American Bar Association Issues Guidance on Cybersecurity Ethics

The days when attorneys could take an “as needed” approach to technology are long gone. Over the past several years, the American Bar Association (ABA) has continued to update its guidance on ethical requirements related to technology and cybersecurity, including Formal Opinions 477R  and 483. Prompted by the massive shift in the way attorneys, and almost every other business, are interacting with their clients and engaging in the practice of law remotely due to the coronavirus pandemic, the ABA issued Formal Opinion 498.

The opinion takes a close look at the latest technological advances and changes to the ways attorneys practice law in a remote work environment and provides needed guidance on how to navigate the heightened cybersecurity risks attorneys face every day.

“At all times, but especially when practicing virtually, lawyers must fully consider and implement reasonable measures to safeguard confidential information and take reasonable precautions when transmitting such information,” the opinion states.

Expanding on the recommendations outlined in Formal Opinion 477R, ABA Opinion 498 provides guidance on general cybersecurity responsibilities, including:

• Ensuring that attorneys have carefully reviewed the terms of service applicable to their hardware devices and software systems to assess whether confidentiality is protected;
• Being diligent in installing any cybersecurity-related updates and using strong passwords, antivirus software, and encryption;
• Ensuring that routers are secure and considering using virtual private networks (VPNs);
• Periodically assessing whether their existing systems are adequate to protect confidential information as technology evolves; and
• Maintaining reliable access to client contact information.

The opinion also addresses activities that have been brought to light in our current remote work arrangements:

• Virtual meetings: Access to accounts and meetings should be only through strong passwords. All recordings and transcripts should be secured and only with client consent.
• Maintaining Privilege: For many attorneys working remotely, a “home office” may be nothing more than a table in a bedroom or kitchen, not separated from the rest of the home by a closed door. Nonetheless, attorneys always must be diligent about maintaining privilege and should take great care to ensure that client-related meetings and information cannot be overheard or seen by others in the household, office, or other remote location, or by other third parties.

• Virtual offices: When lawyers are practicing virtually—even on short notice, they must have reliable access to client contact information and client records. A reputable cloud service should be used, with data regularly backed up and accessible in the event of a data loss.
• Smart Speakers, such as Alexa: Attorneys should disable the listening capability of devices or services such as smart speakers, virtual assistants, and other listening-enabled devices while communicating about client matters.

Formal opinion 498 reiterated that supervising attorneys have an obligation to ensure that attorneys on their team are abiding by these rules as well, and specifically recommended “routine communication and other interaction…to  discern the health and wellness of the lawyer’s team members.”

The complex relationship between the latest technological advances and the risks which come with it, can create a confusing landscape for attorneys. But one thing remains certain: competence in technology cannot simply be outsourced and attorneys’ ethical obligations cannot be minimized. The Model Rules – and ABA’s recent opinions – make it clear that attorneys must educate themselves on the ever-changing risks and the benefits of technology.