The Latest ABA Guidance on Protecting Confidential Client Communications
Here on the blog we regularly explore issues around the protection of sensitive, confidential information in legal discovery and other legal matters. Recently the ABA Standing Committee on Ethics and Professional Responsibility issued an opinion addressing this subject in a more specific context—securing the communication of client confidential information using electronic means. In Formal Opinion 477R, the Committee offers guidance on how lawyers can meet their ethical obligation to use “reasonable means” to protect electronic communications and “comply with the core duty of confidentiality in an ever-changing technological world.”
The ABA last addressed this subject back in 1999, in Formal Opinion 99-413. At that time, the Committee concluded that “Lawyers have a reasonable expectation of privacy in communications made by all forms of e-mail, including unencrypted e-mail sent on the Internet, despite some risk of interception and disclosure. It therefore follows that its use is consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client’s representation.”
But in the intervening 20 years, the means and methods used by lawyers and clients to communicate have changed substantially. And threats to the security of those communications have increased dramatically. As Opinion 477 notes, lawyers have become prime targets of cybersecurity crime for two reasons: “(1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.” In light of these technology changes and heightened risks, the Committee decided that updated guidance was warranted.
To meet their ethical duty of client confidentiality, “lawyers must exercise reasonable efforts when using technology in communicating about client matters.” However, what constitutes “reasonable efforts” cannot be defined by a “hard and fast rule.” Rather, deciding what’s reasonable involves analysis of a number of factors, including “the types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.” The Opinion turns to the ABA Cybersecurity Handbook to further explain this fact-specific approach, which calls for “a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”
While the Committee declined to specify any particular reasonable steps lawyers should take, it set out a sequence of considerations lawyers might use to make their assessment:
- Understand the Nature of the Threat.
- Understand How Client Confidential Information is Transmitted and Where It Is Stored.
- Understand and Use Reasonable Electronic Security Measures.
- Determine How Electronic Communications About Clients Matters Should Be Protected.
- Label Client Confidential Information.
- Train Lawyers and Nonlawyer Assistants in Technology and Information Security.
- Conduct Due Diligence on Vendors Providing Communication Technology.
While this list is somewhat specific to the context of lawyers’ communications, it also reflects the more general best practices that we follow at DiscoverReady to protect our clients’ sensitive, confidential information. And the guidance offered in Formal Opinion 477R is consistent with how we work with clients to develop holistic programs for identifying and securing sensitive data. Please reach out if you’d like to discuss our approach to protecting confidential information in more detail.