Bench & Bar

SEP 2018

The Bench & Bar magazine is published to provide members of the KBA with information that will increase their knowledge of the law, improve the practice of law, and assist in improving the quality of legal services for the citizenry.

DISCUSSION

QUESTION 1: An attorney's ethical responsibility to implement cybersecurity measures to protect clients' information is founded upon four (4) separate requirements of the Rules as they relate to competence (SCR 1.1(6)); communications (1.4); confidentiality of information (1.6); and safekeeping of a client's property (1.15). Paramount among these ethical obligations is the requirement to "... not reveal information relating to the representation of a client unless the client gives informed consent." 11 The Commission has previously acknowledged that this provision applies not only to traditional paper communications, but also to the use of emails with clients and opposing counsel, as well as the storing of client information 'in the cloud'. Above all, the attorney must use 'reasonable care' to ensure that the client's confidential information is protected and that the client's property is safeguarded. 12 Comment (8) to ABA Model Rule 1.1 states that for an attorney to maintain the 'requisite knowledge and skill' required by this provision of the Model Rule, the attorney must keep abreast of the changing risks and benefits of relevant technology. 13 Effective January 1, 2018, the Kentucky Supreme Court similarly revised its "Maintaining Competence" Commentary (6) of SCR 3.130 (1.1) to include "... the benefits and risks associated with relevant technology...." Further, KBA Opinion E-437 makes it clear that Kentucky lawyers should be competent in the use of technology in their law practices. This 'competence requirement' includes knowledge of traditional cyber defense tools to protect client data.

Thus, "(b)ecause the protection of confidentiality is an element of competent lawyering, a lawyer should not use any particular mode of technology to store or transmit confidential information before considering how secure it is, and whether reasonable precautions such as firewalls, encryption, or password protection could make it more secure." 14 It should be noted that the type of communication with a client and/or the method of storing a client's data may require different levels of security. "At the beginning of the client-lawyer relationship, the lawyer and the client should discuss what levels of security will be necessary for each electronic communication about client matters. Communications to third parties containing protected client information requires analysis to determine what degree of protection is appropriate. In situations where communication (and any attachments) are sensitive or warrant extra security, additional electronic protection may be required." 15 Because technology is constantly changing, it is impossible to give specific requirements for what constitutes 'reasonable efforts' by an attorney to prevent cybersecurity breaches. 16 What is 'reasonable' depends upon the facts and circumstances, including the measures taken to prevent access to or disclosure of confidential information. Comment 18 to the Model Rules provides some guidance: "Factors to be considered in determining the reasonableness of the lawyer's efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards and the extent to which the safeguards adversely affect the lawyer's ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)." By no means, however, is an attorney ethically held to a 'strict liability' standard in efforts to prevent cyber attacks.

Nor do we mandate specific measures or suggested safeguards that an attorney must take to avoid 'hacks' in order to satisfy this ethical responsibility. 17 Instead, this Opinion updates historically held ethics guidelines for keeping client information confidential in light of the ever-changing use of technology in the practice of law. Furthermore, just as an attorney is under a continuing obligation pursuant to SCR 3.130 (1.1) to "... keep abreast of changes in the law and its practice ...," 18 so too is the attorney to undertake continuing technology education to increase cyber-preparedness, and to continually reevaluate the policies and procedures in place to minimize data breaches of a client's confidential information.

QUESTION 2: An attorney is required to "... reasonably consult with the client about the means by which the client's objectives are to be accomplished." 19 The 'means' employed by the attorney include discussing the use of technology in client communications, the handling of confidential client information within the law firm, and the storage of that information. 20 Further, an attorney is required to "... keep the client reasonably informed about the status of the matter" (that the attorney is handling for the client). 21 The Commentary to this Rule 22 explains that this includes telling the client about 'significant developments' affecting the time or the substance of the representation. While an attorney is allowed to withhold certain information from the client in limited circumstances, "(a) lawyer may not withhold information to serve the lawyer's own interest or convenience or the interests or convenience of another person." 23 SCR 3.130(1.4) does not mandate disclosure to a client of general cyber attacks against the law firm, or of breaches of security within an attorney's computer systems.

However, if there is a disclosure of the client's specific confidential and/or privileged information to third parties, which we believe would constitute a 'significant development' affecting the client's representation, then a disclosure must be made to the client about this development. We are further mindful of KRS 365.732, which imposes a statutory duty upon an 'information holder' 24 to give written notice to persons affected by a computer security 'breach' involving their unencrypted 'personally identifiable information'. While this statute does not establish a cause of action for a violation, KRS 446.070 allows a person injured by the violation of any Kentucky statute to recover the damages sustained as a result of that violation. Thus, if an attorney failed to disclose to the client a breach involving the client's unencrypted personally identifiable information, then the attorney may be unethically withholding that information to protect the lawyer's own interest in avoiding a lawsuit or an ethical charge by the client.
