Last July, I wrote an article for where I argued that as a basic tenet of our profession, Canadian lawyers should be required to have a minimum understanding of technology, privacy, and cybersecurity in order to adequately service their clients. The same is true for lawyers in the U.S.
Regardless of whether there is a mandatory legal duty of technological competence required of lawyers by our law societies, arguably lawyers practicing law during this time of pandemic now have an even greater duty to understand and deploy the necessary technological measures and practices to protect client data from unwanted intrusion.
In Ontario, § 3.1.1. of the Rules of Professional Conduct sets out the various positive duties of competence that lawyers are supposed to possess. For example, a “competent lawyer” is a lawyer who has and applies relevant knowledge, skills, and attributes in a manner appropriate to each matter undertaken on behalf of a client, applying appropriate legal skills, pursuing appropriate professional development to maintain and enhance legal knowledge and skills, and adapting otherwise to changing professional requirements, standards, techniques, and practices.
Unfortunately, Canada currently lags behind the United States in recognizing this duty. As Massachusetts lawyer Robert J. Ambrogi notes in his excellent blog , the ABA formally approved a change to the Model Rules of Professional Conduct in 2012 to clarify that lawyers have a duty to be competent, not only in the law and its practice, but also in technology. By way of reminder, Model Rule 1.1 provides that “a lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation”.
Comment 8 to Model Rule 1.1 specifically requires U.S. attorneys to maintain technological competence as follows:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.
To date, 38 U.S. states have adopted the duty of technological competence. While California has not formally adopted the change to its rules of professional conduct, Ambrogi notes that the state has issued an ethics opinion (State Bar of California Formal Opinion No. 2015-193) that expressly acknowledges a duty of lawyers to be competent in technology, i.e. requiring lawyers who represent clients in litigation either to be competent in e-discovery or associate with others who are competent. The opinion expressly cites the ABA’s Comment 8 and states:
Maintaining learning and skill consistent with an attorney’s duty of competence includes “keeping abreast of changes in the law and its practice, including the benefits and risks associated with technology.”
The global ascendance of COVID-19 has only spurred the activities of phishing, malware, and ransomware attacks. Rob , Corporate Vice President for Microsoft 365 Security, reported in his April 8, 2019, blog that every country in the world has seen at least one COVID-19-themed attack, with China, the United States, and Russia being hit the hardest.
Given the heightened security risks of working during a pandemic, I believe more than ever that technological competence must be read into the "duties of competence" that all lawyers are “supposed to possess” today, even if some regulators haven’t caught up with this new reality.
What does technological competence look like for lawyers practicing during a pandemic?
First and foremost, lawyers must take steps to ensure they have in place reasonable measures to protect client data against unauthorized access. Technology that contains or is used to access client data should be hardened against the increased threat of third-party hackers and malware, using firewalls, encryption tools, appropriate up-to-date antivirus technology/URL threat protection, and other security software. Outdated legacy software should be shelved, free unsupported versions of software should no longer be used, and all security patches and updates received from vendors should be implemented in a timely fashion. Lawyers should only use dedicated VPNs and secured Wi-Fi to access critical networks.
Additionally, lawyers wishing to better protect their clients’ confidential information should consider the following tips:
(1) Zoom wisely. Videoconferencing has been a boon to organizations that have traditionally relied on face-to-face meetings to get things done. But as anyone following recent headlines regarding the vulnerabilities of video conferencing services can attest, it is not without privacy and security risks.
The Office of the Federal Privacy Commissioner in Canada recently provided a series of privacy tips for using videoconferencing services The suggestions are both timely and useful for lawyers practicing anywhere. For example the OPC recommends that users that sign up for a new account with a videoconferencing service should use unique passwords, not existing social media accounts, to sign into a new service. Meetings should be made private or only accessible to invited participants, and they should not be publicly posted to social media to prevent unwanted guests from joining. Disable features such as “join before host,” screen sharing, or file transfers to minimize the threat of “Zoombombing,” gate crashing, and other intrusions. Video conferencing calls should be protected with a password if possible, especially if the parties intend to discuss sensitive personal information. Each call should have its own password to prevent uninvited participants. Lawyers that host should consider disabling their participants’ ability to record the call.
Other helpful advice includes being careful about where one sits during the call, as background details can reveal a lot of information that you might not want to share. Anyone using a web browser for the video call should open a new window with no other browser tabs and close other applications to avoid inadvertently sharing notification pop-ups (e.g., incoming emails) with other participants and the videoconferencing service provider. Of course all personal home assistants (Alexa, Siri, Google Home, etc.), and smart speakers should be turned off during videoconference to avoid accidentally triggering the assistant and/or recording the call.
(2) Retain and Dispose of Confidential Information Securely. Now is not the time to discard highly sensitive client confidential information with your used coffee grounds and pet litter. Significant data breaches have occurred when documents containing personal information and health information were found tumbling around in alleyways and on city streets. Working from home does not mean that lawyers cease to have a duty to protect sensitive client data from prying eyes or other third party exposures. Sensitive information should be securely stored (whether in locked cabinets, boxes, or otherwise). Invest in a decent paper shredder and use it. Or save all of your confidential information until you can return it your office for secure disposal.
(3) Have adequate (and secure) backup. It’s critical for lawyers and their law firms to invest in the acquisition of professional backup, recovery, and restoration software, and to establish a relationship with a reputable backup/data recovery provider, so that if any confidential or client data is inadvertently lost, the organization can seek to recover such data with a minimum of panic and fuss. Law firms and lawyers should never rely on free backup software downloads to protect sensitive client data.
Not all backup and restore software is created equally. Lawyers should choose vendors whose software (i) can safely remove malware or other viruses, verify that the backups do not contain infections, and ensure that any restored files are clean to forestall additional infections; (ii) has two-factor authentication enabled to prevent credential theft, leading to unlawful access and deletion of backup data; and (iii) has the backup data stored on immutable storage media.
(4) Develop and Maintain Data/Cyber Breach Incident Response Plans. All law firms should ensure that they have a proper privacy/cybersecurity incident response plan in place. The plan should clearly identify the specific contact information for the individuals or committee initially tasked with investigating, containing, and managing the breach, as well as those charged with evaluating risk and handling mitigation.
If you do make a mistake and expose client data, you will need to know who to contact internally immediately in order to contain the risk and threat exposure promptly. It’s much too late to figure all of this out in the middle of the incident. To avoid the loss of valuable time, this incident response plan should be carefully crafted in advance and approved by firm management. All lawyers and staff should be made familiar with it. It’s also critical to have such a plan in place to forestall internal confusion that could lead to inadvertent disclosures of such incidents on social media or elsewhere.
It is worth reminding lawyers that law firms may have to comply with mandated time-sensitive reporting obligations to federal, provincial, or state privacy regulators, and potentially other regulators, individuals, and third party organizations, depending on the nature of the breach and the type and sensitivity of the data involved. Additional service providers, such as preferred cybersecurity experts, credit monitoring services, and media firms should also be chosen and retained in advance. Plans should be reviewed at least annually and updated as required to stay current and effective. Smaller firms and solo practitioners should adopt modified versions of these plans as relevant to them.
Regardless of whether lawyers are now formally obliged to check off one more box on their yearly state bar annual filing or other regulatory report, one may argue that all lawyers today already have a positive and meaningful duty of technological competence. Our clients deserve nothing less.
Lisa R. Lifshitz