By now, it should come as no surprise to hear that law firms are prime targets for cybersecurity attacks. Indeed, law firms collect and store large amounts of confidential, highly valuable corporate records that are attractive to hackers, including intellectual property, strategic business data, and records collected through e-discovery. The failure to protect client data can cause considerable damage to the client and the law firm itself (especially reputational) in the event of a cyber attack. Given the increasing susceptibility of law firms to cyber attacks, it is thus important for lawyers to be aware of their ethical obligations to implement reasonable security practices to protect the confidentiality of client data and to understand the industry standard frameworks to implement effective security programs.
The Duty of Confidentiality

The most important ethical rule relating to lawyer and law firm information security is the duty to protect the confidentiality of client confidences. Rule 1.6 of the New York Rules of Professional Conduct (the “Rules” or “New York Rules”) provides that “[a] lawyer shall not knowingly reveal confidential information … unless the client gives informed consent” or “the disclosure is impliedly authorized to advance the best interests of the client and is either reasonable under the circumstances or customary in the professional community.”

The duty of confidentiality extends to all forms of data, including data stored on law firm servers, emails, data accessed remotely, or when such data is provided to third-party vendors.[1] In that regard, Rule 1.6(a) contains prohibitions against the knowing disclosure of confidential information and Rule 1.6(c) provides that an attorney “shall exercise reasonable care to prevent … others whose services are utilized by the lawyer from disclosing or using confidential information of a client” except to the extent disclosure is permitted under the rule. Along the same lines, ABA Model Rule 1.6(c) provides that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”[2]
Comment 17 to Rule 1.6 of the New York Rules provides some additional guidance to reflect the advent of the information age:

[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.
With advances in technology in recent years, ethics opinions and the ABA have also attempted to address the interplay between technology and confidentiality. According to Comment 17 of ABA Model Rule 1.6(c), factors to be considered in determining the reasonableness of the lawyers’ efforts to secure client data include “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”
Several New York State Bar Association ethics opinions provide further guidance on the duty of attorneys to secure client data. Ethics Opinion 842, for example, in considering an attorney’s duty to secure confidential client data stored on an online “cloud” computer backup system, opined that “exercising ‘reasonable care’ under Rule 1.6 does not mean that the lawyer guarantees that the information is secure from any unauthorized access.” (emphasis in original). Opinion 842 then set forth the following considerations for attorneys to help ensure that client confidential data is secure in the cloud:

1. Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
Get Your Head out of the ‘Cloud’ When Protecting Client Data
Expert Analysis: Ethical Obligations
By Dana Post and Jonathan Elsner
New York Law Journal, Volume 254—No. 125, Thursday, December 31, 2015, www.NYLJ.com
Dana Post serves as special counsel, e-discovery and data management, in the litigation group at Freshfields Bruckhaus Deringer in New York. Jonathan Elsner is an associate in the firm’s dispute resolution group, also in New York.
2. Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;

3. Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or

4. Investigating the storage provider’s ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.[3]
Because “technology and the security of stored data are changing rapidly,” Opinion 842 provided that “[e]ven after taking some or all of these steps … [a] lawyer should periodically reconfirm that the provider’s security measures remain effective in light of advances in technology.”
Additionally, New York State Bar Association Ethics Opinion 1019—which opined on the application of Rule 1.6 when lawyers are given remote access to client files—stated with regard to the duty to secure client data:

Because of the fact-specific and evolving nature of both technology and cyber risks, we cannot recommend particular steps that would constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients, including the degree of password protection to ensure that persons who access the system are authorized, the degree of security of the devices that firm lawyers use to gain access, whether encryption is required, and the security measures the firm must use to determine whether there has been any unauthorized access to client confidential information. However, assuming that the law firm determines that its precautions are reasonable, we believe it may provide such remote access.[4]
The common theme running through these ethical rules and ethics opinions is that attorneys have an affirmative duty of care to secure client information. The requirement to protect client information is, in essence, an information security obligation. There are a number of accepted frameworks and standards for developing, implementing and maintaining a security program of which law firms should be aware, including the International Organization for Standardization,[5] the Information Technology Infrastructure Library[6] and the National Institute of Standards and Technology Special Publication 800 series and Federal Information Processing Standards.[7] Fortunately, these frameworks are generally consistent, and a number of the requirements in the various security frameworks and standards overlap. Thus, regardless of the framework or standard a law firm follows, it is important to undertake all of the activities of a security program.[8]
Duty of Competence

In addition to the duty of confidentiality, a lawyer’s use of technology also implicates Rule 1.1 of the Rules, which deals with an attorney’s ethical duty to provide competent representation. New York Rule 1.1 provides that “[c]ompetent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Moreover, comment 8 to New York Rule 1.1 states that “to maintain the requisite knowledge and skill [to satisfy the duty of competence], a lawyer should … keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information.”
Recent ethics opinions have confirmed that Rule 1.1 of the Rules encompasses technological competence.[9] See, e.g., New York State Bar Association Ethics Opinion 1020 (stating that the use of electronically stored information may not only require reasonable care to protect electronically stored information under Rule 1.6, but may also, under Rule 1.1, require the competence to determine and follow a set of steps that will constitute such reasonable care); New York City Bar Association Formal Opinion 2015-3 (“The duty of competence includes a duty to exercise reasonable diligence in identifying and avoiding common Internet-based scams, particularly where those scams can harm other existing clients.”).
Notwithstanding this duty, a lawyer can turn to the expertise of outside experts when needed to provide technological assistance. In that regard, the ABA cybersecurity handbook specifically states that “[i]f a lawyer is not competent to decide whether use of a particular technology (e.g., cloud storage, public Wi-Fi) allows reasonable measures to protect client confidentiality, the ethics rules require that the lawyer must get help, even if that means hiring an expert information technology consultant to advise the lawyer.”
Conclusion

The threat of a law firm—or a third-party vendor of a law firm storing client data—suffering a cyber attack is a very real possibility. In many cases, data breaches or other types of cyber incidents could have been prevented or detected if the organization had undertaken proper security planning and implemented appropriate security safeguards. Lawyers have an ethical duty to ensure the confidentiality of client data stored electronically and must keep abreast of the best ways to do so technologically. As such, failing to take such measures has the potential not only to compromise client data but to expose a lawyer to liability and reputational damages.
•••••••••••••
1. The ABA Cybersecurity Handbook—which was written in an effort to help lawyers and law firms improve their information security programs—explains that “[t]his obligation to maintain confidentiality of all information concerning a client’s representation, no matter the source, is paramount” and “is no less applicable to electronically stored information than to information contained in paper documents or not reduced to any written or stored form.”

2. ABA Model Rule 1.6(c) (as amended).

3. New York State Bar Association Opinion 940 opined that these principles governing use of “cloud storage system would also govern use of backup tapes maintained away from the firm’s premises.” The reasoning in Opinion 842 would undoubtedly also apply to attorneys using e-discovery vendors to process client data. As such, due diligence should be undertaken by attorneys prior to engaging any third-party vendor that will process or store client data.

4. See also New York State Ethics Opinion 1020 (in examining whether a lawyer may post and share data using a cloud data storage, the opinion stated that the proposed technology may be used “provided that the lawyer takes reasonable steps to ensure that confidential information is not breached” by, for example, “try[ing] to ensure that only authorized parties have access to the system on which the information is shared.”); New York State Ethics Opinion 842 (approving the use of an Internet service provider that scanned emails to assist in providing user-targeted advertising, in part based on published privacy policies of the provider).

5. www.iso.org/iso/home/standards/management-standards/iso27001.htm.

6. http://itil-officialsite.com.

7. http://csrc.nist.gov.

8. The ABA Cybersecurity Legal Task Force Report to the House of Delegates sets forth in detail the measures law firms need to undertake to develop an effective security program.

9. As of December 2015, in addition to New York, 16 other states have adopted an ethical duty of technology competence.
Reprinted with permission from the December 31, 2015 edition of the NEW YORK LAW JOURNAL © 2016 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or [email protected]. # 070-01-16-01