or wipe electronic data from computer devices before those devices are transferred, sold, or reused. So, sometimes firms will issue firm laptops or firm phones, for example, and then when a lawyer leaves the firm, they'll clean those, and then give it to a new lawyer who starts. 
And it's really important to make sure that all electronic data, and not just what's on the computer, you know, on the desktop, for example, but everything that is electronic data, is really wiped from a device before it's transferred, sold, or reused by anybody else. Also, encouraging everyone to use really strong passwords and other authentication measures to log on to their network. And the security of those passwords, to make sure that passwords are changed frequently, and that they're not reused in multiple ways and for multiple logins. And then, the use of hardware and software measures to prevent, detect, and respond to malicious software and activity. What is classified as reasonable when used in relation to conduct by a lawyer denotes the conduct of a reasonably prudent and competent lawyer, that's the ABA standard under Rule 1.1h. And so, the question is really to the extent that there is a data breach and client confidential information is released, did a lawyer violate their 1.6 obligations? And to figure out if the lawyer violated their 1.6 obligation, the question is did they engage in reasonable exercises to ensure that that information stayed confidential, knowing that mistakes happen and breaches happen? And so, what the ABA says, and every jurisdiction models some version of this, is that to determine whether or not a lawyer engaged and took reasonable measures is really would a reasonably prudent and competent lawyer in that same circumstance have acted similarly? In an Article 4 in 2016 regarding the ethical obligations with regards to technologies employed in the practice of law, what the author there said was really in assessing whether reasonable efforts were made in accordance with Rule 1.6, the Model Rules suggest essentially a cost-benefit analysis, which is weighing the sensitivity of the information and the cost of employing additional safeguards. 
So, to determine whether or not a lawyer engaged in reasonable protections to protect client information, and this question arises after there's been a data breach, is really what was the cost of taking additional security measures? And what was the benefit of taking those measures? And what factors into that is really what is the sensitivity of the information? How important is it? How costly is it if it gets out there? And what could you have done in addition to safeguard that information and what would the burden be on the lawyer to ensure that that happened? So, a number of other jurisdictions have also given details about what reasonable measures require, and sort of how to engage in that analysis. So, in 2010, the Alabama State Bar Office of General Counsel of Ethics stated that the lawyer must have reasonable measures in place to protect the integrity and security of an electronic file, and that the lawyers should take reasonable steps to ensure that files are secure from outside intrusion; such steps may include the installation of firewalls and intrusion detection software. The New Jersey Advisory Committee on Professional Ethics issued an opinion in 2006, in which they analyzed the contours of Rule 1.6 and held that a lawyer is required to exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access. In 2017, the ABA issued Formal Opinion 477R, where they talked about cybersecurity and data breaches in particular. And what the ABA said was that law firms are targets of cyber attacks at really staggering rates. And they are targets for two principal reasons. The first is that law firms get and store highly sensitive information about their clients, and they utilize safeguards to shield that information that at times are inferior to those that would be deployed by the client. 
And so, you might have clients who have highly sensitive information that they have given to you because it is relevant to the representation, but the firm itself is not utilizing safeguards that are perhaps as strong as what the client would be doing by himself or by herself. And the second is just that the information that law firms possess is likely to be more of interest to a hacker and less voluminous than it would be if held by the client. So, 'cause the question is why would you hack a firm as opposed to just trying to get information from the client? And why wouldn't a hacker just hack the client as opposed to the firm? And the idea, or at least the hypothesis among the ABA, is really that firms are not as good at protecting their information, and that firms would have only the information that likely a hacker would want, whereas hacking into a client's computer could have all kinds of information that is not relevant to what a hacker is looking for. And so, in analyzing what constitutes reasonable measures to prevent against the release of client confidential information, the ABA says that it's really a case-by-case analysis, and that what constitutes reasonable efforts is not susceptible to hard and fast rules because it's contingent upon a number of factors. And that those factors in turn depend on possible types of information being communicated, which range from highly sensitive information to insignificant information, and the methods of electronic communications employed, and the types of available security measures for each method. So, whereas there's an obligation to ensure that you employ reasonable measures to protect client information, there's no set rule that sort of lays out this is reasonable. If you do X, Y, and Z, this is reasonable. If you do A, B, and C, that's unreasonable, you have not engaged in reasonable efforts, because it really is a balancing test that depends on what kind of information you're protecting. 
So, how sensitive really is that information and what the available security options are, how timely, how costly it would be to employ them. So, what happens if there is a data breach and you work at a firm or you're a solo practitioner, your computer is hacked and client confidential information is accessed? So, the rules don't impose a strict liability standard. In ABA Opinion 483, which came out in 2018, the ABA said that an attorney's competence in preserving a client's confidentiality is not a strict liability standard and does not require the lawyer to be invulnerable or impenetrable; rather the obligation is one of reasonable efforts. Rule 1.6 is not violated even if data is lost or accessed if the lawyer has made reasonable efforts to prevent that loss or access. What's really significant to know is that whether or not a lawyer failed to engage in reasonable measures to be compliant with 1.6 is not an after-the-fact test, it's not did a data breach occur and therefore you did not have reasonable measures in place. It's really what were the efforts that you took to ensure client confidential information, and evaluating them from the standard of what would a reasonable competent lawyer have done in that circumstance. In Comment 18 to Rule 1.6, the rules explain that Paragraph C of 1.6 requires that a lawyer act competently to safeguard information relating to the representation of a client against unauthorized access by third parties, and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision; the unauthorized access to or the inadvertent or unauthorized disclosure of information relating to the representation of a client does not constitute a violation of Paragraph C if the lawyer has made reasonable efforts to prevent the access or disclosure. 
So, whether or not a lawyer took reasonable precautions consistent with Rule 1.6 is not measured by whether or not a cyber attack occurred because there's a recognition, as there has to be, that sometimes reasonable safeguards fail. So, in the "ABA Cybersecurity Handbook", the ABA specifically calls this out and says it's important to bear in mind that lawyers under the rules of professional conduct, that their security measures that they're required to take are not required to be invulnerable, that standard would simply just be too high. The Connecticut Bar Association on Professional Ethics issued an opinion in 2013 that also reiterated this idea that the duty of confidentiality described in Rule 1.6 is rigid, but it's tempered by the recognition that even when a lawyer acts competently to preserve the confidentiality of data, reasonable safeguards sometimes fail. The reasonableness standard is really an evolving standard. In an opinion that the ABA issued in 1999, so a significant time ago, what the ABA Committee on Ethics said was that lawyers have a reasonable expectation of privacy in communications made by all forms of email. And so, this was really when email was becoming a much bigger thing, and so the ABA Committee on Ethics opined about what are your obligations with respect to email? You're now sending client confidential information via email, what are the protections in place? And the standard that the ABA Committee put out there was that lawyers have a reasonable expectation that their communications will stay confidential, that includes communications over information and communications over email. And it therefore follows that its use is consistent with the duty under 1.6 to use reasonable measures to maintain the confidentiality of information relating to a client representation. 
Ten years later, the ABA issued opinions on social media, and then they were talking about metadata. Technology is constantly evolving, and it's important for lawyers to stay aware of what those changes are and be cognizant of the potential security risks that clients can face. In 2017, the ABA issued Opinion 477R, which I talked about earlier, which states that the use of unencrypted routine email generally is an acceptable method of lawyer-client communication. So, whereas lawyers frequently communicate with their clients over email and they don't use encrypted email, that as a general matter is an okay thing, except that what the ABA says is: however, cyber threats and the proliferation of electronic communication devices have changed the landscape, and it's not always reasonable to rely on the use of unencrypted email; therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters. And so, what the ABA is really highlighting there is that there could be instances where using unencrypted routine email is simply not a reasonable effort in light of the confidentiality concerns in a given matter. And so, it's really a case-by-case analysis to determine the sensitivity of the information that you're communicating about. And it might be the case that the information is so sensitive that, to be considered acting reasonably to safeguard client information, what you have to do is pick up the phone or use encrypted communication that gets deleted and is not saved, so that there's additional security. So, let's talk about storing data in the cloud, which is really where the competence obligations of 1.1 and the confidentiality obligations of 1.6 meet. So, what is the cloud?
The cloud is really a fancy way of saying "stuff not on your own computer," as the Pennsylvania Bar Association Committee on Ethics put it; it really refers to a constellation of web-based data processing, transmission, and storage services that are available over the internet. The cloud for law firms may involve the storage of a law firm's data, including client files, business billing information, and work product, on remote servers rather than on the law firm's own computers, and therefore outside of the direct control of the lawyer. So, things like online billing platforms, Gmail, Westlaw, Square, Dropbox, Evernote, online fax services, all things that are not within the direct control of a lawyer's computer. So, this presents the question: is storing information in the cloud consistent with the ethics rules? And the answer is really yes, so long as reasonable precautions are taken. In 2019, the Virginia State Bar Committee on Legal Ethics issued Opinion 1872, which went into some detail about this. And what that opinion says is that when a lawyer is using cloud computing, the lawyer must follow Rule 1.16b6 and exercise care in the selection of the vendor, have a reasonable expectation that the vendor will keep the data confidential and inaccessible by others, and instruct the vendor to preserve the confidentiality of the information. The lawyer will have to examine the third-party provider's use of technology and terms of service in order to know whether it adequately safeguards clients' information. And if the lawyer is not able to make this assessment, she will have to consult with someone qualified to make that determination. So, that's a very high standard.
So, in Virginia, what the Committee on Legal Ethics has stated is that as a general matter you're allowed to use cloud computing, but when selecting the vendor who hosts the cloud for you, you really have to do due diligence. It's not just selecting somebody; you have to do things as detailed as looking at their terms of service to know how they safeguard information. And if you're not able to, because you don't have the technological know-how to examine their terms of service and make a determination about whether or not their standards are reasonable in terms of keeping information confidential and safe, then you have to consult somebody who can make that determination. And what Virginia has recognized is that a lawyer is not required to absolutely guarantee that a breach of confidentiality cannot occur when using an outside service provider, but that the standard, again, is this reasonable care to protect information relating to a representation. But I think what's important to note here is that what constitutes reasonable, specifically with respect to the cloud and using vendors, is higher than one might think. I think requiring a lawyer to look at the terms of service that a vendor has, to see whether or not they think that they're adequately safeguarding information, is a relatively burdensome, onerous task. But it's something that the rules, at least in Virginia, really clarify as a requirement. In 2019, the Nebraska State Bar Association Ethics Advisory Committee issued an opinion where they said that a lawyer can transmit information relating to the representation of a client over the internet and allow for that information to be stored on and accessed through third-party offsite servers, i.e.
the cloud, if the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access to that information, maintain the confidentiality of the information, and establish reasonable safeguards to ensure the information is protected from loss, breaches, business interruptions, and other risks created by advancements in technology. So, not as detailed or as onerous as what the Virginia opinion states, but what Nebraska holds is really that you can use the cloud so long as you've done things to prevent the inadvertent disclosure of any information that ultimately gets stored in the cloud, you're maintaining the confidentiality of the information, and you're using reasonable safeguards to make sure that that information isn't ultimately lost or that there aren't business interruptions that mean that the information is not accessible. Alaska in 2014 issued an opinion in which they said that they joined the community of bar associations that conclude that cloud computing is permissible so long as reasonable steps to protect client information are taken. The New Jersey Advisory Committee on Professional Ethics analyzed 1.6 and stated that the touchstone in using reasonable care against unauthorized disclosure of information is that the lawyer has entrusted such documents to an outside provider under circumstances in which there's an enforceable obligation to preserve confidentiality. So, looking at an agreement with a vendor where they have agreed to keep the information that is stored in the cloud confidential and are gonna maintain requisite security measures. And also that use is made of available technology to guard against reasonably foreseeable attempts to infiltrate the data. So, you want to have assurances from your cloud computing provider that they have the ability to guard against what would be reasonably foreseeable attempts to infiltrate data.
So, the standard is not "would the best hacker in the world be able to access this information?" But to the extent that we think that cyber attacks occur, that there are hackers who are interested in trying to get this information, have we done the things that would protect against what we foresee will be reasonable attempts to infiltrate? And what New Jersey says is that if the lawyer has come to the prudent professional judgment that he's satisfied both of those criteria, right, there's an enforceable obligation to preserve confidentiality with the provider, and technology is available and used to guard against foreseeable attempts to infiltrate, then a lawyer can rest assured that he has exercised reasonable care to protect client confidential information consistent with his 1.6 obligations. And so, even if there is an ultimate breach, he would not be held to have violated 1.6. So, what's the bottom line here? Protect the confidentiality and availability of client information via contract and security settings; make sure that you have all the adequate privacy and security settings available. And to the extent that you are engaging an outside provider, have a contract that imposes on your provider those same obligations that you would have, to ensure that information is kept confidential. Ban secondary access to and use of information: only people who are working on the case should have access to the client file as a general matter. Regularly assess the appropriateness of your cloud provider's security. And don't just be satisfied that when you first engage somebody they have good security measures, but stay on top of what security measures they continue to have, and check if your jurisdiction has specific recommendations or requirements. So, we talked about Virginia imposing some additional requirements.
It's important to make sure that you look at your jurisdiction and see whether or not there are any additional requirements being imposed, to make sure that you are compliant with 1.6, so that if there is a data breach you will not be held to have violated 1.6, because you've done the things that your jurisdiction requires to be deemed to have engaged in reasonable methods to protect client confidential information. And the last thing to know on this topic is that clients can request additional security measures, and a lawyer has to follow a client's reasonable request. So, to the extent that a client says, "My information is sensitive, and I know you take certain security measures at your firm; you have certain software that you install to protect against data breaches. I have my own specific requests, and I would like, for example, none of my files to be uploaded onto your firm's computer system." Depending on what the request is, if what the client is asking is reasonable under the circumstances, a lawyer has to follow the client's reasonable request. So, be cognizant of whether or not your clients are imposing any security measures above and beyond what your typical practice is, so that you can comply with them. So, what happens if there's a data breach? We know that a very significant percentage of law firms are the targets of cyber attacks and that data breaches happen all the time. So, let's talk about your obligations to communicate with your clients as a general matter, and then how that relates specifically to your obligations to communicate things like a data breach. So, ABA Rule 1.4, which is the communication rule, states that a lawyer shall promptly inform the client of any decision or circumstance with respect to which the client's informed consent is required, and that a lawyer shall reasonably consult with the client about the means by which the lawyer's objectives are to be accomplished.
And then, really critical to the data breach category, is to keep the client reasonably informed about the status of a matter. So, do you need to tell your client, for example, that you're storing information in the cloud? Is that a threshold question that a client needs to be able to weigh in on? Does that fall within the contours of any of your 1.4 obligations? So, not every jurisdiction has weighed in on this question, but the likely answer, based on the jurisdictions that have weighed in so far, is no. So, Nevada in 2006 addressed this question and said that an attorney can use an outside agency to store confidential client information in electronic form and on hardware located outside the attorney's direct supervision and control, so long as the attorney observes the usual obligations applicable to such arrangements for third-party storage services. And if the third party can reasonably be relied on to maintain the confidentiality and agrees to do so, then the transmission of client information over the cloud is permitted even without the client's consent. So, your typical cloud computing dynamic is not something that, in all likelihood, you have to tell the client about or ask the client about, and the client is probably going to assume that this is something that you do, because storing things on remote servers is common, and also storing things in a way that is accessible, not just saved on your individual device, is very common. But what do you do if your client's information is stolen? Stolen either because you're using a cloud computing service and there's a hack there, or your personal device is hacked. If you think your client's information has been stolen, what are the steps that you take? So, the first sort of initial step is that it likely takes some time to understand what happened, and in particular to understand the scope of a breach.
So, in 2018, the ABA Committee on Ethics and Professional Responsibility issued Formal Opinion 483, in which they said that the information gathered in a post-breach investigation is necessary to understand the scope of the intrusion, consistent with the lawyer's duties of communication and honesty under Model Rules 1.4 and 8.4c. So, there's a recognition that if you think that there is a breach, it's gonna take a little time and investigation to understand what happened, so that you can actually provide an accurate disclosure to the client. So, you have to keep the client updated about things that happen in his or her case. Clearly, information being stolen via cyber attack is relevant and is information that the client needs to know, but there's a recognition that it could take you a little time to figure out what actually happened. Was it just an attempt? Or was information in fact retrieved? And which information? And segregating out by client matter which information was in fact taken could be something that is not obvious to you. So, you wanna make sure that you understand what happened in a post-breach investigation and that you provide accurate disclosures to your clients. Now, the question is: so I have to engage in this post-breach investigation, I wanna make sure I get accurate information to my client, but don't I need to communicate with my client quickly, and isn't there an obligation under Rule 1.4 to notify my client in real time about things that are happening in his or her matter? So, the standard under ABA Model Rule 1.4 is that you need to keep your client reasonably informed about the status of a matter. You also have to promptly comply with reasonable requests for information from your client. So, if your client calls you, for example, you can't wait a week to call your client back.
The Michigan State Bar Professional Ethics Committee issued an opinion in 2020 that tried to address this question and really sort of left it to, again, a reasonableness standard. And so, in that opinion, what the Michigan State Bar Committee stated was that a lawyer has a duty to inform a client of a material data breach in a timely manner. And so, they define a breach as material if it involves the unauthorized access, destruction, corruption, or ransoming of client ESI that's protected by 1.6 or other applicable law, or if it materially impairs the lawyer's ability to perform the legal services for which the lawyer has been hired. And so, what Michigan says is you have to inform the client in a timely manner. A timely manner is similar to a reasonable person standard, which is really hard to define. There's not a multifactor test; there's not a strict timeline for how quickly you have to notify your client. But what you wanna do is make sure that once you think that there could have been a potential cyber attack, you do your investigation promptly, you loop in any IT professionals that work at your law firm so that they are also looking into the matter, you notify the client that you think that there might have been a breach, and then you keep them notified as you continue your investigation. And even though there might be a desire to try to get to the exact right answer and know precisely what was taken and what was revealed, you don't wanna let too much time pass, because of your 1.4 obligations to keep your client informed about a matter in a timely way. So, the next section that I'm gonna go through is supervising trained professionals in the context of cybersecurity. So, we talked about in the 1.1 section that there are multiple ways to be competent. One is that you can learn yourself and become an expert yourself, and the other is that you can hire people who are experts and trained professionals, and you can supervise them.
So, under Rule 5.4, a partner, or a lawyer who individually or together with other lawyers manages anybody in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer. A lawyer who has direct supervisory authority over a non-lawyer has to make reasonable efforts to ensure that that person's conduct is compatible with the professional obligations of a lawyer. So, what this really says is that to the extent that you are supervising other individuals, it is incumbent upon you to make sure that they are acting consistently with the rules. So, just like you have your 1.6 obligations to maintain client confidences, when you're acting in a supervisory capacity, that then extends to those whom you are supervising. And so, what happens if you supervise somebody and they make a mistake, they mess up, and in particular they make a mistake with respect to cybersecurity and data security and potentially violate Rule 1.6 because client confidential information has been released? So, when are you responsible for that? So, under 5.4, a lawyer is responsible for the conduct of a person that would be a violation of the rules of professional conduct if the lawyer engaged in that conduct, if either one of two things is true. One, the lawyer orders, or with knowledge of the specific conduct ratifies, the conduct. So, if you tell somebody to do something that would be a violation of the rules, that is a violation that you are held responsible for. Or, and this is the more likely circumstance, two, the lawyer is a partner or has managerial authority in the firm in which that person is employed, or has direct supervisory authority over the person, and knows of the conduct at a time when its consequences can be avoided or mitigated, but fails to take remedial action.
So, if you know that somebody whom you manage is engaging in conduct that would be a violation of the rules, and there is time to avoid the violation or mitigate its damages, but you don't take any remedial action, then you are liable for the violation of the rule as if you had done it yourself. And so, the duty to supervise non-lawyer staff pursuant to Rule 5.3 is discussed in the Restatement of the Law Governing Lawyers, and what it describes is that a lawyer has to have reasonable measures in place that ensure that lawyers and non-lawyer personnel are reasonably competent for their intended responsibilities and thereafter receive appropriate training, supervision, and support, allowing them to recognize and carry out their responsibilities. So, again, it's back to this reasonable person standard, to make sure that the people that you supervise are both competent for the thing that they're supposed to do and are trained to do it. And so, this extends to all personnel that you supervise, but in particular, with respect to cybersecurity issues, IT personnel and people who are dealing with data at a firm. And so, how do you figure out whether or not you're hiring people who meet the criteria established in 5.4, who are competent for their intended responsibilities? So, in ABA Formal Opinion 500, which came out in 2021, the ABA talked about hiring language interpreters and translators, but there's a particular feature of that opinion that's very relevant for hiring anybody who would be an expert to help you satisfy your competence obligation. So, to the extent that you don't know everything about technology and you're hiring an IT expert, how do you decide whom you hire and whether or not you're adequately satisfying your 5.3 obligations to make sure they're competent? So, what the ABA has said is that you're supposed to evaluate the individual's training, experience, certifications, and professional standing.
So, in deciding whom to hire as a technology expert to ensure that you're meeting your obligations under 1.1, you wanna look at that person's resume in the way that you would look at the resume of anybody you're hiring, but it's important to note the limits of a lawyer's duty under this rule, because what a lawyer is not required to do is become a cybersecurity expert in order to hire a cybersecurity expert. That would sort of defeat the feature of the rule that allows a lawyer to become competent by hiring another. So, really, you're supposed to use these proxies: is the person certified in what they're supposed to be certified for? Have they been trained? Are there people at the firm who can train them to do the job that they're going to be doing? Those are really the questions that you wanna be asking. And so, the obligation of a lawyer, and both the Washington State Bar Association and the California State Bar Association have opinions on this, is really that a lawyer who is using a third-party provider or hiring somebody to be a technology expert has to conduct a due diligence investigation into who that person is, and consult with people to be able to assess that that person has the necessary skill and knowledge to be an IT professional in a firm and protect client information. So, to wrap this all up, given that the use of technology is so pervasive and that cybersecurity attacks happen all the time, it's really important that lawyers be aware of what the risks are, associate themselves with people who have expertise to ensure that they're engaging in reasonable steps to protect client information, and are in a position to identify if there has been a cybersecurity attack, and then engage in an investigation to determine the scope of that attack and communicate to the client what needs to be communicated. And with that, I will conclude. Thank you so much.


Course details

On demand
1h 1m 37s