Ethical Rules Require Reasonable Care When Using Technology in the Practice of Law
At its core, the ethical requirements relating to the use of technology are analytically no different than in a nontechnological setting, and the law imposes no greater requirements. The foundation of every attorney’s duty is the duty of the attorney to “maintain inviolate the confidence, and at every peril to himself or herself to protect the secrets, of his or her client.”1 “Secrets” extends to anything that would be embarrassing or detrimental to a client2 and even extends to information that is publicly available.3 This duty is not a bar to the use of technologies, so long as the attorney acts in a reasonable manner to protect the client’s confidential information.4 The reasonableness of an attorney’s actions to ensure both that secrets and privileged information of a client remains confidential and that the attorney’s handling of the information does not result in a waiver of any privileges or protections is considered to be a fundamental part of an attorney’s duty of competence.5
The obvious question, then, is what does an attorney need to do to meet the “reasonableness” standard? First and foremost, while the rules do not require that attorneys be technology experts when assessing the technology being used, attorneys need to have a basic understanding of the electronic protections afforded by the technology used in their practice.6 If they lack the expertise to assess that technology, they must seek additional information or consult with someone who possesses the necessary knowledge, such as an information technology consultant.7
At a minimum, an attorney should employ the standard security protections that are readily available and/or are oftentimes preloaded onto many mobile devices—such as firewalls, virus protection, malware protections, unique passwords8—and use common sense before downloading attachments or clicking on phishing links from unknown sources, which may contain malware or viruses that could infect all types of mobile devices.9 The attorney should also consider the availability of and then use backup systems for the recovery of lost data and remote data locking and/or wiping capabilities in the event of the loss or destruction of the device.10
An attorney should also consider how the particular technology differs from other media use.11 For example, while California does not generally require the use of encryption when sending or receiving standard attorney-client e-mails,12 whether encryption should be used to safeguard confidential information being transmitted may depend on the nature of the information involved or the ease by which security measures may be invoked. In a world where no information is 100 percent safe,13 the higher the information's degree of sensitivity, the more an attorney may be required to do to protect that information to meet the “reasonableness” standard—which can include using specialized security measures and ultimately may require the attorney to refrain from using the technology at all without informed client consent.14 This may involve not only the transmission of information over the Internet via e-mail but can also include the consideration of what type of information can or should be uploaded into any cloud-based data storage system and/or downloaded onto an easily transportable (and easily lost or stolen) device, ranging from a laptop to standard small thumb drive or memory card, which oftentimes can come without password or encryption capabilities.
The attorney should also consider the impact of potential waiver issues relating to inadvertent disclosure through the improper handling of confidential information. A communication does not lose its privileged character only because it is communicated by electronic means or because persons involved in the delivery, facilitation, or storage of electronic communications may have access to the content of the communication.15 However, the attorney-client privilege will protect confidential communications between the attorney and client in cases of inadvertent disclosure only if the parties act reasonably to protect that privilege.16 In this regard, attorneys should consider not only their own actions and that of their agents and employees17 but also educate their clients on the risks of waiver and steps to avoid it. For example, from the transmission of documents with unscrubbed metadata containing confidential information18 to the use of insecure pathways and networks to transmit information such as public WiFi19 to a client communicating with the attorney on a company computer resulting in the waiver of the privilege20 to the public discussion of client matters on the Internet or social media (by the attorney and/or the client), the risks of inadvertent waiver are significant and must be carefully considered by both sides to the attorney-client relationship. Relatedly, the attorney should also consider and educate the client about the potential consequence of disqualification in the event of misuse of another party’s confidential information, even if such information is not inadvertently obtained.21
Finally, if a device is going to be retired, replaced, discarded, and/or returned (if leased), the attorney should take all necessary steps to wipe and remove all confidential data from the device before it leaves the attorney’s custody.22
Think before you use that technology, and take reasonable steps to protect your client’s information.
1 Cal. Bus. & Prof. Code §6068(e)(1).
2 State Bar of Cal., Comm. on Prof'l. Responsibility and Conduct, Formal Op. No. 1981-58.
3 See Mitchell v. Superior Court, 37 Cal. 3d 591, 599 (1984); In re Johnson, 4 Cal. State Bar Ct. Rptr. 179, 189 (Rev. Dept. 2000).
4 State Bar of Cal., Comm. on Prof'l. Responsibility and Conduct, Formal Op. No. 2010-179; see also Los Angeles County Bar Assn., Prof'l Responsibility & Ethics Comm., Formal Op. No. 374 (1978) (under conditions where certain safeguards are observed, disclosure of client secrets and confidences to a central data processor does not violate Section 6068(e), equating such disclosure to that of disclosures to nonlawyer office employees).
5 State Bar of Cal., Comm. on Prof'l. Responsibility and Conduct, Formal Op. No. 2010-179.
9 David G. Ries, Safeguarding Confidential Data: Your Ethical and Legal Obligations, ABA Law Practice (July/August 2010, Vol. 36, No. 4, at 49).
10 See, e.g., Jamie Lendino, Kill Your Phone Remotely, PCmag.com (September 11, 2009).
11 State Bar of Cal., Comm. on Prof'l. Responsibility and Conduct, Formal Op. No. 2010-179.
12 Los Angeles County Bar Assn., Prof'l Responsibility & Ethics Comm., Formal Op. No. 514 (2005) (cited in State Bar of Cal., Comm. on Prof'l. Responsibility and Conduct, Formal Op. No. 2010-179).
13 “[I]f somebody wants to get into your system, they have a very, very good chance of doing it. So if you don’t want your system compromised, disconnect it from the Internet. Turn it off and don’t allow people to touch it, and then open up the box and take a hammer to the hard drive. At that point, you’re relatively secure.” Philip Reitinger, Director of National Cybersecurity Center, Department of Homeland Security, at the 2009 Annual Review of the Field of National Security Law, a conference cosponsored by the ABA Standing Committee on Law and National Security, in Ed Finkel, Cyberspace Under Siege, ABA Journal (11/1/10).
14 State Bar of Cal., Comm. on Prof'l. Responsibility and Conduct, Formal Op. No. 2010-179.
15 Evid. Code §917 (cited in Cal. State Bar Formal Op. No. 2010-179).
16 Regents of University of California v. Superior Court (Aquila Merchant Services, Inc.), 165 Cal. App. 4th 672, 683 (2008).
17 See Cal. R. of Prof'l. Conduct R. 3-110, discussion and citations contained therein (duty to supervise staff and attorneys).
18 N.Y. Bar Assn. Ethics Op. 782 (modified 2004) (2004 WL 3021157).
19 State Bar of Cal., Comm. on Prof'l. Responsibility and Conduct, Formal Op. No. 2010-179.
20 Holmes v. Petrovich Development Co., 119 Cal. App. 4th 1047 (2011).
21 Clark v. Superior Court (Verisign), 196 Cal. App. 4th 37 (2011); Rico v. Mitsubushi Motors Corp., 42 Cal. 4th 807 (2007); State Comp. Ins. Fund v. WPS, Inc., 70 Cal. App. 4th 644 (1999).
22 If the equipment is leased, the lease should preserve the right of the attorney to do so.