Data protection long has been a legal responsibility for lawyers. The American Bar Association now is proposing to make clear that the protection of a client’s data is an ethical responsibility of the lawyer as well.
The Commission on Ethics 20/20 of the American Bar Association released its Report to the House of Delegates recommending several modifications to the ABA Model Rules of Professional Conduct regarding lawyers’ use of technology and protection of client confidences. The proposals will be considered at the ABA’s 2012 Annual Meeting, and several of these proposed modifications incorporate established concepts from existing data protection and breach notification laws.
Comments to existing Rule 1.6 of the ABA Rules indicate that lawyers must act competently to safeguard information against inadvertent or unauthorized disclosures. The Commission concluded, however, that “technological change has so enhanced the importance of this duty that it should be identified in the black letter of Rule 1.6 and described in more detail through additional Comment language.” The proposed Model Rule 1.6(c), which uses language commonly found in data breach notification statutes, states:
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to information relating to the representation of a client.
A Comment explains that an unauthorized disclosure is not a violation of the proposed Rule if the lawyer made “reasonable efforts” to avoid the disclosure. In evaluating whether reasonable efforts were made, the proposed Rule cites the following factors:
- sensitivity of the information
- likelihood of disclosure if additional safeguards are not employed
- cost and difficulty of implementing additional safeguards
- extent to which the safeguards adversely affect the lawyer’s ability to represent clients
The Commission also proposes that the ABA develop and offer a “user-friendly website” to provide guidance on lawyers’ use of common technology, information about the latest data security standards and the administrative, technical and physical safeguards that should be implemented by lawyers. The website will be designed to respond to rapidly developing security standards in a way that ethics rules cannot.
In addition, the Commission proposes to make clear that a lawyer’s professional duty of competence includes knowledge of the “benefits and risks” of technology associated with the legal practice. In the words of the Commission, “lawyers must understand technology in order to provide clients with the competent and cost-effective services that they expect and deserve.”
These proposed Rules together serve as a reminder of the importance of implementing effective policies and procedures that prevent a data breach. A breach already frequently results in significant financial and reputational costs under existing laws, and now the Commission has made clear that a breach may affect a lawyer’s status with the bar and legal practice. In the event that other professional accreditation bodies follow the Commission’s lead, the consequences of a breach will only become more widespread and punitive to businesses and professionals alike.