Follow Us

Law.com Subscribers SAVE 30%

Call 855-808-4530 or email GroupSales@alm.com to receive your discount on a new subscription.

Commercial Law Regulations Technology Media and Telecom

CYBER-ETHICS: Technological Competence Obligations and the Interplay of the ABA Model Rules and Attorney Cybersecurity

The ABA has long published its Model Rules of Professional Conduct and modifies them from time-to-time to stay current with legal and technological developments and advances. While these Model Rules are not officially binding on attorneys, they have been adopted in large part by nearly every stateand provide a guideline for attorneys across the country regarding standards of professional responsibility and ethical conduct.

Print
X

Thank you for sharing!

Your article was successfully shared with the contacts you provided.

The American Bar Association (ABA) has long published its Model Rules of Professional Conduct and modifies them from time-to-time to stay current with legal and technological developments and advances. While these Model Rules are not officially binding on attorneys, they have been adopted in large part by nearly every state (with the exception of California), and provide a guideline for attorneys across the country regarding standards of professional responsibility and ethical conduct. In 2012, the ABA implemented several changes to certain of the Model Rules, and the Comments thereto, related to technology and an attorney’s professional responsibilities, and to date approximately 20 states have adopted those modifications.

Rule 1.1 requires technological competence by attorneys.

The current Model Rule 1.1 on competence provides that:

A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

Comment 8 to Rule 1.1 provides further explanation as to what is required to achieve the necessary level of competence:

To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. (Emphasis added.)

Under this standard, it is no longer acceptable for attorneys to plead ignorance or complete inability regarding use of current technology and understanding of the risks associated with that technology.

What Technology Is Implicated?

What is the “technology” that lawyers must understand? There are several different categories of information and technology that may be implicated and require a reasonable level of understanding:

What Does Technological Competence Entail?

The actual skills that will be necessary to achieve a reasonable and appropriate level of competence will vary depending on the technology or risks at issue.

If, for example, an attorney is handling litigation that involves the potential for the production or review of ESI (and, these days, nearly every piece of litigation does), that attorney must be competent regarding e-discovery related issues and tasks such as:

Notably, the Federal Rules of Civil Procedure were recently amended to address electronic discovery issues. Specifically, Fed. R. Civ. P. 26(b) was amended to strengthen the “proportionality” concept as to the permissible scope of discovery, allowing parties to engage in discovery “regarding any nonprivileged matter that is relevant to any party’s claim or defense and proportional to the needs of the case.” Rule 26 then sets forth a series of factors that should be considered in determining proportionality issues:

[T]he importance of the issues at stake in the action, the amount in controversy, the parties’ relative access to relevant information, the parties’ resources, the importance of the discovery in resolving the issues, and whether the burden or expense of the proposed discovery outweighs its likely benefit.

F.R.C.P. 26(b).

The failure to properly preserve ESI can be highly prejudicial to the non-compliant party. Fed. R. Civ. P. 37(e) was amended to provide that:

If electronically stored information that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court:

(1) upon finding prejudice to another party from loss of the information, may order measures no greater than necessary to cure the prejudice; or

(2) only upon finding that the party acted with the intent to deprive another party of the information’s use in the litigation may:

(A) presume that the lost information was unfavorable to the party;

(B) instruct the jury that it may or must presume the information was unfavorable to the party; or

(C) dismiss the action or enter a default judgment.

Even a basic review of these Rules makes it clear that attorneys who don’t have technical competence with ESI should not attempt to handle matters involving ESI without assistance from someone who does.

Duty of Confidentiality

Model Rule 1.6 imposes a duty of confidentiality, which includes protection of client information.

ABA Model Rule 1.6(c) was amended in 2012 to mandate that “a lawyer shall make reasonable efforts to prevent ‘ the unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” While the Rule itself does not provide further guidance as to what constitutes “reasonableness,” new Comments 18 and 19 to Rule 1.6 do offer partial definition of reasonable efforts.

Comment 18 provides that:

Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.

Comment 19 also helps to shape “reasonableness” guidelines, adding that:

When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.

Read together, Comments 18 and 19 to Rule 1.6 help to define the reasonable efforts that attorneys must take to protect and safeguard the client information entrusted to them. As with any cybersecurity measures, reasonableness is a key measurement, and the ABA rightly recognizes that factors such as sensitivity of the information and extent to which privacy of the communication is protected by law or agreement are ones that attorneys must consider in determining how they will safeguard client information.

The duty to maintain confidentiality of client information requires basic competence regarding data security.

An attorney’s duty to take reasonable measures to protect client information requires basic competence and understanding regarding data security. In order to take those reasonable measures, attorneys need to know what information they are storing, where it is being stored, and how it is being kept secure.

For example, if law firms are using cloud-based storage systems, they must perform sufficient diligence on their chosen provider regarding the security measures the provider has in place. The same goes for storage of hard-copy paper records stored off-site.

Broadly speaking, no client data, information, or records should be kept by attorneys any longer than necessary. Once the engagement has concluded, attorneys should return whatever records they can to their clients. Any remaining records should only be retained and eventually disposed of in accordance with the firm’s retention policy, taking care to shred paper records and properly erasing electronic records. Proper disposal policies must also be applied to hardware, including smart phones, computers, copiers, and fax machines.

Attorneys should also be cognizant of the risks associated with the transmission of client information. While the Comment 19 to the Model Rule does not require encryption of emails, for example, when attorneys are electronically transmitting especially sensitive information, they may want to consider whether encryption would indeed be a “reasonable” measure to take. Attorneys should also be aware that certain states may require the encryption of electronic transmissions containing files or records with personally identifying information. These issues, and any client preferences or requirements, should be discussed with the client at the outset of any engagement.

How Can Attorneys Achieve Technological Competence?

If the Model Rules require an attorney to possess technological competence and an understanding of the benefits and risks associated with the various technologies, how can the attorney achieve that requisite level of competence?

Like with any other skill or expertise, technological competence can be earned through learning and training. There are innumerable continuing legal education courses, webinars, and conferences providing guidance to attorneys seeking to achieve this competence, starting from a basic introductory level up to very advanced and specialized skills in the field. Comment 2 to Model Rule 1.1 also allows an attorney lacking technological competence to partner up on the matter with someone who has the necessary skill and expertise.

Law firms would also be well-served to have a robust training program in place to teach their attorneys about their cyber-ethics obligations and how to stay compliant with them.


Elizabeth (Lisa) Vandesteeg is a partner at Sugar Felsenthal Grais & Hammer LLP where she focuses her practice on issues related to bankruptcy, business divorce, partner and shareholder disputes, and privacy and data security issues. She can be reached at evandesteeg@sugarfgh.com.

The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.

Read These Next