The world and the way we communicate within it have changed a lot since 1999, when the ABA introduced Formal Opinion 99-413 to address confidentiality obligations for email communications with clients. Mailed letters, faxes and many phone calls are now often replaced by more extensive communication through email and other digital means; but the lawyer’s obligation to protect client confidentiality hasn’t changed. In 1999 email was assumed to be confidential; in 2017 we all understand that this is not necessarily a valid assumption. ABA Formal Opinion 477 addresses the new world order not only in terms of the means of communication but also the security of those communication tools.
A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
Lawyers need to understand the risks associated with various communication tools, as well as the information being communicated, in order to choose the best means to communicate with a client. There are 7 “reasonable steps” outlined in Formal Opinion 477 that should be considered in all decisions made by the lawyer. Here’s what they mean to your firm:
1. Understand the Nature of the Threat
The security needed in a merger and acquisition matter will be different than that in a “simple” estate plan. The level of security needed by your firm may require changes in the tools you are currently using. “Reasonable efforts” to protect client information are requested in high-risk scenarios, so be aware of the risk and assess your current setup.
2. Understand How Client Confidential Information is Transmitted and Where it is Stored
This is a crucial point, especially for those utilizing web-based (or cloud) solutions. It is important to look at all devices and applications used to store data and communicate with clients and other parties. If your client data is stored off-site, take the time to learn where the vendor stores the data, who has access to it, and what security measures are in place when the data is being transmitted. Ask about encryption (at rest and in-transit). Further, your security for every device being used (your iPad, your paralegal’s laptop, etc.) must be considered, including a plan if a device is lost or stolen.
3. Understand and Use Reasonable Electronic Security Measures
Lawyers must make reasonable efforts to prevent inappropriate access to client information. There are a variety of options available depending on the nature of the information and where it is stored. As a start, Antivirus/Anti-Malware/Anti-Spyware and Firewall software are part of best practices that should be understood and implemented. When looking at specific software for your security, practice management, and even accounting, look for tools that require strong passwords and offer 2-factor authentication upon login to confirm user identity. As an additional step, attorneys should take precautions to limit their employees’ access to client data to mitigate the security risk. The software solutions your office implements should include role-based privileges — allowing users access only to matters to which they are directly related and blocking them from accessing any unrelated or confidential items.
4. Determine How Electronic Communications About Client Matters Should be Protected
Different communications require different levels of protection. It may not be necessary to protect an email scheduling or confirming a meeting, but a document associated with the meeting may need encryption or other protection. For high-risk situations, consider moving beyond consumer-level email to more secure connections such as encrypted messaging or secure client portals. The lawyer should be aware of not only their own environment but the environment of the client. For example, if a cell phone is owned by the client’s employer, it may be inappropriate to send communications to that device.
5. Label Client Confidential Information
While including a disclaimer on an email may not stop someone from reading information they should not see, Model Rule 4.4(b) obligates a lawyer who “knows or reasonably should know” that he has received an inadvertently sent “document or electronically stored information relating to the representation of the lawyer’s client” to promptly notify the sending lawyer. A clear, conspicuous, and appropriately used disclaimer may affect whether a recipient lawyer’s duty under Model Rule 4.4(b) for inadvertently transmitted communications is satisfied.
6. Train Lawyers and Nonlawyer Assistants in Technology and Information Security
Make sure that employees and vendors are trained to understand the threats as well and to handle data appropriately. Ultimately the lawyer is responsible for clients’ data and must make sure that everyone involved follows appropriate procedures. When implementing new software, ask if the vendor provides training on proper use and/or security procedures for your employees.
7. Conduct Due Diligence on Vendors Providing Communication Technology
This again comes back to the fact that the lawyer is ultimately responsible. When choosing vendors, the lawyer should check references and credentials, look at security procedures of the vendor, user confidentiality agreements, and check for conflicts, so as to protect the client’s information.
When choosing new software, whether desktop or cloud, lawyers have an obligation to make sure that all client data is protected. The lawyers should also consider how the software will help in meeting client confidentiality needs in communications. Take the time to try multiple software solutions, complete demos, and ask lots of questions — in the end, finding the solution that is the best fit and most reliable for your firm’s needs. Perhaps the software supports encrypted email or offers a secure client portal for communication with clients. Maybe for growing firms, security options in the software that may be used to limit who can access specific data or types of data are a must-have. The importance of these features will vary based on the types of clients the lawyer works with, the data that is communicated or stored, and the people in the firm.
Stay In The Know
Lawyers must continuously assess the nature of the data they share with clients and the means by which they share information. They must adopt tools and processes to meet needs, and adapt to the type of client and the type of data. Lawyers must educate themselves and their clients to ensure that confidentiality is protected. If you have any questions or would like an evaluation of your firm’s current setup, contact our experts for a free one-on-one consultation.