Cybersecurity

The Bencher—November/December 2020

By John P. Ratnaswamy, Esquire

I am willing to wager (for no stakes) that during the COVID-19 pandemic most lawyers have taken a webinar on “working remotely” that focused in whole or in part on the subject of cybersecurity and legal ethics. You also may have read articles and opinions such as the helpful Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility’s Formal Opinion 2020-30 (April 10, 2020) (“Ethical Obligations for Lawyers Working Remotely”).

Yet, “working remotely” is not new, although the current immense scope of activity is new. You also “work remotely” when you work from your hotel while on “vacation.” You work remotely when you work from home unless your home is your regular physical office. You work remotely when you work on a train while commuting.

Even more importantly, the foundational legal ethics principles that apply to the cybersecurity aspects of working remotely are the same principles that apply while working in your usual physical office. The two main legal ethics principles that apply to cybersecurity are competence and confidentiality. Here is how the American Bar Association (ABA) defines the two:

  • ABA Model Rule of Professional Conduct 1.1 is “Competence,” and its Comment [8] states: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.” (Emphasis added.) As of 2019, at least 37 states had adopted some form of a lawyer duty of technology competence. J. Calloway, “The Risks of Technology Incompetence,” ABA GPSolo magazine (November/December 2019, p. 8.)
  • ABA MRPC 1.6 is “Confidentiality of Information,” and its Comment [18] states in part: “Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule.” (Emphasis added.) See also Comment [19] on safeguarding communications that include information relating to the representation of a client; see also, e.g., ABA Standing Comm. on Ethics and Professional Responsibility (SCEPR) Formal Opinion No. 477 (Rev. May 22, 2017) (“Securing Communication of Protected Client Information”).

Other legal ethics principles, as well as other bodies of law, also may inform various cybersecurity topics, such as the ethical principles relating to safeguarding of client property (see, e.g., ABA MRPC 1.15) and data privacy statutes. Principles relating to responsibilities in supervising other lawyers, staff, and outside resources also may apply.

Legal ethics principles are also a part of the assessments made when, despite the lawyer’s efforts, a lawyer must address a cybersecurity event such as an electronic data breach, although, again, other laws also might apply, such as general data breach statutes. See, e.g., ABA SCEPR Formal Opinion No. 483 (Oct. 17, 2018) (“Lawyers’ Obligations After an Electronic Data Breach or Cyberattack”).

Any size law practice can face electronic security risks. Solo practitioners and firms of two to nine lawyers made up nearly two-fifths of law firm electronic security breaches (ever) as of 2018. See ABA Techreport 2018 at www.americanbar.org/groups/law_practice/publications/techreport/ABATECHREPORT2018/2018Cybersecurity.

Fortunately, there are many resources available to help lawyers with cybersecurity efforts, such as the ABA’s Legal Technology Resource Center, found at www.americanbar.org/groups/departments_offices/legal_technology_resources.

Please also be mindful of authorities regarding the specific jurisdictions in which you practice.

John Ratnaswamy, Esquire, is the founder of The Law Office of John Ratnaswamy, LLC, in Chicago, Illinois. This column should not be understood to represent the views of any of those entities or Ratnaswamy’s or the firm’s current or former clients.

© 2020 John P. Ratnaswamy, Esquire. This article was originally published in the November/December 2020 issue of The Bencher, a bi-monthly publication of the American Inns of Court. This article, in full or in part, may not be copied, reprinted, distributed, or stored electronically in any form without the written consent of the American Inns of Court.