Chapter § 9.03

Jurisdiction: United States

§ 9.03 Source of Lawyers’ Duty to Protect Client Data

It is axiomatic at this point that all lawyers have an ethical and legal obligation to understand emerging cybersecurity technologies and to enact reasonable data security measures to protect client data. In this section, we discuss various sources of lawyers’ ethical and legal duties to protect client information from cyber threats. In the next section (9.04), we discuss certain policies and practices that lawyers should consider implementing to satisfy their obligations.

[1] Ethical Obligations

A lawyer’s ethical duty to safeguard client data primarily implicates ABA Model Rules of Professional Conduct 1.1, 1.4, 1.6, 1.15, 5.1, and 5.3.24 The ABA Standing Committee on Ethics and Professional Responsibility (the “Committee”) made clear in two recent ethics opinions that these rules, read together, impose on lawyers a broad responsibility to establish policies and practices to, among other things, protect client information, monitor cyber threats, securely communicate with the client, train lawyers and staff on cybersecurity, and notify clients about a data breach.25 We discuss each of these rules below and how they apply in the cybersecurity and data privacy context.

[a] Duty of Competence

Model Rule 1.1 demands that lawyers deliver “competent representation” to clients, meaning they must bring “knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”26 Recognizing the increasing impact of technology on the legal practice, in 2012, the ABA revised its Model Rules to specify that, to “maintain the requisite knowledge and skill, a lawyer should keep abreast of . . . the benefits and risks associated with relevant technology.”27 The Committee instructs that, once a lawyer has a grasp of the technology, she must use and maintain it in a manner that will “reasonably safeguard property and information that has been entrusted” to her.28 Lawyers can satisfy this ethical duty by retaining an internal or external expert to help with their cybersecurity protocols.29

[b] Duty to Communicate

Under Model Rule 1.4, a lawyer shall “promptly inform the client of any decision or circumstance with respect to which the client’s informed consent . . . is required.” The Committee concluded, based on Model Rule 1.4, that, when “the lawyer reasonably believes that highly sensitive confidential client information is being transmitted so that extra measures to protect the email transmission are warranted, the lawyer should inform the client about the risks involved.”30 The lawyer and client then “should decide whether another mode of transmission, such as high level encryption or personal delivery is warranted.”31 Also, in accordance with Model Rule 1.4, lawyers must notify clients of a data breach and advise them of “the known or reasonably ascertainable extent to which client information was accessed or disclosed.”32 The Committee noted that compliance with the Model Rules in the event of a breach “depends on the nature of the cyber incident, the ability of the attorney to know about the facts and circumstances surrounding the cyber incident, and the attorney’s roles, level of authority, and responsibility in the law firm’s operations.”33

[c] Duty of Confidentiality

Model Rule 1.6 states that, except in limited cases, a “lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.”34 Consequently, a “lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”35 Such unauthorized disclosure doesn’t give rise to an ethical violation if the lawyer has, in fact, “made reasonable efforts to prevent” it.36 Lawyers may consider these factors to measure their reasonableness: (1) the sensitivity of the information, (2) the likelihood of disclosure if the lawyer uses additional safeguards, (3) the cost of employing additional safeguards, (4) the difficulty of implementing the safeguards, and (5) the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).37 A lawyer must abide by clients’ requests “to implement special security measures not required” under Model Rule 1.6, and, conversely, a client may give informed consent to forgo required security measures.38

[d] Duty to Safeguard Property

Model Rule 1.15 requires lawyers to hold “property” of their clients “in connection with a representation separate from the lawyer’s own property.”39 A lawyer must identify client property “as such and appropriately safeguard[]” it.40 Despite language in Model Rule 1.15’s comment suggesting that the rule only applies to tangible client files as opposed to intangible ones, the Committee decided that “[r]eading Rule 1.15’s safeguarding obligation to apply to hard copy client files but not electronic client files is not a reasonable reading of the Rule.”41 Several state ethics committees have reached the same conclusion. For instance, the District of Columbia ethics committee said that lawyers “who maintain client records solely in electronic form should take reasonable steps (1) to ensure the continued availability of the electronic records in an accessible form during the period for which they must be retained and (2) to guard against the risk of unauthorized disclosure of client information.”42

[e] Duty of Supervision

Model Rules 5.1 and 5.3, read together, require lawyers with managerial authority to “make reasonable efforts to establish internal policies and procedures designed to provide reasonable assurance” that (i) “all lawyers in the firm will conform” with relevant ethics rules and (ii) internal and external staff will “act in a way compatible with the professional obligations of the lawyer.”43 The Committee said that, with respect to electronic communications, “lawyers must establish policies and procedures, and periodically train employees, subordinates and others . . . in the use of reasonably secure methods of electronic communications with clients” and “instruct and supervise on reasonable measures for access to and storage of those communications.”44 Under Model Rule 5.3, lawyers are also obligated to use diligence in selecting and supervising vendors that will provide services that require them to access client files.45 The Committee also concluded that, taking into account their duty to use technology to safeguard confidential information and to supervise lawyers and staff, lawyers “must employ reasonable efforts to monitor the technology and office resources connected to the internet, external data sources, and...
