ABA Advises ‘Reasonable Efforts’ To Protect Client Data
A new ethics opinion from the American Bar Association is calling on attorneys to make “reasonable efforts” to ensure their electronic attorney-client communications are not subject to inadvertent or unauthorized disclosure.
The ABA Standing Committee on Ethics and Professional Responsibility issued Formal Ethics Opinion 477 on May 11, providing an update to Formal Opinion 99-412, which was handed down in 1999. The original 1999 opinion addressed lawyers’ confidentiality obligations for email communication, but subsequent evolution in the “role and risks of technology in the practice of law” required the committee to update its recommendations for protecting client information.
In today’s world, attorneys generally use electronic means as their primary method of communication with clients, and that communication can take place on a number of different devices, each susceptible to data breaches, the opinion says. Thus, attorneys must ensure their clients understand the security concerns associated with electronic communication and, further, must make reasonable efforts to protect communications on each device from inadvertent or unauthorized disclosure.
A “reasonable effort” is a fact-sensitive question, the committee said. The opinion offers seven recommendations for making reasonable efforts to protect client data and communications:
• Understand the nature of the threat
• Understand how client confidential information is transmitted and stored
• Understand and use reasonable electronic security measures
• Determine how electronic communications about client matters should be stored
• Label client confidential information
• Train lawyers and nonlawyer assistants in technology and information security
• Conduct due diligence on vendors providing communication technology
In sum, “a lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access to information relating to the representation.” However, the opinion goes on to advise, “a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.”
The full text of Formal Opinion 477 can be found here.