A friend once told me that he was not comfortable using computers because he could not really understand how they worked. Compare it to a car engine, he said. A person does not need to be a mechanic to understand that gasoline gets sprayed into a cylinder, then it explodes, then a piston moves, etc. But all those electrons flying through chips, motherboards, cables, servers – who really understands how any of that stuff works?
One could say the same about client files and information. When a lawyer has a paper file with the pages neatly clipped in place and she puts that file in alphabetical order in a drawer of a big, sturdy, metal file cabinet, she knows exactly where it is and who has access to it (some lawyers claim to know exactly where their files are amongst multiple vertical stacks of paper in their offices, much as squirrels know where their nuts are buried. But I digress). The paperless lawyer knows their files are . . . where exactly? In a cloud someplace? Would that be a cumulus or a nimbostratus cloud?
None of us should be surprised that when lawyers combine our human tendency to be cautious or fearful of what we do not understand with our sacred obligation to safeguard confidential client information, it produces an abundance of anxiety. This is what most ethics discussions about confidentiality seem to focus on lately. Big fears about hackers, data breaches, HIPAA, e-mail security, metadata, the dark web, temporal anomalies, wormholes! One slip and Mrs. Lipschitz’s confidential divorce settlement will go viral and your law license will be shredded in a very public way.
Not so much. Don’t get me wrong. Lawyers certainly have an obligation to protect their client’s confidential electronic information. There can be big consequences for failing to do so: IT costs to fix breaches, pure embarrassment, hours lost to implementing new protections, worry over distressed clients and the unknown impact of unauthorized disclosures, and time lost to restoring data or recreating files. Breaches can turn your world upside down for days or weeks afterwards.
From an ethics perspective, however, hacks and attacks are not the types of confidentiality failures that typically get lawyers in trouble. Your duty under the Rules of Professional Conduct, as interpreted through ethics opinions in numerous U.S. jurisdictions, is to take reasonable measures to prevent hacks. Perfection is not required. Yes, lawyers should definitely have security systems in place that are reviewed and upgraded when necessary. They should use two-factor authentication to access critical systems, use a VPN if they intend to use Wi-Fi outside the office, and educate their employees to recognize and avoid phishing, spear-phishing, whaling, and other maritime-themed social-engineering e-mail scams. You likely cannot make your practice bulletproof against cybercrime, but if you take reasonable precautions, your law license should not be at risk. In fact, although lawyers are often the targets of hackers, there are very few discipline cases that arise from breaches, outside of “Nigerian Prince” and other certified check scams, which are less about confidentiality than they are about pure con artistry.
Instead, when it comes to confidentiality, it’s the small stuff that leads to discipline. It’s the slip of the tongue, the boastful indiscretion, or confused loyalty that is all about being human but not at all about the hazards of technology. In one case, a lawyer’s client in a personal-injury case backed out of a settlement and then fired the lawyer. The lawyer e-mailed the claims adjuster to convey what had happened. Reading between the lines, one suspects that the lawyer was concerned about what the adjuster would think of the lawyer and whether it might affect the lawyer’s future relationship with that adjuster. Part of the e-mail stated, “I advised [client] that he already accepted [the settlement] and there’s no rescinding his acceptance.” That one sentence, devoid of any earth-shattering revelations, disclosed attorney-client privileged information and violated Rule 1.6, MRPC. The Minnesota Supreme Court affirmed the private admonition that had been issued to the lawyer.
This is typical of the level of violations in other cases. Saying just a little too much to a reporter without the client’s authorization. Responding to a client’s attempt to convince a credit-card processor to reverse a fee payment and offering gratuitous information about the client’s attitude or personal issues (fee disputes with clients are fertile ground for inappropriate disclosures of confidential information). Replying to a client’s one-star online review of your services by “setting the record straight” regarding what happened in the case. Recognizing the need to withdraw because of a conflict but disclosing the name of one client to the other. Sending to the person who referred a client to you a copy of your e-mail defending your position in a fee dispute. Each of these scenarios resulted in a private admonition.
These situations have a common theme: emotion. Anger, resentment, embarrassment, frustration, hubris, and guilt lead lawyers to make mistakes. Perhaps they do bear some relationship to phishing schemes, which take advantage of lawyers being rushed or busy or gullible enough to click a link too quickly. It’s not the hackers who are going to get you; you’re more likely to get yourself. Pay attention to the small stuff to keep yourself out of trouble.
(Originally published in the January 2021 issue of Hennepin Lawyer)