Is Email Encryption the New Reasonable Standard? The ABA Opines

The ever-present threat to data security  in an increasingly digitized legal profession has redefined the  “reasonable efforts” standard for lawyers who handle client information. Nicole Black over at Above the Law offers a good summary of the recently released American Bar Association (ABA)  Formal Opinion 477, which addresses a need for lawyers to increase the security  of electronic communication by using encryption in certain situations to maintain competence and client confidentiality  She also explores New York State Bar Association (NYSBA) updated  Social Media Ethics Guidelines, which acknowledge and address newer state opinions in the realm of social media.

Click on the link below to access Nicole Black’s article from Above the Law and learn more about the potential impact of ABA Formal Opinion 477 and NYSBA’s Social  Media Ethics Guidelines on the legal community.

New Guidelines: ABA On Email And NYSBA On Social Media

In the Cloud? The Florida Bar Publishes Guidelines for Selecting a Cloud Service Provider

In the Cloud? The Florida Bar Publishes Guidelines for Selecting a Cloud Service Provider

The Florida Bar’s Technology Committee in collaboration with The Florida Bar’s Practice Resource Institute have published both a quick start guide to cloud computing and  more comprehensive due diligence guidelines to assist lawyers in selecting a cloud service provider.

The Florida Bar News reports:

“Two things are happening more than ever right now: Lawyers are using the cloud to store sensitive information; and lawyers are under attack from cyber criminals looking to steal sensitive information,” said Tech Committee Chair Al Saikali, who also chairs the Privacy and Data Security Practice area at Shook, Hardy & Bacon. “It was therefore important to develop a document that teaches lawyers about the cybersecurity and legal issues associated with the storage of cloud service providers.”

To read the article that contains links to the new guidelines click here

Illinois: Attorneys & Clients in the Cloud

Recently, the Illinois State Bar Association (ISBA) issued a Professional Conduct Advisory Opinion stating that lawyers may use cloud-based services to store client information.

However, the ISBA warned that the use of cloud-based services raises ethical implications of “…competence, confidentiality and the proper supervision of non-lawyers.”

The ISBA quoted Nevada Formal Opinion 33 (2006), which analogized the duty to protect client information on a cloud-based service to the duty to protect client information on a physical server. The Nevada Opinion concluded, “[t]he question in either case is whether the attorney acted reasonabl[y] and competently to protect the confidential information.”

To help lawyers select a cloud-based service provider, the ISBA outlined 7 non-exhaustive practices lawyers could engage in (summarized):

  1. Reviewing industry standards and appropriate safeguards;
  2. Investigating whether the provider has implemented reasonable security precautions;
  3. Investigating the provider’s reputation and history;
  4. Inquiring as to whether the provider has experienced any breaches of security;
  5. Requiring an agreement;
  6. Requiring that all data is appropriately backed up;
  7. Requiring provisions for the reasonable retrieval of information.

Further, the ISBA warned that the duties implicated by using cloud-based services do not end with choosing a reputable provider. This is in part due to the fact that the Illinois Supreme Court recently amend Comment 8 to Rule 1.1 of the Illinois Rules of Professional Conduct. The Comment now reflects Comment 8 to Rule 1.1 of the Model Rules of Professional Conduct and says “…lawyers must keep abreast of changes in law and its practice, including the benefits and risks associated with relevant technology…” (Emphasis added).

This led the ISBA to echo Arizona Ethics Op. 09-04 (2009) and Washington State Bar Association Advisory Op. 2215 (2012) (among others) and conclude that lawyers using cloud-based services must, “…conduct periodic reviews and regularly monitor existing practices to determine if the client information is adequately secured and protected.”

Read the full opinion here.

Alaska Bar Association: Use of “Web Bugs” is Unethical

Alaska Bar Association recently advised that the use “web bugs” to track e-mail communications with opposing counsel violates The Alaska Code of Professional Conduct. Opinion 2016-1, describes “web bugs” as Internet surveillance tools that may inform e-mail senders of the following information:

  • whether and when the e-mail and/or attachments were opened;
  • how long recipients reviewed the e-mail and/or attachments;
  • how many times the e-mail and/or attachments were opened;
  • whether and when the e-mail and/or attachments were forwarded; and
  • the rough geographical location of the recipient.

The Opinion explains that web bugs may allow the sending lawyer to determine the undisclosed location of the opposing party or to gain insight into which sections of a settlement draft are most important to the opposing side based upon how much time is spent on various pages of a document.

Concurring with New York State Bar Association’s Opinion, the Alaska Opinion concludes that “web bugs” “impermissibly and unethically interfere with the lawyer-client relationship and the preservation of confidences and secrets,” required by Rule 1.6- Confidentiality. Thus, the Opinion advises that the use of web bugs is unethical, dishonest, and a violation of Alaska Rules of Professional Conduct Misconduct Rules 8.4(a) and 8.4 (c). Moreover, the opinion states that “even the disclosed use of a tracking device when communicating with opposing counsel” is impermissible.

To read the full opinion, click here.

Up in the ‘Clouds’: Illinois Finds Duty of Competence Applies to Selection of Provider

This fall, the Illinois State Bar Association Committee on Professional Ethics reached two conclusions regarding use of cloud-based services. In Opin. 16-06, the Committee opined that:

(1) a lawyer may use cloud-based services to store confidential client information, so long as the attorney uses reasonable care to make sure that client confidentiality and client information is protected; and

(2) a lawyer is responsible for complying with her duties of competence in selecting a cloud-based services provider, assessing cloud-based services practices, and monitoring compliance with the lawyer’s professional obligations.

 This opinion expands Illinois’s prior opinion where a lawyer may work with a private vendor to monitor the law firm’s computer server, so long as the lawyer takes reasonable steps to ensure the vendor protects client’s confidential information. See, ISBA Op. 10-01 (2009).

Rule 1.1 Competence provides that lawyers must provide competent representation to their clients. Illinois recently amended this rule to include that lawyers who use cloud-based services must have a sufficient understanding of the technology to properly consider the risks of disclosure of confidential information. See Illinois Rule 1.1 Comment 8. Lawyers must also make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, confidential information. See Rule 1.6(e) Confidentiality. Because lawyers hire third-party providers for cloud-based services, lawyers will be subject to the professional rules regarding employing and supervising subordinates. See Rule 5.3 Comment 3.

Due to technology constantly changing, Illinois does not provide any specific requirements for lawyers when choosing a provider. However, Illinois does provide some tips for lawyers when inquiring about a cloud-based services provider, which are:

  • Review cloud computing industry standards and what protections should be put in place when using a cloud-based service;
  • Investigate whether the provider has employed reasonable security measures to protect client data from unintentional disclosures;
  • Investigate the provider’s reputation and history;
  • Look into whether the provider has experiences any security breaches in the past;
  • Demand an agreement to reasonably safeguard that the provider will abide by the lawyer’s duties of confidentiality and will immediately notify the lawyer of any breaches of information;
  • Require that all data is backed up and under the lawyer’s control; and
  • To require reasonable recovery of information if the agreement with the provider is terminated, or if the provider goes out of business.

Several other states have allowed lawyers to use cloud-based services to help with storing client information. See e.g., Alabama Ethics Op. 2010-2; Iowa Ethics Op. 11-01; Tennessee Formal Ethics Op. 2015-F-159; see generally “Cloud Ethics Opinions Around the U.S.”, American Bar Association, Legal Technology Resource Center.

To read the full opinion, click here.