ABA to Tackle Technology Issues in Model Rules at August Meeting
By John Barkett
June 25, 2012
Ethics commission offers language acknowledging lawyers’ responsibility to understand technology.
Since 1908, the American Bar Association has published ethical rules to govern the conduct of lawyers. The Canons of Ethics became the Model Code of Professional Responsibility in 1969. The Model Rules of Professional Conduct replaced the Model Code in 1983. The model rules are not binding on lawyers in a jurisdiction until that state’s supreme court adopts them. With variations in some of the rules, 49 states and the District of Columbia have done so. The one exception is California, which has its own ethics rules.
The ABA periodically reviews the model rules and their explanatory comments in relation to trends in the practice of law, and when necessary makes amendments to the rules or comments. States typically follow suit with conforming amendments.
In 2009, the ABA Commission on Ethics 20/20 was formed to, among other goals, adapt the model rules to technology innovations in the practice of law. To achieve this aim, the 20/20 Commission has proposed amendments to several rules or comments that will be voted on by the ABA House of Delegates, which meets during the organization’s upcoming annual meeting, August 2-7, in Chicago.
The amendments appear modest but their import is significant.
Model Rule 1.1 requires lawyers to provide competent representation to a client. To do so, the comment to Rule 1.1 has always required lawyers to “keep abreast of changes in the law and its practice.” The 20/20 Commission’s recommended amendment to Rule 1.1 provides that this mandate will now include “the benefits and risks associated with technology.” Lawyers who in the past blindly relied on third-party service providers for electronic discovery, search technology, data storage and security, cloud computing, and other technology needs will, to provide “competent” representation, have to conduct a reasonable level of due diligence about what can go wrong in their use of technology to serve client needs.
Lawyers are bound to maintain the confidentiality of client information, as Model Rule 1.6 explains. In the paper world, the risk of inadvertent disclosure of client information was not high. It might occur in a large production of documents in litigation but it was otherwise rare.
In the electronic world, the risk is much greater. Microsoft Outlook’s automatic address feature has caused many lawyers to send emails to the wrong person. Hackers are constantly seeking to penetrate firewalls to access confidential information. “Track changes” and “comment” fields in Microsoft Word; a lost thumb drive, notebook or tablet computer that is not password protected; and cloud storage without sufficient data security measures are among other ways that technology ceases to be a lawyer’s friend.
To remind lawyers of these risks, a new sub-paragraph (c) will be added to Rule 1.6. It requires lawyers to “make reasonable efforts” to prevent “inadvertent or unauthorized disclosure of, or unauthorized access to” confidential client information. This is a dynamic requirement; it will vary as technology improves data protection tools or practices. Cost will play a role in defining what is reasonable. However, as more lawyers adopt state-of-the-art data protection techniques — or as malpractice carriers require such tools to be adopted — lawyers who are unable to afford to do so may be in jeopardy of being confronted with an allegation of a breach of a duty of care if an unauthorized or inadvertent disclosure occurs.
Model Rule 4.4 provides that a lawyer who receives a privileged document and “knows or reasonably should know” that the document was inadvertently sent “shall promptly notify the sender.” Does the word “document” include “electronically stored information?” Most persons would say “yes,” but to eliminate any confusion, a change to Rule 4.4 will use the phrase “receives a document or electronically stored information.” Model Rule 4.4 does not require the recipient to return ESI that is privileged. And a new comment to Rule 4.4 states that because ESI contains metadata, that does not, by itself, mean that the document was inadvertently sent.
A number of state ethics opinions have, however, already addressed lawyers’ duties under those states’ versions of Rule 4.4 in the context of “metadata mining.” Most of these opinions interpret their state’s version of Rule 4.4 to prohibit a lawyer from looking for metadata that may represent privileged information or, if any is discovered, from reading it.
A similar change will occur in the comment to the definition of “screen” in Model Rule 1.0. To avoid a conflict of interest, the model rules, under certain limited circumstances, permit a lawyer to be “ethically screened” within a law firm so that the lawyer will be insulated from “any firm files or other materials” relating to the matter that gave rise to the conflict. Going forward, “materials” has been replaced with the words “or other information including information in electronic form.” Does this mean that the ethically-screened lawyer should be restricted in the lawyer’s access to ESI in an electronic document management system? The honor system that is in place in some law firms — the screened lawyer has access but just does not look — is likely to be followed even after this change is adopted, but the better practice is to restrict access electronically.
Many lawyers outsource electronic data discovery to document review service providers of their or their clients’ choosing. A growing number of lawyers engage in cloud computing, using third-party servers to store documents that can be accessed from anywhere the lawyer has an internet connection. These “competence” issues are now going to be addressed by a new comment in Rule 1.1. The comment requires a lawyer “ordinarily” to obtain a client’s informed consent before outsourcing something like document review to outside lawyers.
Whether outsourcing is even “reasonable” will depend, the new comment explains, on circumstances such as the “education, experience and reputation” of the outsourcing lawyers; the nature of the work to be done; and the “legal protections, professional conduct rules, and ethical environments” of the jurisdictions in which outsourced services will be performed. Where a client has dictated the use of outsourcing legal services, the new comment explains that the lawyer has a consultation duty to the client to discuss the “allocation of responsibility for monitoring and supervising any non-firm lawyers.”
This is dangerous territory for lawyers who do not perform due diligence or obtain a clear allocation of monitoring responsibility depending upon whether the lawyer or the client is retaining the outsourced firm. It is one thing to be responsible for protecting client confidential information in the lawyer’s possession. It is quite another to entrust that information to a third party who by contract promises data security but in practice may not be able to guarantee it.
The comments to Model Rule 5.3, addressing the supervision of non-lawyer service providers, will undergo a similar change. Rule 5.3 requires a lawyer to make “reasonable efforts” to ensure that the lawyer “has in effect measures giving reasonable assurance” that the third-party engages in conduct that is “compatible with the professional obligations” of the lawyer.
To demonstrate compatibility is again a function of circumstances: the education, experience, and reputation of the service provider; the nature of the services; the terms of the engagement, especially those regarding data security; and the legal and ethical environments where the third-party’s servers might be located. The comment also urges lawyers to consult with their clients about the responsibility for monitoring the third-party’s work.
Technology has allowed lawyers to become more efficient at a lower cost. Its benefit to lawyers is incalculable. But technology has a dark side. Lawyers who embrace it without understanding its vulnerabilities and protecting against them may be in violation of the rules of professional conduct after the technology amendments to the Model Rules take effect across the country. For lawyers, technology due diligence is going to become never-ending.