The ABA has dived head first into the pool of law firm cybersecurity. On May 11, 2017, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477, which addresses a broad range of issues that lawyers must consider to protect client confidential information from “nefarious actors throughout the internet.” Those “nefarious actors”—also known as “hackers”—have been creating havoc for law firms for some time.
What makes law firms targets for hacking? Three reasons, primarily. First, law firms are huge repositories of confidential information. A recent article in Fortune magazine discusses a surge in law firm cybersecurity breaches, including published attacks at white-shoe firms like Cravath Swaine & Moore and Weil Gotshal & Manges. According to The Wall Street Journal, the goal of the hackers in those cases was to obtain information to facilitate insider trading.
Second, cybersecurity costs money. And the culture in many law firms is to resist infrastructure expenses (“what, more IT costs?”), which come directly off a law firm’s bottom line.
Third, many lawyers enjoy the autonomy and flexibility that modern technology provides. Today’s 24/7 law practice demands the ability of a lawyer to work whenever and wherever they are, which of necessity will require some usage of “non-office”-based technology including home computers, tablets, laptops and smartphones.
Formal Opinion 477 builds on two earlier ethics rules developments. In 2012, the ABA modified the comments to Model Rule 1.1—the duty of competence—to state that lawyers must “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . .” Additionally, the ABA modified Model Rule 1.6—the duty of confidentiality—to add new subpart (c), which provides that: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
In Formal Opinion 477, the ABA sheds further gloss on what constitutes “reasonable efforts” to prevent unauthorized access to client information. Adopting language from the ABA Cybersecurity Handbook, the Committee concluded that, “in an environment of increasing cyber threats,” the “reasonable efforts” standard for securing client information is not subject to “a hard and fast” rule. On the contrary, the reasonableness of a lawyer’s efforts at cybersecurity must be judged along a continuum based upon the type of information being stored or communicated. The Committee:
rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a “process” to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.
The “factors” that inform the “fact-based analysis” include the sensitivity of the information, likelihood of disclosure without additional safeguards, cost and difficulty of implementing additional security efforts, and the extent to which such safeguards adversely affect the lawyer’s ability to represent clients.
In addition to requiring lawyers to think and act appropriately regarding cybersecurity, the Committee notes that lawyers may ethically be required to “discuss security safeguards with clients.” In fact, the Committee states, lawyers may need to obtain informed consent from clients in certain situations—such as where a client demands, or the representation requires, that the law firm use “enhanced security measures.”
Furthermore, “reasonable efforts” with regard to securing “certain highly sensitive information” might require that the lawyer actually “avoid the use of electronic methods or any technology to communicate with the client altogether.”
According to the Committee, a “fact-based analysis” may mean that in certain representations, “particularly strong protective measures, like encryption, are warranted.”
No specific guidance is provided in the ABA’s Opinion as to what constitutes “highly sensitive information” as opposed to matters of “normal or lower sensitivity.” No doubt, sometimes the appropriate classification of the “sensitivity” of the “information” may be readily apparent, such as when a litigant receives information that it, or an opposing party, has labeled as “highly confidential” under a court’s protective order. One might imagine in that situation that a “fact-based” inquiry would require a relatively greater level of cybersecurity to protect such information from unauthorized disclosure.
On the other hand, determining how “sensitive” client information is can, in many cases, be a very subjective analysis. One can readily see how reasonable persons might disagree on whether a particular piece or type of client information is “super-sensitive” vs. merely “sensitive” vs. not particularly sensitive at all.
In the context of IP, for example, patent practitioners routinely receive disclosures of information concerning a client’s invention. To the inventor client, that information is the most secret in the world and should be safeguarded as one might the formula for Coca-Cola. The lawyer or law firm receiving a “routine” client invention disclosure, on the other hand, reasonably may have a different opinion as to whether the information qualifies for such “top secret” protection. They might decide some lesser security classification is warranted.
Plainly, the decision on how best to classify the client’s information is something that must be decided early on in a representation, if not before a representation begins. Indeed, a law firm might very well decide it does not have the appropriate security measures in place to competently undertake a given representation. Or a firm may decide it needs to enhance its security protocols because of a particular client’s concerns or the nature of the information.
The issue of law firm cybersecurity is not going away; it is here to stay. And while the American Bar Association does not have ethical jurisdiction over lawyers and its opinions are not binding precedent on anyone, it would be foolish to ignore the ABA’s “guidance.” On the contrary, ABA ethics opinions are highly persuasive authority. Courts, bar counsel, and respondents’ counsel in disciplinary proceedings and ethics investigations frequently look to the ethics opinions of the ABA to aid in interpreting the applicable Rules of Professional Conduct.
The ABA’s latest “guidance” on cybersecurity is a must-read that should give pause to every lawyer, law firm IT department, and law firm manager. The cyber threat is, unfortunately, a part of our daily practice. As lawyers, we have a duty to deal with it. Top down, it is a management responsibility. And we should be discussing these matters with our clients, who will expect that law firms are utilizing the appropriate technical tools available to provide reasonable protection to their confidential information. In fact, implementation of a cutting-edge cybersecurity system could very well give a law firm a competitive edge over its competition.
Informed decision-making in securing client information from cyber attacks using a “fact-based” approach is not just a good idea. Implementing the “right” cybersecurity measures for a given representation is fast becoming–if it is not here already–a lawyer’s ethical duty.