Lawyers who use computers in their practice will have to deal with computer security. Although computer security may seem a technical matter better left to computer specialists and support staff, lawyers have a duty to implement and practice computer security. Indeed, failure to do so could result in violation of a lawyer's responsibilities under the Model Rules of Professional Conduct ("Model Rules")(2) or the Model Code ("Model Code") of Professional Responsibility.(3)
There are two categories of threats to computer security: deliberate threats and nondeliberate ones. Deliberate threats involve acts intentionally taken to breach computer security. Nondeliberate threats involve situations when computer security is threatened by non-human forces, or by human actions that are not intended to breach security but have that unintended effect. Although computer security can be considered in terms of categories of threats, there is a better analytical framework to use.
Computer security has three basic components: availability, integrity, and confidentiality.(4) Availability is concerned with ensuring a computer or computer system can be operated and used by authorized persons when they need it. Unless computers are available for use by authorized persons when needed, their potential benefits for lawyers and their staffs are merely illusory. Integrity deals with maintaining the completeness and accuracy of information processed by or stored on a computer. Without data integrity, lawyers and their staffs cannot rely on their computer records. Confidentiality is concerned with controlling access to information to protect it from unauthorized persons. Without confidentiality, lawyers would not be able to protect the confidences of their clients or their own work product.
Lawyers are required to practice law in compliance with the requirements of professional responsibility as embodied in the version of the Model Rules or the Model Code adopted by the jurisdictions in which they are licensed. In this discussion, the American Bar Association versions of the Model Rules and Model Code will be cited instead of the versions adopted by various jurisdictions.
Lawyers must provide competent representation to a client, which includes ensuring that degree of thoroughness and preparation required for the representation.(5) Thoroughness and preparation include the ability to effectively manage a law office.(6) Such management includes the proper implementation and practice of computer security so that the law office's computers are available when needed, and the information processed and stored on those computers is complete and accurate.
A lawyer also is required to act diligently when representing a client.(7) This means a lawyer must handle the matters of a client within a reasonable amount of time and without unnecessary delay. Diligence and promptness require a lawyer to act with dispatch in handling a client's matters, including meeting legal deadlines such as a statute of limitations or a court-imposed deadline.(8) This requirement clearly implicates the availability component of computer security. Unless the lawyer's computers are available when needed, it is possible that the lawyer could be unable to meet a legal deadline, to the detriment of a client's legal interests.
The requirement of diligence also implicates the integrity component of computer security. If the integrity of a lawyer's computer records has not been adequately maintained, then a lawyer could be faced with a legal deadline while in the middle of an effort to identify and correct the problem that caused the office's computer records to be altered, deleted, or otherwise corrupted.
Related to the duty of competence and diligence is the requirement that a lawyer must keep a client reasonably informed about matters being handled by the lawyer.(9) This obligation imposes a duty to communicate with a client to: (a) avoid causing inconvenience and unnecessary expense to the client; (b) keep a client informed about the status of a matter entrusted to the lawyer; and (c) enable the lawyer to respond to a client's requests for information.(10)
The requirement to communicate with a client implicates the availability and integrity components of computer security. Unless a law office's computers are available when needed and contain complete and accurate information, a lawyer may not be able to fulfill this requirement in a timely, professional manner. Furthermore, if a law office relies on a computer-based case tracking system, then such a system must be available when needed and kept complete, accurate, and up-to-date. Otherwise a lawyer may fail to keep a client properly informed about the status of a legal matter.
A lawyer also is required to "make reasonable efforts to expedite litigation consistent with the interests of the client."(11) Accordingly, a lawyer must act with reasonable diligence in representing a client, including drafting and filing legal documents associated with a litigation in a timely, expeditious manner.(12) The availability component of computer security is implicated by this requirement. Unless a lawyer's computers are available when needed, the lawyer will be unduly hindered in the timely drafting and filing of legal documents in connection with a litigation. In an extreme case, the interests of a client could be placed in jeopardy. To a lesser degree, failure to satisfy this requirement could result in undue delay and avoidable expenses, both of which could be detrimental to the interests of a client.
The requirement of expediting litigation also could implicate the integrity component of computer security. As discussed earlier in connection with the requirement of diligence, failure to maintain the integrity of a lawyer's computer records could leave a lawyer facing a litigation deadline while trying to identify and correct the problem that caused the computer records to be altered, deleted, or otherwise corrupted.
A lawyer is obligated to protect the confidences of a client.(13) In some jurisdictions, the inadvertent disclosure of confidential information could result in loss of its protected status.(14) The duty to protect a client's confidence continues even after the lawyer-client relationship ends.(15)
The duty to protect a client's confidences clearly implicates the confidentiality component of computer security. A lawyer must take reasonable steps to ensure that the information processed and stored on the lawyer's computers is adequately protected from unauthorized disclosure. Failure to do so could run afoul of the requirement to protect the confidences of a client. Furthermore, failure to protect the confidentiality of information processed and stored on a lawyer's computer could result in jeopardy to the protected status of a lawyer's work product. Because of the ease with which e-mail can be disseminated, a lawyer must take care to not inadvertently send confidential information to the wrong addressee. Such a mistake could result in harm or prejudice to a client's interests.(16)
When making arrangements to store back-up tapes and other media off-site, a lawyer must take reasonable steps to ensure that any confidential information is adequately protected during the transport and storage of such media. Furthermore, a lawyer must ensure that the confidentiality of a client's confidences is adequately protected when computer records are archived. Accordingly, a lawyer must exercise care in selecting a person or organization to perform such a task and give appropriate instructions on protecting client confidentiality.(17)
Laptop or notebook computers present special problems with respect to protecting a client's secrets or a lawyer's work product. Such portable computers can be easily lost or stolen. Furthermore, if such portable computers are left unattended, their contents could be readily read or copied. Accordingly, a lawyer must take affirmative security precautions when using portable computers.(18)
Finally, because of the data remanence phenomenon,(19) a lawyer must ensure that floppy disks and computer hard drives that contain confidential client information are disposed of properly. Failure to do so could jeopardize a client's confidences.
A lawyer has a fiduciary duty to safekeep a client's property and funds, and avoid commingling them with the lawyer's property and funds.(20) In addition to ensuring the physical security of a client's property and funds, a lawyer has a fiduciary duty to maintain complete and accurate records concerning the handling of a client's property and funds.(21) Furthermore, a lawyer must be able to account for the property that a client has entrusted to the lawyer.(22) Failure to maintain such records properly could result in disciplinary sanction.(23) Even in the absence of any intent to misappropriate, failure to manage proper records could result in sanctions.(24)
This requirement does not implicate computer security in connection with the physical security of a client's tangible property. However, if a lawyer is entrusted with a client's trade secrets, then the lawyer has a fiduciary duty to ensure that such intangible property is properly protected while in the possession of the lawyer. Failure to properly protect the confidentiality of a client's trade secrets could result in the loss of the legal protection accorded to the trade secrets, which would be detrimental to a client's interests.(25)
The recordkeeping requirement clearly implicates the availability and integrity aspects of computer security. Specifically, a lawyer must ensure that any records concerning a client's property and funds are properly maintained at all times, are available to the lawyer and law staff when needed, and are complete and accurate. Furthermore, if such records contain information about a client's bank account numbers or similar sensitive financial information, then a lawyer must ensure that the confidentiality of such information is properly protected. Finally, the obligation to maintain such records for a period of time after termination of the representation leads to the requirement that a lawyer ensure such records are properly stored and archived.
A lawyer must take reasonable steps to ensure that a law office implements measures that will reasonably assure that legal staff and other nonlawyer assistants (e.g., computer support personnel) conduct themselves in a manner compatible with the professional obligations of the lawyer.(26) This means that a lawyer must ensure that all nonlawyer employees and assistants are properly trained and supervised to ensure that their conduct does not violate any of the lawyer's duties toward the client or otherwise jeopardize the client's interests.(27)
For example, a lawyer must ensure that employees comply with the duty to communicate with a client.(28) And, the requirement to maintain the confidences of a client extends to nonlawyer assistants and employees of the lawyer, so a supervisory lawyer must take reasonable steps to ensure that employees are reliable and understand the obligation to protect confidential client information.(29) Further, delegation of recordkeeping duties does not relieve a lawyer of responsibility to ensure those duties are carried out properly.(30)
This obligation of supervision requires a lawyer to ensure that computer security is properly implemented and maintained by all personnel in the law office. This implicates both the availability and confidentiality components of computer security. A lawyer must ensure that access to the law office's computers is limited to authorized personnel on a need-to-know basis. Furthermore, when transmitting confidential client information electronically, a lawyer must apply appropriate protective measures (such as passwords and data encryption) to protect the confidentiality of such information.(31)
Furthermore, if a law office keeps backup tapes or other storage media off-site, then a lawyer must take steps to ensure the availability, integrity, and confidentiality of the information contained on the backup tapes or other storage media. Failure to do so could result in violation of a lawyer's professional obligations and be detrimental to the client's legal interests.
Similarly, a partner in a law firm is obligated to ensure that the firm implements measures that will reasonably assure that all lawyers in the firm conform to the requirements of professional responsibility.(32) To the extent that computer security could have an effect on the professional obligations of a lawyer, then the partner must ensure that computer security is properly implemented and maintained by all lawyers in the firm.
Imputed disqualification(33) can arise in situations where lawyers in a firm or law office are assumed to have access to confidential client information in the firm or office, or are assumed to have discussed such information in the ordinary course of working together.(34) Under some circumstances, a lawyer may wish to try to rebut the presumption of shared access to confidential information.(35)
Computer security may be relevant to issues of imputed disqualification under some circumstances. When trying to persuade a court that the presumption of shared access to confidential information has been rebutted, a lawyer must pay careful attention to the manner in which information is processed and stored on the law office's computers. This includes any hardware or software controls that control, limit, or otherwise restrict access to confidential client information. Inadequate access controls could defeat a lawyer's effort to rebut the presumption of shared confidences.
The sale of a law practice can have aspects that implicate computer security. In discussing the sale of a law practice, a lawyer is prohibited from revealing client confidences to a prospective buyer.(36) Accordingly, in connection with discussing the law practice with a prospective buyer, a lawyer needs to ensure that the prospective buyer does not gain access to the law practice's computers until the sale is properly consummated. Even then, the selling lawyer is obligated to take reasonable steps to thoroughly and effectively remove from the law office's computers (and floppy disks, other computer storage media, and backup tapes) any confidential information concerning those former clients that do not remain as clients with the purchased law practice.(37)
Lawyers using computer technology to carry out their work must recognize the importance of computer security and affirmatively deal with it. Computer security is not a technical matter that can be simply left to computer professionals or law office support staff. Rather, it requires the active participation of lawyers.
In the realm of computer security, lawyers have important professional obligations that are cognizable under the Model Code or Model Rules. Those obligations may not always be obvious, but they are nevertheless real. Lawyers who fail to recognize and fulfill those obligations will hamper their ability to practice law effectively, risk alienating their clients, and face possible professional sanctions under the version of the Model Code or Model Rules applicable in their jurisdiction.
There is a large body of literature on computer security. Some publications are highly technical, while others are written for nontechnical readers. The publications listed in this Appendix are representative of the computer security field. Interested readers can find out more about computer security by turning to these publications.
Also, there are various Internet resources on computer security. The Internet sites listed in this Appendix are not exhaustive, but they do provide useful information, including hypertext links to other Internet resources concerning computer security.
1. Administrative Judge, Department of Defense, Defense Office of Hearings and Appeals (DOHA); Chairman, DOHA Appeal Board. Member of District of Columbia Bar. The views expressed in this article are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
2. American Bar Association, MODEL RULES OF PROFESSIONAL CONDUCT (1983), as amended. See American Bar Association, Center for Professional Responsibility, MODEL RULES OF PROFESSIONAL CONDUCT, 1998 EDITION (American Bar Association, 1998).
3. American Bar Association, MODEL CODE OF PROFESSIONAL RESPONSIBILITY (1986).
4. See, e.g., Charles P. Pfleeger, SECURITY IN COMPUTING, 2nd edition (Prentice Hall PTR, 1997) at pp. 4-6; Stephen Cobb, THE NCSA GUIDE TO PC AND LAN SECURITY (McGraw-Hill, 1996) at p. 12; Gregory B. White, Eric A. Fisch, and Udo W. Pooch, COMPUTER SYSTEM AND NETWORK SECURITY (CRC Press, 1996) at p. 2; Barbara Guttman & Edward A. Roback, AN INTRODUCTION TO COMPUTER SECURITY: THE NIST HANDBOOK (NIST Special Publication 800-12, U.S. Government Printing Office, 1995) at pp. 5-7; Karen A. Forcht, COMPUTER SECURITY MANAGEMENT (Boyd & Fraser Publishing, 1994) at p. 67.
5. See Model Rule 1.1 ("A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation necessary for the representation."); Model Code EC 6-1 ("[A] lawyer should act with competence and proper care in representing clients. . . ."); Model Code DR 6-101(A) ("A lawyer shall not: (1) Handle a legal matter which he knows or should know that he is not competent to handle, without associating with him a lawyer who is competent to handle it. (2) Handle a legal matter without preparation adequate in the circumstances. . . .")
6. See ANNOTATED MODEL RULES OF PROFESSIONAL CONDUCT, THIRD EDITION (American Bar Association, 1996) (hereinafter ANNOTATED MODEL RULES), at pp. 5-6; Charles W. Wolfram, MODERN LEGAL ETHICS (West, 1986) (hereinafter MODERN LEGAL ETHICS) at p. 186.
7. Model Rule 1.3 ("A lawyer shall act with reasonable diligence and promptness in representing a client."); Model Code DR 6-101(A)(3) ([A lawyer shall not] "[n]eglect a legal matter entrusted to him."). See also Model Code EC 6-4 (". . . In addition to being qualified to handle a particular matter, his obligation to his client requires him to prepare adequately for and give appropriate attention to his legal work."). The duties of competence and diligence are interrelated. See ANNOTATED MODEL RULES, supra note 6 at pp. 26-27.
8. ANNOTATED MODEL RULES, supra note 6 at p. 28.
9. Model Rule 1.4(a) ("A lawyer shall keep a client reasonably informed about the status of a matter and promptly comply with reasonable requests for information."). Cf. Model Code EC 7-8 ("A lawyer should exercise his best efforts to insure that decisions of his client are made only after the client has been informed of relevant considerations. The lawyer ought to initiate this decision-making process if the client does not do so. . . .") and Model Code EC 9-2 (". . . In order to avoid misunderstandings and hence to maintain confidence, a lawyer should fully and promptly inform his client of material developments in the matter being handled for the client. . . .") See also ANNOTATED MODEL RULES, supra note 6, at p. 27 (noting that repeated failure to respond to reasonable inquiries from client could constitute lack of due diligence) and p. 35 (noting duty to communicate with client is element of requirement of competence). For a discussion of some recent cases involving the failure to communicate with a client, see Christine S. Filip and Ann E. Johnston, "Misleading message may spark a suit," 20 National Law Journal (November 1, 1997) at pp. D1+.
10. ANNOTATED MODEL RULES, supra note 6 at pp. 35-36.
11. Model Rule 3.2. Cf. Model Code DR 7-101(A) ("A lawyer shall not intentionally: (1) Fail to seek the lawful objectives of his client through reasonably available means permitted by law . . . .").
12. ANNOTATED MODEL RULES, supra note 6 at p. 304.
13. Model Rule 1.6(a) ("A lawyer shall not reveal information relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation, and except as stated in paragraph (b).") (The exceptions set forth in paragraph (b) of Model Rule 1.6 are not relevant to this article.); Model Code Canon 4 ("A Lawyer Should Preserve the Confidences and Secrets of a Client.").
14. ANNOTATED MODEL RULES, supra note 6, at pp. 90-91; MODERN LEGAL ETHICS, supra note 6 at p. 272. See generally Harding, "Waiver: A comprehensive analysis of a consequence of inadvertently producing documents protected by the attorney-client privilege," 42 CATHOLIC UNIVERSITY LAW REVIEW 465 (1993); Comment, "Inadvertent disclosure in the age of fax machines: Is the cat really out of the bag?" 46 BAYLOR LAW REVIEW 385 (1994). See also Henry H. Perritt, Jr., LAW AND THE INFORMATION SUPERHIGHWAY (John Wiley & Sons, 1996) at pp. 136-39.
15. See Model Code EC 4-6 ("The obligation of a lawyer to preserve the confidences and secrets of his client continues after the termination of his employment."); ANNOTATED MODEL RULES, supra note 6 at pp. 75-76.
16. See Daniel S. Coolidge and J. Michael Jimmerson, A SURVIVAL GUIDE FOR ROAD WARRIORS (American Bar Association, 1996) at p. 127. For a detailed discussion of e-mail security issues, see Bruce Schneier, E-MAIL SECURITY: HOW TO KEEP YOUR ELECTRONIC MESSAGES PRIVATE (John Wiley & Sons, 1995).
17. American Bar Association, Standing Committee on Lawyers' Responsibility for Client Protection, LAWYERS ON LINE: ETHICAL PERSPECTIVES IN THE USE OF TELECOMPUTER COMMUNICATION (1986) at p. 54 (hereinafter LAWYERS ON LINE). See also Model Code DR 4-101(D) ("A lawyer shall exercise reasonable care to prevent his employees, associates, and others whose services are utilized by him from disclosing or using confidences or secrets of a client. . . .").
18. See, e.g., Daniel S. Coolidge and J. Michael Jimmerson, supra note 16 at pp. 119, 126. See also Wendy R. Leibowitz, "Even authorized off-site parties imperil security," 20 National Law Journal (January 12, 1998) at pp. A1+.
19. In general, deleting a computer record does not actually remove it from the floppy disk or computer hard drive. Instead, the name of the record is removed from the file directory and the space where the record is stored is marked as being available for future use by the operating system. Under some circumstances, a knowledgeable person with the requisite software can retrieve or recover the supposedly deleted computer record. See, e.g., Michel E. Kabay, THE NCSA GUIDE TO ENTERPRISE SECURITY: PROTECTING INFORMATION ASSETS (McGraw-Hill, 1996) at pp. 44-45; Barbara Guttman & Edward A. Roback, supra, note 4 at p. 160. For a nontechnical discussion of this subject, see Jeff Hammond, "When the computer holds the key," 8 Washington Lawyer 15, 17-18 (November/December 1993). For a technical discussion of the subject, see National Computer Security Center, A GUIDE TO UNDERSTANDING DATA REMANENCE IN AUTOMATED INFORMATION SYSTEMS (NCSC-TG-025, Version 2, September 1991).
20. See Model Rule 1.15(a) ("A lawyer shall hold property of clients or third persons that is in the lawyer's possession in connection with a representation separate from the lawyer's own property. . . ."); Model Code EC 9-5 ("Separation of the funds of a client from those of his lawyer not only serves to protect the client but also avoids even the appearance of impropriety, and therefore commingling of such funds should be avoided."); Model Code DR 9-102 ("Preserving Identity of Funds and Property of a Client."). See also MODERN LEGAL ETHICS, supra note 6 at pp. 176-181.
21. See Model Rule 1.15(a) (". . . Complete records of such [client] account funds and other property shall be kept by the lawyer and shall be preserved for a period of [five years] after termination of the representation."); Model Code DR 9-102(B)(3) ("[A lawyer shall] [m]aintain complete records of all funds, securities, and other properties of a client coming into the possession of the lawyer and render appropriate accounts to his client regarding them."). See also ANNOTATED MODEL RULES, supra note 6 at p. 234; MODERN LEGAL ETHICS, supra note 6 at pp. 180-181.
22. MODERN LEGAL ETHICS, supra note 6 at p. 181.
23. ANNOTATED MODEL RULES, supra note 6 at pp. 234, 241-42.
24. ANNOTATED MODEL RULES, supra note 6 at pp. 239-240.
25. For a discussion of trade secrets and the need to protect them when they are processed and stored on computers, see Thomas J. Smedinghoff, ONLINE LAW: THE SPA'S LEGAL GUIDE TO DOING BUSINESS ON THE INTERNET (Addison-Wesley Developers Press, 1996) at pp. 191-205 ("Protecting Trade Secrets Online").
26. Model Rule 5.3 ("Responsibilities Regarding Nonlawyer Assistants") and Comment 1.
27. See ANNOTATED MODEL RULES, supra note 6, at pp. 423-424, 428. Failure or neglect to properly supervise employees could result in violation of the duty of diligence. Id. at p. 28.
28. ANNOTATED MODEL RULES, supra note 6 at p. 37.
29. Model Code EC 4-2 ("It is a matter of common knowledge that the normal operation of a law office exposes confidential professional information to non-lawyer employees of the office, particularly secretaries and those having access to the files; and this obligates a lawyer to exercise care in selecting and training his employees so that the sanctity of all confidences and secrets of his clients may be preserved."); Model Code DR 4-101(D) ("A lawyer shall exercise reasonable care to prevent his employees, associates, and others whose services are utilized by him from disclosing or using confidences or secrets of a client . . . ."); ANNOTATED MODEL RULES, supra note 6 at p. 76; MODERN LEGAL ETHICS, supra note 6 at pp. 267-268.
30. ANNOTATED MODEL RULES, supra note 6 at p. 429.
31. LAWYERS ON LINE, supra note 17 at pp. 53-58. There are differing opinions whether e-mail should be encrypted to protect confidential information. See, e.g., Paul Jacobsen, NET LAW: HOW LAWYERS USE THE INTERNET (O'Reilly & Associates, 1997) at pp. 62-75; Peter Krakaur, "Treat E-mail Like Other Communications: An Argument Against Mandatory Encryption of Attorney-Client Communications," at http://www.llrx.com/features/e.mail.htm; Bert Slonim, "E-Mail and Privileged Communications" at http://www.ljextra.com/cgi-bin/f_cat?prod/ljextra/data/texts/112497s2.html. For hypertext links to more discussions on this issue, see "E-Mail Issues" at http://www.legalethics.com/email.htm.
32. Model Rule 5.1 ("(a) A partner in a law firm shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct. (b) A lawyer having direct supervisory authority over another lawyer shall make reasonable efforts to ensure that the other lawyer conforms to the Rules of Professional Conduct.") (Paragraph (c) is not relevant to this article).
33. See generally Model Rule 1.10 ("Imputed Disqualification: General Rule") and Comment 6; Model Code DR 5-105(D); MODERN LEGAL ETHICS, supra note 6 at pp. 391-409.
34. See, e.g., ANNOTATED MODEL RULES, supra note 6 at pp. 165, 166.
35. See generally ANNOTATED MODEL RULES, supra note 6 at pp. 171-73 (discussing various cases in different jurisdictions); MODERN LEGAL ETHICS, supra note 6 at pp. 398-401.
36. See Model Rule 1.17, Comment 6; Model Code EC 4-6. See also ANNOTATED MODEL RULES, supra note 6 at p. 263.
37. See supra note 19 concerning problem of data remanence.
Written by Emilio Jaksetic - 1-6-98