Competence, Confidentiality, and Cybersecurity

January 2, 2018

By: Cecil E. Morris, Jr.

Reflecting on developments in legal ethics in 2017, especially for in-house counsel, one of the most significant involves lawyers' duties of competence and confidentiality and the challenge of cybersecurity.


In 2016, the Colorado Supreme Court adopted amendments to the Rules of Professional Conduct, based on changes to the ABA Model Rules recommended by the ABA Ethics 20/20 Commission.  Among other things, these amendments require lawyers to keep abreast of changes in communications and other relevant technologies as part of their duty of competence, Colo. RPC 1.1, cmt. [8]; they require lawyers to use reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, client information as part of their duty of confidentiality, Colo. RPC 1.6(c) & cmts. [18], [19]; and they clarify that when outsourcing, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer's professional obligations as part of the lawyer's duty of supervision, Colo. RPC 5.3, cmts. [3], [4].


New comments [18] and [19] to Rule 1.6 identify several general factors to be considered in determining the reasonableness of the lawyer's efforts to prevent the inadvertent disclosure of, or unauthorized access to, confidential information and in determining the reasonableness of the lawyer's precautions to prevent communications from coming into the hands of unintended recipients.  However, these factors provide only limited guidance.


Two developments in 2017 provided lawyers with more specific guidance beyond the general factors identified in the new comments to Rule 1.6.  These developments were the issuance of ABA Formal Ethics Opinion 477R on securing the communication of protected client information and the issuance of the Association of Corporate Counsel's Model Information Protection and Security Controls for Outside Counsel Possessing Company Confidential Information ("Model Controls").


ABA Formal Ethics Opinion 477R updates ABA Formal Ethics Opinion 413 on protecting the confidentiality of unencrypted email, which was issued in 1999.  Formal Opinion 413 concluded that unencrypted email is generally sufficient, given the expectation of privacy relating to email.  However, changes in technology and the Rules of Professional Conduct since 1999 required a re-examination of the issue.


Formal Opinion 477R continues with the basic premise of Formal Opinion 413, but Formal Opinion 477R concludes that lawyers cannot always rely on unencrypted email and may have to take special security measures, given the increased risk and sophistication of cyber threats.  Formal Opinion 477R is available here. 


Formal Opinion 477R acknowledges that it is not possible to specify reasonable steps under any given set of facts in advance, but it offers the following considerations "as guidance" beyond the general factors set forth in comment [18] to Rule 1.6:  understand the nature of the threat; understand how confidential client information is transmitted and where it is stored; understand and use reasonable electronic security measures; determine how electronic communications about client matters should be protected; label confidential client information; train lawyers and non-lawyer assistants in technology and information security; conduct due diligence on vendors providing communication technology; and communicate with the client about these issues.  On each of these considerations, Formal Opinion 477R provides more specific and valuable direction.


Another significant development in 2017, especially for in-house counsel, was the issuance of the ACC Model Controls. Although the Model Controls are directed at outside counsel, they also provide guidance for the lawyer within the in-house law department itself.  The Model Controls are a draft form of agreement between a company and its outside counsel about the handling of company confidential information.  The Model Controls define terms, require outside counsel to have policies and procedures in place, and address a range of specific issues:  retention and return/destruction; data handling, including encryption in transit, encryption at rest, and encryption on portable devices or transmitted over non-secure communication channels; physical security; logical access control; monitoring; vulnerability controls and risk assessments; system administration and network security; security review rights; industry certification/additional security requirements; background screening of outside counsel employees, subcontractors, and contingent workers; cyber liability insurance; and subcontractors.


For further specific guidance, the ABA Cybersecurity Legal Task Force is expected to release, at any time, a revised second edition of the publication Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals.


This Article is published for general information, not to provide specific legal advice. The application of any matter discussed in this article to anyone's particular situation requires knowledge and analysis of the specific facts involved.

Copyright © 2018 Fairfield and Woods, P.C., ALL RIGHTS RESERVED.