Ethics in Cybersecurity: Selected Obligations & Considerations
Chris Schultz, Level 2 Legal’s EVP & General Counsel, recently led a panel discussion on Ethics in Cybersecurity at Today's General Counsel Institute “The Exchange” Data Privacy and Cybersecurity Forum in New York. The following is an excerpt of his remarks.
The Model Rules of Professional Conduct promulgated by the ABA – though non-binding in and of themselves – nonetheless serve as the framework for the ethics rules governing the professional conduct of attorneys in most states of the United States. Although attorneys and other professionals should always consult the specific, binding rules of professional conduct in the state or jurisdiction where they are practicing law (or where they may happen to be admitted pro hac vice), an understanding of the Model Rules provides an efficient way to identify the potentially relevant rules applicable to an ethical issue.
Several Model Rules come to mind when thinking about issues raised by cybersecurity. And in this regard, the excellent white paper published by The Sedona Conference® entitled “The Sedona Conference Commentary on Privacy and Information Security: Principles and Guidelines for Lawyers, Law Firms, and Other Legal Service Providers,” 17 Sedona Conf. J. 1 (2016), is a resource that every legal professional should have at the ready.
Relevant Rules include:
Model Rule 1.1
- Requires “[a] lawyer [to] provide competent representation to a client.”
- This in turn “requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation,” including competence in selecting and using technology.
- Specifically, in August 2012, the ABA House of Delegates added a comment to Model Rule 1.1 that imposes an additional professional competency responsibility to keep “abreast of changes in the benefits and risks associated with relevant technology” as the changes relate to the law and to legal practice.
- The upshot: the duty of competence requires attorneys to know what technology they need and how to use it.
- And this means that if an attorney lacks the necessary technical competence concerning (for example) the security aspects of technology, then he or she must consult with someone who has the requisite expertise.
Model Rules 1.18, 1.6 & 4.4
- Model Rule 1.6 states that a “lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by [other provisions of this rule].”
- As an aside, lawyers have the same duty to safeguard the confidential information of prospective clients, per Model Rule 1.18.
- All 50 states and the District of Columbia have an ethical rule implementing such an obligation.
- The ABA House of Delegates’ Comments to Rule 1.6 specifically address a lawyer’s obligation to preserve confidentiality, requiring lawyers to act competently to safeguard information relating to the representation of a client.
- Other comments to Rule 1.6 require that attorneys take “reasonable precautions” to prevent unauthorized access to client communications.
- They go on to provide that attorneys generally do not need to take “special security measures if the communication affords a reasonable expectation of privacy,” but note that special circumstances may warrant special precautions.
- Relevant factors include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or a confidentiality agreement, protective order, etc.
- And finally, Model Rule 4.4 provides that lawyers also have a duty to protect the confidential information of third parties, including adversaries.
- Model Rules 5.1, 5.3 & 5.7
- Lawyers are responsible for the professionals they hire and should have reasonable checks in place to ensure good hiring practices, confidentiality, and security.
- This includes the host of professionals that an attorney might hire to assist with litigation or other matters.
 Such ethical considerations are in addition to various common law causes of action, including (1) legal malpractice, (2) breach of fiduciary duty, (3) breach of contract, and (4) general tort, including individual and putative class action negligence claims.