The Rules Have Changed
In 2013, the ABA Model Rules were modified in a couple of significant ways as they relate to technology. To date, Ohio and 25 other states have adopted the changes I'm about to describe. If your state hasn't adopted the changes yet, I would expect them at some point in the near future. No state's rules of professional conduct can continue ignoring technology for much longer (Michigan, Indiana & Kentucky, I'm talking about you).
The first significant change was to Comment 8 of Rule 1.1 (Competence). Specifically, the bolded language was added:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
Many have argued (and I agree) that this change imposes a duty of technical competence upon lawyers. As far as that goes, I say that it's about time. Technology affects nearly everything a lawyer does from the way they communicate, research, write, present a case, file a case, and produce work product in general. Plenty of lawyers resist, call themselves "old-school" and try to avoid learning how to use the new tools. I understand the psychology behind the avoidance techniques because few things can make smart people feel ignorant like technology. However, a lawyer shouldn't be able to disclaim responsibility for knowing how to use the tools reasonably necessary to practice law. Technology mistakes can be costly. Further, doing everything slow and analog in a fast, digital world risks violating the Rule 1.3 duty to "act with reasonable diligence and promptness in representing a client."
The second significant change to the model rules was the addition of subsection (c) to Rule 1.6 (Confidentiality of Information) which stipulates that a lawyer must make reasonable efforts to prevent the disclosure of confidential client information. Comment 18 to the same rule requires lawyers to act competently to safeguard client information. The comment further provides:
"The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)." (emphasis added)
Finally, Comment 19 to Rule 1.6 requires that when "transmitting a communication," lawyers must take reasonable precautions to prevent client information from falling into the wrong hands.
The way I see it, a lawyer's duty to protect the confidentiality of client information isn't on a scale of 1 to 10. Instead, it's an on-off switch. Client data is either confidential under Rule 1.6 or it isn't. As such, I fail to see how the sensitivity, likelihood of disclosure, costs or difficulty of protecting it are even relevant.
Whether lawyers like it or not, a lot of client information is now electronic/digital. Every lawyer knows (or should know) that digital information can easily be taken, misdirected, lost or accidentally disclosed. As such, taking no precautions to address those risks is the equivalent of driving without a seatbelt, never locking one's doors or running with scissors. It doesn't even pass a common-sense test.
Going back to the considerations listed in Comment 18, I don't think the lawyer should be the one to judge how sensitive something might be from the client's perspective. If a lawyer can't afford to protect a client's information or finds it too difficult to do so, then they shouldn't have possession of it in the first place. Finally, how many lawyers are even remotely qualified to predict the "likelihood of disclosure?" Anyway, as I'll discuss below, making reasonable efforts to protect client data isn't expensive or difficult. Therefore, I don't believe there's a defensible excuse for doing nothing to protect client information.
Responsibility for Violations: For purposes of an example, assume a paralegal, secretary or associate attorney fails to properly redact a social security number in a PDF file. Rules 5.1 and 5.3 put the ethical responsibility for that mistake on the partner or supervising attorney. Even if the supervising attorney in question has never redacted something on a PDF and hasn't the foggiest idea how to do so, the responsibility still flows to them. Therefore, it is incumbent upon partners and supervising lawyers to learn how to properly use relevant technology tools, document the correct usage, and ensure that those charged with using them are doing so properly.
Encryption: There are many angles one can take on digital security, and I'm definitely not trying to address all of them. Instead, I just want to discuss base-level security that should be on every lawyer's radar. The primary weapon in this area is encryption. For purposes of this discussion, encryption can be defined as follows.
"Encryption is the process of converting data to an unrecognizable or 'encrypted' form. It is commonly used to protect sensitive information so that only authorized parties can view it. This includes files and storage devices, as well as data transferred over wireless networks and the Internet.
An encrypted file will appear scrambled to anyone who tries to view it. It must be decrypted in order to be recognized. Some encrypted files require a password to open, while others require a private key, which can be used to unlock files associated with the key."
Simple Security Recommendations
Email Encryption: To ensure that only the intended recipient can read your email and any attachments thereto, you need to utilize email encryption. This isn't complicated or expensive and most of the systems allow you to create a password prior to sending the email which must be entered by the recipient to decrypt and read the email. Here are a few options and Protected Trust is my favorite.
Encrypt Email Attachments: If you don't have an email encryption program, then Word, WordPerfect and every good PDF program (including Acrobat, Nuance Power PDF, Nitro Pro and Foxit PhantomPDF) offer file encryption. This functionality is built-in so you only have to learn how to use it. With file encryption, the file simply cannot be opened without a password you create. Your email could simply say "Please see attached." However, the attached file containing the sensitive information would be encrypted on its own. Hopefully it goes without saying that you wouldn't include the password in the email.
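As an added example (not part of the original article), here is a pre-send check that flags attachments that are not provably password-encrypted. It is a heuristic that assumes PDF and Office files only; the function names and sample bytes are constructed for illustration.

```python
import re

ZIP_MAGIC = b"PK\x03\x04"                          # ordinary .docx/.xlsx/.pptx
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE compound file
# Password-encrypted Office files are OLE containers holding a stream with
# this name, stored as UTF-16LE in the container's directory.
OLE_ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")
# An encrypted PDF points to its encryption dictionary with an /Encrypt entry.
PDF_ENCRYPT = re.compile(rb"/Encrypt\s*(?:\d+\s+\d+\s+R|<<)")
OOXML_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def attachment_state(name, data):
    """Classify one attachment as 'encrypted', 'plaintext' or 'unknown'."""
    if data.startswith(b"%PDF-"):
        return "encrypted" if PDF_ENCRYPT.search(data) else "plaintext"
    if data.startswith(OLE_MAGIC):
        # Legacy .doc encryption is not recognised here and stays 'unknown'.
        return "encrypted" if OLE_ENCRYPTED_STREAM in data else "unknown"
    if data.startswith(ZIP_MAGIC) and name.lower().endswith(OOXML_EXTENSIONS):
        return "plaintext"
    return "unknown"


def blocked_attachments(attachments):
    """Return names that are not provably encrypted and should be held back."""
    return sorted(n for n, d in attachments.items()
                  if attachment_state(n, d) != "encrypted")


# Constructed sample bytes (file headers only, not real documents).
SAMPLES = {
    "settlement.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                      b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n",
    "intake.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
                  b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    "memo.docx": ZIP_MAGIC + b"[Content_Types].xml",
    "offer.docx": OLE_MAGIC + b"\x00" * 16 + OLE_ENCRYPTED_STREAM,
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {attachment_state(name, data)}")
    print("hold back:", blocked_attachments(SAMPLES))
```

Anything reported as 'unknown' is held back along with 'plaintext', so a file type the check does not understand is never treated as safe to send.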
Encrypt PCs: If you've got a notebook computer, there's always the chance that someone will steal it or that you'll misplace or lose it. If you have confidential client information on the laptop, then you must encrypt it. Encryption would prevent a thief or finder of your laptop from obtaining any information from the hard drive, even if they remove the hard drive and install it in another computer. There are many choices for this type of software, including the following:
• BitLocker - included for free with certain versions of Windows Vista, 7, 8 & 10.
• Mac FileVault - included for free with OS X.
• Folder Lock /
Encrypt Smartphones: If your smartphone can access or holds confidential client information, then it must be encrypted. All of the smartphone operating systems have free encryption built in; you need only enable it.
Encrypt Tablets: Again, if your tablet contains or can access confidential client data, then it should be encrypted. Like smartphones, Android and iOS tablets have built-in encryption that you must simply turn on. Windows tablets may also have BitLocker depending upon the version of Windows installed. Of course, any of the Windows encryption options above would also work (besides BitLocker).
Encrypt WiFi/Wireless Connections: If you rely on a wireless Internet connection at your office or home to work with sensitive client information, it goes without saying that your wireless router or access point should be properly encrypted. If you set it up yourself and aren't sure, then you should immediately secure the assistance of an expert to ensure that your security is properly configured. Sometimes, it's as easy as calling the technical support line for the manufacturer of your router. The big wireless router companies all have technical support representatives that can walk you through the process over the phone. In case you're wondering, big names in wireless routers include Cisco, Linksys, Netgear, Belkin, TP-Link, D-Link and Asus, among others.
Furthermore, there's a significant risk associated with using public WiFi. For a quick primer, here are two short articles that will bring this issue into focus: Here's what an eavesdropper sees when you use an unsecured Wi-Fi hotspot by Eric Geier, 6/28/13 and What Is A Packet Sniffer? by Andy O'Donnell, 12/15/14. For an interesting discussion of this in the legal arena, see the now famous California Formal Opinion No. 2010-179 which states:
"With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client’s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so."
Here's how you can protect yourself:
• Cellphone WiFi Hotspot: Rather than connecting to the public WiFi wherever you are, consider using a cellular hotspot or MiFi. Properly configured, these connections are a secure way to connect your notebook or tablet to the Internet via the phone hotspot.
• Consumer VPN Services: There are many services that allow you to create a Virtual Private Network connection even though you're using a public and otherwise unsecured WiFi connection. "In the simplest terms, a VPN creates a secure, encrypted connection between your computer and the VPN's server. This tunnel makes you part of the company's network as if you are physically sitting in the office, hence the name. While connected to the VPN, all your network traffic passes through this protected tunnel, and no one in between can see what you are up to. A consumer VPN service does the same thing, but extends that protection to the public." Here are some options for this. Private Internet Access is the one I use personally.
Other Issues: In the interest of brevity, I'm not going to fully explore these topics, but you should also have a secure password policy everyone is required to follow; and you should use two-factor authentication whenever possible.