Professional Responsibility in the Age of Zoom
A discussion of the use of Zoom (or any video conferencing solution) to conduct confidential client communications.
June 15, 2020 at 10:30 AM
The COVID-19 global pandemic has fundamentally altered the shape of the global economy. From countless businesses furloughing or shutting down, to others turning on a dime to a fully work-from-home environment, our notions of how and where work is done have shifted profoundly and at breakneck speed. One of the largest changes has been the rise of video teleconferencing, which has transitioned from an occasional tool of convenience to the backbone of countless modes of human activity, from social and family interactions, to classes and conferences, and, most importantly for this article, attorney-client communications.
With the unprecedented rise in the use of platforms like Zoom, GoToMeeting, and Microsoft Teams (e.g. Zoom has grown from 10 million to 200 million active users in the last three months) ("Zoom's daily active users jumped from 10 million to over 200 million in 3 months," VentureBeat (April 2, 2020)), attorneys are increasingly turning to these platforms to provide various legal services to clients, both inside and outside the courtroom. While these technologies have proven invaluable in ensuring a continuity of legal services, as security vulnerabilities continue to be discovered, the legal community must consider the ethical implications of delivering remote legal services at scale.
Although there are a myriad of issues, in this article we will consider the use of Zoom to conduct confidential client communications because Zoom is the most well studied of the video-conferencing platforms on the market today and all the solutions in the video conferencing space will likely face a similar range of issues and questions as we continue to adapt to this new work-from-home paradigm. We will first examine the issues security researchers have identified in Zoom, we will then move to examining duties of professional responsibility borne by attorneys in the domain of confidential client communications, and finally we will apply those standards to Zoom video conferencing to understand what attorneys ought to do in order to ensure they are adhering to the highest standards of professional responsibility.
Zoom's Cybersecurity Posture
Zoom is, at its core, a video teleconferencing application designed to enable groups of people to quickly, efficiently, and conveniently videoconference with each other. In the wake of the COVID-19 global pandemic, millions of people have turned to Zoom to move their classrooms, conference rooms, places of worship, and family gatherings online. This rapid growth has placed Zoom squarely in the spotlight for both security researchers and hackers alike, looking for security vulnerabilities and weaknesses that can be remediated or exploited, respectively. This has led to several headlines questioning the security of Zoom's platform (See e.g. Micah Lee, "Zoom's Encryption is 'Not Suited For Secrets' and Has Surprising Links to China, Researchers Discover" (April 3, 2020)), and a variety of organizations banning the use of Zoom (including the NYC Department of Education (Natalie Musumeci, "DOE bans schools using Zoom for remote learning amid security concerns" (April 6, 2020)), NASA (Munsif Vengattil & Joey Roulette, "Elon Musk's SpaceX bans Zoom over privacy concerns -memo" (April 1, 2020)), and SpaceX (Steven Musil, "SpaceX reportedly bans use of Zoom videoconferencing app by employees" (April 1, 2020))).
It is important to understand that there are at least two distinct issues related to Zoom usage, each of which could potentially implicate an attorney's ethical obligations: (1) Software Vulnerabilities—problems in Zoom's codebase that might allow criminals to exploit the platform to compromise its end-users, and (2) Zoombombing—the practice of bad actors hijacking legitimate Zoom sessions, and either conducting espionage, or disrupting the normal course of events.
With respect to software vulnerabilities, there have been several high-profile vulnerability disclosures in the last weeks related to the ability of criminals to use Zoom to compromise systems of individuals using the platform. (Patrick Wardle, "The 'S' in Zoom, Stands for Security" (March 30, 2020)). While there were meaningful security vulnerabilities, they required the criminal to already have local access to the system in order to exploit the vulnerability. (Amit Serper, et al., "Zoom isn't Malware." (April 3, 2020)). Since the disclosures, Zoom has issued patches that have resolved most of the identified issues. While not minimizing these vulnerabilities, it is important to understand that software vulnerabilities exist in all applications. The process of identifying them, patching them, and updating them is an inherent part of the lifecycle of any application.
With regard to 'Zoombombing,' one of the greatest assets of Zoom is its ease of use. A simple link or a nine-to-eleven digit code and you're able to videoconference. While this simplicity has certainly been an instrumental component of Zoom's growth, it also represents an opportunity for bad actors to 'Zoombomb' and disrupt legitimate meetings with, oftentimes, graphic and disturbing content. (Taylor Lorenz & Davey Alba, "'Zoombombing' Becomes a Dangerous Organized Effort," (April 3, 2020)).
A malicious individual can either randomly input codes until he successfully infiltrates a meeting, or research publicly disclosed meetings and target particular meetings with the intention of accessing the meeting for the purpose of espionage or disruption. Whether the interruption is targeted or random and scattershot, uninvited individuals were able to access Zoom conferences to which they were neither invited nor welcome. While some Zoombombers merely observed the conferences into which they intruded, others actively sought to disrupt them, sometimes using offensive language and slurs targeting the groups that initiated the conferences. (Christopher Mathias, "Anti-Semitic Trolls Disrupt Jewish University's Gathering On Zoom" (April 1, 2020)).
Since these vulnerabilities and weaknesses were identified, Zoom has made a very public push to update its software and either eliminate or mitigate the risk of compromise or intrusion, without meaningfully impacting the ultimate end-user experience. While these efforts are laudable, they also represent an opportunity for the legal community to consider whether and under what circumstances Zoom (or any other video conferencing solution) is an appropriate forum for engaging in confidential client communications and, if so, what measures should be taken to ensure the security and confidentiality of the communications.
Duty to Clients
Digital communications have, for a long time, been a mainstay in the world of legal services (ask any lawyers how many emails they send and receive in a typical day), and the State Bars and the American Bar Association have long struggled with regulating the use of email and other electronic modes of communication to transmit sensitive client information and carry out client communications.
The ABA provided a definitive answer to the question of email in 1999, by stating "Lawyers have a reasonable expectation of privacy in communications made by all forms of email, including unencrypted email sent on the Internet, despite some risk of interception and disclosure. It therefore follows that its use is consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client's representation." (ABA Model Opinion 99-413). That position went unchanged until May 2017, when the ABA updated its approach by adopting a multifactor approach to considering whether an attorney can use a given medium for electronic communications. (ABA Formal Opinion 17-477R). These factors included:
- Understanding the nature of the threat
- Understanding how client confidential information is transmitted and where it is stored
- Understanding and using reasonable electronic security measures
- Determining how electronic communications about client matters should be protected
- Labeling client confidential information
- Training lawyers and nonlawyer assistants in technology and information security
- Conducting due diligence on vendors providing communication technology
These factors were inspired by Comment 18 to Model Rule 1.6(c), which guides attorneys in making "reasonable efforts," as required by the Rule. The factors that should be considered include:
- The sensitivity of the information
- The likelihood of disclosure if additional safeguards are not employed
- The cost of employing additional safeguards
- The difficulty of implementing the safeguards
- The extent to which the safeguards adversely affect the lawyer's ability to represent clients
While each of these factors can be discussed at length individually, taken together they paint a clear picture that electronic communication is not de facto permissible in all contexts, as it once might have been. Rather, attorneys must consider the medium they are using, how client information is protected, whether there are mechanisms to provide more robust security, or whether there are more secure alternatives. When considering Zoom (or any video conferencing solution), convenience is not the only standard that matters; attorneys must engage in some degree of due diligence, balance the convenience and utility of the mode of communications against the sensitivity of the materials being discussed, and ensure that they are adequately safeguarding client information.
Can Attorneys Use Videoconferencing Solutions When Handling Client Information?
To a certain extent, the answer depends on the specific circumstances of the communication, the audience, and the availability of other forums for transmission. Even so, in order to comfortably use Zoom as a tool for confidential communications with clients, attorneys must ensure basic security functions are enabled to limit exposure and the risk of compromised communications. These controls include:
- Enabling Meeting Passwords
- Disabling Join Before Host
- Enabling Lobby with Approval
- Locking Zoom Room When the Correct Attendees Have Joined
- Disabling Guest Chat
- Disabling Guest Screen Sharing
Implementing these controls does not provide automatic, categorical compliance with ethical obligations but does provide a firm foundation. The next most critical consideration is the nature of the information being transmitted. Discussions of particularly sensitive topics, such as litigation strategy or sensitive intellectual property, differ profoundly from a routine client check-in or status call. While attorneys should proactively engage with these questions, it can also be important to understand the client's needs (and the client's capability to support other, potentially more advanced or complex communications systems). Additionally, a client always has the right to request attorneys implement a higher level of security for their communications.
While each of the factors identified by the ABA is essential, the core dynamic that must be considered is the balance between the sensitivity of information transmitted and security of the means deployed. A second equally important factor is the need to ensure the education not merely of the attorneys at your firm, but of the non-attorney personnel as well. Ensuring awareness of issues relating to contemporary digital modes of communication and confidential client information, as well as technology and information security more broadly, is essential to ensuring compliance with both Model Rule 1.6(c) and Comment [8] to Rule 1.1, which states that "[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject."
Furthermore, a critical consideration is the availability and appropriateness of other methods of communication. For example, for more sensitive matters, the use of end-to-end encrypted communications, whether text based (e.g. encrypted email or encrypted messaging) or video calling (even if it might have fewer features and lesser capabilities than full-scope video conferencing platforms like Zoom), might be the more prudent course of action. By contrast, if a real-time, video-based group communication is essential, using Zoom, or a similar conferencing solution, may be the only option. In order to effectively meet his or her ethical obligations, an attorney must be aware of the various communications tools available and must be able to identify the right solution for the specific situation he or she might be facing.
Conclusion
The COVID pandemic has pushed the legal world to adapt to the digital world. These developments, particularly considering the breakneck pace at which they are emerging, are forcing attorneys to change the way they practice, and the way they adapt to the increasing prevalence of new technologies and processes. In some cases, at least certain practices might be found to be useful and worth retaining once things return to normal. Despite all of this chaos, attorneys cannot forget the core principles guiding the practice of law, chief among them a respect for the principle of attorney-client confidentiality.
While software like Zoom has allowed for a continuity of care for countless clients, attorneys must consider their obligations, the security controls they have implemented, and the nature of the client information being conveyed. Additionally, the landscape is always changing, and alternative methodologies for engaging with clients will continue to emerge and evolve. Attorneys must always consider not only the implications of using a specific method of communication, but also the availability and plausibility of methods.
In most circumstances, after considering all the factors, attorneys will find that video conferencing is an appropriate option, particularly considering the lack of in-person alternatives at the present moment. However, they may find that certain communications are sufficiently sensitive, and the risks inherent in most video conferencing platforms sufficiently great, that another mode of communication would be called for.
General engagement with these issues on the part of both attorneys and their non-attorney staff members and specific balancing between the sensitivity of information and the security of the means deployed in each particular instance are essential to adhering to the best professional standards and practices. Even in these unprecedented times, attorneys must always keep abreast of developments, consider how emerging technologies impact their practices and implicate their ethical duties, and be ever ready to meet and fulfill their obligations.
Benjamin Dynkin and Barry Dynkin are co-executive directors of the American Cybersecurity Institute, a nonprofit dedicated to cyber policy. They are also the co-founders of Atlas Cybersecurity, a cybersecurity services firm in New York.