Ethical Considerations For Attorneys In The Evolving World Of Cyber Security And Data Breaches

Hacking and the breach of confidential data in the retail, healthcare, and financial industries have been recurring and well reported events. Law firms are not immune from such incidents, and in fact, are attractive targets given that they may possess client financial and personal data, trade secrets, business plans, and intellectual property data sought after by cyber criminals. Earlier this year, media outlets reported that hackers gained access to the computer networks of a number of large law firms, which represented clients on sensitive merger and acquisition matters. Before a data breach like this occurs, law firms, large or small, should review and evaluate their obligations and duties to protect confidential client electronic data. They should have an incident response team and plan already in place.

Hacks and data breach events raise ethical concerns for attorneys in New York State, if they have not taken reasonable care to protect their clients' confidential information. Rule 1.6 of the New York Rules of Professional Conduct defines the attorney's obligation to protect a client's confidential information. Rule 1.6(a) states that a lawyer shall not knowingly reveal a client's confidential information. Rule 1.6(c) further provides that a lawyer "shall exercise reasonable care to prevent "¦ others whose services are utilized by the lawyer from disclosing or using confidential information of a client "¦". Comment 17 to Rule 1.6 states, "[w]hen transmitting a communication that includes information relating to the representations of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients."

The New York State Bar Association Committee on Professional Ethics has issued a number of opinions over the last two decades articulating ethical concerns associated with electronic data. These opinions are relevant in the evaluation of an appropriate standard of care for an attorney regarding his or her compliance with client duties and ethical responsibilities.

One recent release, Opinion 1019, addresses concerns associated with the remote access to a law firm's electronic file. The question raised to the Committee was whether a law firm could provide its lawyers with remote access to its electronic files. The Committee stated that cyber-security issues continued to be a major concern for lawyers. The Opinion noted that a law firm must determine that the technology it will use to provide remote access provides reasonable assurance that confidential client information will be protected. However, the opinion stated that it could not recommend particular steps that would constitute reasonable precautions, including the degree of password protection and/or encryption required, along with security measures the firm must use to determine whether there has been unauthorized access.

Notably, the opinion stated that when the law firm is able to make a determination that the protection provided is reasonable, a client's consent to the system is not necessary. However, the opinion noted that where a law firm cannot ensure reasonable protection for a client's confidential information, it is allowed to request a client's informed consent. However, in such circumstances, the firm must disclose the risks of the system to the client so that the consent is informed.

As the opinion makes clear, lawyers, whether sole practitioners or members of large firms, have an obligation to determine the appropriate level of protection for client confidential information. While the opinion does not specifically provide the degree of password protection or encryption required, at a bare minimum, some degree of password protection and encryption should be in effect when data is able to be accessed on a remote basis. The Opinion serves as a reminder that attorneys have a duty to protect their clients' confidential information and to follow appropriate practices and procedures as they relate to constantly evolving technology security measures. The failure to do so has the potential to not only damage the client and client relationships, but also to expose a lawyer, law firm, and their insurers to potential liability and damages, as well as disciplinary action.