This week’s ransomware attack against DLA Piper, one of the nation’s largest law firms, provided a harsh reminder of the need for lawyers and law firms to be vigilant about cybersecurity. In DLA Piper’s case, the firm’s security system detected suspicious activity and its IT team acted quickly to isolate the malware, according to a statement, but as of yesterday, the firm was still working to restore full operations.
A ransomware attack against a global law firm is a major intrusion, but it is important to remember that such attacks often begin with a single malicious email and can happen to law firms of any size. Opening a malicious attachment or clicking a malicious link can plant the ransomware virus and allow it to propagate throughout a firm.
Given the vulnerability of email, every lawyer who has not done so already should stop and read the opinion issued last month by the American Bar Association’s Standing Committee on Ethics and Professional Responsibility. It provides guidance on the steps lawyers should take to protect the confidentiality and security of client information in electronic communications.
The opinion, Formal Opinion 477, is significant for a number of reasons, not least of which is that is based in part on the so-called duty of technology competence, which we last wrote about in the context of a California ethics opinion concerning competence in e-discovery technology. The focus of this new opinion is confidentiality, not cybersecurity in a broader sense, but it underscores the duty of lawyers to understand the technologies they use so that they may use them in a way that reasonably protects their clients’ confidences.
Formal Opinion 477 is an update to a 1999 ABA opinion, Formal Opinion 99-413. The update was needed, the commission said, both because of changes in the digital landscape and because of the 2012 changes to the ABA’s Model Rules of Professional Conduct, particularly the addition of the duty of technology competence in Model Rule 1.1 and changes to Rule 1.6 regarding client confidences.
The most notable aspect of this opinion is its variance from the 1999 opinion on whether and when lawyers should encrypt their email. In the 1999 opinion, the committee said that it was OK for lawyers to send email without encryption because they have a reasonable expectation of privacy in all forms of email communications.
In contrast, this new opinion says that some circumstances warrant lawyers using “particularly strong protective measures” such as encryption. The opinion declines to spell out exactly when encryption is required or to delineate what other security measures lawyers should take. Instead, the opinion says that lawyers should perform a “fact-based analysis” in which they evaluate such factors as:
- The sensitivity of the information.
- The likelihood of disclosure if additional safeguards are not employed.
- The cost of employing additional safeguards.
- The difficulty of implementing the safeguards.
- The extent to which the safeguards adversely affect the lawyer’s ability to represent
In some cases that will require encryption, while for matters of “normal or low sensitivity,” standard security measures will suffice, the opinion says.
In the technological landscape of Opinion 99-413, and due to the reasonable expectations of privacy available to email communications at the time, unencrypted email posed no greater risk of interception or disclosure than other non-electronic forms of communication. This basic premise remains true today for routine communication with clients, presuming the lawyer has implemented basic and reasonably available methods of common electronic security measures. Thus, the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication.
However, cyber-threats and the proliferation of electronic communications devices have changed the landscape and it is not always reasonable to rely on the use of unencrypted email. For example, electronic communication through certain mobile applications or on message boards or via unsecured networks may lack the basic expectation of privacy afforded to email communications. Therefore, lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters, applying the [above] factors to determine what effort is reasonable.
As the quotation above says, the opinion urges lawyers to perform a case-by-case analysis of the steps they should take to protect client communications. The opinion lists seven considerations that should guide lawyers in performing this analysis:
- Understand the nature of the threat. This includes consideration of the sensitivity of a client’s information and whether the matter is a higher risk for cyber intrusion. “Client matters involving proprietary information in highly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft.”
- Understand how confidential information is transmitted and where It Is stored. Lawyers should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information, so that they can better manage the risk of inadvertent or unauthorized disclosure of client information.
- Understand and use reasonable electronic security measures. Because access to client communications can occur in different forms, ranging from direct intrusion into a law firm’s systems to theft or interception of information during the transmission process, a lawyer’s reasonable efforts include analysis of security measures applied to both disclosure and access to a law firm’s technology system and transmissions. Further, a lawyer should understand and use electronic security measures such as VPNs or other secure internet portals, use unique complex passwords that are changed periodically, implement firewalls, use anti-malware/anti-spyware/anti-virus software, and apply all necessary security patches.
- Determine how to protect electronic communications about client matters. The opinion urges that, at the beginning of the client-lawyer relationship, the lawyer and client should discuss what levels of security will be necessary for communications. For sensitive communications, a lawyer should use encryption and should consider the use of password protection for any attachments. “Alternatively, lawyers can consider the use of a well vetted and secure third-party cloud based file storage system to exchange documents normally attached to emails.” The opinion further notes that a client’s lack of technological sophistication or lack of available technology “may require alternative non-electronic forms of communication altogether.” Finally, the opinion notes that extra caution is required when a client uses computers subject to the access or control of a third party (such as a work computer).
- Label client confidential information. Lawyers should mark privileged and confidential client communications as such in order to alert anyone to whom the communication was inadvertently disclosed that the communication is intended to be privileged and confidential. This can consist of something as simple as appending a message or “disclaimer” to client emails, the opinion says.
- Train lawyers and staff in technology and information security. Lawyers are ethically obligated to supervise their employees and subordinates to ensure compliance with ethical rules, and that obligation extends to electronic communications, the opinion says. For this reason, lawyers must establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients, as well as on reasonable measures for access to and storage of those communications.
- Conduct due diligence on vendors providing communication technology. The opinion reaffirms the principle that lawyers must perform due diligence when selecting an outside vendor. Factors to consider include vendor’s credentials, reference checks, security policies and protocols, hiring practices, use of confidentiality agreements, conflicts checking systems, and legal avenues for relief for violations of the vendor agreement.
This opinion agrees with others – including the California opinion mentioned above – in saying that, if the lawyer lacks the competence to evaluate the vendor, the lawyer may perform the evaluation by associating with another lawyer or expert who has the requisite competence.
Duty to Communicate with Client
There is one other notable aspect of this opinion. It says that a lawyer must not only conduct his or her own case-by-case analysis of appropriate security, but must also communicate with the client about the nature and method of electronic communications.
When the lawyer reasonably believes that highly sensitive confidential client information is being transmitted so that extra measures to protect the email transmission are warranted, the lawyer should inform the client about the risks involved. The lawyer and client then should decide whether another mode of transmission, such as high level encryption or personal delivery is warranted. Similarly, a lawyer should consult with the client as to how to appropriately and safely use technology in their communication, in compliance with other laws that might be applicable to the client.
The committee concludes its opinion with this summary:
A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
We can hope that successful ransomware attacks such as that experienced by DLA Piper last week remain a relative rarity among law firms. But this new ABA ethics opinion makes clear that lawyers can never be complacent about security and technology. Lawyers have an ethical duty to understand the technology they use and to use it responsibly.