Ethical Obligations and the Use of Electronic Devices
New Jersey Law Journal
November 30, 2020
New Jersey lawyers have a longstanding ethical obligation to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of information relating to the representation of a client. The actual scope of that obligation, however, remains uncertain in light of the dearth of guidance on the issue and the never-ending advances in technology that facilitate efficient and effective professional services. A recent California ethics opinion serves as an important guide to New Jersey lawyers regarding the use of electronic devices that contain confidential client information and the obligations of a lawyer in the event of actual or suspected unauthorized access by third parties to confidential client information.
In Formal Opinion No. 2020-203, the California State Bar Standing Committee on Professional Responsibility and Conduct (“Committee”) analyzed “a lawyer’s ethical obligations with respect to unauthorized access by a third person to electronically stored confidential client information in the lawyer’s possession.” The Committee concluded that a lawyer’s ethical obligations require: (i) assessing the risks of having confidential client data on all electronic devices and systems; (ii) taking reasonable steps to secure all electronic devices and systems to minimize the risk of unauthorized access; and (iii) in the event of a breach, conducting a reasonable inquiry to determine the scope of the breach, and notifying any client that has a reasonable possibility of being negatively impacted by the breach.
At the outset, the Committee confirmed that (as in New Jersey) lawyers’ general duties of competence and confidentiality require them to make reasonable efforts to prevent unauthorized disclosure or destruction of any confidential client data. The Committee opined that, to fulfill this duty with respect to electronic data and the use of mobile devices, lawyers must have a basic understanding of the risks associated with using each type of electronic device employed in their practices, understand where and how confidential client information may be vulnerable to unauthorized access or disclosure for each device, and take reasonable efforts to prevent such access or disclosure.
Relying on ABA Formal Opinion 18-483 (“Opinion 483”), the Committee found that “reasonable efforts” to safeguard confidential client data “are those which are reasonably calculated under the circumstances to minimize particular identified risks.” This standard does not require a lawyer’s data security measures to be impenetrable or invulnerable; nor does it require specific security measures—e.g., firewalls, passwords, etc. Instead, lawyers must implement processes to identify risks, choose and enact security measures tailored to those risks, ensure such measures are effectively implemented, and continually update the security measures to address new developments.
The Committee did not stop, however, with a lawyer’s duties to prevent unauthorized access, disclosure, or destruction of confidential client data. It went on to declare that under the lawyer’s duty of communication with the client, a lawyer must inform any client whose data is subject to a breach. In so holding, the Committee again relied on Opinion 483, which defined the term “data breach” as an event where confidential information is misappropriated, destroyed, or compromised, or where the event has “significantly impaired the lawyer’s ability to provide legal services to its clients.” While not every incident involving lost or stolen devices or unauthorized access to client information will necessarily be a breach, it is clear that a lawyer’s obligation is much broader than most data breach notification laws (including New Jersey’s), which typically require notification only when an incident implicates certain “personal information.” Specifically, the definition of “breach” in Opinion 483 may apply to any confidential client information in the attorney’s possession (whether it qualifies as “personal information” or not) and includes events that may “significantly impair the lawyer’s ability” to provide client services regardless of the scope of the security incident.
The Committee also concluded that, although not every incident will be considered a breach, lawyers must nevertheless fully investigate every security incident to determine which clients were affected, which files, if any, were accessed, the sensitivity of the client information involved, and “the likelihood that the information has been or will be misused to the client’s disadvantage.” The investigation a lawyer conducts will determine whether an incident rises to the level of a data breach that would require disclosure to affected clients. In this regard, the key question is whether there is a reasonable possibility that the client’s interests might be negatively impacted. According to the Committee, when in doubt, lawyers should err on the side of disclosure.
If disclosure is required, lawyers must make disclosure as soon as possible so that the client can take steps to remedy the harm, the Committee found. Indeed, according to the Committee, lawyers are required to act reasonably and promptly to not only stop a breach, but also to mitigate any damage resulting from a breach. Although promptness is required, it is reasonable for a lawyer to retain a security expert to investigate the nature and extent of a breach before making any disclosure, because the lawyer must be able to explain the matter in sufficient detail to allow the client to determine what to do about it. Doing so may help the client formulate an appropriate response plan.
It is clear that a lawyer’s ethical obligations require more from the professional than is required from the general public or other businesses. This is particularly true in New Jersey, where, at this time, there are no state statutes or regulations that establish data privacy or security requirements for New Jersey businesses that collect, process, and store the vast amount of personal or confidential information used in daily operations. Moreover, New Jersey’s breach notification laws generally apply only to data security incidents involving unauthorized disclosure of or access to personal information, such as Social Security numbers, driver’s license numbers, account numbers, or online account log-in information. A lawyer’s ethical duty to safeguard confidential client information and potentially report a security incident, however, is far broader, applying to all information relating to the representation, whether it constitutes “personal information” or not.
In April 2006, the New Jersey Supreme Court’s Advisory Committee on Professional Ethics issued Opinion 701, which states that the ethical duty of confidentiality under RPC 1.6 requires lawyers in New Jersey to “take reasonable affirmative steps to guard against the risk of inadvertent disclosure” of confidential client information available in electronic medium. While lawyers need not guarantee that the information is “utterly invulnerable against all unauthorized access,” they must “exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access.”
It is important to note that New Jersey’s RPCs do not include a specific requirement of competence under RPC 1.1 with respect to technology. In fact, in May 2015, the New Jersey Supreme Court Special Committee on Attorney Ethics declined to recommend that RPC 1.1 be amended to include a requirement that lawyers keep abreast of the benefits and risks of relevant technology, concluding that there is no need for the RPCs to “single out technology” because it “is just one component of lawyers’ general duties.”
At the same time it rejected amending RPC 1.1, however, the Special Committee on Attorney Ethics recommended that the requirement that attorneys take reasonable steps to prevent inadvertent disclosure of confidential information be expressly incorporated into New Jersey RPC 1.6(f). The Rule was formally amended in August 2016 and states that lawyers “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” The comment that accompanied this amendment explains in broad strokes how a lawyer might undertake reasonable efforts to protect client information, including consideration of “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients … .”
In light of the widespread use of various electronic devices to transmit, store, and review confidential client information, lawyers should assess how they use electronic devices, how they can minimize particular risks that are identified or readily apparent, and how they will respond in the event of a security incident in order to mitigate or eliminate harm to the client. At this juncture, a lawyer’s ethical obligations to use “reasonable efforts” to prevent unauthorized access or disclosure may include taking affirmative steps to:
- Prepare a comprehensive inventory of all devices and systems that may contain client information, including firm-issued and personal devices utilized for business;
- Understand (or retain a third party who understands) the technologies, devices, and platforms that are being used to store and transmit client information, as well as the technologies that can enhance privacy and security for all devices and platforms;
- Assess the risks of potential unauthorized access or disclosure associated with the use of all electronic devices to store, access, and share data—particularly on cloud-based platforms and public or other unsecure networks;
- Implement policies applicable to all employees to enhance the privacy and security of all client information (including a principle of “least access” that limits access to client information only to essential individuals), and conduct regular training on the appropriate use, transmission, storage, and disclosure of client information;
- Incorporate appropriate privacy and security requirements into all third-party vendor contracts;
- Determine with the client how confidential and highly confidential client information will be transmitted, stored, used, and disposed of when retention is no longer necessary; and
- Take immediate and comprehensive action in the event of a security incident, including identifying a security expert who can assist in investigating the incident, and regularly update affected clients so that they can make informed decisions about responsive action.
Reprinted with permission from the November 30, 2020 issue of the New Jersey Law Journal. © 2020 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.