The opinion notes that generally, lawyers may use unencrypted email when communicating routinely with clients but that is no longer a sufficient safety wall. It states that the phenomenon of cyber threats, particularly in ‘highly sensitive industries such as industrial designs, mergers and acquisitions of trade secrets and industries such as healthcare, banking, defense or education, may present a higher risk of data theft’ and so lawyers in these fields may need to take ‘greater effort’ to ensure secure communication.
Formal Ethics Opinion 477 updates Formal Ethics Opinion 99-413, which was issued in 1999 before the widespread use of tablet devices, smartphones, and cloud storage. As the new opinion explained: ‘Each device and each storage location offer an opportunity for the inadvertent or unauthorised disclosure of information relating to the representation, and thus implicate a lawyer’s ethical duties.’
These ethical duties include competency, confidentiality, and communication. The bulk of the ethics opinion addresses lawyers’ obligations to ensure the confidentiality of client information and cites that lawyers must use ‘reasonable efforts’ to ensure the security of client information. Citing the ABA Cybersecurity Handbook, the opinion explains that the reasonable efforts standard is a fact-specific inquiry that requires examining the sensitivity of the information, the risk of disclosure without additional precautions, the cost of additional measures, the difficulty of adding more safeguards, and whether additional safeguards adversely impact the lawyer’s ability to represent the client.
Seven steps for consideration
The opinion offers seven considerations for guidance, including understanding: The nature of the threat; How client confidential info is transmitted and stored; The use of reasonable electronic security measures; How electronic communications should be protected; The need to label client information as privileged and confidential; The need to train lawyers and nonlawyer assistants in technology and cyber security and The need to conduct due diligence on vendors who provide technology services. The opinion also briefly addresses the duty of communication, noting that lawyers should inform the clients about risks inherent when transmitting ‘highly sensitive confidential client information.’