Lawyers have an ethical duty to safeguard confidential information in the cloud
With a funeral home in ashes and an insurance company refusing to pay benefits, the last thing you’d expect to hear about is online security and the cloud.
But that’s exactly what happened in 2014 when the Holding Funeral Home lost a building in Castlewood, Virginia, to a fire and Harleysville Insurance Co. refused to pay out the claim, alleging misrepresentation and other issues.
During the investigation, security video footage of the incident was shared between the insurer and the National Insurance Crime Bureau through the cloud storage service Box. The investigator who created the account didn’t password-protect it. Pretty soon that account contained the entirety of the plaintiff’s case file, including privileged information. Anyone who had a link could access it.
Sure enough, opposing counsel mistakenly received access. After downloading the entire file, the funeral home’s attorneys saw everything, including privileged documents, but they did not notify the insurer’s attorneys, thinking that privilege had been waived.
At first, the insurer and its lawyers seemed out of luck. In 2017, U.S. Magistrate Judge Pamela Meade Sargent sided with the funeral home’s attorneys in Harleysville Insurance Co. v. Holding Funeral Home and determined the failure to limit permissions and create a password did waive privilege. She wrote that it was “the cyberworld equivalent of leaving its claims file on a bench in the public square and telling its counsel where they could find it.”
Luckily for the insurer, U.S. District Judge James P. Jones, on appeal, rejected the magistrate’s reasoning. Jones concluded that the disclosure was inadvertent and the unique URL of 32 randomly assigned characters created by Box, which was needed to access the account, made it “impossible for anyone, let alone a particular person connected with the case, to accidentally stumble across the Box folder.”
Although the insurer had failed at cybersecurity basics, the judge determined that it had acted reasonably and that privilege hadn’t been waived.
BE REASONABLE
Whether for personal or professional applications, remote storage has become the standard for millions of Americans. However, this and other internet-enabled technologies can create unique ethical quandaries for lawyers. With changes to ethics rules reflecting technology’s role in the profession, many find the prevailing reasonableness standard difficult to interpret. For cybersecurity ethicists, however, an ethical attorney is not just doing one thing; they are in a constant state of evolution and growth to keep pace with threats and best practices.
When discussing cybersecurity and legal ethics, “there are four basic rules that govern,” says Sharon Nelson, president of Sensei Enterprises, a cybersecurity company. Those are ABA Model Rule 1.1, which deals with competence; Rule 1.4, which involves communications; Rule 1.6, which covers the duty of confidentiality; and rules 5.1 through 5.3, which focus on lawyer and nonlawyer associations. However, she calls competence and confidentiality “the big two.”
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
When the ABA updated the Model Rules of Professional Conduct in 2012, two significant changes occurred regarding confidentiality and competency. The rules now require “reasonable efforts” to avoid the “inadvertent or unauthorized” disclosure of, and access to, client information, and require lawyers to keep abreast not only of the law but of technology as well.
By using terms such as “reasonable,” the new rules “are flexible enough to protect the public in the face of new risks that may not have existed at the times the rules were written,” says Michael McCabe, an attorney in Potomac, Maryland, and a co-vice chair of the Ethics and Professional Responsibility Committee of the ABA Intellectual Property Law Section. Further, he says, what is reasonable cybersecurity for a large, multistate firm may not be reasonable for a small or solo operation.
As with negligence standards, reasonable cybersecurity has the potential to create many debates and proceedings, as in Harleysville. This is because experts, and often official ethics opinions, generally agree that reasonable efforts are more about process than about a particular technology or practice.
For example, the updated comment to Rule 1.6(c) on confidentiality provides a nonexhaustive list of factors to consider in deciding whether an attorney acted reasonably in the lead-up to a breach of client data, but it does not endorse a specific approach. The comment recommends considering the type of information stored, the likelihood of a breach without putting safeguards in place, the challenges and costs of implementing safeguards, and how those safeguards may affect the attorney’s ability to represent the client.
LACK OF SPECIFICS
Last May, the Standing Committee on Ethics and Professional Responsibility built on existing guidance concerning confidentiality with Formal Opinion 477R.
“It’s the most current, most thorough guidance on lawyers’ duties to protect confidential and privileged information,” says Lucian Pera, a partner at Adams and Reese in Memphis, Tennessee, and co-author of an article in the second edition of the ABA Cybersecurity Handbook.
This opinion replaced a document from 1999, which many interpreted as a green light to send confidential client communications through nonencrypted email in every circumstance, Pera says.
The new opinion says the 2012 Model Rules changes “do not impose greater or different duties of confidentiality.” However, “how a lawyer should comply with the core duty of confidentiality in an ever-changing technological world” does require some reflection.
For many reasons, Pera likes the opinion. Notably, he says, one can give it to an IT vendor and, without too much legalese, the company can comprehend the standards lawyers have to meet.
The guidance recommends that an attorney learn about the nature of threats, how client information is transmitted and stored, and best practices generally. It continues by saying client confidential documents should be labeled appropriately; lawyers and nonlawyers working on a matter should be trained in cybersecurity and confidentiality procedures; and due diligence should be conducted on technology vendors.
This article was published in the April 2018 issue of the ABA Journal with the title "Cloudy Ethics: Lawyers have an ethical duty to safeguard clients’ confidential information—a task that’s become more complicated as the cloud becomes more ubiquitous."