American Bar Association Issues New Guidance on Cybersecurity Ethics

Long gone are the days when attorneys could take an “as needed” approach to technology. Over the past few years, the American Bar Association (ABA) has continued to update its guidance on ethical requirements related to technology and cybersecurity, including Formal Opinion 477R in 2017 and Formal Opinion 483 in 2018. Prompted by the massive shift in the way attorneys – and nearly every business, for that matter – are interacting with their clients and engaging in the practice of law remotely due to the coronavirus pandemic, the ABA issued Formal Opinion 498 in March 2021.

The opinion takes a fresh look at the latest technological advances and changes to the ways attorneys practice law in a remote work environment and provides guidance on how to navigate the heightened cybersecurity risks attorneys face.

“At all times, but especially when practicing virtually, lawyers must fully consider and implement reasonable measures to safeguard confidential information and take reasonable precautions when transmitting such information,” the opinion states.

Expanding on the recommendations outlined in Formal Opinion 477R, ABA Opinion 498 provides guidance on general cybersecurity responsibilities, including:

• Ensuring that attorneys have carefully reviewed the terms of service applicable to their hardware devices and software systems to assess whether confidentiality is protected;
• Being diligent in installing any security-related updates and using strong passwords, antivirus software, and encryption;
• Ensuring that routers are secure and considering using virtual private networks (VPNs);
• Periodically assessing whether their existing systems are adequate to protect confidential information as technology evolves; and
• Maintaining reliable access to client contact information.

The opinion also addresses activities that have been more prevalent in light of our remote work arrangements:

• Virtual meetings: Access to accounts and meetings should be only through strong passwords. All recordings and transcripts should be secured and only with client consent.
• Maintaining Privilege: For many attorneys working remotely, a “home office” may be nothing more than a table in a bedroom or kitchen, not separated from the rest of the home by a closed door. Nonetheless, attorneys always must be diligent about maintaining privilege and should take care to ensure that client-related meetings and information cannot be overheard or seen by others in the household, office, or other remote location, or by other third parties.

• Virtual offices: When lawyers are practicing virtually—even on short notice, as happened in March 2020 – they must have reliable access to client contact information and client records. A reputable cloud service should be used, with data regularly backed up and accessible in the event of a data loss.
• Smart Speakers, such as Alexa: Attorneys should disable the listening capability of devices or services such as smart speakers, virtual assistants, and other listening-enabled devices while communicating about client matters.

Formal opinion 498 reiterated that supervising attorneys have an obligation to ensure that attorneys on their team are abiding by these rules as well, and specifically recommended “routine communication and other interaction…to  discern the health and wellness of the lawyer’s team members.”

The complex relationship between technological advances and the accompanying risks can create a confusing landscape for attorneys, and the unique circumstances of the past year have exacerbated these complexities. But one thing remains certain: competence in technology cannot simply be outsourced and attorneys’ ethical obligations cannot be minimized. The Model Rules – and ABA’s recent opinions – make it clear that attorneys must educate themselves on the ever-changing risks and the benefits of technology.