Yesterday was this blog’s 7th birthday. We entered the world with Competence Includes Tech Competence. The theme dominated back then. Indeed, one could reasonably argue that tech competence is to this blog, as rock & roll is to Starship’s city.[1]
The rules related to tech competence have evolved since then. In 2018, we adopted language that makes clear that maintaining competence includes keeping “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”[2] More recently, we amended V.R.Pr.C. 1.6, the confidentiality rule, to include this paragraph:
- (d) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.
The amendment, which takes effect next week, addresses the duty to act competently to safeguard client information, no matter the format in which the information is stored. Here’s the Reporter’s Note:
- “Subdivision (d) is added to reflect that the modern practice of law includes possession of information related to the representation of client in many forms, including information that is stored electronically or digitally. A lawyer is under a duty to act competently to safeguard client information, no matter its format. See V.R.Pr.C. 1.1. Paragraph (d) tracks the ABA Model Rule, clarifies that V.R.Pr.C. 1.6 applies to the electronic transmission and storage of information relating to a representation, and makes explicit that the duty under Rule 1.6 is broader than avoiding affirmative disclosures of information relating to the representation of a client.”
With the new rule, a question that arises is “what are reasonable efforts?” As I indicated here, it’s not my role to issue a formal opinion as to what’s reasonable and what isn’t. My stance finds support in ABA Formal Opinion 477. Among other things, the opinion concludes that “[w]hat constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors.” It goes on to state that “the reasonable efforts standard:
- “. . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement
appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”
That said, it’s undisputed that my role includes providing guidance. To that end, here are two resources.
In September, Jim Knapp and I presented “Tech Competence & Cybersecurity” at the VBA’s Annual Meeting. I began with a short overview of the new rule, then Jim provided a boatload of cyber and tech tips. You can access the material here.
In addition, Catherine Reach is the Director of the North Carolina Bar Association’s Center for Practice Management. Two days ago, Catherine posted “Protecting Portable Devices.” Like Jim’s material, Catherine’s post is chock full o’ helpful tips on securing data.
As always, let’s be careful out there.
[1] Those of you who remember the 80s music scene might question including We Built This City in a post on competence. Your skepticism is warranted. After all, a few years ago, GQ named it “the Worst Song of All Time.” However, I’ll say this: on the rare occasion that I listen to the song, I turn the volume to 11, sing along enthusiastically, and find myself particularly thrilled to belt out (with proper intonation that doesn’t come through in a blog post) “knee deep in the hoopla” and “Marconi plays the Mamba.” So, for giggles, a trip down memory lane is here.
[2] V.R.Pr.C. 1.1, Cmt. [8].