Cybersecurity, data protection, and a lawyer’s duty of competence.

Given some of the looks and comments that I receive when broaching this topic at CLEs, I’m not certain that it’s an appropriate subject for a day typically reserved for “wellness” posts.  However, as I emerge from a summer blogging hiatus fueled by a disinterest in blogging, I’m less worried about sticking to the traditional schedule than I am about finding something – anything – to write about.  And today, “cybersecurity” not only presents itself as a topic, it does so in a manner that reinforces a notion that lies near and dear to this blog’s heart: competence includes tech competence.

To recap, V.R.Pr.C. 1.1 requires a lawyer to provide clients with competent representation. Under the heading “Maintaining Competence,” Comment [8] states:

  • “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.” (emphasis added).

The bolded language refers to “tech competence” and was added in 2018.  At the time, and as reported by LawSites, its addition made Vermont the 32nd state to adopt a duty of technology competence. The italicized language has existed since the rule was first promulgated in 1999.  I emphasized it to make clear that continuing legal education is a critical component of maintaining competence.

Which brings me to today’s point.

As reported by LawSites and the ABA Journal, New York recently became the first state to mandate CLE in cybersecurity and data privacy & protection.  From the LawSites post:

  • “Under the new requirement, all attorneys must complete one hour of training every two years in either the ethical obligations surrounding cybersecurity, privacy and data protection, or in the technological and practice-related aspects of protecting data and client communications. Only two other U.S. states mandate technology training as part of a lawyer’s continuing education requirement, Florida and North Carolina. While those states’ CLE requirements allow for training in a range of technology topics, which can include cybersecurity, New York’s is the first to focus its requirement on these topics.”

New York’s new rule is here. The ABA Journal notes that the rule allows lawyers to count up to 3 hours of cybersecurity CLE towards their required 4 hours of ethics CLE.  The ABA post goes on to state:

  • “The New York State Supreme Court’s Appellate Division adopted the cybersecurity CLE requirement based on a recommendation from the New York State Bar Association’s Committee on Technology and the Legal Profession. The NYSBA approved the committee report in June 2020, according to the bar’s news center.”

This is important. The impetus for the new CLE requirement was not my counterpart in New York.  It was the bar association.  In other words, this isn’t bar counsel crying wolf over competence, tech competence, and the duty to take reasonable precautions to safeguard client data.

Am I saying that a breach is an ethics violation?



Again, a lawyer’s duty is to take reasonable precautions to safeguard client data. As I’ve always recognized, the fact that a lawyer or firm is breached or hacked does not necessarily mean that the precautions in place weren’t reasonable. Indeed, in yesteryear, the fact that a client’s paper documents ended up in unauthorized hands didn’t necessarily mean that the lawyer or firm charged with safeguarding those documents failed to take reasonable precautions.  For instance, it likely wouldn’t have been an ethics violation for a firm to fall victim to enterprising criminals who employed thermite to breach a secure cabinet within a secure room within a secure office within a secure building.[i]

What I’m saying is this.

A lawyer’s professional obligations include providing clients with competent representation.  CLE is a way to maintain competence.  There’s now a jurisdiction that requires 1 hour of CLE in cybersecurity, privacy, and data protection.  That same jurisdiction allows lawyers to count up to 3 hours of cybersecurity CLE toward their required 4 hours of ethics CLE. In sum, no more eye-rolling at CLEs when I discuss cybersecurity and data protection.  The topic clearly goes to the duty of competence.

As always, let’s be careful out there.


[i] I’m obsessed with Better Call Saul.  This week’s series finale has left me thinking of ways to pay homage to the show.  My thermite analogy reminded me not of Better Call Saul, but of its predecessor, Breaking Bad. Specifically, the scenes in the Season 1 finale when Walt uses the innards of an old Etch-A-Sketch to make thermite that he and Jesse use to break into a warehouse to steal methylamine. In fact, the scenes themselves probably subconsciously caused me to use “thermite” in the analogy.

Some basics related to the duties that apply when a lawyer or law firm handles cryptocurrency.

Blogger’s Note:  many thanks to Tom Little for sending me the Ohio advisory opinion that is referenced below and that served as the impetus for this post.


My sense is that not many Vermont lawyers or law firms often handle cryptocurrency.  Doing so is likely to become more common, especially for lawyers and firms whose clients regularly use cryptocurrency to conduct transactions. Thus, it makes sense to highlight the professional responsibility issues most likely to arise.

Caveat: I don’t understand even the basics of cryptocurrency. So, here, I’m not going to try to explain what it is or how it works. Rather, I will limit this post to sharing guidance that others have provided.  Namely, via the following advisory ethics opinions:

The opinions discuss three distinct situations in which a client or third party might ask to transfer cryptocurrency to a lawyer or law firm:

  1. to pay for legal services that have already been rendered.
  2. as an advance against legal services that will be provided in the future.
  3. to hold in escrow pending future use by the client.[i]

For me, the opinions lend themselves to a single overarching takeaway.[ii]

On this blog and at CLEs, I’ve long argued that new things don’t necessarily require us to rewrite the Rules of Professional Conduct. 

  • No matter the mode of communication, the duty is to employ reasonable precautions against unauthorized access to or inadvertent disclosure of client information.
  • Whether using a file cabinet, the storage facility on Town Line Road, or the cloud, the duty is to take reasonable precautions to safeguard client property.
  • Yes, social media has provided new ways for lawyers to get caught. It has not, however, created or caused the underlying misconduct that has always been a violation of the rules, but is more readily apparent when done in a public medium.

That’s why a section of the D.C. opinion resonates with me:

“We do not perceive any basis in the Rules of Professional Conduct for treating cryptocurrency as a uniquely unethical form of payment. Cryptocurrency is, ultimately, simply a relatively new means of transferring economic value, and the Rules are flexible enough to provide for the protection of clients’ interests and property without rejecting advances in technologies.”

In other words, just because something is new doesn’t mean it’s unethical.

Rather, take the “tech” out of it and look to fundamental principles that have long been part of the foundation upon which the Rules were constructed:

  • legal fees must not be unreasonable,
  • client property must be safeguarded,
  • risks associated with the representation must be explained to the client,
  • no matter who pays, a client’s confidences must be protected, and a lawyer’s independent judgment must not be compromised, and,
  • business transactions with a client must be transparent and fair.[iii]

With these principles in mind, I should stop.  If I don’t, my second post in 2 months would go on so long that readers would wish I’d taken a permanent vacation from blogging.

Alas, I’d be remiss not to mention the following points, each of which is made in both the Nebraska and D.C. opinions.

  • Cryptocurrency is not fiat currency. It is property and must be treated as such. 
  • Before a lawyer or firm agrees to accept cryptocurrency as an advance fee, the lawyer or firm better know how to hold it safely.
  • V.R.Pr.C. 1.5 prohibits unreasonable fees. Comment [4] states that while a lawyer may accept property as payment of a fee, “a fee paid in property instead of money may be subject to the requirements of Rule 1.8(a),” the rule that governs business transactions with a client. 
  • Indeed, the D.C. opinion concludes that Rule 1.8(a), which governs business transactions with a client, applies when (a) a client transfers cryptocurrency against which the lawyer will bill for legal services in the future; and (b) a client and lawyer agree to an ongoing relationship in which the lawyer will provide legal services in exchange for X amount of cryptocurrency per month.

Now I’ll stop.  For real.  For more, check out the opinions or give me a call.

As always, let’s be careful out there.

[i] The Nebraska and D.C. opinions focus on the first two, while the Ohio opinion addresses the third. 

[ii] My takeaway is not a substitute for reading the opinions themselves and may not be the same takeaway made by Disciplinary Counsel, a PRB hearing panel, or the Vermont Supreme Court.

[iii] In order, Rule 1.5, Rule 1.15, Rule 1.4, 1.6, and Rule 1.8.