The American common law system is not static; laws adapt over time to reflect social, economic, political, and technological changes. Because of this fluidity, the practice of law requires that its professionals constantly engage in legal education and edification. Specifically, advancements in communication technology have created a new paradigm in which practicing lawyers must develop a working knowledge of information technology to maintain their ethical duty to protect confidential client information. While professional liability for this ethical duty may seem punitive to those reluctant to change, it provides an incentive that ultimately benefits the client, the attorney, and the profession as a whole.
In 2009, the American Bar Association (ABA) created the “ABA Commission on Ethics 20/20” (20/20 Commission) to begin a multi-year review of the ABA Model Rules of Professional Conduct to update the rules to acknowledge and reflect the additional ethical considerations that modern technology continues to introduce in the legal practice. The 20/20 Commission’s goal was to evaluate the current rules and update them where specific reference to technological advancement created a need for clarity in both the rule language and in the comments that follow each rule. With respect to ethical guidance for eDiscovery and the lawyer’s duties arising from use of Electronically Stored Information (ESI), the 20/20 Commission made several key amendments to the rules concerning competency of the attorney, confidentiality of client information, and the way attorneys monitor communications with third party vendors hired to provide technological services for a particular case or firm. Once the ABA rules were amended, the individual states were left to evaluate their own state model rules in and make commensurate changes to their state model rules. The end result, expected to take between one and five years, will be a national standard of professional ethical conduct that holds attorneys accountable for maintaining a basic understanding of the technological tools that continue to pervade and affect the legal profession in theory and in practice.
Whether in front of the bar or behind a desk, every lawyer should have a reasonable understanding of how electronic information is created, stored, and protected; not only is this good advice, it is required by the new ABA rules. Two amendments to the Comments to Rule 1.1 add general and specific references to technology, stating that lawyers “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology” (emphasis added). Adding a reference to relevant technology explicitly imputes upon every lawyer a duty to know the basic features of the technology used in legal practice and implicitly means that a lawyer should also know when to seek outside help when dealing with some new technological elements beyond the lawyer or firm’s technological capability. The implication of this duty from an ethical standpoint is often complicated within the specific context of eDiscovery.
As more and more people rely on electronic technology for communication each day, the volume and complexity of discoverable documents expands exponentially. To that end, many firms dealing with high-volume ESI from clients now hire outside companies to perform eDiscovery functions such as data retrieval and Computer Assisted Review. In Computer Assisted Review, the vendor can take a sample set from the total volume of electronic documents and establish a relevance index with the attorney by ranking each document in the sample set on a scale (i.e., 0% to 100% relevance). Then, the attorney can decide to limit his or her own review to the electronic documents that score above a certain ranking. Where reviewing documents one-by-one would be cost prohibitive for the client, the benefit of Computer Assisted Review could be worth the expense. However, it is not without risks. Because of the new amendments to the Rule 1.1 comments, attorneys involved in eDiscovery-rich litigation have an ethical duty not only to understand how the technology itself works, but more importantly how the limitations of attorney-client privilege interact with the use of that technology. Specifically, where a court may require parties relying on Computer Assisted Review to identify how each party determined which types of documents were relevant, and more importantly which documents were deemed not relevant, disclosing that information to justify the scope of the discovery request may reveal strategy and opinion information, which encroaches on the attorney work product boundary protected by attorney-client privilege.
Begin with a Backup Plan
Data security and cloud storage are equally important concepts for an attorney to understand given the ethical duty contained in Rule 1.1, as well as the duty under Rule 1.6(c) that requires lawyers to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of…[client information].” Whether stored in an on-site server or “in the cloud,” the security of client information can always be compromised by both sophisticated (e.g., hackers) and unsophisticated (e.g., accidental email) intrusions. To avoid the risk of being held liable in a legal malpractice suit for inadvertent disclosure of confidential client information, attorneys should have a conversation with their clients at the outset of representation to explain the firm’s client data storage and retention practices. This conversation will benefit the attorney-client relationship not only by establishing trust, but also by establishing the limitations on the client when conveying sensitive information to the attorney. Further, attorneys who access client information remotely (via smartphone, tablet, or laptop) have a duty to “make reasonable efforts” to protect those devices from being compromised. In other words, attorneys should take care to keep their electronic devices physically safe and to password protect them as well.
Imputing Liability on the Ignorant
Client confidentiality is paramount to the fundamental goal of zealously representing the interest of the client, and the new amendments from the 20/20 Commission establishing an attorney’s ethical duty to develop a dynamic understanding of technology are absolutely critical to ensuring client confidentiality. Innovation in information technology undoubtedly outpaces innovation in the legal profession, where much of the practice still occurs on paper. Since clients increasingly utilize new technology for business and social interaction, an attorney who lacks a sufficient understanding of electronic communication could actually be a danger to his clients. Imputing an ethical duty upon the attorney establishes a professional liability to learn about new technology and incentivizes legal professionals to crawl out from under the proverbial rock. After all, we have an obligation to maintain a keen understanding of the changes in the law and the profession, as reflected by state bar requirements for pursuing continuing legal education, and now this necessarily includes education about technology.
Holding an attorney professionally liable for the security of client information may seem unfair in an age of sophisticated computer viruses and identity thieves, but would we really hold liable a law firm for inadvertent disclosure of confidential information to a cat burglar? Probably not, unless the law firm never locked its doors. The same logic applies to storing ESI: Whether storing information locally or remotely, the amended rules implore attorneys to make reasonable efforts to prevent inadvertent and unauthorized disclosure of confidential client information. “Reasonableness” is a moving target in this context, but it is also a very large one. Taking care not to leave a company laptop or iPad out in the open at Starbucks is an effort reasonable enough to prevent inadvertent disclosure. And to hedge your bets, if you do inadvertently abandon your mobile device while refilling that double-shot mocha Frappuccino, password protection is yet another reasonable effort to prevent a breach of confidentiality.
Manage Client Expectations for Electronic Confidentiality
Another way to mitigate the risk of a legal malpractice suit for inadvertent disclosure of information is to have a conversation with each client both to assess their security needs and to educate them about your capacity and limitations. Attorneys should inform their clients about the benefits and risks associated with using outside vendors for eDiscovery matters so the clients can give informed consent where attorney-client privilege may need to be waived. Further, if the client wants his ESI stored in, say, an underground bunker, but your firm’s data bunker is above-ground, the client can give written informed consent to allow you to store their communications nonetheless. If security is compromised, they cannot hold you liable because they consented to that level of protection. As with any other intentional disclosure of client information, informed consent is vital in the context of ESI.
With the new amendments to ethical duties from the ABA 20/20 Commission comes an added professional liability that leaves little room for luddites. Further, attorneys who fear the potential for malpractice liability due to inadvertent disclosure of information can easily implement reasonable efforts under the model rules. The cost of these efforts may be small for some and substantial for others, but the overall benefit of increased trust and client confidence justifies the investment. Those who refuse to adapt, however, should heed the sage advice of Bob Dylan: “Your old road is rapidly agin’. Please get out of the new one if you can’t lend a hand, for the times they are a changin’.”
ABA Model Rules of Professional Conduct
ABA Commission on Ethics 20/20, AmericanBar.Org (2013),URL
Exterro, Inc., New ABA Rule Amendments: Changing Attorneys’ Relationship with Technology (Sep. 4, 2012), http://player.vimeo.com/video/48826705.
Maureen O’Neill, Top 5 Ethical Issues in eDiscovery, ABA Labor & Employment Section Conference (2012).