Bench & Bar

SEP 2018

The Bench & Bar magazine is published to provide members of the KBA with information that will increase their knowledge of the law, improve the practice of law, and assist in improving the quality of legal services for the citizenry.

Issue link: https://kentuckybenchandbar.epubxp.com/i/1032347

Contents of this Issue

Navigation

Page 39 of 67

| SEPTEMBER/OCTOBER 2018 38 Similarly, the duty imposed by SCR 3.130 (1.15) to 'safekeep' a client's 'property' not only applies to a trust account in which a client's funds are maintained, but also to the client's files; client data stored on the law firm's computer system or 'the cloud'; and the client's intellectual property retained by the attorney because of pending matters. e Commentary to this Rule explains: "A lawyer should hold property of others with the care required of a professional fiduciary." Accordingly, the theft or loss of a client's funds or property as a result of a cyberattack must also be disclosed to the client. QUESTION 3: An attorney may not delegate ethical responsibilities to third parties. However, when the attorney lacks sufficient infor- mation, education and/or training to comply with the Rules, then the attorney should seek assistance from others, including nonlaw- yers and/or support services. "Any lack of individual competence by a lawyer to evaluate and employ safeguards to protect client confidences may be addressed through association with another lawyer or expert, or by education." 25 Due to the rapid change of cybersecurity options, an attorney may determine that taking 'reasonable measurers' to avoid a theft or loss of confidential client information includes contracting with a professional to create and/or maintain the cybersecurity plan for the law firm. "When a lawyer selects a provider of any support services, the duty of competence, the duty to protect a client's property, and the duty of confidentiality require the lawyer to investigate the qual- ifications, competence and diligence of the provider. 26 A lawyer who does not investigate whether a warehouse he or she is considering for the storage of files had adequate security to safeguard client files fails in his or her confidentiality and competence obligations to the client. Likewise, an attorney selecting an online provider of storage or other services must investigate the provider to be sure that client information is reasonably sure to remain confidential and secure." 27 Notably, each attorney within a law firm does not need to personally have all of the requisite technology competencies to meet this ethical responsibility. e lawyer can utilize another attorney within the law firm, the expertise of the law firm's nonlawyer staff, and/or outside experts to comply. "Getting expert help is a recurring theme (as well as good advice) in ethics opinions on this 28 subject." QUESTION 4: Partners or managers of attorneys, as well as supervisory lawyers, are required under the Rules to make 'rea- sonable efforts' to ensure that those lawyers that they manage or supervise conform to the Rules. 29 at requirement extends to nonlawyers or assistants employed or retained by, or associated with, a lawyer. us, the attorney who has direct supervisory over the nonlawyer must ensure their conduct complies with the Rules. 30 At the same time, lawyers who have managerial authority within a law firm are required to make "... reasonable efforts to establish internal policies and procedures designed to provide reasonable assurances that nonlawyers in the firm will act in a way compatible with the Rules...." 31 While all lawyers have a duty to evaluate their client data and systems and take reasonable steps to secure confi- dential information, attorneys who have managerial roles have the added duty of evaluating and correcting security issues within the law firm and prescribing policies and procedures to reduce cyber threats. Having an effective data security program will reduce the risk of confidential client information being disclosed for all lawyers in the law firm. e Opinion does not mandate the specific policies or procedures that an attorney must employ to have an effective data security pro- gram, nor does it contend that there is a 'one shoe fits all' solution for every attorney for cybersecurity. Instead, each attorney must understand what devices the law firm uses that are connected to the office network or the internet; how client information is exchanged or stored through that system and who has access to the data, and make 'reasonable efforts' to combat cyber threats. An attorney's policies will thus depend upon an attorney's use of electronics; the method used to communicate with clients and the nature of the client's information. 32 "ese requirements are as applicable to electronic practices as they are to comparable office procedures." 33 Establishing policies and procedures for cybersecurity alone, how- ever, does not end the partner, attorney manager or supervising attorney's responsibility under the Rules. Implementation of the BAR NEWS

Articles in this issue

Archives of this issue

view archives of Bench & Bar - SEP 2018