Welcome to Module 4-K.

Lawyer’s Duty of Confidentiality.

This module focuses on a lawyer’s ethical duty of confidentiality. It consists of a video by Ralph Losey in two parts lecturing on this important subject, followed by an essay on ABA Formal Opinion 477.  This new Opinion is covered in detail after the videos.

Rule 1.6 – Confidentiality of Information

This class is based on the ABA Model Ethics Rule 1.6 – Confidentiality of Information:

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.

See eg: NY Bar Opinion 749, 2/21/17 (“Duty to protect a client’s confidential information from cybersecurity risk and handling e-discovery when representing clients in a litigation or government investigation.”)

______

See: ABA Formal Op. 99-413 (Mar. 10, 1999):

A lawyer may transmit information relating to the representation of a client by unencrypted e-mail… because the mode of transmission affords a reasonable expectation of privacy from a technological and legal standpoint.

Also see: Cal. Op. 2010-179

Encrypting email may be a reasonable step for an attorney to take … when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.

See: State Bar of Texas, Opinion 648 (2015) that identified several instances where encryption or some other method of security may be appropriate, including:

  • communicating highly sensitive or confidential information via email;
  • sending an email to or from an account that the email sender or recipient shares;
  • sending an email to a client when it is possible that a third person (such as a spouse in a divorce case) knows the password to the email account, or to an individual client at that client’s work email account, especially if the email relates to a client’s employment dispute with his employer (see ABA Comm. on Ethics and Prof’l Responsibility, Formal Op. 11-459 (2011));
  • sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer’s email communication, with or without a warrant.

_______

May 11th 2017 ABA Opinion: Securing Communication of Protected Client Information

After we created the above video the ABA published a new opinion on lawyer confidentiality, Formal Opinion 477 (May 11, 2017) (hereinafter “Opinion“). It was published by the American Bar Association Standing Committee on Ethics and Professional Responsibility and is entitled Securing Communication of Protected Client Information.

The Opinion addresses the reasonable efforts that lawyers and law firms must take to ensure that communications with clients are secure and not subject to inadvertent or unauthorized security breaches. It updates Formal Opinion 99-413 quoted above and discussed in the video. This update was sorely needed and very well done. Here is the ABA introductory synopsis:

Securing Communication of Protected Client Information

A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.

The Standing Committee on Ethics and Professional Responsibility goes on to explain in the Opinion how much things have changed since the 1999 opinion on the use of unencrypted email.

[T]he term “cybersecurity” has come into existence to encompass the broad range of issues relating to preserving individual privacy from intrusion by nefarious actors throughout the Internet. Cybersecurity recognizes a post-Opinion 99-413 world where law enforcement discusses hacking and data loss in terms of “when,” and not “if.”4 Law firms are targets for two general reasons: (1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.5

Opinion pg. 2.

The Standing Committee again “rejects requirements for specific security measures (such as firewalls, passwords, and the like)” and stays with the “reasonable efforts” standard. This somewhat controversial position is made in reliance of the ABA Cybersecurity Handbook (ABA 2013) which, instead of mandating specific security measures such as encryption:

… adopts a fact-specific approach to business security obligations that requires a “process” to assess risks, identify and implement 101 appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.12

Opinion quoting Cybersecurity Handbook at pg. 4. You see the Committee is moving slowly and cautiously. That is prudent here because so much training is required to bring the Bar up to speed on the many arcane technicalities involved in cybersecurity and encryption. This is fast becoming The Hot Specialty in the legal profession. Electronic Discovery is so yesterday. If I were not so involved in the AI aspects of searching for evidence in near-infinite haystacks of information, I would try to include this specialty too. But for now at least it is too challenging to try to do both at once.

The Opinion points out that a fact-based analysis means that strong protective measures, like encryption, are necessary in some circumstances. Encryption software and use-procedures are becoming easier. Now any intelligent person can understand the processes and use them effectively, not just cryptologists. All lawyers should either learn this or associate with an attorney who does. We all need more training in this area, myself included, to stay competent in the fast moving information explosion era. All of the illegal hacking going on today is outrageous.

In other circumstances involving certain highly sensitive information (such as, in my opinion, classified military information, or certain trade secrets sought by Chinese corporations, as well as certain personal and corporate divorce investigations or political) it may be reasonable to avoid electronic communications altogether. Opinion at pgs. 4-5.

But in most circumstances,

… for matters of normal or low sensitivity, standard security methods with low to reasonable costs to implement, may be sufficient to meet the reasonable efforts standard to protect client information from inadvertent and unauthorized disclosure.

Opinion at pg. 5.

The Committee does not specify the reasonable efforts required in such matters, but does say that “unencrypted routine email generally remains an acceptable method of lawyer-client communication.” Opinion pg. 5. The Opinion at pgs. 5-10 then provides a list of considerations as guidance:

  1. Understand the Nature of the Threat.
  2. Understand How Client Confidential Information is Transmitted and Where It Is Stored.
  3. Understand and Use Reasonable Electronic Security Measures.
  4. Determine How Electronic Communications About Clients Matters Should Be Protected.
  5. Label Client Confidential Information.
  6. Train Lawyers and Nonlawyer Assistants in Technology and Information Security.
  7. Conduct Due Diligence on Vendors Providing Communication Technology.

Well done by the Committee. An update on this topic was sorely needed. Now a wide-spread education program to explain the seven guidance points is in order. Time will tell how long this complex technical guidance will suffice. How long will it be before encryption of some level becomes a per se rule. How long before encryption is required in all attorney communications. It will be required some day, of that I am sure. Just not today. Still, if I were the Committee I would be working on a draft. My prediction is we have five years to prepare, at the most.

Analysis and Projections

Confidentiality is a critical problem facing all lawyers today. We all need to stay proficient in this area, including especially concerning the power and importance of encryption. The smooth operation of our system of justice depends on the confidentiality of the attorney client relationship. Lawyers must be able to maintain the secrecy of their clients’ ESI. They must also protect their own work-product, including investigations, strategies, mental impressions and communications. The ABA Formal Opinion 477 (May 11, 2017) is a helpful addition to this literature.

The Opinion is the last word for now, but we predict that sometime within the next five years the American Bar Association Standing Committee on Ethics and Professional Responsibility will agree on a new Formal Ethics Opinion. The next opinion will require encryption in all electronic communications and all Electronic Information, whether in transit or in storage. The “it depends” exceptions in the current Opinion will be eliminated.

This will be a very difficult, disruptive change to the profession. But we predict the Bar will have no choice because of accelerating advances in technology. These advances will further empower criminal and state hacking. See eg.: , Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool (NYT, 5/12/17); , We must act now to prevent future malware epidemics (Financial Times, 5/14/17). We are unsure what will happen when quantum computing develops further, but some think it could defeat encryption. The development of Bitcoin and other anonymous currencies adds to our problem because they facilitate untraceable extortion payments. Unprotected email will be an invitation to blackmail. Nothing will be safe without encryption, including attorney client communications. Even mundane communications may have metadata value. As a result we will be required to use encryption and other confidentiality tools in all communications, include the mundane. It will be automatic. There will be no if and or buts.

In view of what seems to be an inevitable requirement of full encryption, all lawyers and law firms should start preparing now. Your CISOs and attorneys should start working together on this requirement as soon as possible. It never hurts to stay ahead of the curve. You will succeed if you work together as a team for the common good. Neither technologists nor lawyers should dominate. Natural leader(s) of the team can emerge from both sides and change over time.

 _______________

SUPPLEMENTAL READING: You must carefully read the 2o17 Opinion in full. You should also become familiar with these information  resources.

Joe Lazzarotti

EXERCISE: Learn about encryption by doing. Encrypt your hard drive, if you have not already done so. Research and take the steps necessary to send an encrypted email, an encrypted text. The more you know about encryption, the better. There are many articles on the subject, but start by looking at the blogs and other information on GoldenFrog.com, ProtonMail.com and elsewhere.

Also study the state of cybersecurity today and consider what facts and circumstances might occur to force the Standing Committee on Ethics and Professional Responsibility to amend the ethics code as predicted within five years. What might happen to delay the implementation of full encryption?

Students are invited to leave a public comment below. Insights that might help other students are especially welcome. Let’s collaborate!

Copyright Ralph Losey 2017

Ralph Losey is a practicing attorney who specializes in electronic discovery law. He is a principal in a U.S. law firm with over 50 offices & 800 lawyers where he supervises electronic discovery work and litigation support. Ralph has written over two million words on law and technology, including six books on electronic discovery. His latest books are "E-Discovery for Everyone" (ABA 2017) and "Perspectives on Predictive Coding" (ABA 2017) (ed. & contributor). His blog is widely read in the industry: "e-DiscoveryTeam.com." Ralph is the founder and principal author of "Electronic Discovery Best Practices" and "e-Discovery Team Training," a free online course covering all aspects of e-discovery. Ralph's sub-speciality is the search and review of electronic evidence using multimodal methods, including artificial intelligence. He also has a free online training program to teach these advanced methods - the "TAR Course." Ralph has devoted a month of his time each year since 2013 to research and test various AI-enhanced document review methods. In 2015 and 2016 Ralph and his Team participated in the TREC Total Recall Track experiments sponsored by the National Institute of Standards and Technology. Ralph has been involved with computers and the law since 1978. His full biography is found at RalphLosey.com. Ralph is the proud father of two children, Eva M. Losey and Adam Colby Losey, a high-tech lawyer married to another e-discovery lawyer, Cat Jackson Losey, and, best of all, Ralph has been married since 1973 to Molly Friedman Losey, a mental health counselor and life-long friend.

One Comment on “Sec. 4 – Mod. K

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: