Lawyers and law firms face the same cybersecurity risks as other businesses, but they have unique duties in dealing with these risks.
In 2016, the Colorado Supreme Court adopted amendments to the Colorado Rules of Professional Conduct relating to technology issues, including cybersecurity risks, based on amendments to the ABA Model Rules.
These are amended Rules 1.1 on competence, 1.6 on confidentiality and 5.3 on supervision of non-lawyers outside the firm.
Comment  to Rule of Professional Conduct 1.1 states that to maintain competence, “a lawyer should keep abreast of changes in the law and its practice, and changes in communications and other relevant technologies…”
Rule 1.6(c) on confidentiality requires that a lawyer “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Inadvertent disclosure of client information involves errors by a lawyer or non-lawyer employee at a firm. Unauthorized disclosure of, or access to, client information, on the other hand, involves third-party cyber attacks. In general, “reasonable measures” is a process, not a product. Comments  and  to Rule 1.6(c) provide additional guidance. Comment  states that factors “to be considered” in determining the reasonableness of a lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
Comment  addresses transmitting communications. It provides that a lawyer must take “reasonable precautions” when transmitting client information, to prevent that information from coming into the hands of unintended recipients. In general, this does not require special security measures if the method of communication affords a reasonable expectation of privacy, but special circumstances “may warrant special precautions.”
Comment  further acknowledges that a client may require the lawyer to implement special security measures not required by the rule or may give informed consent to the use of means of communications that would otherwise be prohibited by this rule. Finally, Comment  recognizes that a lawyer may be required to take additional steps in order to comply with other law, such as state or federal laws that govern data privacy, but that is beyond the scope of the rules.
Rule 5.3 addresses the supervision of non-lawyers outside the firm, given the increased use of third-party vendors for various services. Comment  to Rule 5.3 recognizes this practice but requires a lawyer using such services to make “reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations.”
The extent of these obligations depends on the circumstances. But a lawyer using such services should communicate appropriate directions to the non-lawyer outside the firm to give “reasonable assurance” that the non-lawyer’s conduct is compatible with the lawyer’s professional obligations.
Comment  to Rule 5.3 addresses the situation where the client directs the use of a particular non-lawyer service provider outside the firm.
In 2017, the ABA issued Formal Ethics Opinion 477R on securing the communication of protected client information. Formal Opinion 477R reaffirmed the conclusion in previous ABA Formal Ethics Opinion 99-413 that unencrypted email is generally sufficient.
However, Formal Opinion 477R concludes that lawyers cannot always rely on unencrypted email and may have to take special security measures, given the increased risk and sophistication of cyber threats. After considering the factors under Comment  to Rule 1.6, Formal Opinion 477R offers several considerations “as guidance.”
These considerations include understanding the nature of the threat, using reasonable electronic security measures, determining how electronic communications should be protected, labeling confidential client information, training lawyers and non-lawyer assistants in technology and information security, and conducting due diligence on vendors providing communications technology.
These duties primarily address lawyers’ duty to protect — that is, minimizing the risk of cyber incidents.
In 2018, the ABA issued Formal Ethics Opinion 483 on lawyers’ obligations after an electronic data breach or cyber attack. Formal Opinion 483 addresses lawyers’ duties with regard to current and former clients and standards and best practices regarding breach notification.
—Cecil Morris is a director in the Denver office of Fairfield and Woods