Bench & Bar

SEP 2018

The Bench & Bar magazine is published to provide members of the KBA with information that will increase their knowledge of the law, improve the practice of law, and assist in improving the quality of legal services for the citizenry.

Issue link:

Contents of this Issue


Page 37 of 67

| SEPTEMBER/OCTOBER 2018 36 SUBJECT: Cybersecurity QUESTION #1: Does an attorney have an ethical responsibility to implement cybersecurity measures to protect cli- ents' information? ANSWER: Yes QUESTION #2: Does an attorney have an ethical responsibility to advise clients about cyberattacks against the law practice and/or breaches of security? ANSWER: Qualified Yes. QUESTION #3: Can an attorney utilize third parties and/or non- lawyers to plan and implement cybersecurity measures? ANSWER: Yes. QUESTION #4: Does an attorney have an ethical responsibility to ensure that law firm employees, as well as third parties employed by, retained by, or associated with the lawyer, comply with the attorney's cybersecurity measures? ANSWER: Yes. INTRODUCTION An attorney's use of technology in the practice of law has evolved considerably since this Committee first addressed communicating with clients through electronic mail services in 1998. 1 Since that time, Ethics Opinions have discussed the use of domain names, 2 cloud computing, 3 and most recently, communications between attorneys by email. 4 As noted previously, "Technology provides an ever-changing environment in which to apply the Rules of Professional Conduct." 5 Whether an attorney uses email to com- municate with clients; e-files documents with the courts; stores client information electronically; shares files with others; employs mobile devices and/or accesses the internet, care must be taken to avoid disclosure of confidential client information. As technology has evolved, so has the ability of third parties to attack or 'hack' a lawyer's electronic systems, not only to obtain confidential client information, but also to disrupt the law firm's operations by threatening to destroy client files to collect ransom payments. "Creating, using, communicating, and storing infor- mation in electronic form greatly increases the potential for unauthorized access, use, disclosure and alteration, as well as the risk of loss or destruction (of client information)." 6 Attorneys must therefore be cognizant of cybersecurity measures that can be employed to preserve their client's information. Unfortunately attorneys are consider 'easy targets' for cyberattacks. 7 If 'techno-challenged', or even 'technophobic', the lawyer may not appreciate the cyber risk of electronically communicating with cli- ents, and/or storing collected client information on the law firm's computer systems. Further, the technology employed by an attorney to protect from unauthorized access, theft, or destruction of client information may not be as sophisticated as the client's own cyber defenses. Moreover, while solo practitioners or small law firms may think they are immune to cyber attacks, the size of a law firm doesn't matter when it comes to cyberattacks. Instead, the 'sophistication or lack thereof ' of the attorney's computer system becomes the issue. As learned from the 'Panama Papers' breach, even the largest of law firms whom one would believe would have tech-savy security in place to prevent 'hacks', are not exempt from cyber attacks. 8 In 2012, the American Bar Association ("ABA") established a "Cybersecurity Legal Task Force" that recommended 'technology amendments' to the Model Rules of Professional Conduct ("Model Rules") 1.0; 1.6; and 4.4. ose amendments were subsequently approved by the ABA House of Delegates to specifically provide information and guidance to attorneys on use of electronic com- munications; intrusions on a law firm's systems and networks; and ethical obligations to protect a client's confidential information. e ABA Standing Committee on Ethics and Professional Responsi- bility subsequently issued Formal Opinion 477R on May 22, 2017, that interpreted these amendments to the Model Rules to further explain ethical issues involving the use of electronic means to com- municate regarding client matters. 9 While the Kentucky Supreme Court did not adopt the ABA Model Rules, nor has it amended the Kentucky Rules of Professional Conduct ("Rules") 10 to discuss technology issues as the ABA has done, the discussion in Formal Opinion 477R provides a background to an attorney seeking guidance on technology issues impacting confidentiality of client communications. FORMAL E THICS OPINION K E N T U C K Y B A R A S S O C I A T I O N ETHICS OPINION KBA E-446 · ISSUED: JULY 20, 2018 e Rules of Professional Conduct are amended periodically. Lawyers should consult the current version of the rule and comments, SCR 3.130 (available at, before relying on this opinion. BAR NEWS

Articles in this issue

Links on this page

Archives of this issue

view archives of Bench & Bar - SEP 2018