Encryption & The Evolving Duty to Safeguard Client Information

In December 2015, I posted To Encrypt or not to Encrypt?   

The post began with an analysis of how Rules 1.1 and 1.6 work together to impose a duty to act competently to safeguard client information, including information that is stored and transmitted by electronic means.

From there, I walked readers through a series of advisory ethics opinions.  Over time, the opinions moved from concluding that the duty to act competently to safeguard client information did not include a duty to encrypt to concluding that it might.

I stated that, at the very least, lawyers had a duty to warn clients about the risks associated with unencrypted electronic communications.  Then, I wrote:

  • “My sense is that we will soon reach, if we haven’t already reached, a day upon which it will not be considered reasonable to transmit client information via unencrypted email.  Encryption is not as difficult or expensive as it used to be and more secure alternatives are readily available.”

Last week, that day drew closer.

On May 11, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 477: Securing Communication of Protected Client Information. The opinion analyzes the duties imposed by Rules 1.1 and 1.6.  It reviews a series of advisory ethics opinions and discusses the trend towards requiring lawyers to encrypt electronic client communications.

Opinion 477 concludes that lawyers must make reasonable efforts to safeguard client information.  It states that “[w]hat constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors.”  That is, lawyers must employ a “fact-based analysis” when transmitting & storing client information.  Factors in the analysis include:

  • the sensitivity of the information,
  • the likelihood of disclosure if special safeguards are not used,
  • the cost of using special safeguards, and
  • the difficulty of using special safeguards.

With respect to these factors, the opinion concludes that “lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters . . . to determine what effort is reasonable.”

The opinion makes clear that lawyers must remain cognizant that the analysis will change as technology evolves. In other words, what’s reasonable today might not be reasonable in 2020.

More importantly, what was unreasonable in 1997 might be reasonable today.  For example, as the opinion notes, “a fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances.”

The opinion suggests that the duty to safeguard client communications likely requires lawyers to:

  • Understand the nature of the threat,
  • Understand how information is transmitted & where it is stored,
  • Understand & use reasonable electronic security measures,
  • Determine how electronic communications should be protected,
  • Label communications as “privileged & confidential,”
  • Train partners, associates, and nonlawyer assistants in information security, and
  • Exercise due diligence when choosing a vendor.

For more on each, see pages 5-9 of Formal Opinion 477.

In my view, the opinion sends a strong signal that the failure to use basic and widely available tools violates the duties imposed by Rules 1.1 and 1.6.  Those tools include:

  • Within an office, using adequate login passwords
  • Changing those passwords on a regular basis
  • Password protecting email attachments
  • Using secure WiFi (as in, not the coffee shop’s WiFi)
  • Installing & updating firewalls, anti-malware, anti-spyware, and anti-virus software
  • Using client portals instead of email
  • Using established & secure cloud-based file storage vendors to send, exchange, and view documents
  • Remembering that client information is on, or has been accessed from, multiple devices: cell phones, tablets, remote log-ins

If you take anything away from this, as usual, let it be my refrain that “competence includes tech competence.”  For, if you find yourself in times of trouble, it will not be acceptable to respond “but that tech stuff is too complicated!”

It isn’t.

As technology evolves, so evolves the standard of “reasonable efforts to safeguard client information.”

Have you evolved?

Tech Competence: It includes more than you might think.

Last week I stepped off my e-soapbox and blogged that Tech Competence Isn’t Everything: Soft Skills Matter.

Today I’m e-jumping back onto the e-soapbox.  (Sadly, my e-vertical is infinitely higher than my real vertical was in my playing days.)

Tech encompasses things less techy than you think.

The Legal Rebels section of the ABA Journal has a very interesting new post from Ivy Grey.  It’s here:  Not competent in basic tech? You could be overbilling your clients – and be on shaky ground.

I recommend reading the entire post.  But, here are 3 sections that caught my eye.

  • “Data security and e-discovery may get attention in the press, but lawyers should not neglect learning about the mundane tools that they use every day. Document preparation, drafting, and polishing consumes a significant amount of every lawyer’s time regardless of practice area. And MS Word is more sophisticated with greater capabilities for meeting our complex needs than you might otherwise think. It is an area ripe for learning. Ignoring that touches on bigger issues like unearned fees.”
  • “Technology competence is broad. However, its definition must include the tools that lawyers use to practice law, such as case management software, document management software, billing software, email, a PDF system with redacting capabilities, and the MS Office Suite, particularly MS Word. Any lawyer who does not develop basic skills in these six types of programs will risk ethical rebuke”
  • “By remaining technologically incompetent, lawyers are knowingly wasting clients’ time and money due to lack of computer skills. That is unacceptable. It is time to recognize that inefficient use of technology, such as MS Word, could mean overbilling a client. When lawyers choose not to learn technology because the old way of doing things leads to more billable hours, they are not serving their clients fairly.”

Here’s my takeaway.

Rule 1.1 mandates competence.  Rule 1.5 prohibits unreasonable fees.  At some point, an inability to use the most basic tech tools causes an attorney to spend an unreasonable amount of time on a task.  Billing for that time might violate Rule 1.5.

Food for thought.

Social Media Sanction! Except, Not Really

Regulators, practicing attorneys, and those who opine on legal ethics seem to wait with bated breath for any sort of disciplinary sanction involving a lawyer’s use or misuse of social media.

In my view, the collective anticipation causes an anxiety that leads lawyers to distrust, if not avoid, social media.  That’s too bad.  Lawyers who distrust & avoid social media tend not to develop the level of tech competence required in today’s practice.

Here’s a test: you’re having coffee, procrastinating about getting the work day started. You have time to read ONE article.  You see these two links:

  1. Lawyer who advised client to ‘relax’ in response to Facebook inquiries gets suspension.
  2. Nebraska lawyer suspended for failing to properly communicate with client.

Which do you choose? Everyone who chose #1, raise your hand.

As I expected, lots of hands.

The links are to the exact same story.  #1 ran in the ABA Journal, #2 in the Omaha World-Herald. To borrow a phrase, social media sells.  Are you telling me that my choice is “lawyer suspended for using Facebook!” or “lawyer fails to communicate with client?” Ha! I’ll take social media 11 times out of 10!

Here’s another test for my lawyer readers: raise your hand if, even without reading the story, you thought “See, I knew Facebook could get me in trouble.”

Again, lots of hands.

Now, read the opinion from the Nebraska Supreme Court.  In reality, the lawyer’s violation had very little to do with Facebook.  The lawyer’s responses to his client likely would’ve violated Nebraska’s rules whether transmitted via Messenger, e-mail, phone call, or U.S. Mail.

In other words, a failure to communicate is a failure to communicate regardless of the medium.  The lawyer who fails to engage in a reasonable level of communication via Messenger in 2017 is as guilty of misconduct as the lawyer who, way before Nirvana, failed to engage in a reasonable level of communication in 1985.

This violation had nothing to do with social media.  Don’t fear social media.

P.S.: talk about burying the lede.  The lawyer intentionally sued the wrong defendant in order to access deep pockets!!  To me, that’s a bit more disturbing than a garden-variety failure to communicate.

So You Want To Store Client Data in the Cloud….

. . . you should! Odds are it’ll make your law practice more efficient, which will help both you and your clients.

With the June 30 deadline to report CLE compliance, I’m asked to present at a lot of CLEs in May and June.  This year, several folks have asked me to talk about the ethics associated with storing client data in the cloud.

I will do as asked. Reluctantly.

Last November, I posted a blog in which I expressed my hope that I’d done my last seminar on the ethics of storing information in the cloud.  I think it’s time we move beyond “can I use the cloud?” to figuring out whether the cloud works for you & your firm and, if so, which vendor to choose.

Since my hope has not yet been realized, I’m re-posting my post. Two words to remember: “Reasonable Precautions.”

****

The Cloud:  What are Reasonable Precautions?

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud.  I started by saying that I hoped it was my final seminar on the topic.  I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent.  See, Rule 1.6.  A lawyer also has a duty to keep client property safe.  See, Rule 1.15.

I view the cloud as the latest in a long line of different places to store information.  In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16].  When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.  Rule 1.6, Comment [17].

So, think about cloud storage like this:  client information is electronically transmitted to a place where it will be kept.  Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06.  Here’s the digest of the opinion:

  • “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)

The question I hear most often is this:  “what are reasonable precautions?”  In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

  • who do you let into this facility?
  • do you require a passcode or badge for the gate?
  • are there locks on the individual units?
  • who besides me has a key or knows the combination?
  • can I get into my unit whenever I want to?
  • what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion.  The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi.  He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

  • Is it a solid company with a good reputation and record?
  • Can you get access to your data whenever you want, without restrictions?
  • If your service is terminated – by you or by the company – can you retrieve your data?
  • Does it allow use of advanced password protocols and two-step verification?
  • What are its internal policies regarding employee and third-party access to your data?
  • Is your data encrypted both while in transit and while at rest on the company’s servers?
  • How is your data backed up?
  • What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

  • You:   Will my data be encrypted in transmission and at rest?
  • Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
  • You:  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions.  This entry includes links that will help you determine what “reasonable precautions” are.  Don’t fear the cloud, but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.