ABA: Lawyers Must Implement Reasonable Data Security for Client Information

Jim Brashear

This week, the American Bar Association (ABA) House of Delegates adopted changes to Model Rule 1.6 of the ABA Model Rules of Professional Conduct. New subsection (c) adds the following sentence to the model rule:

    “A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”

In comments to the revised model rule, the ABA provides a non-exclusive list of factors to be considered in determining the reasonableness of the lawyer’s data security efforts. They include:

    • the sensitivity of the information,
    • the likelihood of disclosure if additional safeguards are not employed,
    • the cost of employing additional safeguards,
    • the difficulty of implementing the safeguards, and
    • the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

A year earlier, on August 4, 2011, the ABA issued Formal Opinion 11-459, describing a lawyer’s “Duty to Protect the Confidentiality of Email Communications with One’s Client.” See my earlier post on that opinion. The 2011 opinion also addresses steps lawyers must take to address the risk that third parties may obtain access to a lawyer’s email communications with a client. See my earlier post on Reasonable Steps to Prevent Disclosure.

The opinion, rule and comment clearly demonstrate that:

    • lawyers should implement reasonable security measures to protect electronically transmitted client information in all circumstances, and
    • lawyers should warn clients about the risk of using electronic communications (including unencrypted email) whenever circumstances present a “significant risk” that a third party may gain access to the content.

There are two circumstances in which lawyers may be required to take additional steps to protect client data:

    • when a client requires the lawyer to implement special security measures, and
    • when required in order to comply with law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information.

The comments to the revised rule also indicate that a client might give informed consent to forgo security measures that would otherwise be required by the rule. That consent does not apply to measures required by law. Informed consent for the use of electronic communications may require more than a warning that Web email might be intercepted or that Web documents might be accessed by unauthorized persons. It may additionally require that the client be advised about the availability of more secure modes of communication – such as encrypted email.

In summary, based on this new ethics guidance, lawyers should seriously reconsider whether outdated opinions from the 1990s still permit lawyers to rely on a fictional expectation of privacy when transmitting or storing client information using email and other cloud services.