Last week (May 11, 2017), the ABA issued a new ethics opinion, Formal Opinion 477, dealing with the security of communication of protected client information. Several excellent posts have already been written about the opinion, including a summary by the ABA Journal, and an article by Bob Ambrogi on his Law Sites blog, among others.
Opinion 477 is getting a lot of attention, since it updates the ABA's Formal Opinion 99-413, issued in March 1999, on protecting the confidentiality of unencrypted email. That opinion concluded that,
A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint. The same privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to Internet e-mail. A lawyer should consult with the client and follow her instructions, however, as to the mode of transmitting highly sensitive information relating to the client's representation.
But much has changed since 1999; email and other forms of electronic communication have become much more prevalent, and hacking has become a daily occurrence. In addition, since 1999, the ABA has adopted the 2012 "technology amendments" to the Rules of Professional Conduct, including Comments to Rule 1.1 regarding technology competence and to Rule 1.6 regarding the lawyer's obligation to use reasonable measures to prevent inadvertent or unauthorized disclosure of confidential information.
As noted in Opinion 477,
Comment [18] to Model Rule 1.6(c) includes nonexclusive factors to guide lawyers in making a “reasonable efforts” determination. Those factors include:
- the sensitivity of the information,
- the likelihood of disclosure if additional safeguards are not employed,
- the cost of employing additional safeguards,
- the difficulty of implementing the safeguards, and
- the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Opinion 477 still reinforces the "reasonableness under the circumstances" standard to determine what measures a lawyer must take to protect confidential client information, but provides some guidance in the form of seven factors lawyers should consider when determining what level of security is appropriate and what measures are reasonable under the circumstances. I recommend that all lawyers read the complete opinion, but I've listed the seven factors here, along with a list of questions under each factor that lawyers might use to help them decide what security measures should be employed.
1. Understand the Nature of the Threat
- How sensitive is the client's information? Does the matter involve trade secrets or other proprietary information that might be valuable to hackers or competitors?
- Is the client in a highly sensitive industry, such as banking or healthcare?
- Is this a high-profile case or client, which might increase the risk of a cyber-attack or an attempt to intercept the client's data?
The more sensitive the client's data, the more stringent your security measures may need to be in order to be considered "reasonable."
2. Understand How Client Confidential Information is Transmitted and Where it is Stored
- Is client data stored onsite or off (or both)?
- Where are the data servers located?
- What security is in place for servers storing client data?
- How are your electronic communications generated?
- How is client data accessed?
- Who can access client data?
- What devices are used to access client data? How many devices, and how many different types of devices, access client data?
- Are firm employees accessing client data from home? On the road?
- Where is client data being accessed from? How many different potential locations?
Once you know the answers to these questions you can begin to evaluate what security measures should be considered.
3. Understand and Use Reasonable Electronic Security Measures
As Opinion 477 states,
Making reasonable efforts to protect against unauthorized disclosure in client communications thus includes analysis of security measures applied to both disclosure and access to a law firm’s technology system and transmissions.
Lawyers have many different options when it comes to data security, but not all options make sense in all circumstances. Some are more costly or complicated to implement, and may not be necessary in all circumstances. But lawyers must understand what is available in order to evaluate what is reasonable. Options include strong passwords, two-factor authentication, device security, and encryption, as well as the security of the networks over which client electronic data is being accessed or communicated.
- How secure is our network within the office?
- Are firewalls and anti-virus software up to date on all devices within the office?
- How are other networks that are used to transmit client data secured (e.g., are the home Wi-Fi networks used by lawyers secured)?
- Are firewalls and anti-virus software up to date and being used on any networks or devices outside of our office that access our network and client data?
- How are the devices that access our network and client data secured? Are they password protected? Are all devices that access our network and client data locked? Can they be remotely disabled and wiped if lost or stolen?
4. Determine How Electronic Communication About Client Matters Should be Protected
Now that you know how sensitive your client data is, how that data is accessed and communicated, where the potential points of intrusion are, and what security measures are available, you need to determine which available security methods (or combination of methods) is reasonable given the sensitivity of your clients' data.
In addition to asking questions globally for the firm as a whole, you must also consider each client and matter individually and discuss security and protection of data and confidentiality with the client.
- What kinds of communication will be sent in this matter? Will they be routine or highly sensitive?
- Who will we be communicating with in this matter and how will that communication take place?
- How confident are we in (or how much control do we have over) the security measures put in place by those with whom we will be communicating?
- What technology is available to the client (or third party) with whom we will be communicating?
- How tech-savvy is the client (or third party) with whom we will be communicating?
- Who has control over and access to the devices which the client will use to communicate with us electronically, and how will this affect attorney-client privilege?
- What methods of communication are appropriate for this client or matter? Is there especially sensitive information that should not be transmitted by email?
- What other, secure methods are available to communicate with clients and third parties in this matter?
The opinion even suggests that "well vetted and secure third-party cloud-based file storage systems" might be a more secure alternative to email for communicating and exchanging documents with clients.
5. Label Client Confidential Information
The opinion suggests labeling client confidential information to alert others that the information is intended to be privileged. While this may be a good routine practice in some circumstances, and may trigger a lawyer's obligation under Model Rule 4.4(b) to notify another lawyer if they "know or reasonably should know" that the information was intended to be privileged, it is likely not a reliable method of protection.
- Are privileged documents prominently labeled "privileged and confidential?"
- Are appropriate disclaimers used based on the circumstances and the content of the communication?
6. Train Lawyers and Nonlawyer Assistants in Technology and Information Security
Managing partners and supervising lawyers are required to take measures to ensure that the firm and its lawyers comply with the Rules of Professional Conduct, and those who supervise nonlawyers, including outside vendors who have contact with or access to client data, must ensure that those nonlawyers are acting in a manner compatible with the ethical rules. This includes rules regarding security of electronic communications and data.
- Do we have a security policy in place that covers electronic data and communication? Has that policy been provided to all employees?
- How often is this policy updated?
- Have we trained our lawyers and staff on appropriate security measures for storage, access, and communication of client data?
- How recently was this training conducted?
- How often do we provide an update or refresher on this training?
- Are all employees required to participate in this training?
- Are the security measures being implemented?
- How often do we assess the security measures in our firm?
- Who is responsible for ensuring that security policies are implemented and followed?
- Do lawyers and staff understand how to secure devices that access our network or client data?
7. Conduct Due Diligence on Vendors Providing Communication Technology
- What are the qualifications of the vendors we use, including education, experience, and reputation?
- What services is the vendor providing (are they likely to come into contact with sensitive or privileged information)?
- What hiring practices are employed by our vendors (background and security checks, etc.)?
- Do we have confidentiality agreements in place with our vendors? Do the vendors have confidentiality agreements in place with employees and others?
- Do vendors check for conflicts? If so, what methods do they use?
- What legal forums and remedies are available if the vendor agreement is violated?
- Are the members of our firm qualified to assess these issues, or do we need to hire an outside expert?
Getting Client Input
Lawyers are also obligated to communicate with clients about security and confidentiality issues and may need to advise clients about potential risks, particularly those involving highly sensitive or confidential information. A client also has input on the security and communication methods to be used in their matter; a client may provide informed consent for the use of a less secure (but possibly less expensive and/or less onerous and complicated) method of communication or may require the lawyer to use more secure methods.
(For more on client confidentiality, specifically with regard to email communication with clients, see my post on attorney-client confidentiality and email here.)
UPDATE: This article was chosen as the SmallLaw Pick of the Week!
Thank you for sharing this information about email security. Most apps nowadays, like Microsoft Word, Adobe Acrobat, etc., have methods to password-protect your documents before you send them. Writing a letter to your client that includes the sensitive information, protecting the document, and sending the document to the client is a good way to keep information sensitive. Give the client the password through a separate email, text, or phone call (or have it established beforehand).
Posted by: Olivia E. | July 27, 2017 at 02:53 AM
Security of information is very essential. Great work here.
Posted by: lornah | June 30, 2017 at 03:05 AM
Data security: informative post, keep it up.
Posted by: patrick | June 29, 2017 at 03:28 AM