Legal professionals have been adopting security measures to protect communications and client-sourced documents from unauthorized access. Of particular concern are trade secrets and other types of proprietary information provided to counsel for production in a case.

Protecting the confidentiality of these materials can prove challenging in an age of routine cyberattacks. Counsel has to account for rapid changes in technology used to gain unauthorized access to these materials as well as the technology available to protect them. What duty does a legal professional have to protect a client's information?

Relevant Rules Governing Professional Conduct

Bar associations routinely stress the critical importance of protecting the confidentiality of attorney-client communications. Although the Texas Disciplinary Rules of Professional Conduct do not specifically address the risk of unauthorized disclosure of these communications when they are conveyed by email, the larger issue of client confidentiality is addressed and bears relevance to an attorney's technological stewardship of a client's information. In short, an attorney in Texas has a duty to safeguard “confidential information,” which is defined broadly to include both privileged and unprivileged attorney-client communications (Tex. Comm. On Prof'l Ethics, Op. 648, 78 Tex. B.J. 480 (2015)).

The American Bar Association suggests that an attorney's duty includes staying current on technological changes affecting the confidentiality of client communications. This issue of “competency” is embodied in the ABA's Model Rule of Professional Conduct 1.1, which, since 1983, has required that a “lawyer shall provide competent representation to a client … [which] requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”

Taking this even further, the ABA Standing Committee on Ethics and Professional Responsibility issued a formal opinion (Formal Op. 11-459 (2011)) acknowledging counsel's duty to address the risk of unauthorized disclosure when communicating by electronic means. In its opinion, the ABA standing committee determined that a “lawyer sending or receiving substantive communications with a client via email or other electronic means ordinarily must warn the client about the risk of sending or receiving electronic communications using a computer or other device, or email account, where there is a significant risk that a third party may gain access.” This resulted in certain disclaimers appearing at the bottom of an attorney's signature block in every email.

In 2012, the ABA adopted certain “technology amendments” to its Model Rules of Professional Conduct, including updating the comments to Rule 1.1 on competency, adding paragraph (c) to the same rule, and providing guidance through a new comment to Rule 1.6. These “technology amendments” address a lawyer's obligation to take reasonable measures to prevent unauthorized disclosure of client information.

Comment 8 to Rule 1.1 defining professional “competency” now requires that counsel “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

Paragraph (c) was added to Rule 1.6 of the Model Rules requiring that a “lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 18, addressing the new paragraph (c), explains that it “requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer,” but that “the unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”

What constitutes “reasonable efforts” in this context? The committee decided it was best not to commit to a “hard and fast rule,” but to rely instead on upon a set of factors that “depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.” (See Formal Op. 477 (2017).) These factors include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

As referenced in the “ABA Cybersecurity Handbook” by Jill D. Rhodes & Vincent I. Polley, the “reasonable efforts” standard “rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a 'process' to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”

As a result, a lawyer does not have a duty to guarantee a client's data safety. Rather, the current view is that “paragraph (c) does not mean that a lawyer engages in professional misconduct any time a client's confidences are subject to unauthorized access or disclosed inadvertently or without authority. … The reality is that disclosures can occur even if lawyers take all reasonable precautions. The commission, however, believes that … lawyers have a duty to take reasonable precautions, even if those precautions will not guarantee the protection of confidential information under all circumstances.”

Ramifications for Your Practice

Lawyers should evaluate the technology they employ in protecting client information from unauthorized disclosure, particularly when working with sensitive financial information or closely guarded trade secrets. If a law firm is providing the same level of basic protection to email as it does to its client's confidential intellectual property when the records are “hacked,” the firm likely fails to satisfy the factors identified as a measure of “reasonable efforts” to protect the client's information. Give careful thought to engaging in the “process” of assessing these risks, identifying and implementing appropriate security measures responsive to these risks, and updating them over time.

James W. Walker is a member of the litigation department at Cole Schotz and is resident in the firm's Dallas office. Walker has trial and appellate experience in federal districts and appellate courts across the United States. He represents Texas-based and Fortune 500 companies in the energy and finance areas, as well as in all types of professional liability, director and officer liability, employment and other complex commercial contract and business tort claims.