The opening paragraph summarizing ABA Formal Ethics Opinion 477 places requirements on lawyers using the Internet to transmit client information:

A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.

What constitutes “reasonable efforts to prevent inadvertent or unauthorized access? “ The bulk of Opinion 477 outlines a framework for answering this question, but not a final answer for any particular situation. This article will examine the implications of Opinion 477 for Texas lawyers.

The Nature of the Professional Obligations Associated With Internet Communication

Opinion 477 justifies what it says lawyers must do when communicating through the Internet by first noting a duty of competence in the use of technology. Comment 8 to ABA Model Rule 1.1 was amended in 2012 to require knowledge and skill in “relevant technology.”  While Texas has not adopted this amendment, it is not unfair to interpret the general requirement of competence in Texas Rule 1.01 to include such expertise since the practice of law now often uses or requires electronic research, online filing of documents, and internet communication with clients. Such a duty of competence translates well to a negligence standard in legal malpractice cases.

Improper use of technology can result in release of client confidential information, violating duties lawyers have under ABA Model Rule 1.6. Rule 1.6(c) was added in 2012 to require lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The Texas Rule has not been amended to move from a “knowing” standard under Texas Rule 1.05(b) to a more rigorous standard requiring “reasonable efforts” for concluding that a lawyer has improperly disclosed or used client confidential information.  In a legal malpractice cause of action, however, it is possible that a negligence standard of case would require reasonable efforts to protect client information.

Reasonable Efforts

The ABA’s approach to determining what reasonable efforts are required is complex. The opinion indicates that the nature of the reasonable efforts required is fact specific. The factors which should determine what measures are required include, but are not limited to sensitivity of information, likelihood of disclosure without additional safeguards, cost of safeguards, difficulty of implementing safeguards, and whether the ability to represent the client is affected by safeguards. As is often the case with the rules of ethics, this standard, which is not complete, gives lawyers no safe harbor for what they must do to avoid violating ethical or malpractice standards.

With that background, the opinion proceeds to provide guidance as to a process lawyers can follow to avoid ethical violations.

Understand the Nature of the Threat.  Some types of data have a higher value to thieves, and thus may require higher levels of security.

Understand How Client Confidential Information is Transmitted and Where It Is Stored. Access points and storage points for communications are the most vulnerable to interception, and should be analyzed for security issues.

Understand and Use Reasonable Security Measures. Use of secure and encrypted transmission protocols is important. Such security  includes network and device security within law firms. The ABA notes that implementation of security of networks and security is “routinely accessible and available for free.” Encryption of sensitive data and use of multifactor authentication should be considered. Lawyers should understand that information deleted from a device or other storage point may still be recoverable. Perhaps some data should not be electronically stored or transmitted.

Determine How Electronic Communication About Client Matters Should Be Protected. The Opinion indicates lawyers and client should discuss security of communications.  This implies that initial engagement documents should probably include warnings about potential security issues in Internet communication. Encryption may be appropriate for either emails or attachments for sensitive matters. Use of a cloud based storage system with appropriate encryption and other security safeguards may be an alternative. Lack of client knowledge about secure communication might require other methods. Client use of third party devices, such as borrowed devices belonging to client’s employer or family, should be considered as a security threat, and may prompt a need to warn the client about using such devices.

Label Client Confidential Information. Labeling confidential information alerts the client to the need to avoid forwarding emails or showing them to others. In the event of an inadvertent disclosure, the label can require another lawyer to notify the lawyer of the disclosure in some cases, and perhaps prevent adverse consequences to the client.

Train Lawyers and Nonlawyer Assistants in Technology and Information Security. Supervising lawyers have a duty under ABA Model Rules 5.1 and 5.3, as well as Texas Rules 5.01 and 5.03, to ensure that lawyers and nonlawyers they supervise conform with and conduct themselves in a manner compatible with the ethical rules. From a malpractice angle, this corresponds with vicarious and supervisory liability. Policies and procedures regarding use of technology and training in those policies and procedures  for all firm members should be considered.

Conduct Due Diligence on Vendors Providing Communication Technology.  Aspects of legal services are frequently outsourced to nonlawyer, third party vendors.  ABA Model Rule 5.3, which is similar to Texas Rule 5.03, As a result, there is a duty to assure that vendors protect client confidential information.  Compliance with such a duty requires conducting due diligence on vendors.  Comment 3 to Model Rule 5.3 added in 2012 specifically notes that outsourcing to vendors is within the scope of the rule, and includes use of Internet based storage of client information.  While Texas does not have this comment, the similarity of the rules, as well as a negligence standard for malpractice claims, suggests that lawyers should vet vendors of internet services.

Conclusion

Opinion 477 is important for Texas lawyers since it outlines the scope of what may be required under ethical rules. While ethics rules and opinions are not intended to create standards of care for malpractice, they are often the basis for expert testimony as to lawyer’s duties to clients. Lawyers would be well served to consider the framework for protection of attorney client communications on the Internet laid out by Opinion 477, but should not stop there. The opinion makes clear that there may be requirements not addressed by the opinion to meet ethical obligation.