By Andrea K. Scripps and Charles Berwanger
The American Bar Association reported in October 2019 that 26% of law firms had experienced security breaches. Of those, 9% were serious enough that the firms had to notify clients and law enforcement. The statistic on data breaches for midsize law firms (10–49 attorneys) is even more staggering — 42% of such firms have suffered security breaches. The last year witnessed government shutdown of business offices, including attorney offices, and associated widespread remote legal work. The net effect of that is that partners, associates, paralegals, and secretaries have found themselves working from home and using electronic devices to prepare and process legal work including the remote handling of client confidential information. And it appears to a certainty that such remote legal work will continue in the future even when the COVID-19 pandemic wanes to insignificance.
Such remote legal work presents not only opportunities but also challenges. Those challenges are found in the exposure of electronic devices to hacking and related exposure potentially leading to the loss of the confidentiality of client confidences.
The real life examples of such exposures are many and the examples of resulting litigation are equally numerous. This includes a complaint alleging the hacking of the law firm of Kansas law firm WardenGrier, LLP where the firm’s electronic devices were held hostage to the payment of a ransom. That ransom was paid, however, the hacker felt no constraint in posting client confidences including private medical information of identified persons on the Internet. The firm allegedly failed to do a reasonable investigation to determine whether or not client confidences had been removed; and necessarily failed to advise the clients as to such exposure. The result: litigation; expensive litigation in which in excess of $1 million was sought by reason of the firm’s negligence and alleged failure to identify weaknesses in its electronic devices; to take remedial steps to obviate those weaknesses; to monitor its electronic devices to ensure that there had not been a breach; and to determine the consequence of the breach and alert clients to the breach.
In California, the consequences of such a breach are not only potential litigation and exposure to substantial damages but also the potential of the State Bar taking disciplinary action.
The State Bar of California Standing Committee on Professional Responsibility and Conduct (“COPRAC”) in its Formal Opinion 2020-203 determined that the issues raised by the electronic storage of confidential client information protected by California Rule of Professional Conduct 1.6 are significant enough to require an ethics opinion that specifies exactly what the ethical obligations of attorneys are in handling such information. It concludes that lawyers who use electronic devices, which provide access to confidential client information, must identify the risks of unauthorized access to such data on electronic devices, take reasonable steps to secure the electronic systems to minimize the risk of unauthorized access; and monitor such devices to ensure no disclosure. In the event of a data breach lawyers must conduct a reasonable inquiry to determine the extent and consequences of a breach; and to notify any client where there is a reasonable possibility the client’s interests may be negatively impacted by the breach.
That requirement is found in California Rules of Professional Conduct 1.1 which mandates that a lawyer shall not intentionally, recklessly, with gross negligence, or repeatedly fail to perform legal services with competence. The Rule defines “competence” as requiring the application of the “(i) learning and skill, and (ii) mental, emotional, and physical ability reasonably necessary for the performance of such service.” COPRAC has proposed that the interpretive comments to Rule 1.1 state that “the duties set forth in this rule include the duty to keep abreast of the changes in the law and its practice, including the benefits and risks associated with relevant technology.” Such proposal is before the California Supreme Court for review and approval.
That legal work is being done remotely also implicates several other rules. Rule 5.1 imposes on firm managerial and supervisorial lawyers a duty to ensure firm wide competence of all lawyers. That means that although a firm’s attorneys may be scattered in different locales out of “visual sight” of management, management is not relieved of its duty to supervise such attorneys and their use of electronic devices. A second rule, Rule 5.3 requires that supervision be exercised over non-attorney staff, such as legal assistants and paralegals, who also utilize electronic devices remotely. A third rule, Rule 5.2, requires that non-supervisorial and non-managerial attorneys “comply with these rules and the State Bar Act notwithstanding that the lawyer acts at the direction of another lawyer or other person.” The COPRAC opinion expands upon that duty by imposing upon such lawyers the duty to “not blindly follow firm technological rules that are unreasonable or rely on the absence of a firm rule where there should be one.”
In conclusion, in this era of ever-evolving and ever-changing electronic devices with their enhancements and their vulnerabilities, lawyers are held to a high standard of care to ensure the preservation and protection of confidential client information. The stakes are high. Law firm reputations can be lost; liability can be imposed; and ethical breaches can be found. Thus, the duty to be reasonably proficient and knowledgeable in the handling of electronic devices and protection of confidential client information is paramount.