Citing the increased importance of data security in the face of rapid technological developments, the ABA Commission on Ethics 20/20 last week floated an amendment to existing rules that would require lawyers to make "reasonable efforts" to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
This proposed revision, which the commission filed with with the ABA House of Delegates on May 7 for its consideration at the ABA's annual meeting in August, would enhance an existing rule that indicates that lawyers must "act competently" to safeguard information against inadvertent or unauthorized disclosures.
"The proposed rule ... serve[s] a reminder of the importance of implementing effective policies and procedures that prevent a data breach," Hogan Lovells attorney Scott Loughlin said in a post on the firm's Chronicle of Data Protection blog on Monday. "A breach already frequently results in significant financial and reputational costs under existing laws, and now the commission has made clear that a breach may affect a lawyer's status with the bar and legal practice."
In the event that other professional accreditation bodies follow the commission's lead, the consequences of a breach will only become more widespread and punitive to businesses and professionals alike, Loughlin added.
This proposal came as part of the commission's report to the House of Delegates recommending several modifications to the ABA Model Rules of Professional Conduct regarding lawyers' use of technology and protection of client confidences.
The changes regarding data security relate to existing ABA Model Rule 1.6, which governs the confidentiality of client information. Currently, the rule bars lawyers from revealing information relating to the representation of a client unless the client gives informed consent, and sets out several instances — such as to prevent reasonably certain death or to prevent a client from committing a crime that would result in financial harm — where lawyers can reveal information without a client's permission.
But the commission found that this rule was insufficient in an atmosphere where "technological change has so enhanced the importance of this duty" to keep client information secure.
"Technology has transformed how lawyers communicate with their clients and store their client's confidences," the commission's report said. "This shift has created new concerns and questions about lawyers' obligations, including their duty to protect confidential information."
In order to "offer lawyers the guidance they need," the commission recommended adding a new paragraph to Rule 1.6 that "would make clear that a lawyer has an ethical duty to take reasonable measures to protect a client's confidential information from inadvertent disclosure, unauthorized disclosure and unauthorized access, regardless of the medium used."
Despite this pronouncement, the commission stressed that it understood that lawyers cannot guarantee electronic security any more than lawyers can guarantee the physical security of documents stored in a file cabinet or offsite storage facility, and said that its proposal would not impose a duty upon lawyers "to achieve the unattainable."
Instead, the proposal identifies various factors based on established concepts from existing data protection and breach notification laws that lawyers should take into account when determining whether their precautions are reasonable.
"The factors, which include the cost of the safeguards and the sensitivity of the information, recognize that each client, lawyer or law firm has distinct needs and that no single approach should be or can be applied to the entire legal profession," the report said. "The proposal makes clear that a lawyer does not violate the rule simply because information was disclosed or accessed inadvertently or without authority."
The commission also proposes that the ABA create and maintain a regularly updated "user-friendly" website to provide more specific and timely guidance than the model rules can provide regarding lawyers' use of commonly encountered technology.
"Data protection long has been a legal responsibility for lawyers," Loughlin said. "The [ABA] now is proposing to make clear that the protection of a client's data is an ethical responsibility as well."
--Editing by Katherine Rautenberg.
