Next week, the Professional Responsibility Board will review several proposed amendments to the Vermont Rules of Professional Conduct, including proposals to change the rules that relate to the duty to act competently to protect client data.
I’ve blogged often on this issue. Nevertheless, it bears re-visiting.
Rule 1.1 requires a lawyer to provide a client with competent representation. I’ve asked the Board to recommend that the Court follow the ABA’s and add the underlined & bolded language to Comment :
-  To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Per Robert Ambrogi’s Law Sites Blog, 28 states have adopted a duty of tech competence.
- “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
I’ve asked the Board to recommend that the Court do the same.
I view Rules 1.1 and 1.6 as creating an affirmative duty to act competently to safeguard client information, including client information that is transmitted or stored electronically.
Now, if the proposals are adopted, will a lawyer need to know how to create an encryption key? Of course not. Just like, right now, a lawyer does not have duty to know how to build a lock, a file cabinet, or a fob that opens & closes a keyless door. But, a lawyer probably has a duty to understand the risks and benefits associated with leaving client files in a box that’s in a shared hallway, as opposed to in a locked file cabinet that’s in a room behind a keyless door to which only 2 firm employees have fobs.
Similarly, will a hack or data breach automatically lead to a disciplinary sanction? No. Again, if a lawyer has taken reasonable precautions to protect client data, whether by encrypting e-mail or exercising due diligence in choosing a cloud vendor, the fact of a breach likely is not a violation.
However, I believe we’re rapidly approaching, if we haven’t passed, the day when it will no longer be considered reasonable not to have encrypted email. Further, if you’re considering a move to the cloud, while you don’t know how to build your own cloud server, the duty of tech competence includes a duty to know what you don’t know.
For example, let’s say you ask a potential cloud vendor whether your clients’ data will be encrypted. The vendor replies “yes, we use a BTTF flux capacitor to encrypt data at rest. For data in transmission, we guarantee it will make the Kessel Run in 12 parsecs or less.”
What’s your response?
Finally, if adopted, my hope is that the new language in Rules 1.1 & 1.6 leads us away from re-evaluating the ethical duty with each technological advance that gives us a new method of transmitting and storing data.
As I’ve written, today’s cloud-based practice management systems are not much different than the businesses that lease storage units on the outskirts of damn near every town. Before storing client information on or at either, a lawyer must review whether each affords reasonable precautions against unauthorized access and disclosure.
No, the question should not be “is this new way of storing information ethical?” Nor should it be “is it okay to use smoke signals to communicate with my client?” Rather, whenever the next big thing comes along, the question should be “does this means of transmitting and storing client information provide reasonable precautions and safeguards against unauthorized access and disclosure.”
For related posts:
- Encryption & The Evolving Duty to Safeguard Client Information
- The Cloud: What are Reasonable Precautions?
- To Encrypt or not to Encrypt? THAT is the question
- Competence Includes Tech Competence