On May 11th, 2017, the American Bar Association released Formal Opinion 477, entitled "Securing Communication of Protected Client Information." In summary, it says: "A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security."
The opinion updates Formal Opinion 99-413, noting that the role and risks of technology have evolved since 1999. That made me laugh - do you think?
It fundamentally says that special protective measures, such as encryption, are warranted under some circumstances.
What's a lawyer to do in this complicated technology world? The opinion offers some guidance. Certainly you want to consider the sensitivity of the information. Scheduling a phone call via text or e-mail is probably fine. Sending a merger agreement without encrypting it is almost certainly not.
The opinion suggests that lawyers should understand how their electronic communications are created, where client data resides, and what avenues exist to access that information. Here, I think the opinion asks a lot of lawyers, particularly in understanding what avenues exist to access information – those avenues change all the time.
I do agree that lawyers should understand and use reasonable electronic security measures, but the truth is that the opinion lists things that lawyers generally do not understand: secure Wi-Fi; the use of a Virtual Private Network or another secure Internet portal; using unique, complex passwords (um, NIST is about to change that), changed periodically (not so much under the new NIST framework expected to be published this summer); implementing firewalls and anti-malware/anti-spyware/antivirus software on all devices on which client confidential information is transmitted or stored; and applying all necessary security patches and updates to operational and communications software (most lawyers rely on IT folks to do this, and they do not follow Reagan's "trust but verify" approach).
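The NIST change referred to above is SP 800-63B, whose memorized-secret rules drop composition requirements and periodic rotation in favour of a minimum length and a blocklist of common or compromised passwords. The following is an added example, not code from the post or from the ABA or NIST, that puts the traditional "complex password, rotated every 90 days" check beside a check modelled on the 800-63B rules. The blocklist here is a constructed five-entry stand-in for the breach corpus a real deployment would consult, and the 64-character upper bound is an assumed verifier setting (800-63B asks that at least 64 characters be permitted).

```python
"""Added example: legacy composition-rule password policy versus a check
modelled on NIST SP 800-63B section 5.1.1.2 (memorized secret verifiers).
Not code from the original post, the ABA opinion, or NIST."""
from __future__ import annotations

import hashlib
import re

# Constructed sample blocklist (stand-in for a breach corpus). 800-63B says
# candidate secrets SHALL be compared against commonly used, expected or
# compromised values; storing SHA-1 digests mirrors how breach lists are
# commonly distributed and queried.
BLOCKLIST_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "Password1!", "Summer2017!", "letmein", "qwerty123")
}

MAX_LENGTH = 64  # assumption: the longest secret this verifier accepts


def legacy_policy(password: str) -> tuple[bool, list[str]]:
    """The traditional check the post describes: 8+ characters and a
    required mix of lowercase, uppercase, digit and symbol."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
                          ("digit", r"[0-9]"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"missing {name} character")
    return not problems, problems


def is_sequential(s: str) -> bool:
    """True for runs such as 'abcdefgh' or '87654321' (every step +1 or -1)."""
    if len(s) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def nist_800_63b_policy(password: str, user_context=()) -> tuple[bool, list[str]]:
    """Rules from SP 800-63B 5.1.1.2:
    - user-chosen secrets SHALL be at least 8 characters; 64+ SHOULD be allowed
    - no other composition rules (no required character classes)
    - reject values on a blocklist of common/compromised passwords, repetitive
      or sequential strings, and context-specific words (username, firm name)
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than the {MAX_LENGTH} characters this verifier accepts")
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in BLOCKLIST_SHA1:
        problems.append("appears on the compromised/common password list")
    lowered = password.lower()
    for word in user_context:
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word {word!r}")
    if re.fullmatch(r"(.)\1+", password):
        problems.append("repetitive characters")
    if is_sequential(lowered):
        problems.append("sequential characters")
    return not problems, problems


def rotation_required(days_since_change: int, compromised: bool,
                      max_age_days: int = 90) -> tuple[bool, bool]:
    """Returns (legacy, nist). Legacy policy forces a change at max_age_days;
    800-63B says verifiers SHOULD NOT require arbitrary periodic changes but
    SHALL force one on evidence of compromise."""
    return days_since_change >= max_age_days, compromised


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple", "abcdefgh"):
        print(f"{pw!r}: legacy={legacy_policy(pw)} nist={nist_800_63b_policy(pw)}")
```

The interesting cases are the ones the two policies disagree on: "Password1!" satisfies every composition rule yet is rejected by the blocklist, while a long lowercase passphrase fails the legacy check and passes the 800-63B one.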
Yes, we should be able to remotely wipe lost or stolen phones. The opinion doesn't state that all phones MUST be encrypted, but that is certainly my belief.
The opinion talks at length about conversing with your client about security and about considering communications with third parties, and it flatly states: "if client information is of sufficient sensitivity, a lawyer should encrypt the transmission." It further notes that some laws and regulations require encryption.
Training lawyers and other law firm employees about cybersecurity is a key measure to help protect confidential data. It is imperative that law firms have information security policies which are periodically reviewed. How to review the security of vendors is also detailed in the opinion.
It is certainly very helpful to read this opinion. Because it is a very detailed opinion, it is likely that it will need to change sooner rather than later. I do not think that our own state of Virginia would adopt this rule. Virginia has chosen to limit the amount of "specifics," since they are so subject to becoming quickly obsolete. While we teach lawyers about cybersecurity all the time – and lawyers, to their credit, try to understand what we teach – there is a limit to how much a lawyer can be expected to understand about cybersecurity in a world where attack surfaces and attack methodologies change daily.