This article appeared in JD Supra on July 26, 2017.
DLA Piper attorneys dreaming of an unplugged vacation might have been rethinking their connection-free fantasies on June 27, after a new ransomware attack called “Petya” (later distinguished from the original Petya and labeled “NotPetya”) infected the firm’s IT systems.
Attorneys and staff were forced to work for days without access to email, their document management system, and – for a time – their office telephone lines. The attack made headlines in legal publications for a number of reasons, not the least of which was its terrifying reminder of how essential technology has become to lawyers’ most basic work.
The ABA has repeatedly attempted to address these risks, most notably through the recommendations of its Ethics 20/20 Commission. Since the Commission’s report was issued and the ABA accordingly revised its Model Rules of Professional Conduct in 2012, 31 states have already adopted at least some of its recommended changes to their own ethics rules.
But this previous round of rulemaking has not quieted lawyers’ questions, and on May 22 of this year the ABA released Formal Opinion 477R (the “Opinion”), a new reflection on lawyers’ ethical responsibilities when using information technology.
The Opinion is wide-ranging and often detail-oriented: in 11 pages, it touches on encrypting emails, the need to include “privileged and confidential” in email subject lines, handling multiple devices, and evaluating technology service providers. But does the Opinion succeed in clarifying lawyers’ ethical responsibilities in relation to these issues or does it only muddy the waters?
Law firms and their insurers might be forgiven for worrying about ethical silt deposits: legal malpractice plaintiffs’ attorneys have started to push their own interpretations of the new ethics rules in court.
In December 2016, the Northern District of Illinois unsealed a complaint against the Chicago-based law firm Johnson & Bell, the very first class action lawsuit brought against a law firm on the grounds of inadequate cyber security. The complaint cites Illinois’s version of the ABA’s revised ethics rules, adopted at the beginning of 2016. The cited Rule 1.6(e) requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
In arguing that Johnson & Bell acted negligently, the complaint claimed that the firm had failed to use a “reasonable degree of professional care” because it had failed to adopt industry-standard data security protections. The complaint pointed to the firm’s failure to update certain software and internal systems on one hand and other firms’ best practices on the other.
Was plaintiff’s counsel reading the new ethics rule correctly and do law firms need to look to their peers to determine industry standards for data security? Regardless of whether the details of the Johnson & Bell case are relevant to their circumstances, many lawyers might wonder how they can ensure they comply with what their clients or a court would interpret to be industry norms.
The stated purpose of Opinion 477R is to reflect on this question of “how” – how lawyers comply with their ethical responsibilities in an “ever-changing technological world.” Given its call for reflection, the amount of ground it covers in a relatively short space, and the speed with which best practices can become obsolete, the Opinion would be more useful in articulating underlying principles than in making pronouncements about specific technologies.
Implicit in the Opinion are two such principles. If these principles are sound and actionable, they might help lawyers navigate around potential liability landmines. If not, they might lead lawyers to stumble onto one.
Principle #1: Technology Risk is Always a Matter of Context
HIPAA experts might find it easy to imagine a regulatory regime for lawyers requiring specific physical and technological safeguards. But that sort of regime was never really an option for the ABA. Instead, it developed an approach that is context-dependent and technology-agnostic. One size does not fit all with respect to the safeguards that are reasonable for different firms. One size does not even necessarily fit all regarding a given firm’s matters or even all communications related to the same matter.
This principle is reflected in the part of the Opinion that has gotten the most attention, its reconsideration of 1999’s Opinion 99-413, which dealt with the ethics of using unencrypted email for confidential client communications. Subject to caveats, Opinion 99-413 did create something close to a bright-line rule: it argued that sending confidential client information by unencrypted email was ethically acceptable. The Opinion built its argument in part on the legal standards that had been developed under the federal Electronic Communications Privacy Act of 1986 (the “ECPA”). Under the ECPA, it is illegal to intercept unencrypted email.
While the ECPA hasn’t changed (in this respect), times have. Opinion 477R argues that while communicating with clients using unencrypted email may be acceptable under many circumstances, not all electronic communications are necessarily afforded a reasonable expectation of privacy, even if interception of them would be a violation of the ECPA.
While the Opinion could have replaced the earlier bright-line rule with new prohibitions on risky email behaviors (such as sending emails via unsecured networks), it instead states: “Therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters, applying the Comment [18 to Rule 1.6] factors to determine what effort is reasonable.” Comment 18, which was added as part of the 2012 revisions to the Model Rules, includes a non-exhaustive list of factors lawyers must balance in determining whether the safeguards for protecting client confidential information are reasonable.
In spirit, the factors in Comment 18 are not far removed from the caveats to the general bright-line rule in Opinion 99-413, which required consideration of the sensitivity of the information and the relative security of the contemplated medium of communication. Opinion 477R does not so much move the goalposts as it changes the arguments about whether they’ve been reached. It leaves the lawyer without recourse to the argument that because an interception is illegal, it is reasonable to expect that it will not occur.
Instead of a bright-line rule, then, lawyers are expected to engage in an individualized decision-making process, consider all potential factors, and balance the probability and magnitude of risks against the cost and inconvenience of implementing a safeguard.
Principle #2: The Individual Lawyer Cannot Outsource Her Professional Judgment
The second principle is in part a natural extension of the first. And it will frustrate lawyers who would rather focus on billable hours than on understanding the ins and outs of the latest technology risks. If the reasonableness of a safeguard depends on context – matter, client, technological circumstances, and sensitivity of contents – then individual lawyers must constantly make judgments about how to protect against technology risks. They cannot completely outsource their professional responsibility for making good technology judgments to their IT staff or firm management.
In 2012, the ABA amended the comment to Model Rule 1.1 to require that lawyers “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” The reference to technology was the 2012 addition.
For the ABA, then, understanding the basics of information technology is as fundamental to practice as mastery of core skills such as the analysis of precedent, the evaluation of evidence and legal drafting.
With respect to data security, Opinion 477R lists some of the technologies it regards as basic to competent representation:
[I]ncluding, for example, using secure internet access methods to communicate, access and store client information (such as through secure Wi-Fi, the use of a Virtual Private Network, or another secure internet portal), using unique complex passwords, changed periodically, implementing firewalls and anti-Malware/Anti-Spyware/Antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software.
As security threats and security guidance continue to evolve, this list will undoubtedly grow and change. One item on it is already out of step with current guidance: NIST’s 2017 Digital Identity Guidelines (SP 800-63B) advise against requiring users to change passwords periodically absent evidence of compromise, favoring long, unique passwords and multi-factor authentication instead.
Have most lawyers mastered these core competencies? Jay Edelson, the lawyer who brought the class action suit against Johnson & Bell, suggested that individual lawyers’ habits and judgments remained a weak point for law firms.
In an interview with Bloomberg Law, he said, “Many firms have impressive policies in place, but they are not enforced, so partners often email sensitive information from personal accounts, use public wifi at coffee shops and take other risks.” If Edelson is correct that many lawyers do not currently comply with their own firm’s blanket IT policies, it stands to reason that these lawyers are not likely to make the more complex, context-specific judgments about IT risks that the Opinion envisions.
Is the New Industry Standard Reasonable?
Law schools and associate training programs are not designed to produce data security experts. Yet Opinion 477R requires every lawyer to make context-dependent judgments about technology risk. Is this statement of the ethical requirements fair, or even realistic?
In part, the Opinion acknowledges that lawyers’ needs vary: IT security measures designed for a multinational firm handling matters for sensitive industries will not be necessary for a solo general practitioner. Instead of setting minimum technical standards for lawyers, which might increase costs for smaller firms or non-profit practices that rely on low-cost IT solutions, the Opinion allows lawyers to practice ethically if they make reasoned judgments about their own IT security needs.
That different firms have different IT system needs seems intuitive and reasonable. The major risk for lawyers and their firms is that they will substitute conformity with their peers for an independent analysis of risks – an interpretation of the rules evident in the Johnson & Bell complaint.
The day-to-day judgments that lawyers need to make about data security might be more problematic. These are the judgments that large-firm lawyers cannot easily outsource to their IT departments and that small-firm lawyers might not have the resources to address.
They come in all flavors. An employment lawyer representing an employee in an action against the employee’s employer must advise the client on the dangers of using a work email account. A lawyer copying a client on communications with opposing counsel must consider the technological sophistication of the client and the possibility that the client might inadvertently “reply-all” to the message. And busy lawyers attempting to be responsive to client needs must determine whether an urgent client request is actually a sophisticated phishing scheme.
Some lawyers might argue that by placing the onus on the individual lawyer to make such judgments, the ABA has expanded the role of the lawyer beyond its appropriate boundaries. The grim answer is that lawyers might have no choice, as the realities of their responsibilities force them into the role of digital custodians and gatekeepers. The more hopeful answer is that the skills required to address technological risks are actually not so far removed from those lawyers already possess.
How Can Lawyers Gain Technological Competence?
How can lawyers build the skills needed to comply with the new ethics requirements? An initial step is to understand that judgments about technology actually draw on two separate competencies.
The first is a deep understanding of technology – adequate to identify potential problems and evaluate solutions. Making such situational judgments requires far more than proficiency with Microsoft Office or one’s matter management software. The Opinion requires, for example, that “A lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information.” How many lawyers can currently answer these questions about their firm’s IT systems with confidence?
The second deals with issue spotting – understanding how a situation can give rise to technology risks. For example, if a lawyer is representing a client in an employment dispute or divorce, where the opposing party might have access to the client’s email, the lawyer is required to identify the potential issue and work with the client to address it. Similar issues can arise in more complicated business transactions or multi-party litigation, where various actors differ in both their interests and their levels of technological sophistication.
There are few shortcuts to achieving mastery of the two competencies, but lawyers can accelerate their understanding by building on their legal training and experience. Regarding the first competency, understanding of technology, many training programs fail to take advantage of the similarities between legal work and software or systems engineering; in fact, both require thinking through complex and risky processes methodically and sequentially.
For example, understanding the dangers of using certain mobile apps or connecting to an off-site Wi-Fi network requires tracing the flow of information and password credentials. If presented well, this flow of information should make intuitive sense to a finance lawyer accustomed to tracing and securing the flow of funds upon drawdown of a loan agreement. Similarly, designing a secure network requires planning and thinking not so far removed from drafting a watertight contract or a well-argued brief.
The second competency cuts even closer to the core of lawyers’ traditional strengths. Clients rely on lawyers to spot the risks in fluid and ambiguous situations, and thus there would seem to be room for lawyers to leverage the growing danger of technology risks into a competitive advantage. But the relationship between technology and legal issue spotting is two-sided. On one hand, technology risk is analogous in important ways to other kinds of risks that lawyers already address, and thus presents an opportunity for those who take the time to master its substance. On the other hand, the use of information technology itself forces lawyers to think and act faster than ever to identify and address all sorts of potential risks.
The speed of action that technology enables can increase the likelihood of mistakes, both legal and technological. Here, there is room for technologists to become more sensitive to the way lawyers spot issues and make judgments. The user experience design of software, for example, can either help or hinder lawyers in identifying potential issues in their communications or work products.
As workplace technology continues to become more sophisticated and technological risks more pervasive, lawyers must meet increasingly rigorous standards for both systemic safeguards and individual competence. In place of bright-line rules or clear safe harbors, Opinion 477R provides a reminder that lawyers cannot be complacent. Individual lawyers are responsible for contextual judgments about technology risks and must find ways of adapting their existing competencies and issue spotting skills accordingly.