Safeguarding Client Data: Understanding Your Legal and Ethical Duties
Tuesday, April 30, 2019
By David G. Ries
Clark Hill PLC
The headlines continue to be filled with reports of data breaches, sometimes appearing to report the breach of the day. For more than a decade, they have increasingly included reports in the popular and legal press and on security media of successful attacks on attorneys and law firms. Breaches have become so prevalent that there is a new mantra in cybersecurity today – it’s “when, not if” there will be a breach. This is true for attorneys and law firms as well as other businesses and enterprises.
Data breaches and security incidents are a particular concern to attorneys because of their duties of competence in technology and confidentiality. Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients. They also often have contractual and regulatory duties to protect client information and other types of confidential information.
ABA Formal Opinion 477 (May 2017) (discussed below), describes the current threat environment:
At the same time, the term “cybersecurity” has come into existence to encompass the broad range of issues relating to preserving individual privacy from intrusion by nefarious actors throughout the Internet. Cybersecurity recognizes a … world where law enforcement discusses hacking and data loss in terms of “when,” and not “if.” Law firms are targets for two general reasons: (1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.
Security threats to lawyers and law firms continue to be substantial, real, and growing – security incidents and data breaches have occurred and are occurring. It is critical for attorneys and law firms to recognize these threats and address them through comprehensive information security programs. The greatest security threats to attorneys and law firms today are most likely spearphishing, ransomware, business email compromise, and lost and stolen laptops and mobile devices.
I. Duty to Safeguard
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and often have contractual and regulatory duties to protect confidential information.
Ethics Rules. Several ethics rules have particular application to protection of client information, including competence (Model Rule 1.1), communication (Model Rule 1.4), confidentiality of information (Model Rule 1.6), safeguarding property (Model Rule 1.15), and supervision (Model Rules 5.1, 5.2 and 5.3).
Model Rule 1.1: Competence covers the general duty of competence. It provides that “A lawyer shall provide competent representation to a client.” This “requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” It includes competence in selecting and using technology, including cybersecurity. It requires attorneys who lack the necessary technical competence for security to learn it or to consult with qualified people who have the requisite expertise.
The ABA Commission on Ethics 20/20 conducted a review of the Model Rules and the U.S. system of lawyer regulation in the context of advances in technology and global legal practice developments. One of its core areas of focus was technology and confidentiality. Its recommendations in this area were adopted by the ABA at its Annual Meeting in August of 2012.
The 2012 amendments include addition of the following underlined language to the Comment to Model Rule 1.1:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…
As of March 2019, 36 states have adopted this addition to the comment to Model Rule 1.1, some with variations from the ABA language. Montana has included this language in the Preamble to its Rules of Professional Conduct.
Model Rule 1.4: Communications also applies to attorneys’ use of technology. It requires appropriate communications with clients “about the means by which the client's objectives are to be accomplished,” including the use of technology. It requires keeping the client informed and, depending on the circumstances, may require obtaining “informed consent.” It requires notice to a client of a compromise of confidential information relating to the client.
Model Rule 1.6: Confidentiality of Information generally defines the duty of confidentiality. It begins as follows:
A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b)…
Rule 1.6 broadly requires protection of “information relating to the representation of a client;” it is not limited to confidential communications and privileged information. Disclosure of covered information generally requires express or implied client consent (in the absence of special circumstances like misconduct by the client).
The 2012 amendments added the following new subsection (underlined) to Model Rule 1.6:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
This requirement covers two areas – inadvertent disclosure and unauthorized access. Inadvertent disclosure includes threats like leaving a briefcase, laptop, or smartphone in a taxi or restaurant, sending a confidential email to the wrong recipient, producing privileged documents or data in litigation, or exposing confidential metadata. Unauthorized access includes threats like hackers, criminals, malware, and insider threats.
The 2012 amendments also include additions to Comment  to Rule 1.6, providing that “reasonable efforts” require a risk-based analysis, considering the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed and consideration of available safeguards. The analysis includes the cost of employing additional safeguards, the difficulty of implementing them, and the extent to which they would adversely affect the lawyer’s ability to use the technology. The amendment also provides that a client may require the lawyer to implement special security measures not required by the rule or may give informed consent to forgo security measures that would otherwise be required by the rule.
Montana has adopted the amendment to the rule, but not the amended comment.
Significantly, the Ethics 20/20 Commission noted that these revisions to Model Rules 1.1 and 1.6 make explicit what was already required rather than adding new requirements.
Model Rule 1.15: Safeguarding Property requires attorneys to segregate and protect money and property of clients and third parties that is held by attorneys. Some ethics opinions and articles have applied it to electronic data held by attorneys.
Model Rule 5.1: Responsibilities of Partners, Managers, and Supervisory Lawyers and Model Rule 5.2: Responsibilities of a Subordinate Lawyer include the duties of competence and confidentiality. Model Rule 5.3: Responsibilities Regarding Nonlawyer Assistants was amended in 2012 to expand its scope. “Assistants” was expanded to “Assistance,” extending its coverage to all levels of staff and outsourced services ranging from copying services to outsourced legal services. This requires attorneys to employ reasonable safeguards, like due diligence, contractual requirements, supervision, and monitoring, to ensure that nonlawyers, both inside and outside a law firm, provide services in compliance with an attorney’s ethical duties, including confidentiality.
Ethics Opinions. A number of state ethics opinions, for over a decade, have addressed professional responsibility issues related to security in attorneys’ use of various technologies. Consistent with the Ethics 20/20 amendments, they generally require competent and reasonable safeguards.
Most recently, the ABA issued Formal Opinion 483, “Lawyers’ Obligations After an Electronic Data Breach or Cyberattack” (October 17, 2018). The opinion reviews lawyers’ duties of competence, confidentiality and supervision in safeguarding confidential data and in responding to data breaches. It discusses the obligations to monitor for a data breach, stopping a breach and restoring systems, and determining what occurred. It finds that Model Rule 1.15: Safeguarding Property applies to electronic client files as well as paper client files and requires the care required of a professional fiduciary.
The opinion concludes:
Even lawyers who, (i) under Model Rule 1.6(c), make “reasonable efforts to prevent the unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client,” (ii) under Model Rule 1.1, stay abreast of changes in technology, and (iii) under Model Rules 5.1 and 5.3, properly supervise other lawyers and third-party electronic-information storage vendors, may suffer a data breach. When they do, they have a duty to notify clients of the data breach under Model Rule 1.4 in sufficient detail to keep clients “reasonably informed” and with an explanation “to the extent necessary to permit the client to make informed decisions regarding the representation.”
The key professional responsibility requirements from these various opinions on attorneys’ use of technology are competent and reasonable measures to safeguard client data, including an understanding of limitations in attorneys’ knowledge, obtaining appropriate assistance, continuing security awareness, appropriate supervision, and ongoing review as technology, threats, and available safeguards evolve. They also require obtaining clients’ informed consent, in some circumstances, and notifying clients of a breach or compromise. It is important for attorneys to consult the rules, comments, and ethics opinions in the relevant jurisdiction(s).
Electronic Communications. Email and electronic communications have become everyday communication forms for attorneys and other professionals. They are fast, convenient, and inexpensive, but also present serious risks to confidentiality. It is important for attorneys to understand and address these risks.
The Ethics 2000 revisions to the Model Rules, over 15 years ago, added Comment  (now ) to Model Rule 1.6. For electronic communications, it requires “reasonable precautions to prevent the information from coming into the hands of unintended recipients.” It provides:
…This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement…
Some attorneys overlooked the language “special circumstances” and concluded that they did not need to use “special precautions,” like encryption.
On May 11, 2017, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477, “Securing Communication of Protected Client Information.” The Opinion revisits attorneys’ duty to use encryption and other safeguards to protect email and electronic communications in light of evolving threats, developing technology, and available safeguards. It expresses a stronger view that encryption is sometimes required and suggests a fact-based analysis. It concludes “the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication,” but “particularly strong protective measures, like encryption, are warranted in some circumstances.”
The conclusion to Opinion 477 provides:
A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
The Opinion provides general guidance and leaves details of their application to attorneys and law firms, based on a fact-based analysis on a case-by-case basis.
In addition to complying with any applicable ethics and legal requirements, the most prudent approach to the ethical duty of protecting electronic communications is to have an express understanding with clients (preferably in an engagement letter or other writing) about the nature of communications that will be (and will not be) sent electronically and whether or not encryption and other security measures will be utilized. It has now reached the point where all attorneys should have encryption available for use in appropriate circumstances.
Common Law and Contractual Duties. Along with the ethical duties, there are parallel common law duties defined by case law in the various states. The Restatement (3rd) of the Law Governing Lawyers (2000) summarizes this area of the law, including Section 16(2) on competence and diligence, Section 16(3) on complying with obligations concerning client’s confidences, and Chapter 5, “Confidential Client Information.” Breach of these duties can result in a malpractice action.
There are also increasing instances when lawyers have contractual duties to protect client data, particularly for clients in regulated industries, such as health care and financial services that have regulatory requirements to protect privacy and security.
For example, the Association of Corporate Counsel has adopted Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information that companies can use for security requirements for outside counsel.
Regulatory Duties. Attorneys and law firms that have specified personal information about their employees, clients, clients’ employees or customers, opposing parties and their employees, or even witnesses may also be covered by federal and state laws that variously require reasonable safeguards for covered information and notice in the event of a data breach.
II. Complying with the Duties
Understanding all the applicable duties is the first step, before moving to the challenges of compliance by designing, implementing and maintaining an appropriate risk-based information security program. It should address people, policies and procedures, and technology and be appropriately scaled to the size of the practice and the sensitivity of the information.
Information Security Overview.
Information security is a process to protect the confidentiality, integrity, and availability of information. Comprehensive security must address people, policies and procedures, and technology. While technology is a critical component of effective security, the other aspects must also be addressed. The best technical security is likely to fail without adequate attention to people and policies and procedures. Many attorneys incorrectly think that security is just for the Information Technology department or consultants. While IT has a critical role, everyone, including management, all attorneys, and all support personnel, must be involved for effective security.
An equally important concept is that security requires training and ongoing attention. It must go beyond a one-time “set it and forget it” approach. A critical component of a law firm security program is constant vigilance and security awareness by all users of technology.
Information security is best viewed as a part of the information governance process. Information governance manages documents and data from creation to final disposition – including security and privacy.
At the ABA Annual Meeting in August 2014, the ABA adopted a resolution on cybersecurity that is consistent with this general approach:
RESOLVED, That the American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization and the data and systems to be protected.
This resolution recommends an appropriate cybersecurity program for all private and public sector organizations, which includes law firms.
The first step for a security program is assigning responsibility for security. This includes defining who is in charge of security and defining everyone’s role, including management, attorneys and support personnel.
Security starts with an inventory of information assets to determine what needs to be protected and then a risk assessment to identify anticipated threats to the information assets. The next step is development, implementation, and maintenance of a comprehensive information security program to employ reasonable physical, administrative, and technical safeguards to protect against identified risks. This is generally the most difficult part of the process. It must address people, policies and procedures, and technology and include assignment of responsibility for security, policies and procedures, controls, training, ongoing security awareness, monitoring for compliance, and periodic review and updating.
An information security program should cover the core security functions: identify, protect, detect, respond and recover. While detection, response, and recovery have always been important parts of security, they have too often taken a back seat to protection. The requirement for lawyers is reasonable security, not absolute security. Recognizing this concept, the Ethics 20/20 amendments to the Comment to Model Rule 1.6 include “…[t]he unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”
Security involves thorough analysis and often requires balancing and trade-offs to determine what risks and safeguards are reasonable under the circumstances. There is frequently a trade-off between security and usability. Strong security often makes technology very difficult to use, while easy-to-use technology is frequently insecure. The challenge is striking the correct balance among all of these often-competing factors.
The Ethics 20/20 amendments to Comment 18 to Rule 1.6 provide some high-level guidance. As discussed above, the following factors are applied for determining reasonable and competent safeguards:
Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
This is a risk-based approach that is now standard in information security.
A comprehensive security program should be based on a standard or framework. Examples include the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (April 2018); more comprehensive NIST standards such as NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations (April 2013) and the standards it references (a comprehensive catalog of controls and a process for selecting and implementing them through risk management, designed for government agencies and large organizations); and the International Organization for Standardization (ISO) ISO/IEC 27000 family of standards (consensus international standards for comprehensive Information Security Management Systems (ISMS) and their elements).
These standards can be a challenge for small and mid-size firms. In October 2018, the Federal Trade Commission launched a new website, Cybersecurity for Small Business, which includes links to a number of security resources that are tailored to small businesses. It is a joint project of the FTC, NIST, the U.S. Small Business Administration, and the U.S. Department of Homeland Security. NIST’s Small Business Information Security: The Fundamentals, NISTIR 7621, Revision 1 (November 2016) provides NIST’s recommendations for small businesses based on the Framework. In March of 2019, NIST launched its Small Business Cybersecurity Corner website.
A comprehensive information security program should include:
- Assignment of responsibility for security,
- An inventory of information assets and data,
- A risk assessment,
- Appropriate administrative, technical and physical safeguards to address identified risks,
- Managing new hires, current employees and departing employees,
- An incident response plan,
- A backup and disaster recovery program,
- Managing third-party security risks, and
- Periodic review and updating.
Attorneys and law firms will often need assistance in developing, implementing, and maintaining information security programs because they do not have the requisite knowledge and experience. For those who need assistance, it is important to find an IT consultant with knowledge and experience in security or a qualified security consultant. Qualified consultants can provide valuable assistance in this process. An increasing number of law firms are using service providers for assistance with developing and implementing security programs, for third-party review of security, and for services like security scans and penetration testing to identify vulnerabilities. A growing trend is to outsource part of the security function by using a managed security service provider for functions such as remote administration of security devices like firewalls, remote updating of security software, and 24/7/365 remote monitoring of network security.
Cyber Insurance. Law firms are increasingly obtaining cyber insurance to transfer some of the risks to confidentiality, integrity, and availability of data in their computers and information systems. This emerging form of insurance can cover gaps in more traditional forms of insurance, covering areas like restoration of data, incident response costs, and liability for data breaches. Because cyber insurance is an emerging area of coverage and policies differ, it is critical to understand what is and is not covered by policies and how they fit with other insurance. The ABA Center for Professional Responsibility has published Protecting Against Cyber Threats: A Lawyer’s Guide to Choosing a Cyber-Liability Insurance Policy that provides guidance in this area.
Attorneys have ethical and common law duties to take competent and reasonable measures to safeguard information relating to clients and often have contractual and regulatory duties. These duties provide minimum standards with which attorneys are required to comply. Attorneys should aim for even stronger safeguards as a matter of sound professional practice and client service. The safeguards should be included in a risk-based, comprehensive security program. Attorneys and law firms should promptly implement plans, appropriately scaled to the size of the practice and sensitivity of the data, if they don’t already have one. Those with plans should periodically review and update their plans.
IV. Additional Information
Note: The American Bar Association website is going through a major revamping. Some of the links below and in the endnotes may change.
American Bar Association, Cybersecurity Resources, www.americanbar.org/groups/leadership/office_of_the_president-old/cybersecurity/resources.html, provides links to cybersecurity materials and publications by various ABA sections, divisions and committees
American Bar Association, Cybersecurity Legal Task Force www.americanbar.org/groups/leadership/office_of_the_president/cybersecurity.html
American Bar Association, Law Practice Division, www.lawpractice.org, including the Legal Technology Resource Center
American Bar Association, Section of Litigation, Privacy and Data Security Committee,
ILTA (International Legal Technology Association) LegalSEC, http://connect.iltanet.org/resources/legalsec?ssopc=1, provides the legal community with guidelines for risk-based information security programs, including publications, the LegalSEC security initiative, peer group discussions, webinars, an annual LegalSEC Summit conference and other live programs; some materials are publicly available while others are available only to members
Sharon D. Nelson, David G. Ries and John W. Simek, “Encryption Made Simple for Lawyers” (American Bar Association 2015)
Sharon D. Nelson, David G. Ries and John W. Simek, “Locked Down: Practical Information Security for Lawyers, Second Edition” (American Bar Association 2016)
Jill D. Rhodes and Robert S. Litt, “The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals, Second Edition” (American Bar Association 2017)
David G. Ries is of counsel in the Pittsburgh office of Clark Hill PLC, where he practices in the areas of environmental, technology, and data protection law and litigation. For over 20 years, he has increasingly focused on cybersecurity, privacy, and information governance. He has used computers in his practice since the early 1980s and since then has strongly encouraged attorneys to embrace technology – in appropriate and secure ways. He frequently speaks and writes nationally on legal ethics, technology, and technology law topics.
ABA Model Rules of Professional Conduct (2019) (Model Rules).
Eileen R. Garczynski, “Protecting Against Cyber Threats: A Lawyer’s Guide to Choosing a Cyber-Liability Insurance Policy” (American Bar Association 2016) and Eileen R. Garczynski, “Protecting Firm Assets with Cyber Liability Insurance,” Business Law Today (September 2016), www.americanbar.org/publications/blt/2016/09/05_garczynski.html.