SBM - State Bar of Michigan

RI-381

February 21, 2020

SYLLABUS

Lawyers have ethical obligations to understand technology, including cybersecurity, take reasonable steps to implement cybersecurity measures, supervise lawyer and other firm personnel to ensure compliance with duties relating to cybersecurity, and timely notify clients in the event of a material data breach.

References: MRPC 1.1, 1.3, 1.4, 1.6, 5.1, and 5.3; R-1, RI-86, RI-187, RI-245, RI-249, RI-313, RI-344, and RI-355.

TEXT

Duty to Understand Technology, Including Cybersecurity

Rule 1.1 of the Michigan Rules of Professional Conduct (MRPC) provides: "A lawyer shall provide competent representation to a client." The comment to MRPC 1.1,[1] like its ABA Model Rule counterpart, expressly references technological competence as follows:

Maintaining Competence. To maintain the requisite knowledge and skill, a lawyer should engage in continuing study and education, including the knowledge and skills regarding existing and developing technology that are reasonably necessary to provide competent representation for the client in a particular matter. If a system of peer review has been established, the lawyer should consider making use of it in appropriate circumstances. (emphasis added).

Given the realities of modern law practice, a lawyer has a duty to be familiar with and use technology to the extent needed to provide a client with competent representation in a specific matter. This duty includes a lawyer’s safeguarding of clients’ electronically stored information (ESI) through cybersecurity. Cybersecurity includes, but is not limited to, protection against and response to data breach, ransomware,[2] or other security concerns with regard to protecting client ESI.

Reasonable Steps to Safeguard Client ESI

A lawyer cannot reasonably be expected to be a guarantor of client data security.[3] A lawyer must, however, exercise reasonable care in safeguarding client ESI.[4] To discharge that duty, a lawyer must formulate, adopt, and follow policies and procedures, appropriate to the lawyer’s field(s) of practice, regarding the use, transmission, and storage of client ESI. In addition, a lawyer must evaluate whether specific cybersecurity measures are appropriate for the representation of a client in a particular matter. As with substantive law, what may be considered "reasonable" cybersecurity changes over time.[5] Therefore, the duty to exercise reasonable care includes an obligation to assess periodically whether the lawyer’s policies and procedures keep pace with evolving technology risks.

A lawyer’s duty to exercise reasonable care to protect client ESI applies to the lawyer’s exchange of client ESI with clients and third parties. MRPC 1.6 provides in pertinent part that, subject to specific exceptions, a lawyer must not "knowingly . . . reveal a confidence or secret of a client." MRPC 1.6(b). The comment to MRPC 1.6, like its ABA Model Rule counterpart, references confidentiality when transmitting client information electronically as follows:

Confidentiality of Information. When transmitting a communication that contains confidential and/or privileged information relating to the representation of a client, the lawyer should take reasonable measures and act competently so that the confidential and/or privileged client information will not be revealed to unintended third parties.

What constitutes "reasonable measures" in fulfilling the duty to exercise reasonable care regarding client ESI depends on the circumstances, including the degree of sensitivity of the information to the client, potential threats, the risk of harm to the client in the event of unauthorized disclosure,[6] and the availability of protective technology.[7] As noted in ABA Formal Opinion 477R,[8] "the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication," but "particularly strong protective measures, like encryption, are warranted in some circumstances."

The duty to exercise reasonable care in handling client ESI extends to responsible storage of client ESI. Lawyers store client ESI on computer hard drives, CDs, DVDs, flash drives, smartphones, servers maintained by law firms, and in cloud-based data centers maintained by others.[9] While these various means of storage facilitate a lawyer’s use of client ESI for the representation, decentralized storage and transmission create additional opportunities for client ESI to be illicitly accessed, intentionally corrupted, held hostage, or stolen.[10] If portable storage media are used to store client ESI, a lawyer must exercise reasonable care to implement security controls for such media, including those restricting accessibility, use, and custody. Equally important, a lawyer must exercise reasonable care with respect to portable storage media originating from external sources, as such media may contain malware that could be used to corrupt or steal client ESI. When a lawyer outsources storage of client ESI to a third party, the lawyer must exercise reasonable care to ensure that the third-party vendor itself uses reasonable security measures. Rule 1.6(d) provides in pertinent part that "[a] lawyer shall exercise reasonable care to prevent employees, associates, and others whose services are utilized by the lawyer from disclosing or using confidences or secrets of a client." (Emphasis added.)[11]

Thus, a lawyer must conduct appropriate due diligence to ensure the vendor’s data security controls will reasonably protect against cyber risks, including inadvertent or unauthorized disclosure (to vendor affiliates as well as to third parties), access, corruption, destruction, ransom, or theft of client ESI.

Additional Duties of Partners & Supervisory Lawyers

Partners in a law firm must "make reasonable efforts" to ensure that the firm implements measures giving "reasonable assurance" that all lawyers in the firm conform to the MRPC.[12] Further, lawyers with direct supervisory authority over other lawyers and other firm personnel must "make reasonable efforts" to ensure that such supervised firm personnel conform to the MRPC.[13] To those ends, law firms and supervisory lawyers must educate firm personnel regarding risks, threats, and safeguards relating to the use, transmission, and storage of client ESI, including acceptable use of computers for online activity that may allow for unauthorized access, corruption, and/or theft of client ESI.[14]

Duty to Notify Clients of Material Data Breach

A lawyer has a duty to inform a client of a material data breach in a timely manner. See MRPC 1.3 (duty to act with reasonable diligence and promptness in representing a client). A data breach is "material" if it involves the unauthorized access, destruction, corruption, or ransoming of client ESI protected by MRPC 1.6 or other applicable law,[15] or materially impairs the lawyer’s ability to perform the legal services for which the lawyer has been hired. The duty to inform[16] includes the extent of the breach and the efforts made and to be made by the lawyer to limit the breach.[17]

MRPC 1.4(a) provides in pertinent part that "[a] lawyer shall keep a client reasonably informed about the status of a matter." Like the Michigan counterpart rule, ABA Model Rule 1.4 does not directly require disclosure of data breaches. However, in ABA Formal Opinion 483,[18] the ABA Standing Committee on Professional Ethics opined: "When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules." This Committee agrees.

CONCLUSION

Lawyers have ethical obligations to understand technology, including cybersecurity, take reasonable steps to implement cybersecurity measures, supervise lawyer and other firm personnel to ensure compliance with duties relating to cybersecurity, and timely notify clients in the event of a material data breach.


1. The Michigan Supreme Court adopted amendments to the comments to MRPC 1.1 and 1.6, effective January 1, 2020, to help lawyers understand that these Rules are interpreted to include technological competence.

2. Ransomware is a type of malicious software designed to block access to a computer system or data until a sum of money is paid.

3. In ABA Formal Opinion 477R (May 22, 2017), styled "Securing Communication of Protected Client Information," the ABA Standing Committee on Professional Responsibility reviewed security breach risks for law firms and concluded that while a lawyer cannot be expected to be a guarantor of client data security, a lawyer is required to exercise reasonable care in safeguarding client data.

4. See ABA Formal Opinion 477R (May 22, 2017).

5. See ABA Commission on Ethics 20/20 Report 105A (Aug. 2012). See also Jill D. Rhodes & Vincent I. Polley, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals 48–49 (2013) (adopting "a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.").

6. See Sharon D. Nelson, David G. Ries, and John W. Simek, What to Do When Your Data is Breached, Michigan Bar J, September 2018, pp 54–57; David G. Ries, Cybersecurity for Attorneys: Addressing the Legal and Ethical Duties, November 4, 2019.

7. The 2012 amendments to ABA Model Rule 1.6 include additions to comment [18], which states: [18] Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1, and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments [3]–[4].

8. ABA Formal Opinion 477R (May 22, 2017).

9. See Ethics Opinion RI-355.

10. David G. Ries, Safeguarding Client Data: Attorneys' Legal and Ethical Duties (November 2019).

11. See Ethics Opinions RI-104, RI-187, and RI-344.

12. MRPC 5.1(a).

13. MRPC 5.1(b), 5.3.

14. See MRPC 5.1 and 5.3; see also Ethics Opinions R-1, RI-249, and RI-313.

15. See, for example, the notice requirements under the Michigan Identity Theft Protection Act, MCL 445.72. See also the IT Governance website for laws in other jurisdictions and other information on this topic.

16. A lawyer may have duties prescribed by laws involving data privacy, in addition to the ethical duties discussed in this opinion.

17. See ABA Formal Opinion 483 (October 17, 2018).

18. Id.