As originally published in Forbes.
The cat-and-mouse relationship between technology and the law requires attorneys to examine how their use of new technologies triggers professional duties and responsibilities. This article will focus on attorneys’ use of wireless networks in particular, which is the focus of the The State of California Standing Committee on Professional Responsibility and Conduct Formal Opinion No. 2010-179 (“California Formal Opinion”). See California Formal Op. 2010-179 (2010). That opinion addresses and is widely considered to be the authority on the question of whether an attorney violates the duties of confidentiality and competence if he or she fails to investigate those technologies and how they might result in the disclosure of client information, among other factors. The California Formal Opinion is also an outstanding resource to help attorneys determine how best to proceed in the face of difficult choices with uncertain answers.
The use of wireless networks to conduct confidential business is now standard practice. Work is often done on unsecured networks using mobile devices such as smart phones and tablets (e.g., Blackberries, iPhones, and iPads). These networks range from those at commercial establishments (e.g., coffee shops bustling with laptops and mobile devices connected to free WiFi) to public spaces such as airports to home networks that often are not password-protected. In 2010, for example, Google famously swept data from thousands of unsecured private networks, an act now known as “wardriving” that many hackers continue to this day. Such networks provide the user little control when it comes to preventing third parties from accessing their mobile devices, client data, and even law firm networks. This is a first order concern.
Mobile devices are not simply gaining popularity among attorneys. Rather, they are “taking over law firms as they become consumerized ubiquitously.” John Jablonski, Why Law Firms Should Lock Down Their Mobile Devices (Law Technology News Oct. 1, 2011). To wit, the ABA’s Law Practice Management Section recently published a highly useful guide to assist attorneys “take a great deal of mystery and confusion out of using your iPad.” Tom Mighell, iPad in One Hour For Lawyers (ABA 2011) (quoting back cover). Simple searches on sites such as West and Lexis Books reveal that such guides are readily available, and with good reason. California’s Formal Opinion recognizes that the “ever-evolving nature of technology and its integration in virtually every aspect of our daily lives” has made the use of mobile devices and wireless networks “indispensible tool[s] in the practice of law.” California Formal Op. at 1
Why is this worrisome? What is it about mobile devices that triggers myriad ethical duties? The high respected journal Security Week recently answered this question succinctly: “Mobiledevices in most circumstances are the antithesis of control. And thus the antithesis of security.” Oliver Rochford, Control: The Scariest Thing About Security Mobile Devices (Security Week Nov. 21, 2011). As important as these issues are to practitioners, they need not be alarmed. California has taken the lead in providing solid guidance. The ABA is looking closely at amending the Model Rules of Professional Conduct to reflect the realities of technology in practice. State Bars are sure to follow.
The California Formal Opinion sets forth six factors that attorneys “must” evaluate before “using a particular technology in the course of representing a client.” California Formal Op. at 1. The Standing Committee’s use of the imperative leaves no doubt as to the serious consideration given this issue. While California’s Formal Opinion does not control in other states, one would be wise to examine its thorough analysis. Moreover, although the Formal Opinion explicitly does not engage in a technology-by-technology analysis, see id., it states:
The Committee’s own research—including conferring with computer security experts—causes it to understand that, without appropriate safeguards (such as firewalls, secure username/password combinations, and encryption), data transmitted wirelessly can be intercepted and read with increasing ease.
DUTIES OF CONFIDENTIALITY AND COMPETENCE
Before turning to the Formal Opinion’s guidance, attorneys should review the two legal duties—confidentiality and competence—that give rise to their obligations when using technology.
The Duty of Confidentiality
Model Rule of Professional Conduct 1.6 defines the confidential nature of information within a client-lawyer relationship. Rule 1.6(a) states: “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent or the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).” Model R. Prof. Conduct 1.6(a). Paragraph (b) provides exceptions to paragraph (a) that are not relevant here. See id. at (b).
From a practical perspective, attorneys must use—and are not prohibited from doing so—forms of communication beyond in-person meetings in order to carry out effectively a client’s representation. These include, at a minimum, U.S. mail or other mail services and the telephone. While one might imagine a country lawyer practicing this way, modern realities find attorneys using electronic mail with confidential attachments, much of which mail is unencrypted and/or sent via cloud-based services such as Google Apps for Business; faxes; and Web-based technologies such as Skype for conference calls and two-way communication. When on the move, mobile devices come into play and are often connected to wireless networks – some are secure; many are not. The key is the manner in which an attorney ensures the confidentiality of client information. This goes directly to the attorney’s duty of competence.
The Duty of Competence
The standards of a lawyer’s duty of competence are set forth in comments 16 and 17 to Model Rule 1.6. Comment 16 states that “[a] lawyer must act competently to safeguard informationrelating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” Id. at cmt. 16. Comment 17 discusses the transmission of communication and the “reasonable precautions to prevent the information from coming into the hands of unintended parties.” Id. at cmt. 17. The ABA’s choice of language in Comment 17 is important. There is a difference between (i) a duty not to prevent inadvertent or unauthorized disclosure and, (ii) an affirmative duty to actually prevent the information “from coming into the hands of unintended parties.” Id. (emphasis added). The latter requires attorneys to see that their own networks are not compromised – and thus establishes a duty to secure their own wireless networks such as those they use at home for work, for example. Finally, Comment 17 sets forth factors to be considered in determining the reasonableness of a lawyer’s expectation of confidentiality in his or her information. These include:
- the sensitivity of the information;
- the extent to which the privacy of communication is protected by law or by a confidentiality agreement;
- client instructions to implement special security measures not otherwise required by Model Rule 1.6; and
- a client’s informed consent to use a means of communication that would otherwise be prohibited by Model Rule 1.6. See id.
Competence must be maintained over time. The ABA provides that a lawyer must thus keep abreast of changes in the law and its practice, including the benefits associated with technology.” ABA Commission on Ethics 20/20 Initial Draft Proposals – Technology and Confidentiality at 5 (May 2, 2011) (emphasis in original). Such guidance is thus clearly not meant to hamstring counsel.
California’s Formal Opinion tracks these factors to a great extent. It is also far more comprehensive than the currrent Model Rules and thus deserves attention.
A Six-Part Test To Examine One’s Duties of Confidentiality and Competence vis-à-vis Technology
It is essential that practitioners pay close attention to the legal and ethical obligations discussed in this article. The good news is that help is already here. The California Bar established a six-part test for attorneys to determine whether they have met their duties of confidentiality and conduct in the context of using technology.
Before setting forth the six-part test, the California Formal Opinion states that as a result of the “ever-evolving nature of technology” and its integration into daily life, “attorneys are faced with an ongoing responsibility of evaluating the level of security and technology that has increasingly become an indispensable tool in the practice of law.” California Formal Op. at 1. It also acknowledges that without appropriate safeguards, data transmitted wirelessly can be intercepted and read with “increased ease, [yet] guidance in this area has not kept pace with technology.” Id.
Factors To Consider With Respect To The Use of Different Technologies, Including Wi-Fi Networks
According to the California Formal Opinion, an attorney should consider the following factors before using technology that presents the possibility of disclosure that would compromise his or her legal duties:
1) His or her ability to assess the level of security afforded by the technology. Let’s consider some important questions to ask.
1.a) How does the particular technology differ from other media? Most lawyers are not technologists, which can make this question difficult for them to answer. It is wise to confer with a firm’s IT staff or for solo practitioners and smaller firms to seek third-party expertise. These consultations should seek to determine how best to secure networks, be it with encrypted routers and/or firewalls, and a simple-but-reliable practice of turning off wireless networks when they are not in use. Law firms should use the strongest available security systems for at least three reasons: (i) to secure confidential client information; (ii) to protect the law firm’s own data; and (iii) to prevent hackers from establishing the law firm’s network as a base from which to enter third-party systems, including to spread viruses or destroy property.
1.b) Can reasonable precautions be taken when using the technology to increase the level of security? Encrypting email may be a reasonable step for an attorney working on a highly sensitive manner, especially in light of the fact that the very nature of digital technologies makes it easier for a third party to intercept a much greater amount of information in a much shorter period of time than would be required if the information were in hard copy. “[I]f an attorney can readily enable encryption when using public wireless connections and has enabled his or her personal firewall, the risks of unauthorized access may be significantly reduced.” Id. at 5.
1.c) Are other parties (e.g., licensors) permitted to monitor the technology? If so, the Formal Opinion advises attorneys to secure in writing, “along with or apart from any written contract for services that might exist,” a written Legal Services Agreement with assurances of confidentiality. Id.
2) The legal ramifications to third parties of intercepting, accessing or exceeding authorized use of another person’s electronic information. Third parties may expect that their privacy will not be invaded by the receipt of confidential information from unsecured networks. Such parties could be subject to criminal charges or civil claims for inadvertently intercepting an attorney’s confidential client information. This is hardly an idle concern when one thinks of data protected by HIPAA or FINRA, for example.
3) How sensitive is the information? The Formal Opinion advises what one might expect: “If the information is of a highly sensitive nature and there is a risk of disclosure when using a particular technology, the attorney should consider alternatives unless the client provides informed consent.” Id. at 6. The role of the client is also addressed below.
4) What impact on the client could a possible inadvertent disclosure of privileged or confidential information or work product have, including a possible waiver of the privileges? The fact that communication does not lose its privileged nature solely because it is communicated electronically is not a compete safeguard. The opinion states: “It is possible that, if a particular technology lacks essential security features, use of such a technology could be deemed to have waived [privilege] protections. Where the attorney-client privilege is at issue, failure to use sufficient precautions may be considered in determining waiver.” Id. (emphasis added).
5) Urgency. The Opinion notes that if the use of technology is necessary to address an imminent situation or exigent circumstances and other alternatives are not reasonably available, it may be reasonable in limited cases for an attorney to do so without taking additional precautions.
6) Client Instructions. If a client instructs an attorney not to use certain technology due to the security concerns expressed in this piece, then such technology should not be used in the course of representing that client. All such instructions should be memorialized formally at the time of informed consent. If this is not possible, a lawyer “may act in reliance of that consent so long as it is confirmed in writing within a reasonable time thereafter.” ABA Ethics Draft Proposals Supp. Report at 2 (announcing likely proposed changes to Model Rules).
Taking Affirmative Steps To Fulfill One’s Duties of Confidentiality and Competence
There is no doubt that the use of technology is changing the scope of lawyers’ ethical duties. Yet the ABA acknowledges that the need for additional resources educate lawyers “is critical given that rule-based guidance and ethics opinions are insufficiently nimble to address the constantly changing nature of technology and the regularly evolving security risks associated with that technology.” Attorneys should take the following minimum steps to maintain their competence and their satisfaction of the duty of confidentiality. First, stay abreast of the changes in the law and its practice, and especially the benefits and risks of specific technologies, as currently required by Model Rule 1.1. Second, take affirmative measure to protect a client’s confidential information from inadvertent disclosure and authorized access. Finally, work closely with IT experts to ensure that your wireless networks are secure, establish protocols for your use of wireless networks, and see that your computer systems are armed with all necessary security measures so that if you must use wireless networks (secure or not), you can do so safely and confidently. Attorneys seeking guidance on these issues may wish to look to the California Formal Opinion as their model.