The American Bar Association has recently released Formal Opinion 477, covering data security obligations of lawyers and law firms, including with respect to encryption. You can access a full copy of the opinion, as well as a summary of its content, at my friend Bob Ambrogi’s always hyper-relevant LawSites blog.
As usual, when something like this happens, people start freaking right the hell out. However, when viewed through the lens of the already-existing obligations that attach to lawyers’ management of their clients’ data, the opinion does not lump any more responsibility upon law firms than that which already exists. Essentially, the publication serves as a gentle reminder, to start walking the line, for lawyers who have not heeded the trend line of the new technology competence angle attached to Model Rule 1.1 (and the states’ heavy adoption of it) and the updates to Model Rule 1.6.
At this point, every state has a data security law. Lawyers are not exempt from those laws; neither should they be. If there are universal principles of those laws, they are as follows: (1) Make reasonable efforts to secure your clients’ data. (2) Use encryption for particularly sensitive data categories, e.g. — social security numbers, financial account numbers. (3) ‘Reasonable’ efforts are determined based on business-specific factors. (4) Vet vendors who will retain your data. (5) Determine vulnerabilities and address solutions, preferably in written format; update the risk assessment from time to time. The new ABA opinion basically adopts these requirements. So, if you’re following your state law covering data protection already, you’re likely to be at, or above, where the ABA wants you to be.
Of course, the majority of solo and small firm attorneys do not meet state requirements for data protection, in part because they are (perhaps ironically) taking a calculated risk — there have not been many high-profile data breach investigations made against, or penalties imposed upon, solo and small firm lawyers. Now, that doesn’t mean there won’t be. And, now that the ABA is highlighting, and offering tacit approval of, state law requirements, the less compliant your law firm is, the more likely you will be exposed to state- and bar-imposed penalties.
The ABA opinion also addresses a fact scenario in which a lawyer and a client have agreed to approach data security in a certain way. The advice is that the lawyer should follow the terms of that agreement. . . . Well, thank you, Captain Obvious. Some state bars are more specific about this, and recommend that the genesis of that discussion derives from inside the fee agreement — the Massachusetts Bar Association has done so — and, I think that is the better approach; every lawyer knows or should know that her first obligation is to follow through on promises made to clients. The ABA opinion noses around suggesting such a fee agreement clause, but never quite gets there. And, in the real world, it’s the rare instance where small firm lawyers and their clients are setting up a specific data security program for a particular client’s case. Clients expect that lawyers will, and lawyers should, dictate the terms of that arrangement — which, yes, must represent a reasonably secure approach.
The ABA is also more generic than state law in determining what specific types of information are particularly sensitive, thus warranting a higher level of protection — some state laws also prescribe specific protection mechanisms and levels of protection. Of course, the ABA is stacking generalities intentionally. Lawyers lust after generalities, because as soon as you start defining down, you construct loopholes. If ten items are included in a list, there are tens of thousands of items that could conceivably be excluded from that list. It also makes good sense not to drill too deeply, given the pace of technological change in the legal industry; there is the risk of legislating against something that will become passé in three months’ time. However, this is not just a philosophical choice. The fact is that those who most frequently utilize ethics opinions (malpractice attorneys, bar overseers, bar associations) are ill-equipped to engage high-level discussion of the specifics of technology applications, including in the realm of data security. A broad application allows those folks a larger sandbox in which to play, and reduces the technical knowledge outside of substantive law that they must bring to bear.
So, here’s the deal:
Formal Opinion 477 actually changes very little about your practical responsibilities as a law firm in terms of managing your clients’ data.
If you follow your state’s laws respecting data protection and/or strive for ‘best practices’ rather than ‘minimum competency’, you should be good not only in terms of your ethics and malpractice obligations, but also in terms of your clients’ belief in your ability to secure their data, and your own belief that you are doing everything you can to safeguard your clients’ data.
Many solo and small firm lawyers complain about encryption because their clients complain about encryption, as evidenced in the comments to Bob’s post. But, there are myriad ways to manage encryption, and also to educate clients on not only the importance of data security, but also how convenience often butts up against security. Even so, delivering encrypted matter to clients is getting ever simpler; and, probably the easiest current market solution is the use of a client portal available through a law practice management system — which is a solution that the opinion itself alludes to on page 7.
Things I Like and Do Not Like
The problem with ethics opinions like these is that they almost always read like they were written by your Grandma(ma). On page 5 of the opinion, reference is made to the purported fact that some information is so sensitive that it should not be transmitted electronically at all. But, that’s a virtually impossible solution for a modern practice, and cuts against a lawyer’s ability to keep electronic records, which is essential in resolving malpractice disputes. On page 5, there is also discussion of the potential for issues related to ‘message boards’. And, let me tell you: message boards, chat rooms — they have been proxy harbingers of disasters lurking in ethics opinions since at least the mid-90s. The problem is that there’s little to no definition about what these are, and how they work in a modern environment. There are public communication tools (Reddit) and there are private communication tools (invite-only listservs); there are internal communication tools (Slack) and external communication tools (limited access client portals). I think most attorneys are aware that you don’t directly solicit clients via ‘message boards’, and that you don’t post in public fora information about the case you’re working on. For real, wake me up when someone writes an ethics opinion about Reddit.
That being said, I do think that, as far as ethics opinions go, there is a solid chunk of good, practical detail that is addressed. For example, there is a great discussion at the end of page 7 about when and how privilege may be waived, such as when clients communicate with their attorneys via their work-issued devices. The application of disclaimers to email, as referenced at the top of page 8, is interesting, insofar as it will trigger the recipient lawyer’s responsibilities under Rule 4.4 — with respect to data security, most people think only of the obligation of the sender; but, lawyers are a special case. I also like that there is an admission that it is not a measure of weakness for lawyers to ask for help on matters of data security, as outlined at page 9: ‘Any lack of individual competence by a lawyer to evaluate and employ safeguards to protect client confidences may be addressed through association with another lawyer or expert, or by education.’ (I mean, you could hire a law practice management consultant for that, if you wanted. Just sayin’. . . . AHEM.) Finally, and not for nothing: in attempting to write for an entire nation of lawyers, where various jurisdictions may expand on the principles outlined in this opinion, it’s probably better to go broad anyway.
Ultimately, even if a pronouncement like ABA Formal Opinion 477 is more sound than fury, it will hopefully serve as a jolt to those solo and small firm attorneys who don’t care a fig for data security, and provide them incentive to step up their respective games. In turn, it will also be interesting to see whether a proclamation like this will empower bar ethics staff to more aggressively deter technology incompetence perpetrated by lawyers, where state laws have not been used to address issues present in the legal vertical.
We shall see what results.