No Safe Harbors for Luddites
Generally, ethics rules tell us what we cannot do and professionalism deals with what we should do.
Question presented
When it comes to cyber- and data security what legal or ethical duties does a Georgia lawyer owe their client?
Working definitions
le•gal eth•ics “Legal ethics set forth the standards of conduct required of an Attorney; professionalism includes what is more broadly expected.” It is safe to say that conventional definitions of “ethics” (i.e., “right vs. wrong”) are more closely akin to legal professionalism. Legal ethics is a more utilitarian concept. Like a carpenter’s hammer, an accountant’s calculator, or a surgeon’s scalpel, “ethics” are a tool of the lawyer’s craft the practical purpose of which is to minimize conflict and instill confidence in the (self-regulating) legal profession.
pro•fes•sion•al•ism “Professionalism concerns the knowledge and skill of the law faithfully employed in the service of client and public good and entails what is more broadly expected of attorneys. It includes courses on the duties of attorneys to the judicial system, courts, public, clients, and other attorneys; attorney competency; and pro-bono obligations.”
General Cyber- and Data-Security Risks
What cyber- and data-security risks do law firms face?
Malicious Threats
Malware (anything that disrupts computer operation, gathers personal data, gains unauthorized access to a computer), ransomware (malware that extorts money), spoofing (disguising the true identity of the email sender), phishing (using social engineering — such as a spoofed email — to install malware or to trick one into revealing private information, or to access a malignant website), snooping (unauthorized access to data), port scanning (scanning for a network’s connections to the Internet).
Email Fraud and “Spoofed Faxes.”
The use of email or fax to communicate with clients presents obvious risks of interception or inadvertent disclosure (for a more in-depth blog post on this subject, see https://alembik.com/blog/security-tips-when-buying-a-home/).
Fraudulent wire transfer schemes.
Even facsimile transmissions via the Internet (“efax”) present a security risk in the context of communicating payoff or wiring instructions.
Portable devices and devices that retain data
Notebook computers, tablets, printers and scanners that store data, flash/thumb drives, cell/smart phones, often contain confidential client information that can be easily lost or disclosed.
Cloud computing
Web-based data storage with inappropriate security and network settings that could enable loss or disclosure of confidential information.
Loss of data from physical hardware failure or theft
Includes deactivated / retired equipment.
Metadata leaks
Metadata is “data about data.” It includes such data as document-author information, document revisions, tracked changes, routing information, improperly redacted data, hidden text, and comments. It can even reveal the encryption methodology in use, facilitate an attacker’s reconnaissance (e.g., by exposing internal file paths), and leak other critical data. “Scrubbing” published or shared files of metadata should be an automatic process.
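As an added illustration (not part of the original outline), the following Python reads a .docx as the zip package it is and reports the leak types listed above, then blanks the author, last-editor and revision fields; the sample document it builds is constructed for the demonstration, and comments, tracked changes and hidden text are only reported because they live in the document body and must be accepted or deleted in the word processor.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the Office Open XML package parts inspected below.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the conventional prefixes when re-serialising
W = "{%s}" % NS["w"]


def inspect_docx(data: bytes) -> dict:
    """Report what a shared .docx still carries: who wrote and last edited it, the
    revision count, and whether comments, tracked changes or hidden text remain."""
    findings = {"author": None, "last_modified_by": None, "revision": None,
                "comments": 0, "tracked_changes": 0, "hidden_runs": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:          # author / editor / revision
            core = ET.fromstring(z.read("docProps/core.xml"))
            findings["author"] = core.findtext("dc:creator", namespaces=NS) or None
            findings["last_modified_by"] = core.findtext("cp:lastModifiedBy", namespaces=NS) or None
            findings["revision"] = core.findtext("cp:revision", namespaces=NS) or None
        if "word/comments.xml" in names:          # reviewer comments
            comments = ET.fromstring(z.read("word/comments.xml"))
            findings["comments"] = len(comments.findall("w:comment", NS))
        if "word/document.xml" in names:          # tracked changes and hidden runs in the body
            body = ET.fromstring(z.read("word/document.xml"))
            findings["tracked_changes"] = sum(1 for e in body.iter() if e.tag in (W + "ins", W + "del"))
            findings["hidden_runs"] = sum(1 for _ in body.iter(W + "vanish"))
    return findings


def scrub_core_properties(data: bytes) -> bytes:
    """Return a copy of the package with author, last-modified-by and revision
    blanked in docProps/core.xml. Comments, tracked changes and hidden text live in
    the document body and have to be accepted or deleted in the word processor;
    this function does not rewrite the body, so re-run inspect_docx afterwards."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                core = ET.fromstring(payload)
                for path, value in (("dc:creator", ""), ("cp:lastModifiedBy", ""), ("cp:revision", "1")):
                    el = core.find(path, NS)
                    if el is not None:
                        el.text = value
                payload = ET.tostring(core, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()


def build_sample_docx() -> bytes:
    """Constructed sample (not a real client file): a minimal .docx that exhibits
    every leak type the text above lists."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>J. Associate</dc:creator>'
            '<cp:lastModifiedBy>Paralegal Desk</cp:lastModifiedBy>'
            '<cp:revision>7</cp:revision></cp:coreProperties>') % (NS["cp"], NS["dc"])
    document = ('<w:document xmlns:w="%s"><w:body>'
                '<w:p><w:r><w:t>Settlement demand: $75,000</w:t></w:r></w:p>'
                # a tracked change still records the earlier figure
                '<w:p><w:ins w:id="1" w:author="J. Associate"><w:r><w:t>$75,000</w:t></w:r></w:ins>'
                '<w:del w:id="2" w:author="J. Associate"><w:r><w:delText>$50,000</w:delText></w:r></w:del></w:p>'
                # hidden text (w:vanish) is invisible on screen but present in the file
                '<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>Client will accept $40,000</w:t></w:r></w:p>'
                '</w:body></w:document>') % NS["w"]
    comments = ('<w:comments xmlns:w="%s">'
                '<w:comment w:id="0" w:author="Partner"><w:p><w:r><w:t>Do not go below 40k</w:t></w:r></w:p></w:comment>'
                '<w:comment w:id="1" w:author="Partner"><w:p><w:r><w:t>Check conflicts first</w:t></w:r></w:p></w:comment>'
                '</w:comments>') % NS["w"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before scrub:", inspect_docx(sample))
    print("after scrub: ", inspect_docx(scrub_core_properties(sample)))
```

Running it on a real file is a matter of passing `open(path, "rb").read()` to `inspect_docx`; a non-zero count for comments, tracked changes or hidden runs means the document is not ready to share.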
Outsourcing
Vendors such as IT professionals, software vendors and supporters whose cyber security practices are less than ideal can be a threat.
Social media and list-serves
Discussions regarding client situations and confidences that may tend to disclose the identity of the client or other confidential information. Beware of your on-line activities and contacts being tracked and preserved. Anything posted to the Internet should be considered on your “permanent record.”
General Cyber- and Data-Security Protections
Technical Safeguards of Data
Using the implementation of HIPAA’s regulations as a guide, it becomes readily apparent that the concept of a unified / one-size-fits-all cyber-regulatory scheme for any industry or profession is virtually unattainable. “[T]he entities affected by [HIPAA] are so varied in terms of installed technology, size, resources, and relative risk, that it would be impossible to dictate a specific solution or set of solutions that would be useable by all covered entities.” (Dept. of Health and Human Services, Commentary on final rule adoption, 45 CFR Pts. 160, 162, 164, Fed. Reg. Vol. 68, No. 34, 8335 (Feb. 20, 2003).) The following is a (HIPAA-inspired) conceptual outline of cyber- and data-security safeguards.
Confidentiality / Access control
Access procedures, context-based, role-based, and/or user-based access; ability to obtain appropriate consent to usage of data from an entity whose rights in the data are implicated. Policies authorizing remote access to employees’ personal devices to permit wiping of firm data.
Entity authentication.
Ability to corroborate that an entity is who they claim to be. Examples include a unique user ID, a password ID system, a biometric ID system, a personal ID number, telephone callback (“two-step”), a “token” system (using a physical device for user ID), automatic logoff, etc.
Integrity / authentication.
Ability to corroborate that data has not been altered or destroyed in an unauthorized manner, including audit controls and the ability to record, examine, and report system activity.
Availability
Safeguards against inability to access data due to natural or unnatural events (weather disasters, power interruption, Internet interruption, hacking, etc.), such as offsite data backup and storage.
Communications network / transmission security.
Ability to protect data when transmitted from one point to another.
- Network firewall. Network security device that monitors traffic to or from a private office’s computer and data network. It allows or blocks access based on a specific security rule.
- Use of private networks / VPN. Limiting the exposure of data in transit to interception.
- Encryption. Encryption involves scrambling information so that only the encryption key holder can access the original data and read it. Hard drives, notebook computers, thumb drives, and data stored in the cloud are good candidates for encryption. Email may also be considered for encryption for sensitive matters.
- Protective Software. Protect against viruses, malware, ransomware, malicious websites, etc.
- Alarm capability. Incident detection and alerts to appropriate parties to security incidents of appropriate significance.
Limiting physical access to equipment and premises
Limit physical access to in-office or remote-operating equipment and to equipment that has been retired (i.e., out-of-service computers, hard drives, storage media, devices, etc.).
Firm-wide “Cyber-Secure Culture”
Establishing standard operating procedures and a firm culture of sensitivity to cyber-threats and social engineering may be the most important protection against cyber- and data-security threats.
- Culture. “Your organization’s culture is critical to establishing a successful cybersecurity posture. Its culture must emphasize, reinforce, and drive behavior toward security. A resilient workforce will not exist without a cyber-secure culture.” Cybersecurity is Everyone’s Job, National Initiative for Cybersecurity Education Working Group Subgroup on Workforce Management at the National Institute of Standards and Technology. https://www.nist.gov/sites/default/files/documents/2018/10/15/cybersecurity_is_everyones_job_v1.0.pdf
- Vigilance. Conventional protections include strong and constantly changing passwords, multi-factor authentication, procedures for data retention and destruction of information, and scrubbing metadata.
Third-party collaboration
“Chain of trust” agreements between a “covered entity and its business associate” or with vendors to protect confidentiality, integrity, and availability of data, report security incidents, authorize termination of contract for violations.
Selected legal authorities on Cyber- and Data Security and the attorney-client relationship
Cyber-torts and other causes of action.
Negligence
“[I]t is the general rule in the majority of states that in a legal malpractice action, the client has the burden of establishing three elements: (1) employment of the defendant attorney, (2) failure of the attorney to exercise ordinary care, skill and diligence, and (3) that such negligence was the proximate cause of damage to the plaintiff.” Rogers v. Norvell, 174 Ga. App. 453, 457 (1985). It is unclear what, if any, published cases exist in which attorneys have been successfully sued for the negligent breach of a duty arising from cyber- or data-security matters.
Breach of Fiduciary Duty
“All attorneys at law are agents for their principal ….” Jackson v. Fincher, 128 Ga. App. 148, 151 (1973). Thus, consider the law of agency and of fiduciary duties as also being a source of authority for an attorney’s duty to their client.
- Lawyer as “fiduciary.” “The relation between a principal and an agent is one of a fiduciary character.”
- Loyalty and good faith. “The law imposes upon every agent the obligation to exercise for and in behalf of his principal, skill, loyalty, and absolute good faith. It is of the essence of the contract of the agent that he will use his best skill and judgment to promote the interest of his employer.” Napier v. Adams, 166 Ga. 403 (1928) (cits. omitted). It is unclear what, if any, published cases exist in which attorneys have been successfully sued for the breach of a fiduciary duty arising from cyber- or data-security matters.
Common law conversion
Where an attorney negligently compromises or discloses client data can the client file an action for conversion? Roughly three approaches to a theory of liability based on conversion appear to have emerged. But none appear to involve attorneys.
- First view: “Loss” of duplicate data is not conversion. The federal district court for the District of Columbia in Council on American–Islamic Relations Action Network, Inc. v. Gaubatz, 793 F.Supp.2d 311, 340 (D.D.C. 2011), observed that a claim for conversion cannot be constructed on a defendant’s having obtained “copies of documents while the plaintiff retains the originals because the mere copying of documents does not seriously interfere with the plaintiff’s right of control.” Id. at 340.
- Second view: Intermediate standard requiring a “merger” of the intangible data with a physical document. The majority of courts (and the Restatement (Second) of Torts) have adopted an intermediate, or “merger,” theory, which authorizes a conversion claim for intangible goods “where the intangible property relations are merged into a document….” Integrated Direct Marketing, LLC v. May, 143 F. Supp. 3d 418, 426 (E.D. Va. 2015). The Restatement suggests that a “merger” occurs when a document embodies “an intangible obligation” or “is regarded as equivalent to the obligation” and the physical document can therefore “be the subject of conversion as the embodiment of and as representing … the obligation.” Restatement (Second) of Torts § 242 cmt. a (1965). According to the Restatement these intangibles can include “promissory notes, bonds, bills of exchange, share certificates, and warehouse receipts, whether negotiable or non-negotiable.” Hinkle Oil & Gas v. Bowles Rice McDavid Graff & Love LLP, 617 F.Supp.2d 447 (W.D. Va. 2008) (quoting Restatement (Second) of Torts § 242 cmt. b).
- Third view: Conversion of the benefit of the data can arise where its exclusivity or secrecy is “converted.” Other courts have rejected the tangible/intangible distinction. Where disclosure deprives the client of the benefit of confidential data (even though the client continues to retain non-exclusive ownership of it), an intangible property right has nevertheless been converted:
- Website. Astroworks, Inc. v. Astroexhibit, Inc., 257 F.Supp.2d 609, 618 (S.D.N.Y. 2003) (allowing a conversion claim for a copyrighted and trademarked website embodying plaintiff’s idea);
- Domain name. Eysoldt v. ProScan Imaging, 194 Ohio App. 3d 630, 957 N.E.2d 780, 786 (2011) (finding that “the law has changed” to allow claims for conversion of “identifiable intangible property rights” including domain names and email accounts);
- Patient list. Warshall v. Price, 629 So.2d 903, 904–05 (Fla.Dist.Ct.App.1993) (allowing a claim for conversion of a patient list when the defendant copied the list and used it to solicit patients because those actions denied the plaintiff “the benefit of his confidential patient list” even though plaintiff never lost access to the list);
- Computer data. Conant v. Karris, … 520 N.E.2d 757, 763 (1987) (finding that allegations that defendants disclosed and used confidential information “contained in a computer printout” were sufficient to state a claim for conversion because “the original owner would be deprived of the benefit of the information” through such disclosure and use….) – Integrated Direct Mktg., LLC v. May, 143 F.Supp.3d 418, 427 (E.D. Va., 2015).
- Economic Loss Doctrine. “The economic loss doctrine provides that certain economic losses are properly remediable only in contract.” Giles v. GMAC, 494 F.3d 865, 873 (9th Cir. 2007). This theory arose in the 20th century in response to manufacturers’ practice of insulating themselves from personal-injury product-liability claims under onerous contractual limited-warranty provisions. The economic loss doctrine pierced limited warranties by authorizing tort claims to proceed, but at the same time enforced the contractual warranty limitations where “a defective product causes purely monetary harm.” See East River Steamship Corp. v. Transamerica Delaval, Inc., 476 U.S. 858, 868 (1986). The application of the economic loss rule outside of product-liability cases “has produced difficulty and confusion.” Giles at 874 (citations omitted). The economic loss rule “has been stated with ease but applied with great difficulty.” Id. And, indeed, “[m]any courts have explicitly refused to extend the economic loss doctrine beyond the product liability context or beyond claims for negligence and strict liability.” Giles at 875. When applied to conversion cases, the “economic loss doctrine” can limit recovery to intentional tort cases, but not where the cause of action “does not duplicate a contract claim,” and arises from an “independent duty imposed under tort law not to take Appellants’ property without legal duty to do so.” Giles at 880.
Trade secret appropriation
Unauthorized use of a trade secret for commercial use. It seems unlikely for this tort to be able to arise from an attorney-client relationship, but it does seem to be an extension of the “conversion-of-the-benefit” theory discussed above.
Invasion of seclusion or privacy
Restatement: See § 652A Restatement (Second) of Torts at 376:
- One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other.
- The right of privacy is invaded by
- unreasonable intrusion upon the seclusion of another
- appropriation of the other’s name or likeness
- unreasonable publicity given to the other’s private life
- publicity that unreasonably places the other in a false light before the public.
Georgia case law:
“Under Georgia case law, the concept of invasion of privacy encompasses four loosely related but distinct torts, as follows: (1) intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs; (2) public disclosure of embarrassing private facts about the plaintiff; (3) publicity which places the plaintiff in a false light in the public eye; and (4) appropriation for the defendant’s advantage of the plaintiffs’ name and likeness.” – Johnson v. Allen, 272 Ga. App. 861, 863 (2005) (quoting Sun v. Langston, 170 Ga.App. 60, 61(2), 316 S.E.2d 172 (1984)).
Duplicative claims
As a general rule, any claim against an attorney arising out of the same conduct — i.e., failure to meet relevant professional standards — is considered to be duplicative of associated breach-of-contract and breach of fiduciary duty claims. “Georgia courts routinely dismiss fiduciary duty and contract claims when they rely on the same allegations and implausible inferences as in the legal malpractice claim.” Hays v. Page Perry, LLC, 26 F. Supp. 3d 1311, 1320 (N.D. Ga. 2014), aff’d, 627 Fed. Appx. 892 (11th Cir. 2015).
Selected Georgia statutes regarding data protection
Civil Practice Act — O.C.G.A. § 9-11-17.1 (a) Redacted filings
“Except as provided in subsections (b) and (c) of this Code section or unless the court orders otherwise, a filing with the court that contains a social security number, taxpayer identification number, financial account number, or birth date shall include only: (1) The last four digits of a social security number; (2) The last four digits of a taxpayer identification number; (3) The last four digits of a financial account number; and (4) The year of an individual’s birth.”
Penalty. There is apparently no penalty for a violation of O.C.G.A. § 9-11-17.1, except, perhaps, contempt.
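As an added illustration (not part of the original outline), the following Python screens a filing for the four identifier classes the statute names and reduces each to the permitted form; the “Account No.” label pattern and the sample paragraph are my assumptions, and an account number that appears without such a label is not detected, so a human read-through is still required.

```python
import re

# One pattern per identifier class named in O.C.G.A. § 9-11-17.1(a). Account
# numbers are matched only next to an "Account No." style label (an assumption),
# so case numbers, ZIP codes and phone numbers in the filing are left alone.
SSN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
TIN = re.compile(r"\b(\d{2})-(\d{7})\b")  # employer identification number form
ACCOUNT = re.compile(r"(?i)(acc(?:oun)?t\.?\s*(?:no\.?|number|#)\s*:?\s*)(\d{5,})\b")
DOB = re.compile(r"(?i)\b(born|date of birth|dob)(\s*:?\s*)(\d{1,2})/(\d{1,2})/(\d{4})\b")

PATTERNS = (("ssn", SSN), ("tin", TIN), ("account", ACCOUNT), ("dob", DOB))


def redact_for_filing(text: str) -> str:
    """Reduce each identifier to what the statute permits in a filing: the last
    four digits of an SSN, TIN or account number, and the year only of a birth date."""
    text = SSN.sub(lambda m: "XXX-XX-" + m.group(3), text)
    text = TIN.sub(lambda m: "XX-XXX" + m.group(2)[-4:], text)
    text = ACCOUNT.sub(lambda m: m.group(1) + "X" * (len(m.group(2)) - 4) + m.group(2)[-4:], text)
    text = DOB.sub(lambda m: m.group(1) + m.group(2) + m.group(5), text)
    return text


def unredacted_identifiers(text: str) -> list:
    """Pre-filing check: every identifier still present in full, as (kind, match)."""
    return [(kind, m.group(0)) for kind, pat in PATTERNS for m in pat.finditer(text)]


# Constructed sample paragraph, not taken from any real filing.
SAMPLE = ("Plaintiff (SSN 123-45-6789, DOB: 03/14/1985) held Account No. 4417000012345678 "
          "at the bank; defendant's TIN is 58-1234567. Case No. 2019-CV-001234; "
          "phone 404-555-0100.")

if __name__ == "__main__":
    print(unredacted_identifiers(SAMPLE))
    print(redact_for_filing(SAMPLE))
    print(unredacted_identifiers(redact_for_filing(SAMPLE)))  # expect []
```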
Title 10 of the Georgia Code (Commerce and Trade / Business Administration — O.C.G.A. § 10-15-1, et seq.):
Addresses discarded personal information.
- Personal information. This chapter of Title 10 protects “personal information,” which is defined under O.C.G.A. § 10-15-1 as: (A) Personally identifiable data about a customer’s medical condition, if the data are not generally considered to be public knowledge; (B) Personally identifiable data which contain a customer’s account or identification number, account balance, balance owing, credit balance, or credit limit, if the data relate to a customer’s account or transaction with a business; (C) Personally identifiable data provided by a customer to a business upon opening an account or applying for a loan or credit; or (D) Personally identifiable data about a customer’s federal, state, or local income tax return.
- Coverage. The chapter (O.C.G.A. § 10-15-1, et seq.) applies to any “[b]usiness,” i.e., “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit.” It does not apply to any bank / financial institution subject to the privacy/security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801, et seq., any entity subject to HIPAA (see below), or any business subject to a federal law mandating similar regulation of personal information.
- The chapter identifies acceptable methods of discarding records containing personal information (O.C.G.A. § 10-15-2): A business may not discard a record containing personal information unless it: (1) Shreds the customer’s record before discarding the record; (2) Erases the personal information contained in the customer’s record before discarding the record; (3) Modifies the customer’s record to make the personal information unreadable before discarding the record; or (4) Takes actions that it reasonably believes will ensure that no unauthorized person will have access to the personal information contained in the customer’s record for the period between the record’s disposal and the record’s destruction.
- The chapter affords no private cause of action. These provisions are only enforceable by Georgia’s Attorney General. See O.C.G.A. § 10-15-5. Under O.C.G.A. § 10-15-6(a), a violation of O.C.G.A. § 10-15-2 can result in a civil penalty of $500 per incident not to exceed $10,000. But an affirmative defense to the charge can be established “if the business can show that it used due diligence in its attempt to properly dispose of or discard such records.”
- The chapter fails to address substandard use or retention of data. The activity that triggers liability is not the improper use or retention of personal information. It is the act of “discarding” same. The term “Discard” is defined to mean “to throw away, get rid of, or eliminate.” O.C.G.A. § 10-15-1(5). If a malign third-party actor takes it upon themselves to “throw away, get rid of, or eliminate” a business’s negligently stored data, the business would not be liable, no matter how negligently the data was maintained, because that business did not actually “discard” the data.
Fair Business Practices Act (O.C.G.A. § 10-1-393.8)
Prohibits any “person, firm, or corporation” from “(1) Publicly post[ing] or publicly display[ing] in any manner an individual’s social security number.”
Selected Federal statutes regarding data protection
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Pub. L. 104-191, 110 Stat. 1936 (1996), codified at 42 U.S.C. § 300gg, 29 U.S.C. § 1181, et seq., and 42 U.S.C. § 1320d, et seq. Regulations at 45 CFR parts 160, 162, and 164. A study of HIPAA reveals how difficult it is to create a practical regulatory scheme addressing cyber-data and cyber-security.
- Electronic protected health information (“EPHI”) standards. HIPAA’s so-called “Security Rule” establishes national standards to protect an individual’s EPHI that is created, received, used, or maintained by “a covered entity.” Rules implemented under HIPAA require “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of [EPHI].” https://tinyurl.com/yayfnzo8. See 45 CFR § 154.308.
- Covered entities. HIPAA applies to “covered entities,” i.e., health plans, healthcare clearinghouses, healthcare providers who transmit health information electronically, and “business associates” of covered entities. Such business associates can include law firms representing covered entities. But business associates do not include
- Qualified protective order. A litigant seeking EPHI from a covered entity has several options available to them under 45 C.F.R. § 164.512(e)(1). One option is to secure a so-called “qualified protective order” (“QPO”) from a “court or administrative tribunal.” Remarkably, the regulation does not impose a data-security requirement on the party seeking EPHI under the QPO. It only prohibits the litigants “from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested”; and, it “[r]equires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.” 45 C.F.R. § 164.512(e)(1)(v)(A) and (B).
- No private right of action. There is no private right of action under HIPAA. “HIPAA provides both civil and criminal penalties for improper disclosures of medical information.… However, HIPAA limits enforcement of the statute to the Secretary of Health and Human Services.” Acara v. Banks, 470 F.3d 569 (5th Cir. 2006) (citing 42 U.S.C. §§ 1320d-5, d-6).
Sarbanes-Oxley Act (“SOX”)
Pub. L. 107-204, 116 Stat. 750 (2002), codified at 15 U.S.C. § 7201, et seq. Expands the scope of the Securities Exchange Act of 1934 and mandates an “adequate internal control structure” for publicly traded companies. 15 U.S.C.A. § 7262. Such internal controls include data-security standards. See Thomas v. Tyco Int’l Mgmt. Co., 262 F.Supp.3d 1328, 1336 (S.D. Fla. 2017). While SOX doesn’t necessarily apply to law firms, it could implicate firms representing publicly traded corporate clients.
Ethical Duties Implicated by Cyber- and Data Security
Ethical duties and legal standards of liability
“While the Code of [Professional Conduct] provides specific sanctions for the professional misconduct of the attorneys whom it regulates, it does not establish civil liability of attorneys for their professional misconduct, nor does it create remedies in consequence thereof.” See Davis v. Findley, 262 Ga. 612, 613 (1992).
Rule 1.1 Competence
Compare the Georgia Rule of Professional Conduct with its American Bar Association counterpart in the following table:
Rule | Georgia Rules of Professional Conduct | ABA Model Rules of Professional Conduct |
1.1 Competence | A lawyer shall provide competent representation to a client. Competent representation as used in this Rule means that a lawyer shall not handle a matter which the lawyer knows or should know to be beyond the lawyer’s level of competence without associating another lawyer who the original lawyer reasonably believes to be competent to handle the matter in question. Competence requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation. | A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation. |
Comments re: continuing study and education. | [Cmt. 6] To maintain the requisite knowledge and skill, a lawyer should engage in continuing study and education. [Silent about “technology” per se.] | [Cmt. 8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject. [Emphasis added.] |
ABA Formal Opinion 99-413 (1999)
The ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 99-413 (1999), “Protecting the Confidentiality of Unencrypted Email,” in which it concluded that “email communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy.” However, different cases may merit different approaches to security; the opinion emphasized:
[A] lawyer’s obligation to consider with her client the sensitivity of the communication, the costs of its disclosure, and the relative security of the contemplated medium of communication. Particularly strong protective measures are warranted to guard against the disclosure of highly sensitive matters. Those measures might include the avoidance of email, just as they would warrant the avoidance of the telephone, fax, and mail.
ABA Formal Opinion 11-459 (2011)
This opinion, regarding a lawyer’s duty to protect the confidentiality of email communications with one’s client, emphasizes a lawyer’s duty to warn their client about the risk of using a “workplace device or system for sensitive or substantive communications.”
“Technology amendments” to the ABA Model Rules (2012)
The ABA updated the comments to Rule 1.1 on lawyer technological competency, added Para. 1.1(c), and added a new comment to Rule 1.6 regarding a lawyer’s affirmative duty to take reasonable measures to prevent “inadvertent or unauthorized disclosure of information relating to the representation.”
ABA Formal Opinion 477R (2017)
“In Formal Opinion 99-413 this Committee addressed a lawyer’s confidentiality obligations for email communications with clients. While the basic obligations of confidentiality remain applicable today, the role and risks of technology in the practice of law have evolved since 1999 prompting the need to update Opinion 99-413.”
Rule 1.6(a) Confidentiality
Compare the Georgia and ABA rules in the following table:
Rule | Georgia Rules of Professional Conduct | ABA Model Rules of Professional Conduct |
1.6(a) Confidentiality of Information | A lawyer shall maintain in confidence all information gained in the professional relationship with a client, including information which the client has requested to be held inviolate or the disclosure of which would be embarrassing or would likely be detrimental to the client, unless the client gives informed consent, except for disclosures that are impliedly authorized in order to carry out the representation, or are required by these Rules or other law, or by order of the Court. | A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b). |
1.6(c) (affirmative duty regarding unauthorized disclosure) | [Not adopted in Georgia] | A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. |
ABA’s Model Rule 1.6(c)
This model rule, which is not adopted in Georgia, imposes an affirmative duty to “prevent … inadvertent or unauthorized” disclosures.
ABA’s reasonable-efforts standard
Rule 1.6(c) does not prescribe specific measures but imposes a “reasonable efforts” standard on lawyers to assess risks and implement security measures according to the facts of the case. The reasonable efforts standard:
. . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a “process” to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.
See Rhodes & Polley, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals at 48–49 (2013).
Comment [18] to ABA Model Rule 1.6:
Factors to guide lawyers in exercising “reasonable efforts”:
- The sensitivity of the information;
- The likelihood of disclosure if additional safeguards are not employed;
- The cost of employing additional safeguards;
- The difficulty of implementing the safeguards; and,
- The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
ABA Formal Opinion 477R (May 22, 2017)
The ABA’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477R to provide guidance for securing clients’ electronic communications. F.O. 477R updates Formal Opinion 99-413 (“Protecting the Confidentiality of Unencrypted E-Mail”) and relies on ABA Model Rules 1.1 and 1.6 — including 1.6(c) which is not adopted in Georgia. The fundamental guiding principle of F.O. 477R is that each attorney must assess their own circumstances in designing and implementing cyber- and data-security safeguards. The following “general considerations” should be applied to any given set of facts:
- Understand the Nature of the Threat. Balance the magnitude of the “sensitivity of a client’s information and whether the client’s matter is [at] a higher risk for cyber intrusion” against protections that would be proportionate to the risk. “‘Reasonable efforts’ in higher risk scenarios generally means that greater effort is warranted.”
- Understand How Client Confidential Information is Transmitted and Where It Is Stored. Understand where the law firm’s electronic communications are created and stored to best manage “the risk of inadvertent or unauthorized disclosure of client-related information.”
- Understand and Use Reasonable Electronic Security Measures. This consideration is based on Model Rule 1.6(c) [not adopted in Georgia]. It requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. As Comment [18] makes clear, what is deemed to be “reasonable” may vary, depending on the facts and circumstances of each case. Consider such tools as data encryption and multi-factor authentication. “Deleted” data does not necessarily mean it is permanently inaccessible.
- Determine How Electronic Communications About Client Matters Should Be Protected. Levels of security should be appropriate to the context and the sensitivity of the data. Communicate with the client to discuss appropriate levels of security.
- Label Client Confidential Information. Identify confidential data with appropriate labels, including in the subject matter line of emails and in other documents.
- Train Lawyers and Nonlawyer Assistants in Technology and Information Security. This consideration references Rule 5.1 regarding the duty to train nonlawyer assistants in information security.
- Conduct Due Diligence on Non-Attorney Vendors Providing Communication Technology. Factors to consider in vendor selection:
- “the education, experience, and reputation of the nonlawyer”;
- “the nature of the services involved”;
- “the terms of any arrangements concerning the protection of client information”; and
- “the legal and ethical environments of the jurisdictions in which the services will be performed particularly with regard to confidentiality.”
Are there Legal or Ethical Cyber-Safe-Harbors?
Join the Luddite movement and unplug
The only true “cyber-safe-harbor” is to unplug from the Internet, and to throw out your computers, cell phones, and other digital devices (but only after properly wiping them of any client data). You may keep your landline telephones and (landline) fax machine. You may also keep your typewriters, pens, pencils, and legal pads. In the modern world, however, few attorneys can really operate in this fashion. Remember, too, that social engineering has been occurring since Eve was tempted by the serpent.
Short of unplugging there is no perfect safe harbor
There is no “one-size-fits-all” legal or ethical standard that can guarantee that any lawyer will have no exposure to ethical or legal liability involving cybersecurity.
Technology is evolving
Each actor in every marketplace will be exposed to different and evolving cyber- and data-security risks, and should thus be expected to deploy different, tailored cyber- and data-security protections. What might be a safe practice today could be dangerous tomorrow.
Legislation / Regulation is imprecise
Legislators and government agencies can’t keep up with evolving technology. They can’t promulgate universally appropriate standards applicable to every actor. Consider that Sarbanes-Oxley’s standard of care for covered businesses is a platitude: “adequate internal control structure.” HIPAA’s is not much different: “appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security,” of data. These sorts of standards are defined in the “eye of their beholder.”
State Bar opinions may provide a degree of protection or direction
- Rule 4-401 (Informal Advisory Opinions). Informal advisory opinions do not represent a defense to an ethics complaint: “An Informal Advisory Opinion is the personal opinion of the issuing attorney of the Office of the General Counsel and is neither a defense to any complaint nor binding on the State Disciplinary Board, the Supreme Court of Georgia, or the State Bar of Georgia.”
- Hotline. The State Bar’s ethics hotline (404.527.8720 or 800.334.6865) provides informal advisory opinions.
- Rule 4-403 (Formal Advisory Opinions). More formality and more, albeit imperfect, protection.
- Georgia AO 41 (Nov. 15, 1985). In the context of client secrets and confidences, Advisory Opinion 41 may be worth studying, even though it was published prior to the adoption of the Code of Professional Responsibility. “[I]n responding to a general Notice to Produce Lawyer X must not voluntarily reveal the name/identity of his clients to the Georgia Department of Revenue unless he obtains the consent of the client or clients affected after a full disclosure. [Standard 28(b)(1)] Further, Lawyer X must resist disclosure until a court orders disclosure [Standard 28(b)(2)] and thereafter he may pursue all reasonable avenues of appeal.” Although AO 41 deals with intentional disclosure of a client’s identifying information, at some point a lawyer’s inadvertent disclosure of such information that could have been prevented might implicate the confidentiality protections of Rule 1.6(a).
Identifiable “Un-Safe Harbors” that must be addressed:
In this writer’s opinion, a cyber- or data-security safe harbor is a mythical place. But there do exist certain risks (conceptual “floating explosive mines” or “hidden reefs,” if you will) that are too dangerous to ignore. These security failures are likely to make one’s law office a dangerous harbor for “docking” client data or for the purpose of communicating with the outside world. Avoiding them only represents the bare minimum standard to which a lawyer or law firm should adhere for the purpose of compliance with Rules 1.1 and 1.6(a). A list of these risks would include the following:
Backup
Failure to implement proper (i.e., automated and offsite) data-backup and data-continuity procedures, including appropriate levels and methods of redundancy;
Employee SOP
Failure to implement proper standard operating procedures (“SOPs”) to control administrative privileges and to prevent social engineering and phishing, and failure to revoke the credentials of terminated employees or vendors;
Network security
Failure to implement proper network security (e.g., a network “firewall,” obtaining reliable, up-to-date DNS information, etc.);
User authentication
Failure to implement sensible password/user-authentication policies for all equipment and devices; two-factor authentication is becoming commonplace, if not state of the art, for remote access and VPN; password managers are also critical for ensuring that every password for every site or device is unique;
Malware software
Failure to implement and update anti-malware software;
Patches and updates
Failure to regularly check for and install patches and updates to operating systems and application software;
Obsolescence
Failure to retire obsolete / unsupported operating systems, hardware, and software;
Physical access
Failure to prevent physical access to critical equipment (including proper disposal of retired devices) by unauthorized persons;
Mobile devices
Failure to protect mobile devices (smart phones, notebooks, tablets, home computers, etc.) containing sensitive client data through theft-prevention, encryption, and access controls, including remote data-wipe capability;
Backup
It’s worth repeating.
The Bottom Line
Proactive ethical duty
In this writer’s opinion, Rules of Professional Conduct 1.1 and 1.6 impose on a lawyer an ethical duty to their clients to acquire reasonable levels of expertise in applicable data-storage and cyber-security technology. This is true even though Georgia hasn’t formally adopted ABA Model Rule 1.6(c). A lawyer has a fundamental duty to protect their client’s legal interests and property — not just from destruction or compromise, but also from improper disclosure.
Avoid un-safe harbors
The policies and protections deployed by any law firm should, at minimum, include reasonable measures to eliminate the “explosive mines” and “hidden reefs” identified above.
Scalability
The cyber- and data security precautions recommended in this outline should be considered “scalable.” They can be scaled up to the requirements of a large national firm. And, they can be scaled down to the requirements of a medium-sized firm or solo practitioner in a way that is both responsible and economically proportionate to the risks presented.
Cyber- and IT Professional consultations
With ABA Formal Opinion 477R as a guideline, a law firm should consult with competent cyber- and data-security and IT professionals regarding the particular risks faced by that firm. In consultation with such professionals, and to maintain the confidentiality of client data and communications, the law firm should expend reasonable efforts to design appropriately scaled cyber- and data-protection policies and protections.
Consider Cyber-Insurance
The law firm should consider consulting with insurance professionals to determine whether an appropriate enhancement or rider to an existing E&O policy or a new cyber-risks policy is cost-effective and appropriate under the circumstances.
Other management policies
The law firm should consider consulting the State Bar’s Law Practice Management office (http://tinyurl.com/lfq3utg) or other professional consultants for additional assistance or feedback regarding its law-practice management practices and policies.
By Rick Alembik, Richard S. Alembik, PC, Decatur, Georgia. For questions or comments feel free to contact the author. Apologies to Luddite readers.
The scope of this outline does not address other highly relevant issues such as the duties owed to third parties (e.g., opposing counsel or the courts) with respect to cyber- and data security.