The ABA Commission on Ethics 20/20 published its revised draft resolutions for comment regarding Technology and Confidentiality at the end of last month. Under Comment  to Rule 1.6 “Confidentiality of Information”, the revised draft contains a list of factors that determine whether the lawyer has made reasonable efforts to prevent “unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information.” Comment  states:
Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the
likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
These are all relatively broad factors and leave much up to the judgment of the lawyer. This Comment addresses the storage of electronic communications, while the almost identical comment  covers the transmission of data. I found this sentence, which appears after the list of factors, to be interesting:
A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forego security measures that would otherwise be required by this Rule.
If I am reading this correctly, even if a lawyer weighs those factors and finds that there is a risk, he or she may discuss it with the client and include in an engagement or other agreement that the client is aware of that risk, but finds that in their case, the benefits exceed the risk or that the risk does not matter to them. This is interesting because I know some states have discussed making it a requirement that lawyers obtain client consent for the use of technology where there is a risk of any third-party access to confidentiality information. This comment does not require written consent, but it does hint to the lawyer – at least I’m thinking about my own limited scope agreement and CYA practices – that getting informed consent regarding the technology and security that is a part of that should be a best practice. Then, after you conduct reasonable efforts to ensure that you are safeguarding the client’s information, and something still happens (because only a fool will tell you a system or technology is 100% safe), then if there’s a breach you can hold up your agreement and say to the client “well, I did tell you there was that 1% risk.” Wonder if the malpractice insurance carriers agree with me on this one.
As the report following the revised draft states, the Commission is aware that risks will exist even when the lawyer has made reasonable efforts to prevent inadvertent disclosure of confidential information. They state:
The Commission concluded…that technology is changing too rapidly to offer such guidance and that the particular measures lawyers should use will necessarily change as technology evolves and as new risks emerge and new security procedures become available.
Instead, they provided these broad factors and have suggested that the ABA create website with updated and more detailed information about technology and security. I think that the Legal Technology Resource Center might be a great place for such a site.
Included in Comment  is a reference to the “monitoring” responsibility that has been added to the revised proposed draft of Rule 5.3. That rule now has been expanded to include cloud computing providers and other “nonlawyer assistance.” Additionally, Rule 1.1 “Competency” has an added reference to cloud computing providers: “When using the services of nonfirm lawyers in providing legal services to a client, a lawyer also should reasonably believe that such services meet the standard of competence under this Rule. ” In this context, if you are relying on a document automation or assembly program to generate a legal document that you then review and sell to the client, it’s still your responsibility to ensure 1) that this was best for the client based on their legal needs and 2) that the final product constituted competent representation under the circumstances. Well, that’s a no-brainer, but maybe there are lawyers out there who use tech to produce legal work and rely on that system completely without reviewing the final work.
The report following the proposed draft of 5.3 states, “[t]he word “monitoring” was chosen intentionally to reflect the idea that, under these circumstances, a lawyer may have a duty to remain aware of how the nonlawyer service provider is performing its services, even if the lawyer has not chosen the provider and may not have any direct supervisory obligations.” I’m still not clear on how to monitor a cloud computing vendor. If my firm chooses to use the professional version of Google Apps, does this just mean I have to keep an eye on any changes in our user agreement or that I need more in-depth monitoring of server information, security risks, etc. that Google manages?
At first glance, these changes almost appear that they would have more affect on some of the nonlawyer legal service companies that are engaging with licensed lawyers to provide the “lawyer add-on” value to their online legal services. These additions to the rules send a strong message to those lawyers that they need to be aware of competency in the final product they deliver through those networks to clients as well as monitoring how those networks are perhaps engaging with clients not only from a security standpoint, but also from the perspective of initiating the attorney/client relationship, duty to prospective clients, etc. I’m not as sure that these proposed rule changes are dictating that I have a call weekly with the CTO of my SaaS product to discuss his or her management of the technology I use.
It looks like they are accepting comments on these revised proposed drafts. Looking forward to reading those and hopefully they will shed some more insight.
The point you make regarding how these obligations affect the relationship of the nonlawyer service companies and the lawyers who are listed on them is an important one. Nonlawyer service companies do not have attorney ethical obligations with regard to the technology they use, their security standards, etc. Do the lawyers who are listed on these sites have an obligation to do their technology due diligence or LPO “oversight” obligations, and others you mention before they agree to list themselves on the site?
DO you think that the change to 5.3 will act as a impediment to law firms subscribing to and adopting cloud computing technology? “monitoring” is not as a strong as “supervision” so maybe this is the minimum that could be expected of lawyers when they buy into a cloud computing vendor. How will law firms and malpractice insurers interpret the word “monitoring?”
You make an excellent point, Richard. I think without further clarification of what constitutes “monitoring”, it will be difficult for the lawyer to predict how their insurer or state bar is going to interpret that. It is not as strong as supervision, but the level of monitoring will be different depending on the service they are subscribing too, the size of the company, among other factors. I don’t know if this change to MR 5.3 will necessarily impede law firm adoption of cloud computing technology, but it may push state bars and other lawyer regulatory bodies to consider similar changes in their versions of 5.3 and it will be interesting to see if they choose to clarify the term in ways that would be more restrictive.