“The basic responsibilities that a lawyer owes the client – competence, diligence, communication, and confidentiality - lie at the core of lawyer’s professional obligations and remain unchanged irrespective of the lawyer’s physical location. What has changed is discharging these responsibilities effectively in a world increasingly dominated by technology and, more recently, in an environment where lawyers are isolated from their clients, their partners, their opponents and the courts in the face of the COVID-19 pandemic. The role of the partners, managers and supervising attorneys, whose responsibilities include insuring that both attorneys and non-attorneys in the firm, regardless of their location, comply with the requirements of SCR Chapter 20, is of increasing importance. Although certain current modifications in practice may diminish as the pandemic does, many are likely to continue as the profession and technology evolve. This opinion addresses several ways a lawyer’s responsibilities are affected.”
– Opening synopsis, Wis. Formal Ethics Op. EF-21-02: Working Remotely
Although the pandemic has had a variety of effects, my sense is that most lawyers found a way to continue working, by adapting to remote work, adding cloud-based tools, and becoming more savvy with technology. Lawyers also learned, however, that working remotely, or at least differently, did not change their ethical obligations or the duties of competence and confidentiality they have to clients.
Since the pandemic started, the American Bar Association1 and the State Bar of Wisconsin2 have issued opinions to help guide lawyers through virtual practice, cybersecurity, and the associated ethical obligations.
The Wisconsin opinion outlines ethical obligations and guidelines based on remote work. Kate Campbell, a cybersecurity expert who practices at Godfrey & Kahn S.C. in Milwaukee, recently said the following to an audience of lawyers at a Wisconsin Lawyers Mutual Insurance Co. online webinar: “This is a great opinion that provides a lot of good information for lawyers who are trying to understand the substance of the requirements when it comes to technology. What does it mean to be technologically competent?”
Campbell says that as things return more to “normal,” lawyers can apply these guidelines to their practice even when they’re not working remotely. “The opinion hammers home the idea that you as a lawyer have a duty to understand and be competent in various technologies. So, what does that mean? At minimum, it means a knowledge of the types of devices available for communication; software options; how to prepare, transmit, and store documents; understanding the cloud options and what they mean; and how to keep different devices and the information you are transmitting secure and private. That’s all part of basic technological competence.”
State Bar ethics counsel Aviva Kaiser, who helped write Wis. Formal Ethics Op. EF-21-02, agrees. “The ethical duties owed to clients remain unchanged regardless of whether the lawyer is working in the office or remotely. What has changed, however, is the variety of circumstances under which the lawyer must fulfill those ethical obligations.”
Kaiser says the goal of the opinion was to give lawyers useful guidance and information that will help them beyond the pandemic. Bob Ambrogi, in his recent article 20/20 Hindsight: 20 Legal Tech Trends,3 discussed lawyers’ continued use of technology after the pandemic. “It’s important to remember that the pandemic has forever changed the legal industry’s relationship with technology, for the better. I have written for years about the ethical duty of technology competence and about how slow – even resistant – many lawyers have been to becoming competent. Technology competence became a survival skill. No longer can legal professionals stay afloat without the lifeline tech provides. The legal industry is not yet where it should be in use of technology, but 2020 pushed it forward by leaps and bounds.”
Working Remotely Is Not So Unusual Anymore
Ambrogi observed that working remotely redefined the workplace. “At first, forced shutdowns of legal offices seemed unthinkable and unworkable. But then some legal professionals found that they kind of liked working from home. And many law firms and legal departments realized they could carry on quite nicely even with their workers dispersed and remote.”4
Ambrogi noted that rent typically is a law firm’s second-biggest expense, after salaries. “Estimates say it generally eats up 6 to 15 percent of gross revenue, depending on firm size and location. Well before the pandemic, many firms were already looking to reduce their physical footprints as a way of cutting expenses, and technology increasingly made that possible.”5
When lawyers began to work remotely because of the pandemic, there was little time for them to prepare their remote work spaces and to anticipate the technology and security that they would need to communicate with their clients, opposing counsel, and the courts, says Kaiser. “Because working remotely relies on technology, competence in technology and cybersecurity practices are essential. This opinion also provides guidance for training and supervising lawyers and nonlawyer assistants when working remotely.”
Wis. Formal Ethics Op. EF-21-02 includes a section on general guidance. It contains a lengthy list of recommended cybersecurity practices. Campbell says, “These are things we recommend to clients all the time. Some of the guidelines may seem basic, but I think they are very important to remember.”
The list of guidelines includes the following:
Require strong passwords to protect data and access devices.
Use multifactor authentication on all devices.
Avoid public WiFi that is not secure.
Use a virtual private network (VPN) when accessing or transmitting client information.
Use firewalls and secure router settings.
Use and keep current anti-virus and anti-malware software.
Keep all software current; install updates immediately.
Provide or require employees to use secure and encrypted laptops.
Do not use USB drives or other external devices unless they are owned by the firm or they are provided by a trusted source.
Save data permanently only on the office network, not personal devices.
Use reputable vendors for cloud services.
Encrypt emails or use other security to protect sensitive information from unauthorized disclosure.
Encrypt electronic records.
Do not open suspicious attachments or click unusual links in messages, email, tweets, posts, and online ads.
Campbell says, “These are great tips to review and keep in mind. Always consider, ‘What are the little things I should be doing, and the bigger things as well, such as encrypting emails and encrypting electronic records.’”
Brent Hoeft of Hoeft Law LLC, Madison, has operated a web-based law practice for many years and concentrates in the use, security, and ethics of technology in law firms. He likes the emphasis on confidentiality, and he urges lawyers to consider taking all reasonable efforts to protect against disclosure of confidential files and information.
According to Hoeft, “Those include always doing your due diligence on any software or service that you are thinking of using as a tool for working from home. There are a lot of options out there, and the levels of security steps taken by these providers can vary greatly. If possible, try to stick to services that are geared toward business rather than personal use and, if you can, find some that are designed for use by lawyers and the legal industry; always use a VPN when connecting to the internet even while on your home network and doing business online. There are a lot of options out there.”
Hoeft says, “The main thing is to choose a commonly used VPN and always choose the paid version. The free accounts of even good VPNs are not reliable and can be very slow; and finally, because lawyers have a duty to take reasonable efforts to become competent in the technology tools that we are using in our practice, we can’t just jump right in and start using the tools without understanding the tool and its default settings, how to change these settings to become more secure, and what setting options are available to make sure the tool is as secure as possible to use in a law firm setting.”
Questions about ethics or practice management? Confidential assistance is a phone call or click away:
Formal Ethics Opinions:
(800) 254-9154 or (608) 229-2017
9 a.m. to 4 p.m., Monday through Friday.
(800) 957-4670 or email@example.com
Kaiser hopes lawyers pay attention to the guidance offered by the State Bar opinion and the ABA opinion. She says some of the changes during the past year may turn out to be temporary, but others are likely to remain and become part of the legal profession’s increased reliance on technology.
Is much of what we’ve seen over the past year the “new normal?” Maybe. If it is, Kaiser says, lawyers will have to develop the skills and knowledge necessary to comply with the duties and responsibilities they have to their clients.
“I think the import is the same for both opinions. First, the ethical responsibilities that a lawyer owes the client, such as competence, diligence, communication, and confidentiality, remain unchanged irrespective of the lawyer’s physical location; second, what has changed is discharging these responsibilities effectively in a world increasingly dominated by technology and, in an environment where lawyers are working remotely (whether by choice in a virtual practice or by circumstances) and isolated from their clients, their partners, their opponents and the courts; and third, the role of the partners, managers, and supervising attorneys, whose responsibilities include ensuring that both attorneys and nonattorneys in the firm – regardless of their location – comply with the ethical requirements, is of increasing importance.
“Let’s face it, technology will continue to evolve and we must keep up.”
» Cite this article: 94 Wis. Law. 41-44 (June 2021).
EF-21-02 Working Remotely: Recommended Cybersecurity Practices
Wisconsin Formal Ethics Opinion EF-21-02 includes a section on general guidance. It contains a lengthy list of recommended cybersecurity practices. The list of guidelines includes the following:
- Require strong passwords to protect data and access devices.
- Use multifactor authentication on all devices.
- Avoid public WiFi that is not secure.
- Use a virtual private network (VPN) when accessing or transmitting client information.
- Use firewalls and secure router settings.
- Use and keep current anti-virus and anti-malware software.
- Keep all software current; install updates immediately.
- Provide or require employees to use secure and encrypted laptops.
- Do not use USB drives or other external devices unless they are owned by the firm or they are provided by a trusted source.
- Save data permanently only on the office network, not personal devices.
- Use reputable vendors for cloud services.
- Encrypt emails or use other security to protect sensitive information from unauthorized disclosure.
- Encrypt electronic records.
- Do not open suspicious attachments or click unusual links in messages, email, tweets, posts, and online ads
1 ABA Formal Op. 498 (March 10, 2021), www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba-formal-opinion-498.pdf.
2 Wis. Formal Ethics Op. EF-21-02 (Jan. 29, 2021), www.wisbar.org/formembers/ethics/Ethics%20Opinions/EF-21-02%20Working%20Remotely.pdf.
3 94 Wis. Law. 30-37 (March 2021), www.wisbar.org/NewsPublications/WisconsinLawyer/Pages/Article.aspx?Volume=94&Issue=3&ArticleID=28271.