Lawyers routinely deal in confidential information. Indeed, one mainstay of the profession is attorney-client privilege, meant to foster candid and informative discussions between attorney and client, to help clients understand their rights and obligations and conform their conduct to the law.
The lawyer’s duty to maintain confidentiality generally requires that he or she take reasonable precautions to protect confidential information. In an era of technological change, data explosion, and ever-greater reports of hacking and other data security breaches, however, standards for “reasonable” precautions to protect information may change.
Recently, an American Bar Association commission proposed an amendment that would expand lawyer data protection obligations. The ABA Commission on Ethics 20/20 was established to review the Model Rules of Professional Conduct in the context of rapid technological growth. In its recent report, the Ethics 20/20 Commission focused on the responsibilities of a lawyer to take steps to protect a client’s confidential information when communicating via electronic technology. (See Commission on Ethics 20/20, Report to the House of Delegates, May 7, 2012, www.americanbar.org.)
Previously, the ABA and other state bar ethics bodies had ruled that the use of unencrypted email comports with a lawyer’s duty to maintain client confidentiality. (See ABA Formal Opinion No. 99-413, Protecting the Confidentiality of Unencrypted E-Mail, www.abanet.org.)
The opinions recognized the risk of unauthorized interception and disclosure of client information in the use of email, but concluded that it is not reasonable to “require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination is a violation of law.” The ABA and other opinion writers, however, noted that there are some types of information, and some types of technological configurations, that may require heightened security.
The recent Ethics 20/20 Commission report pushed the data security point to a new level. The report suggested that lawyers must “keep abreast” of changes in technology, “including the benefits and risks” of using specific tools. Further, the report specifically warned against the dangers of “unauthorized access by third parties” (e.g., “hacking”) and the potential need to adopt additional “safeguards” to protect information, depending in part on its “sensitivity.” Finally, the report reminded lawyers that other state and federal laws, such as data breach notification laws and data privacy regulations, may affect the lawyer’s obligations.
The Ethics 20/20 Commission thus confirms that the “pervasive use of technology” has affected every aspect of society, including the legal profession. The Commission has proposed, among other things, creation of a new ABA Website to provide additional guidance regarding the “evolving security risks” associated with new technology.
[NOTE: The author is a partner in the New York City offices of Jones Day. Samuel Goldstein, a summer associate at the firm, assisted in the preparation of this article. The views expressed are solely those of the author, and should not be attributed to the author’s firm or its clients.]
— Steven C. Bennett is a partner in the New York City offices of international law firm Jones Day.