Ethics

• Publication year: 2017
• Author: By Wendy Huang and Kermit Marsh

Ethics

By Wendy Huang and Kermit Marsh

An Analysis of the Expansion of General Counsel's Ethical Obligations

Over the past few years, in-house counsel have experienced a continuing expansion of their ethical obligations. 2017 was no exception. A decision by the American Bar Association's Standing Committee on Ethics and Professional Responsibility and a decision by the California Supreme Court have expanded the responsibilities for preserving and safeguarding evidence and for review and production of communications, respectively. Both warrant serious consideration by all in-house counsel, in both the public and private sectors.

Developing Technology and the Duty to Preserve and Safeguard Information

The ABA Departs from Bright Line Standards on Technological Responsibilities

On May 11, 2017, the American Bar Association's Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 17-477¹, which provides guidance on the procedures attorneys should take to protect confidential electronic client communications. Formal Opinion 17-477 updates and expands upon the American Bar Association's Standing Committee on Ethics and Professional Responsibility Formal Opinion 99-413², which covered the topic of confidentiality in electronic communications and on which general counsel have relied for many years.

In Formal Opinion 99-413, the committee famously concluded that unencrypted email was acceptable in the practice of law because attorneys have a reasonable expectation of privacy in all forms of email communication. This bright line rule was helpful, as it provided clear guidance to in-house counsel.

In the eighteen years between Formal Opinion 99-413 and Formal Opinion 17-477, the technology has changed dramatically, as has the apparent risk of destruction or disclosure of electronic records. Today, attempts to hold computer data "hostage" unless a sum is paid as "ransom" are commonplace, but this problem was almost unknown in 1999. Similarly, the theft of large quantities of confidential information, often from significant public and private entities, is much more commonly reported in the news today than two decades ago.

To address these concerns, the ABA's Model Rules of Professional Conduct were changed in 2012 to add the duty of technology competence pursuant to Model Rule 1.1³, which was added, and Model Rule 1.6⁴, which was modified regarding client confidences. The comment to Model Rule 1.1 was modified to read: "a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology." Model Rule 1.6(c) was added, which reads: "A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Based upon these new developments, Formal Opinion 17-477 provides that some circumstances warrant lawyers using "particularly strong protective measures" such as encryption.

The Fact-Based Analysis

Formal Opinion 17-477, in contrast to Formal Opinion 99-413, offers no bright line as to when one must engage in encryption and other technical methodologies. Instead, a "fact-based analysis" is now required, which appears to adopt a balancing test based upon multiple factors.

The fact-based analysis must include, but is not limited to, evaluation of the following factors:

1. Information sensitivity;
2. Likelihood of disclosure if additional safeguards are not employed;
3. Cost of the additional safeguards;
4. Difficulty of implementing the safeguards;
5. Extent to which the safeguards adversely affect the attorney's ability to represent clients (for example, by making an important device or software excessively difficult or cumbersome to use).

[Page 31]

In some cases, enhanced encryption will be necessary, the committee said, while for matters of "normal or low sensitivity," standard security measures may suffice.

At the time Formal Opinion 99-413 was issued, and due to the reasonable expectations of privacy available to email communications at the time, unencrypted email was seen as posing no greater risk of interception or disclosure than other non-electronic forms of communication. The opinion still seems consistent with that basic premise today, at least for routine communication with clients, in circumstances where the attorney has implemented basic and reasonably available methods of common electronic security measures. Thus, the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication.

With the changing landscape due to cyber-threats and the proliferation of electronic communications devices, it is not reasonable to always rely on using unencrypted email. Electronic communication through mobile applications, message boards, or unsecured networks may not have the same privacy afforded to email communications. Therefore, attorneys should always analyze how they communicate electronically to clients and about their matters, using the above factors to determine what efforts are reasonable and necessary.

While Formal Opinion 17-477 urged lawyers to take reasonable steps to protect client communications, it also states that specifying the steps for any given set of facts is beyond the scope of the opinion. Instead, the opinion listed seven considerations that attorneys should use as a guideline:

Understand the Nature of the Threat

The attorney must evaluate the sensitivity of a client's information and whether higher...