On May 4, 2017, the ABA released Formal Ethics Opinion 477, “Securing Communication of Protected Client Information” (attached at the end of this post). This Opinion updates Formal Ethics Opinion 99-413, issued in 1999, which concluded that lawyers could use unencrypted email to communicate with clients. Those of us who were practicing in 1999 will remember the difficulty the then-still-new phenomenon of ubiquitous email communication created for lawyers’ obligations of confidentiality. The ABA has revisited the question because of new concerns about cybersecurity and client confidentiality.
Opinion 477 does not mandate any specific cybersecurity measures, but instead requires “reasonable efforts” to ensure client confidentiality when using any form of electronic communication, including text messaging, cloud-based document sharing, or other services, in addition to email. The “reasonable efforts” requirement is consistent with Model Rule 1.6(c) concerning inadvertent disclosure of client information. The Opinion adopts the factors set forth in Comment 18 to Model Rule 1.6(c) as guidelines for “reasonable efforts”:
(1) The sensitivity of the information;
(2) The likelihood of disclosure if additional safeguards are not employed;
(3) The cost of employing additional safeguards;
(4) The difficulty of implementing the safeguards; and
(5) The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Opinion 477, lines 108-114.
For “routine communication with clients,” Opinion 477 reaffirms the conclusion of Opinion 99-413 that unencrypted email is generally acceptable, “presuming the lawyer has implemented basic and reasonably available methods of common security measures.” Id., lines 130-136. However, Opinion 477 requires a more extensive, fact-based risk assessment for other kinds of communications.
Steps for Compliance
Basic Technical Measures
There are some technical measures every lawyer should take to secure electronic communications with clients, and that Opinion 477 seems to assume are normally reasonable. These generally are technologies and policies that every law firm already should be using:
- Sound password and access policies;
- Appropriately configured firewalls;
- Use of a VPN for communications outside a secure office network;
- Encryption of data at rest, at least for sensitive client information;
- Secure file sharing portals, at least for sensitive documents;
- Appropriate BYOD policies.
Education and Training
Like any good cybersecurity compliance program, Opinion 477 suggests that lawyers and their support staff must obtain some training about cyber hygiene. Id., lines 149-200. This does not mean lawyers need to obtain expert cybersecurity certification credentials, but it does mean every lawyer must obtain at least a general understanding of how computers and computer networks function, of common types of cybersecurity threats and how to mitigate them, and of the proper use and implementation of the kinds of technologies and policies mentioned above. A firm should be able to document the content and frequency of such training for its personnel.
Inventories and Audits
A key part of a strong cybersecurity program that is often overlooked is to inventory computer networks and systems and to audit compliance policies. A firm should know:
- Its network configuration;
- Exactly which devices are connecting to the network;
- Open ports on the network;
- The volume of traffic flowing over the network.
A number of software tools are available to help automate this inventory and monitoring process and to raise red flags if unusual patterns occur. If the firm is relying on an outside vendor for network support, the vendor should be able to provide this information.
In addition, a firm should maintain centralized cybersecurity compliance and breach response policies, which should regularly be reviewed by attorneys and staff. A law firm’s cybersecurity compliance should include tiered security measures based on specific types of client information regularly handled or with the potential to be handled in the course of the firm’s practice.
Due Diligence on Vendors
The Opinion also requires attorneys to conduct due diligence on vendors that provide communications technology. The auditing checklists here likely are more extensive than the current practices of many law firms. See Opinion 477, lines 267-312. Attorneys should remember that these requirements relate to their ISPs, web hosting companies, cloud storage providers, email providers, outside experts who handle electronic client information, e-discovery providers, and other vendors. It can be helpful to develop standardized checklists and questionnaires for gathering this information.
ABA Opinion 477 makes clear that law firms must follow up-to-date, comprehensive cybersecurity compliance practices. While many firms likely already use some basic security technologies, Opinion 477 makes cybersecurity a high priority for competency in the practice of law.