Legal technology experts have long extolled the business benefits of embracing technological advances as a core component of law practice management. Technology can help lawyers respond to clients and prospects more quickly, run their offices more efficiently, and trim overhead costs. But in recent years lawyers have been given another, perhaps even more compelling reason to keep up with technology: it is likely required under their state’s ethics rules.
Currently over half of all jurisdictions have enacted rules mandating that attorneys become and remain familiar with technologies that may impact their practices. These changes come on the heels of a 2012 revision to the American Bar Association’s (“ABA”) Model Rules of Professional Conduct (“Model Rules”) Rule 1.1, which added comment 8. This provision states that in order for lawyers to maintain their professional competence, they must “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” The addition of comment 8 and other related changes resulted from the ABA Commission on Ethics 20/20’s research and recommendations regarding the growing role of technology in the legal profession.
While this update to the Model Rules, which are not binding but have been adopted in some form by most states, did not necessarily represent a change in a lawyer’s obligations relative to technology, it certainly served to highlight them. Since comment 8 was adopted, dozens of states have followed suit, but the relatively vague wording of the new language may leave lawyers in many states wondering what their obligations actually are under this standard.
Looking at the bigger picture, the primary reason for the technology rule’s broad wording is that technology is constantly changing. The legal industry is arguably slow to catch up such advances to begin with, making enforcement of highly particularized requirements somewhat unrealistic. However, a number of states have gone further than simply adopting the language of comment 8, issuing opinions that have provided guidance regarding specific scenarios and technologies, and what they can mean for various ethical duties, including competence, confidentiality, supervision of non-lawyers, and preservation of evidence.
Competence, Confidentiality, and Data Security
In late 2016 the Illinois State Bar Association published Opinion No. 16-06, which concluded that an attorney’s duty of competence in that state when using cloud computing is not fulfilled simply by exercising due diligence in selecting a provider. The use of cloud computing, which the opinion clearly stated was permitted under the amended Illinois rule addressing technological competence, also implicated the lawyer’s duty of confidentiality. Discussing analogous authority from other states related to cloud computing as well as electronic storage of client information by outside vendors, the Bar Association concluded that the duties of competence, confidentiality, and supervision of non-lawyers in this situation included an ongoing obligation to ensure that the cloud computing vendor employed adequate measures to to protect confidential data.
A number of other states, including Tennessee and Washington, have issued opinions on cloud computing or other applicable technology questions and reached similar conclusions, often relying on something like a reasonable care standard. Indeed, ABA Model Rule 1.6(c) (also updated as part of the effort that added the technological competence language to Rule 1.1) mandates that lawyers make “reasonable efforts” to prevent inadvertent disclosure of or unauthorized access to confidential information. This is especially relevant in light of reports that law firms have increasingly become prime targets for hackers due to the high concentration of sensitive client information they possess. In addition to ethical implications, data breaches can also lead to legal liability, creating a strong incentive for lawyers and law firms to to undertake appropriate precautions.
Though it may seem unclear what would constitute “reasonable efforts” to prevent a breach, comment 18 to Model Rule 1.6(c) provides some guidance in this regard. The comment states that factors that may be relevant to a determination of reasonableness in this context can include the sensitivity of the information at issue, the cost of additional safeguards, and the extent to which such safeguards may impair a lawyer’s ability to represent their clients. Further, Pennsylvania and other states (including those discussed above) have issued opinions that include detailed lists of factors to consider in determining whether a lawyer’s efforts to safeguard client secrets when using technology such as cloud computing are sufficient under a reasonable care standard. Model Rule 5.3, comment 3, also updated through the work of the Commission on Ethics Commission 20/20, additionally includes language regarding the “reasonable efforts” a lawyer must take to ensure that nonlawyer outside service providers (e.g. cloud computing vendors) handle client data in a manner that is consistent with the lawyer’s professional duties. The extent of this obligation is fact-dependent, but relevant questions can include the experience level of the nonlawyer, the nature of the contracted services, and the terms of the arrangement as to protecting client information. In sum, ethical duties related to competence and confidentiality are inextricably linked in the world of data security, and lawyers would be well-advised to consider whether their practices (regardless of the particular technology or device at issue) conform to a reasonable care standard, and any other applicable rules in their jurisdiction.
E-Discovery and Internet Research
California has provided specific guidance regarding a slightly different aspect of technological know-how and ethics, addressing e-discovery in a 2015 formal opinion. The opinion presents a hypothetical in which a corporate attorney defending a client company in litigation with a competitor likely breaches ethical duties on multiple fronts by failing to conduct a proper e-discovery evaluation at the outset of the case, inadequately supervising non-lawyers, neglecting to confirm that responsive documents were preserved and sensitive documents withheld, and generally being unfamiliar with electronic discovery procedures. Citing the revised Model Rule 1.1, comment 8 language discussed above, the Opinion provides that in order to fulfill his duty of competence, this lawyer should have, upon evaluating the e-discovery needs in the case, become familiar with the requisite technology and procedures or enlisted an expert to help him. His other option was to decline the representation. Because he did not do any of these things, the attorney potentially failed to represent his client competently. He also may have breached the duty of confidentiality by producing his client’s privileged and proprietary information without consulting an e-discovery expert, and by being uninformed regarding e-discovery norms.
Another issue courts have provided some guidance on regarding an attorney’s obligation to use technology in fulfilling their professional duties is doing adequate internet research for purposes such as locating parties and evaluating jurors. Similarly, and in line with the California opinion discussed above, in many litigation matters it is critical to know how to pursue discoverable information in social media accounts and wearable devices such as fitness trackers. On the flip side of this obligation to pursue such information are the ethical pitfalls lawyers must be aware of in, for example, researching someone’s social media accounts (e.g. not “friending” potential jurors to gain access to information about them). The good news is that a number of opinions, articles, and MCLEs have addressed the social media topic in many jurisdictions.
The constantly evolving world of technology may seem like an overwhelming new frontier, especially as it relates to the already complex ethical rules that attorneys must follow. The challenge of complying with new ethics and technology standards can seem even more difficult given the somewhat general wording of applicable rules. However, and while the discussion above does not provide an exhaustive guide to compliance in this area, the clear takeaway for today’s lawyers is that they will be unable to claim ignorance in the event of a technology-related ethical lapse, and must undertake reasonable efforts to use technology in a manner that is consistent with their professional responsibilities.
On the positive side, the duty to remain current on relevant technologies is one that parallels the many other duties lawyers must fulfill on an ethical level, such as remaining up-to-date on new procedural rules and case law changes. In addition, numerous guides and resource centers on law firm security and technology best practices are available not only on the Internet, but also in the form of MCLE courses (which may now even be required as to technology by your jurisdiction’s rules). These resources are often free or low-cost, and can provide an overview of basic steps you can implement, such as encryption and two-factor authentication, to begin improving your firm’s security. It may also be advisable to consult a legal technology expert (and of course check your state’s ethics rules) when you are ready to implement broader tech updates in your practice. These changes will not only help you fulfill important ethical obligations, but they can help you run your practice in a more efficient manner, free up your time to attract and work with more clients, and maintain a competitive edge.
Disclaimer: The information in this blog post (“post”) is provided for general informational purposes only, and may not reflect the current law in your jurisdiction. No information contained in this post should be construed as legal advice from Justia Inc. or the individual author, nor is it intended to be a substitute for legal counsel on any subject matter. No reader of this post should act or refrain from acting on the basis of any information included in, or accessible through, this post without seeking the appropriate legal or other professional advice on the particular facts and circumstances at issue from a lawyer licensed in the recipient’s state, country or other appropriate licensing jurisdiction.