Nothing New Under the Sun: Recent ABA Ethics Opinion on Lawyers’ Use of Encryption Does Not Have Much Practical Effect

Published 2017-05-26 at https://redcavelegal.com/2017/05/26/aba-formal-opinion-477-dont-panic/

The American Bar Association has recently released Formal Opinion 477, covering data security obligations of lawyers and law firms, including with respect to encryption. You can access a full copy of the opinion, as well as a summary of its content, at my friend Bob Ambrogi’s always hyper-relevant LawSites blog.

As usual, when something like this happens, people start freaking right the hell out. However, when viewed through the lens of the already-existing obligations that attach to lawyers’ management of their clients’ data, the opinion does not lump any more responsibility upon law firms than that which already exists. Essentially, the publication serves as a gentle reminder, to start walking the line, for lawyers who have not heeded the trend line of the new technology competence angle attached to Model Rule 1.1 (and the states’ heavy adoption of it) and the updates to Model Rule 1.6.

At this point, every state has a data security law. Lawyers are not exempt from those laws; neither should they be. If there are universal principles of those laws, they are as follows: (1) Make reasonable efforts to secure your clients’ data. (2) Use encryption for particularly sensitive data categories, e.g. — social security numbers, financial account numbers. (3) ‘Reasonable’ efforts are determined based on business-specific factors. (4) Vet vendors who will retain your data. (5) Determine vulnerabilities and address solutions, preferably in written format; update the risk assessment from time to time. The new ABA opinion basically adopts these requirements. So, if you’re following your state law covering data protection already, you’re likely to be at, or above, where the ABA wants you to be.

Of course, the majority of solo and small firm attorneys do not meet state requirements for data protection, in part because they are (perhaps ironically), taking a calculated risk — there have not been many high-profile data breach investigations made against or penalties imposed upon solo and small firm lawyers. Now, that doesn’t mean there won’t be. And, now that the ABA is highlighting, and offering tacit approval of, state law requirements, the less compliant your law firm is, the more likely you will be exposed to state- and bar-imposed penalties.

The ABA opinion also addresses a fact scenario in which a lawyer and a client have agreed to approach data security in a certain way. The advice is that the lawyer should follow the terms of that agreement. . . . Well, thank you, Captain Obvious. Some state bars are more specific about this, and recommend that the genesis of that discussion derives from inside the fee agreement — the Massachusetts Bar Association has done so — and, I think that is the better approach; every lawyer knows or should know that her first obligation is to follow through on promises made to clients. The ABA opinion noses around suggesting such a fee agreement clause, but never quite gets there. And, in the real world, it’s the rare instance where small firm lawyers and their clients are settling up a specific data security program for a particular client’s case. Clients expect that lawyers will, and lawyers should, dictate the terms of that arrangement — which, yes, must represent a reasonably secure approach.

The ABA is also more generic than state law in determining what specific types of information are particularly sensitive, thus warranting a higher level of protection — some state laws also prescribe specific protection mechanisms and levels of protection. Of course, the ABA is stacking generalities intentionally. Lawyers lust after generalities, because as soon as you start defining down, you construct loopholes. If ten items are included in a list, there are tens of thousands of items that could conceivably be excluded from that list. It also makes good sense not to drill too deeply, given the pace of technological change in the legal industry; there is the risk of legislating against something that will become passé in three months’ time. However, this is not just a philosophical choice. The fact is that those who most frequently utilize ethics opinions (malpractice attorneys, bar overseers, bar associations) are ill-equipped to engage high-level discussion of the specifics of technology applications, including in the realm of data security. A broad application allows those folks a larger sandbox in which to play, and reduces the technical knowledge outside of substantive law that they must bring to bear.

The Bottom Line

So, here’s the deal:

Formal Opinion 477 actually changes very little about your practical responsibilities as a law firm in terms of managing your clients’ data.

If you follow your state’s laws respecting data protection and/or strive for ‘best practices’ rather than ‘minimum competency’, you should be good not only in terms of your ethics and malpractice obligations, but also in terms of your clients’ belief in your ability to secure their data, and your own belief that you are doing everything you can to safeguard your client’s data.

Many solo and small firm lawyers complain about encryption because their clients complain about encryption, as evidenced in the comments to Bob’s post. But, there are myriad ways to manage encryption, and also to educate clients on, not only the importance of data security, but also about how convenience often butts against security. Even so, delivering encrypted matter to clients is getting ever simpler; and, probably the easiest current market solution is the use of a client portal available through a law practice management system — which is a solution that the opinion itself alludes to on page 7.

Things I Like and Do Not Like

The problem with ethics opinions like these is that they almost always read like they were written by your Grandma(ma). On page 5 of the opinion, reference is made to the purported fact that some information is so sensitive that it should not be transmitted electronically at all. But, that’s a virtually impossible solution for a modern practice, and cuts against a lawyer’s ability to keep electronic records, which is essential in resolving malpractice disputes. On page 5, there is also discussion of the potential for issues related to ‘message boards’. And, let me tell you: message boards, chat rooms — they have been proxy harbingers of disasters lurking in ethics opinions since at least the mid-90s. The problem is that there’s little to no definition about what these are, and how they work in a modern environment. There are public communication tools (Reddit) and there are private communication tools (invite-only listservs); there are internal communication tools (Slack) and external communication tools (limited access client portals). I think most attorneys are aware that you don’t directly solicit clients via ‘message boards’, and that you don’t post in public fora information about the case you’re working on. For real, wake me up when someone writes an ethics opinion about Reddit.

That being said, I do think that, as far as ethics opinions go, there is a solid chunk of good, practical detail that is addressed. For example, there is a great discussion at the end of page 7 about when and how privilege may be waived; for example: when clients communicate with their attorneys via their work-issued devices. The application of disclaimers to email, as referenced at the top of page 8, is interesting, insofar as it will trigger the recipient lawyer’s responsibilities under Rule 4.4 — with respect to data security, most people think only of the obligation of the sender; but, lawyers are a special case. I also like that there is an admission that it is not a measure of weakness for lawyers to ask for help on matters of data security, as outlined at page 9: ‘Any lack of individual competence by a lawyer to evaluate and employ safeguards to protect client confidences may be addressed through association with another lawyer or expert, or by education.’ (I mean, you could hire a law practice management consultant for that, if you wanted. Just sayin’. . . . AHEM.) Finally, and not for nothing; but, in attempting to write for an entire nation of lawyers, where various jurisdictions may expand on the principles outlined in this opinion, it’s probably better to go broad anyway.

Encore

Ultimately, even if a pronouncement like ABA Formal Opinion 477 is more sound than fury, it will hopefully serve as a jolt to those solo and small firm attorneys who don’t care a fig for data security, and provide them incentive to step up their respective games. In turn, it will also be interesting to see whether a proclamation like this will empower bar ethics staff to more aggressively deter technology incompetence perpetrated by lawyers, where state laws have not been used to address issues present in the legal vertical.

We shall see what results.

. . .

Liner Notes

‘Luxury Liner’ by Emmylou Harris

Emmylou Harris had a siiiiiick backing band back in the day — Albert Lee is just an animal. If the audio quality was better on my link, you would be hard-pressed to pick up the fact that this was a live show.

Also, replicable.
