In May 2017, the American Bar Association issued a formal opinion on attorneys’ duty to ensure the security and confidentiality of attorney-client communications. ABA formal opinions are not binding, but they are considered highly persuasive authority, and state bar associations give them considerable deference when defining and interpreting their own ethical rules.
The opinion interprets Rule 1.6(c) of the Model Rules of Professional Conduct, which requires attorneys to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” A comment to the rule outlines five factors that attorneys should use in determining what constitutes “reasonable efforts” with respect to client information: 1) the sensitivity of the information, 2) the likelihood of disclosure if additional safeguards are not employed, 3) the cost of employing additional safeguards, 4) the difficulty of implementing the safeguards, and 5) the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
The formal opinion sets forth the following seven considerations as guidance for attorneys in determining the specific measures they should implement to try to prevent unauthorized disclosure of client information:
1) Understand the Nature of the Threat.
2) Understand How Client Confidential Information is Transmitted and Where It Is Stored.
3) Understand and Use Reasonable Electronic Security Measures.
4) Determine How Electronic Communications About Clients Matters Should Be Protected.
5) Label Client Confidential Information.
6) Train Lawyers and Nonlawyer Assistants in Technology and Information Security.
7) Conduct Due Diligence on Vendors Providing Communication Technology.