Taking information-security-related steps consistent with Rule 1.6(b)(7) might also help in complying with new Rule 1.16(e), which provides that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” This may sound alarming: can a lawyer be disciplined for being a victim of hacking?
But as new Comment 18 explains, this is not a rule that makes lawyers strictly liable, in a disciplinary sense, if they have the misfortune of being hacked or otherwise having their clients’ information compromised. The key is to make “reasonable efforts” to prevent unauthorized access or disclosure of client information. The comment discusses ways in which reasonableness can be judged in this context:
the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Most commercially available information technology systems and software may have protections that enable basic compliance with Rule 1.6(e). But vigilance is still required. Sometimes the software we become accustomed to using loses its vendor’s support, like Windows has, or otherwise fails to meet evolving security standards. When that happens, lawyers – and the employees or contractors they likely rely on to assist them with technological issues – must adapt, or risk acting in a manner inconsistent with Rule 1.6(e).
Other times, lawyers are at risk of being hacked through means they may never have envisioned. That spammy-looking email may not be just an annoyance, or a virus delivery system; it may be a means to an end for a hacker looking for corporate secrets. A well-intentioned firm taking steps to try to preserve data can be foiled by a simple human error like leaving an unencrypted drive containing sensitive information on a train while transporting it to an offsite location for backing up. That’s just one of the horror stories that Pittsburgh attorney David G. Ries has told compellingly in recent years, particularly in this survey of information security issues prepared for a 2014 ABA conference. Ries’ paper provides a detailed and thorough exposition of many of the advanced and evolving risks to lawyers’ information security – and given that we’re now two years on, the threats may have evolved in still different and more substantial ways. Stay tuned (outmoded technology reference)!
Note that according to Comment 18, clients can consent to the use of systems that provide lesser security; but if they do consent, lawyers should make sure that they can demonstrate that. If a technological failure happens because of a lesser system chosen by the client, the lawyer is best protected if she has evidence of the client’s choice and the reasons behind it.
Prudent practitioners have likely already put one or more readily available and appropriate information security measures in place. If you feel like your systems might need an upgrade, though, now is the time.
