Protection of Client Information: What ABA Opinion 477R Means for You

As technology progresses, the standards for protecting client information, particularly online, demand modern strategies and considerations from lawyers. A new opinion from the ABA Standing Committee on Ethics and Professional Responsibility offers some assistance.

On May 11, the committee issued Formal Opinion 477R to address a lawyer’s ethical obligations to protect confidential client information when transmitting information about the representation over the internet. Opinion 477R updates Formal Opinion 99-413, “Protecting the Confidentiality of Unencrypted E-Mail,” from 1999. It takes a fresh look at advances in technology and ever-increasing cybersecurity threats, and provides guidance on when enhanced security measures are appropriate.

In 1999, the committee concluded that since email provided a reasonable expectation of privacy, lawyers could use it to communicate with their clients, as it would be just as illegal to wiretap a telephone as it would be to intercept an email transmission. At the same time, the committee recognized that some information is so sensitive that a lawyer might consider using particularly strong protective measures depending on the sensitivity of the information, even to the point of avoiding the use of email completely (see Formal Opinion 99-413, page 2).

But now with the development and prevalence of new devices, cloud storage, Wi-Fi, and expanded social media, lawyers often need guidance in what strategies to put in place. These modern problems are also reflected in amendments to Rule 1.1, “Competence,” and Rule 1.6, “Confidentiality of Information,” in the ABA Model Rules of Professional Conduct, which were updated to reflect a lawyer’s obligation to protect client confidences when transmitting information over the internet. Paragraph 8 of the Comment to Rule 1.1 now states that “a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks of technology.”

The commission also added a new subpart (c) to Rule 1.6 that states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

What should you consider when assessing security needs?

On page 5, Formal Opinion 477R advises lawyers to assess the security that’s appropriate for client information using these factors (see paragraph 18 of the Comment to Model Rule 1.6):

• The sensitivity of the information
• The likelihood of disclosure if additional safeguards are not employed
• The cost of employing additional safeguards
• The difficulty of implementing the safeguards
• The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)

What steps can you take to protect client information?

After you assess security needs, the committee recommends the following measures to guard against disclosures:

1. Understand the nature of the threat. Consider the sensitivity of the client’s information and whether higher levels of protection are warranted.

2. Understand how client confidential information is transmitted and where it is stored. Have a basic understanding of how your firm manages and accesses client data. Be aware that every device you grant access to firm information is an access point and should be evaluated for security compliance.

3. Understand and use reasonable electronic security measures. Know what security measures are available, and adopt the right practices for your firm. This may include things like secure Wi-Fi, firewalls, anti-spyware/antivirus software, and encryption.

4. Determine how electronic communications about clients’ matters should be protected. Simply put: Ask your client! Discuss the level of security that’s appropriate when communicating electronically. If the information is sensitive or warrants extra security, consider safeguards like encryption or password protection for attachments. Also, consider the client’s level of sophistication. If the client is unsophisticated or has limited access to appropriate technology protections, alternative non-electronic communication may be best.

5. Label client confidential information. Mark electronic communications as privileged and confidential to put any unintended lawyer recipient on notice that the information is privileged and confidential. Under Model Rule 4.4(b), “Respect for Rights of Third Persons,” the inadvertent recipient would be on notice to promptly notify the sender.

6. Train lawyers and nonlawyer assistants in technology and information security. Both lawyers and support personnel must understand how to use reasonably secure methods of communication with clients. You and your employees are the number one source of inappropriate disclosures!

7. Conduct due diligence on vendors providing communication technology. Take steps to ensure that any outside vendor’s conduct comports with the professional obligations of the lawyer.

Remember, as technologies become more affordable and easier to use, you’ll increasingly be expected to know how to use them to observe your duties to clients. If you need to update your client paperwork for the digital age, download our e-kit, “5 Forms to Modernize Your Attorney-Client Agreements” for some ready-to-use templates to get you started.