by Steve Haley
The use of mobile, internet-enabled devices as a means of providing legal services has been increasing dramatically. This is not surprising; it is simply a reflection of the overall increase in digital commerce in all walks of life and business. However, as attorneys, we bear a strict ethical responsibility related to maintaining confidentiality in communications with, and information related to, our clients.
The theme of the Santa Clara County Bar Association in 2013 is to engage in a prolonged discussion surrounding the increasing use of technology in the practice of law. The purpose of this month’s President’s Message is to discuss whether, and to what extent, attorneys are required by the rules of professional conduct to develop technological proficiency in this ever-changing environment for providing legal services.
In August, 2012, the ABA House of Delegates (“HOD”) adopted several revisions to the ABA Model Rules of Professional Conduct (“MRPC”), including both rules and comments, designed to address the impact of technological advances on the manner in which attorneys provided legal services to their clients. Although the MRPC are not binding on California attorneys, they are considered to provide guidance in the absence of on-point California authority or a conflicting state public policy. (City & County of San Francisco v. Cobra Solutions, Inc. (2006) 38 Cal.4th 839, 852.) Among the MRPC rules that were amended were Rules 1.1 and 1.6.
MRPC Rule 1.1, relating to lawyer competence, provides that an attorney shall provide “competent representation to a client.” “Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” The HOD modified Comment 6 to Rule 1.1 to state that, in order to maintain this competence, lawyers should keep up with changes in the law and its practice, “including the benefits and risks associated with relevant technology.”
MRPC Rule 1.6 relates to confidentiality of information. The HOD adopted a new section (c), which requires lawyers to make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 16 to Rule 1.6 describes the meaning of “reasonable efforts”, as follows:
“Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”
Comment 16 also recognizes that clients may also require implementation of special security measures not required by Rule 1.6, or may give informed consent to forgo security measures that the rule would otherwise require. The comment contains a reminder that other laws, such as state and federal laws governing data privacy or breach notification requirements, may also impose other requirements.
The foregoing amendments to the MRPC raise the question of whether and to what extent attorneys are expected to become experts in the use of technology, as part of their duty to be cognizant of the benefits and risks associated with technology.
The California State Bar’s Standing Committee on Professional Responsibility (“COPRAC”) has recently addressed issues related to the extent to which attorneys are expected to be proficient and knowledgeable regarding technology in providing legal services.
COPRAC issued Formal Opinion 2010-179 (“Opinion 10-179”), related to transmitting or storing confidential client information when the technology may be susceptible to unauthorized access by third parties, for example, working and communicating through a wireless connection in a public place, such as a coffee shop. In Formal Opinion 2012-184 (“Opinion 12-184”), COPRAC issued an opinion related to providing legal services through a virtual law office.
Opinion 10-179 set forth a number of factors to be considered in using internet resources in performing legal services for clients. The overall factors to be considered include: (a) the attorney’s ability to assess the level of security afforded by the technology; (b) legal ramifications to a third party for intercepting, accessing or exceeding authorized use of another person’s electronic information; (c) the degree of sensitivity of the information; (d) the impact on the client of an inadvertent disclosure of privileged or confidential information or work product; (d) the urgency of the situation; and (f) whether the client has instructed the attorney not to use certain technology due to confidentiality concerns, or if the attorney is aware that there is a greater than normal risk that others have access to the client’s technological devices.
Regarding the first factor, i.e., the attorney’s ability to assess the level of security afforded by technology, one illustration cited in Opinion 10-179 related to the common practice for attorneys and clients to communicate via unencrypted Internet email. Most attorneys have firewall protection software for their computer servers and for their email communications. The Opinion compared the risk of interception of email communication as being similar to the risk that first class mail may be opened by unauthorized third parties. While there is a risk of interception of such email, such email communication is considered to be an acceptable practice and subject to the protection of the attorney-client confidentiality privilege. Encryption of attorney-client communication via Internet email from the attorney’s office is an option to be considered, but is not required.
Attorneys need to assess whether and to what extent reasonable precautions may required in order to increase the level of security in using the technology involved (i.e., email communication; or using internet resources to access or work on confidential client-related projects), particularly when they are operating outside of the normal protections available at their offices. For example, the use of encryption protocols or matter-specific passwords to protect the confidentiality of attorney-client communication may be more prudent depending on the circumstances, such as communicating by email with a client from a public wireless hot spot. Attorneys should make an effort to be familiar with the use of such precautionary measures when operating in an unsecure environment.
Attorneys should also be cognizant of the extent to which third parties may be entitled to access or monitor the use of the technology involved. If the terms of a license agreement permits the provider to have access to the attorney’s account or use of the technology, the attorney may need to confirm that the terms of the agreement do not permit the third party to disclose confidential client information to others or to use the information for purposes not related to the functionality of the technology; this is particularly so if the client information is highly sensitive.
Opinion 12-184 provided the following general guidance for attorneys regarding the topic of familiarity with technology:
This Committee has recognized that while Attorney is not required to become a technology expert in order to comply with her duty of confidentiality and competence, Attorney does owe her clients a duty to have a basic understanding of the protections afforded by the technology she uses in her practice. If Attorney lacks the necessary competence to assess the security of the technology, she must seek additional information, or consult with someone who possesses the necessary knowledge, such as an information technology consultant. (Rule 3-110(C); Cal. State Bar Formal Opn. No. 2010-179.)
As attorneys increase their use of mobile internet-enabled devices in order to communicate with clients and to provide other legal services, the need to increase the use of precautions necessary to preserve and to ensure confidentiality, and to avoid inadvertent disclosure of a client’s information, becomes more critical. Although attorneys may not be required to be technology experts, they need to recognize the potential threats to client confidentiality, and to take ‘reasonable efforts’ to preserve that confidentiality.