The California State Bar has published its newest ethics opinion, FEO 2010-179, related to the use of technology in law practice, specifically addressing the attorney’s duty of confidentiality to clients when using technology that may be accessed by a third-party. Given the wording of the opinion, this could include everything from an attorney using wireless to connect to the Internet to any cloud computing application used to store or transmit law office data.
The specific scenario that the opinion poses will be familiar to those of us engaging in virtual law practice and who deliver legal services online: The attorney takes his or her firm-provided laptop to a cafe and accesses the public wireless to transmit information to the client and to conduct legal research on a case. The attorney in the scenario also takes his or her work laptop home and conducts work using a personal home wireless connections. What does the attorney have to do to ensure that he or she is upholding the duty of confidentiality and competence to the client?
The opinion was published in December 2010 after an extended period of review and specifically phrases the issue as:
Does an attorney violate the duties of confidentiality and competence he or she owes to a client by using technology to transmit or store confidential client information when the technology may be susceptible to unauthorized access by third parties?
The opinion’s conclusion is summarized in the following digest:
Whether an attorney violates his or her duties of confidentiality and competence when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding such use. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications.
What I appreciate about the wording of this opinion is that it does not make any attempt to lump attorneys’ use of technology into a single category. The opinion recognizes that there are varying degrees of security risks depending on a number of factors, not only the chosen technology solution, but also the attorney’s devices and practices for using it. The opinion also acknowledges that in that risk/benefit analysis, the attorney needs to consider the sensitivity of the information being transmitted.
I believe this is the first ethics opinion related to technology that actually puts in writing that attorneys should not use public WIFI and flat-out says that the attorney who does not know how to take security precautions when using wireless is not fulfilling their duty of confidentiality to the client.
It may also be the first ethics opinion that I’ve read that puts the notice and consent requirement in there for the use of technology. Fortunately it does not require notice and consent for the general use of technology or wireless or cloud computing in general. Instead, if the attorney believes that there is a security risk in the method that he or she is using, such as the public WIFI, or if they don’t have firewalls and other security protections on their personal wireless, then they have to notify the client of this risk and get the client’s consent. That’s certainly one way of getting attorneys to pay attention to security when they are working online.
Here’s the opinion’s statement about use of wireless:
Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so.
With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client’s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall.
Expect to see similar state bar opinions on this issue. Hopefully they will be along the lines of this opinion and urge the attorney to pay attention to security risks on their own, rather than attempt to dictate specific notice and consent requirements or go a dangerous step beyond that by trying to lock down specific technology standards in an ethics opinion.