Ethics Corner Article
Dear Ethics Committee,
I regularly handle a number of matters for a small local bank. Recently, they had some information security issues and have changed how they communicate. They would like me to encrypt all email communications with them using a two-factor authentication system. Do I have to? I think it will take more time than simply using Outlook and will probably cost both of us money.
If it is your client’s wish that you use a two-factor authentication system, you should use it. N.H. R. of Prof. Conduct R. 1.6(c) states that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” ABA Comment 18 to Model Rule 1.6(c) clarifies your obligations to your client by stating that “[a] client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this rule.” So, if it is your client’s wish that you encrypt your email communications with them using a two-factor authentication system, you will need to use one, but you do not need to bear the cost for that service. The cost may be passed on to the client consistent with N.H. R. of Prof. Cond. R. 1.5(a). Additionally, if the requirements are too onerous, you may also consider withdrawing from the representation, subject to the normal constraints on withdrawing from a representation. N.H. R. of Prof. Cond. R. 1.16(b)(6).
This may be a good opportunity to re-examine how you communicate with all your clients, over and above what you may be separately required to do by law. You need to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation” of all your clients. There is no hard-and-fast rule for determining what “reasonable efforts” are. ABA Formal Opinion 17-477 concludes that the “reasonable efforts” standard “…rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”
ABA Comment 18 to Model Rule 1.6(c) lists a number of non-exclusive factors that you should consider. These include “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).” You also have a duty of competence to your clients under N.H. R. of Prof. Cond. R. 1.1. This duty requires that you know the benefits and risks associated with relevant technology used in your practice. It is worth reading ABA Formal Opinion 17-477, as it deals with these and related issues in a fair bit of depth. It may be found at this location: https://www.americanbar.org/news/abanews/publications/youraba/2017/june-2017/aba-formal-opinion-477r–securing-communication-of-protected-cli/
This Ethics Corner Article was submitted for publication to the NHBA Board of Governors at its June 17, 2021 Meeting. The Ethics Committee provides general guidance on the New Hampshire Rules of Professional Conduct and publishes brief commentaries in the Bar News and other NHBA media outlets. New Hampshire lawyers may contact the Committee for confidential and informal guidance on their own prospective conduct or to suggest topics for Ethics Corner commentaries by emailing the Ethics Committee Staff Liaison.