Cyber Crime and the Standard of Care
Protecting the confidentiality of communications and client-sourced documents can prove challenging in an age of routine cyberattacks.
June 29, 2018 at 01:25 PM
6 minute read
Legal professionals have been adopting security measures to protect communications and client-sourced documents from unauthorized access. Of particular concern are trade secrets and other types of proprietary information provided to counsel for production in a case.
Protecting the confidentiality of these materials can prove challenging in an age of routine cyberattacks. Counsel has to account for rapid changes in technology used to gain unauthorized access to these materials as well as the technology available to protect them. What duty does a legal professional have to protect a client's information?
|Relevant Rules Governing Professional Conduct
Bar associations routinely stress the critical importance of protecting the confidentiality of attorney-client communications. Although the Texas Disciplinary Rules of Professional Conduct do not specifically address the risk of unauthorized disclosure of these communications when they are conveyed by email, the larger issue of client confidentiality is addressed and bears relevance to an attorney's technological stewardship of a client's information. In short, an attorney in Texas has a duty to safeguard “confidential information,” which is defined broadly to include both privileged and unprivileged attorney-client communications (Tex. Comm. On Prof'l Ethics, Op. 648, 78 Tex. B.J. 480 (2015)).
The American Bar Association suggests that an attorney's duty includes staying current on technological changes affecting the confidentiality of client communications. This issue of “competency” is embodied in the ABA's Model Rule of Professional Conduct 1.1, which, since 1983, has required that a “lawyer shall provide competent representation to a client … [which] requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”
Taking this even further, the ABA Standing Committee on Ethics and Professional Responsibility issued a formal opinion (Formal Op. 11-459 (2011)) acknowledging counsel's duty to address the risk of unauthorized disclosure when communicating by electronic means. In its opinion, the ABA standing committee determined that a “lawyer sending or receiving substantive communications with a client via email or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or email account, where there is a significant risk that a third party may gain access.” This resulted in certain disclaimers appearing at the bottom of an attorney's signature block in every email.
In 2012, the ABA adopted certain “technology amendments” to its Model Rules of Professional Conduct, including updating the comments to Rule 1.1 on competency, adding paragraph (c) to the same rule, and providing guidance through a new comment to Rule 1.6. These “technology amendments” address a lawyer's obligation to take reasonable measures to prevent unauthorized disclosure of client information.
Comment 8 to Rule 1.1 defining professional “competency” now requires that counsel “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
Paragraph (c) was added to Rule 1.6 of the Model Rules requiring that a “lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18, addressing the new paragraph (c), explains that it “requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer,” but that “the unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”
What constitutes “reasonable efforts” in this context? The committee decided it was best not to commit to a “hard and fast rule,” but to rely instead on upon a set of factors that “depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.” (See Formal Op. 477 (2017).) These factors include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
As referenced in the “ABA Cybersecurity Handbook” by Jill D. Rhodes & Vincent I. Polley, the “reasonable efforts” standard “rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a 'process' to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”
As a result, a lawyer does not have a duty to guarantee a client's data safety. Rather, the current view is that “paragraph (c) does not mean that a lawyer engages in professional misconduct any time a client's confidences are subject to unauthorized access or disclosed inadvertently or without authority. … The reality is that disclosures can occur even if lawyers take all reasonable precautions. The commission, however, believes that … lawyers have a duty to take reasonable precautions, even if those precautions will not guarantee the protection of confidential information under all circumstances.”
|Ramifications for Your Practice
Lawyers should evaluate the technology they employ in protecting client information from unauthorized disclosure, particularly when working with sensitive financial information or closely guarded trade secrets. If a law firm is providing the same level of basic protection to email as it does to its client's confidential intellectual property when the records are “hacked,” the firm likely fails to satisfy the factors identified as a measure of “reasonable efforts” to protect the client's information. Give careful thought to engaging in the “process” of assessing these risks, identifying and implementing appropriate security measures responsive to these risks, and updating them over time.
James W. Walker is a member of the litigation department at Cole Schotz and is resident in the firm's Dallas office. Walker has trial and appellate experience in federal districts and appellate courts across the United States. He represents Texas-based and Fortune 500 companies in the energy and finance areas, as well as in all types of professional liability, director and officer liability, employment and other complex commercial contract and business tort claims.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All'A Prime Target': AT&T Hit With Class Action One Month After Disclosing Massive Data Leak
Trending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250