    Wisconsin Lawyer
    October 01, 2016

    Let’s Be Reasonable: The Ethics of Cybersecurity

    Lawyers are required to use "reasonable" efforts to protect their clients’ information. To be reasonable, the lawyer’s efforts must be commensurate with the risks presented.

    Aviva Meridian Kaiser & Tison H. Rhine

    "Nearly ubiquitous connectivity generates nearly ubiquitous vulnerability."1

    Yes, the vulnerability to cyber-attack is ever present: major retailers, hospitals, law firms,2 and governmental agencies have been hacked.3 But there is no need to panic or to scream "hackmageddon" or "hackpocalypse." There is, however, a need to be reasonable.

    Lawyers are not required to guarantee that a breach of security cannot occur when using the internet. Nor are they required to use only the most infallibly secure methods of communication. Lawyers are, however, required to use "reasonable efforts to protect their clients' information from unauthorized or inadvertent disclosure. To be reasonable, the lawyer's efforts must be commensurate with the risks presented."4

    Several Rules of Professional Responsibility are implicated by a lawyer's use of technology. These rules are SCR 20:1.1 Competence; SCR 20:1.4 Communication; SCR 20:1.6 Confidentiality; SCR 20:5.1 Responsibilities of partners, managers, and supervisory lawyers; and SCR 20:5.3 Responsibilities regarding nonlawyer assistants.

    This article briefly summarizes these rules. A related article, "7 Ways to Protect Your Data," provides some "reasonable measures" that lawyers can take today to protect their clients and themselves.

    The Applicable Rules of Professional Responsibility

    SCR 20:1.1 Competence. SCR 20:1.1 requires a lawyer to perform legal services competently. ABA Comment [8] to Rule 1.1 recognizes that technology is an integral part of contemporary law practice and explicitly reminds lawyers that the duty to remain competent includes keeping up with technology: "[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology ..."

    Aviva Meridian Kaiser, Univ. of Buffalo 1979, is the State Bar of Wisconsin assistant ethics counsel.

    Tison H. Rhine, Minnesota 2010, is the State Bar’s practice management advisor.

    Consequently, lawyers who use technology have a duty to understand the potential impact of the technology on their obligations under the applicable law and under the rules. To determine whether a particular technology or its particular use complies with the lawyer's professional obligations, a lawyer must use reasonable efforts. Wisconsin Formal Ethics Op. EF-15-01. Moreover, as technology, the regulatory framework, and privacy laws change, lawyers must keep abreast of the changes.

    SCR 20:1.4 Communication. SCR 20:1.4(b) requires that a lawyer explain a matter to the extent reasonably necessary to permit the client to make informed decisions concerning the representation. Of concern is whether a lawyer must inform the client about the lawyer's use of particular technologies, such as the means by which the lawyer processes, transmits, and stores the client's information in all representations, or only when the circumstances call for it, such as when the information is particularly sensitive.

    Although it is not necessary for a lawyer to communicate every detail of a client's representation, the client should have sufficient information to participate intelligently in decisions concerning the objectives of representation and the means by which they are to be pursued. ABA Comment [5] to Rule 1.4 explains: "The guiding principle is that the lawyer should fulfill reasonable client expectations for information consistent with the duty to act in the client's best interests, and the client's overall requirements as to the character of representation."

    No ethics opinions anywhere have suggested that a lawyer is required in all representations to inform the client of the means by which the lawyer processes, transmits, and stores information. However, it may be necessary, depending on the type of representation and the sensitivity of the client's information involved, to inform the client of the nature of the lawyer's use of technology, its advantages as well as its risks.

    For example, while a lawyer is not required in all representations to inform clients that the lawyer uses the cloud to process, transmit, or store information, a lawyer may choose, based on the needs and expectations of the clients, to inform the clients. A provision in the engagement agreement or letter is a convenient way to provide clients with this information.

    If there has been a breach of the service provider's security that affects the confidentiality or security of the client's information, SCR 20:1.4(a)(3) and (b) require the lawyer to inform the client of the breach.

    SCR 20:1.6 Confidentiality. The duty to protect information relating to the representation of the client is one of the most significant obligations imposed on the lawyer. SCR 20:1.6(a) prohibits a lawyer from revealing information relating to the representation of a client unless that client gives informed consent or unless the disclosure is impliedly authorized to carry out the representation. The use of technology to process, transmit, and store client information may be deemed an impliedly authorized disclosure to the provider as long as the lawyer takes reasonable steps to ensure that the provider of the services has adequate safeguards.

    Although a lawyer has a professional duty to protect information relating to the representation of the client from unauthorized disclosure, this duty does not require any particular means of handling protected information and does not prohibit the employment of service providers who may handle documents or data containing protected information. Lawyers are not required to guarantee that a breach of confidentiality cannot occur when using a cloud service provider, and they are not required to use only infallibly secure methods of communication. They are, however, required to use reasonable efforts to protect information relating to the representation of their clients from unauthorized disclosure. EF-15-01.

    ABA Model Rule 1.6 and its Comment make "clear that a lawyer has an ethical duty to take reasonable measures to protect a client's confidential information from inadvertent disclosure, unauthorized disclosure, and unauthorized access, regardless of the medium used." Moreover, ABA Comment [18] to Rule 1.6 emphasizes that unauthorized access to or the inadvertent or unauthorized disclosure of information relating to the representation of a client does not constitute a violation of the rule "if the lawyer has made reasonable efforts to prevent the access or disclosure."

    A lawyer using technology may encounter circumstances that require unique considerations to secure client confidentiality. For example, if a server used by a cloud service provider is physically located in another country, the lawyer must be sure that the information on that server is protected by laws that are as protective as those of the United States. Whether a lawyer is required to take additional precautions to protect a client's information in order to comply with other laws, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of the Rules of Professional Conduct.

    SCR 20:5.1 Responsibilities of partners, managers, and supervisory lawyers. A lawyer who is a partner or who has managerial authority is required to make reasonable efforts to ensure that the firm – even if it is a firm of one – has policies and procedures in place so that all lawyers in the firm comply with the Rules of Professional Conduct. In addition, a lawyer who supervises another lawyer is required to make reasonable efforts to ensure that the other lawyer complies with the rules. Consequently, a firm must have policies and procedures regarding the use of technology.

    SCR 20:5.3 Responsibilities regarding nonlawyer assistants. The responsibilities of a partner, manager, or supervising lawyer regarding nonlawyer assistants parallel the responsibilities regarding lawyers. A lawyer who is a partner or who has managerial authority is required to make reasonable efforts to ensure that the firm has policies and procedures in place so that the conduct of all nonlawyer assistants in the firm is compatible with the Rules of Professional Conduct. In addition, a lawyer who supervises a nonlawyer assistant is required to make reasonable efforts to ensure that the conduct of the nonlawyer assistant is compatible with the rules. Consequently, a firm must have policies and procedures regarding the use of technology.

    This rule also applies when a lawyer uses nonlawyer assistants outside the firm to help provide legal services. SCR 20:5.3 requires the lawyer to make reasonable efforts to ensure that the services are provided in a manner that is compatible with the professional obligations of the lawyer. The extent of this obligation when using a service provider to process, transmit, store, or access information protected by the duty of confidentiality will depend greatly on the experience, stability, security measures, and reputation of the provider as well as the nature of the information relating to the representation of the client. See Wisconsin Formal Ethics Opinion EF-15-01.

    Conclusion

    So, while law firms, like other businesses and institutions, are vulnerable to cyber-attack, there is no need to panic or to scream "hackmageddon" or "hackpocalypse." To comply with the Rules of Professional Responsibility, lawyers just need to make reasonable efforts to keep client information secure.

    Endnotes

    1 Roland L. Trope & Sarah Jayne Hughes, Red Skies in the Morning – Professional Ethics at the Dawn of Cloud Computing, 38 Wm. Mitchell L. Rev. 111, 118 (2011).

    2 According to the 2015 American Bar Association Legal Technology Survey Report, 15 percent of law firms have experienced a breach.

    3 In this article, the term hack is used in its broadest sense for the reader's ease. For example, hacking includes phishing. Hacking and phishing are related in that they are both ways of obtaining information, but they differ in their choice of methods. A phish, which is ultimately a hack, occurs when a user is baited with an email, phone call, or, perhaps, a text message and tricked into "voluntarily" responding with sensitive information.

    4 Wis. Formal Ethics Op. EF-15-01.