Written by: Amber B. Garcia
Ushered in by a global pandemic and natural disasters, in 2023 attorneys find themselves working virtually beyond the traditional brick-and-mortar practice. 2023 is an age of the virtual and remote practice of law and this type of practice is here to stay. This article will discuss ethical obligations to consider when working remotely/virtually and the fundamental ways to ensure ethical duties.
Ethics rules govern both traditional and virtual law practices. Attorneys engaged in remote practice must remain cognizant of how virtual practice implicates the key ethics rules. Nothing in the American Bar Association (“ABA”) Model Rules of Professional Conduct or the Louisiana Rules of Professional Conduct prevent it. The Louisiana Rules are modeled off of the ABA Model Rules, and what the Rules of Professional Conduct do require of all attorneys is: (1) competence; (2) communication; and confidentiality of information.
First, attorneys should ensure that they adopt virtual practices that enable them to continue to uphold their duties of competence, diligence, and communication. Rule 1.1 of the ABA Model Rules of Professional Conduct states that “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Comment 8 to Rule 1.1 of the Model Rules makes clear that it is an attorney’s duty to maintain competence. “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” Thus, to the extent that an attorney must gain new technological skills to meet these duties while practicing virtually, the attorney must do so.
Second, attorneys must effectively communicate with their clients, even if dome primarily through virtual technology. Under Rule 1.4 of the ABA Model Rules of Professional Conduct attorneys have an obligation to keep their clients informed about the status of their matter(s), comply with reasonable requests for information, and consult with the client concerning how the client’s objective can be accomplished. Communicating now stretches beyond face-to-face client contact and is primarily conducted by virtual means. With this being the case, attorneys will want to make sure they and their firm’s staff have encrypted communications. Attorneys also want to make sure that all communications with clients are clear and the client fully understands. Attorneys must not use virtual means as a way of not communicating effectively with clients. For example, if an attorney and client cannot meet face to face, set up a videoconference. Ensure that the only participants on the videoconference join with a password and they attorney is able to monitor who is allowed in the videoconference meeting. This way you still maintain some type of modern day facetime to make sure your communication is being understood, is effective, and most importantly, confidential.
Third, attorneys have a duty to preserve a client’s confidentiality. Rule 1.6(c) of the ABA Model Rules of Professional Conduct states “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” At all times, but especially when practicing virtually, attorneys must fully consider and implement reasonable measures to safeguard confidential information and take reasonable precautions when transmitting such information. To maintain confidentiality of client information this requires seven key considerations:
- Hard/Software Systems
Attorneys should ensure hardware and software systems are protected from unauthorized access by utilizing encryption, anti-virus software, security updates, secure routers, and other evolving technology, as necessary. The key is to ensure that your existing system is adequate to protect confidential information. Attorneys should ensure that they have carefully reviewed the terms of service applicable to their hardware devices and software systems to assess whether confidentiality is protected. Attorneys should routinely check for security-related updates and use strong passwords. When connecting over Wi-Fi networks, attorneys should ensure that routers are secure and consider using virtual private networks (VPNs). Technology inevitably evolves, so attorneys should periodically assess whether their existing systems are adequate to protect confidential information.
- Accessing Client Files and Data
Attorneys should ensure reliable yet secure virtual access to client records, with the ability to back up data, and should adopt a data breach policy and plan to communicate any data losses to clients. A cloud-based system for storage of client files, such as OneDrive or DropBox, is particularly helpful for virtual practice. However, attorneys using cloud-based systems must ensure the data is regularly backed up and that files are accessible in the event of a data loss. In anticipation of a data loss or hack, attorneys should also have a data breach policy and plan to communicate losses of information to clients impacted.
- Virtual meeting platforms and videoconferencing
Videoconferencing should be secure. Attorneys need to make absolute sure they are not jeopardizing the attorney-client privilege. The ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 498, on March 10, 2021 titled “Virtual Practice,” which addresses the virtual, technologically driven practice of law. Opinion 498 states “any client-related meetings or information should not be overheard or seen by others in the household, office, or other remote location, or by other third parties who are not assisting with the representation, to avoid jeopardizing the attorney-client privilege and violating the ethical duty of confidentiality.” Access to accounts and meetings should be only through strong passwords, and the attorney should explore whether the platform offers higher tiers of security for businesses/enterprises (over the free or consumer platform variants). If you set up a videoconference (i.e. Zoom or Microsoft Teams), do not make the meeting or classrooms public, require a meeting password or use other features that control the admittance of guests, do not share a link to the videoconference on an unrestricted, publicly available platform (i.e. social media), provide links only to specific people, and manage screen sharing options.
- Virtual Document and Data Exchange Platforms
Virtual document and exchange platforms such as those enabling email should ensure appropriate archival and security capabilities. An attorneys’ virtual document and data exchange platforms should ensure that documents and data are being appropriately archived for later retrieval and that the service or platform is and remains secure. For example, Formal Opinion 498 explains that if the attorney is transmitting information over email, the attorney should consider whether the information is and needs to be encrypted (both in transit and in storage).
- Smart Speakers, Virtual Assistants, and Other Listening-Enabled Devices
Attorneys should consider the listening capabilities of devices such as smart speakers and ensure that when not in use to assist practice, these functions are disabled to avoid unauthorized access. Several tools that assist attorneys in practice (i.e. Alexa) need to be checked to make sure a client’s confidential matters are not being exposed. Some of these devices make it possible for sensitive information to be leaked to unauthorized third parties and an increased risk of hacking. Unless the technology is assisting the attorney’s law practice, the attorney should disable the listening capability of devices or services such as smart speakers, virtual assistants, and other listening-enabled devices while communicating about client matters. Otherwise, the attorney is exposing the client’s and other sensitive information to unnecessary and unauthorized third parties and increasing the risk of hacking.
- Supervision
The virtually practicing managerial attorney must adopt and tailor policies and practices to ensure that all members of the firm and any internal or external assistants operate in accordance with the lawyer’s ethical obligations of supervision. Comment [2] to Model Rule 5.1 notes that “[s]uch policies and procedures include those designed to detect and resolve conflicts of interest, identify dates by which actions must be taken in pending matters, account for client funds and property and ensure that inexperienced lawyers are properly supervised.” The Association of Corporate Counsel issued a set of model information security controls for its members. The model controls are expectations regarding the type of security measures outside counsel should have in place to protect a company's confidential information. These rules discuss what is considered confidential information, requires the development of security and privacy policies, requires encryption of information in transit, whether it is email or text messages, or stored on portable devices, removable media, laptops, mobile devices, and also strongly recommends encryption at rest (which is when the information is stored on servers and backups) and when residing on third-party servers, it requires that confidential information be managed on a least privilege and need to know basis, and requires that model security controls be imposed on any third party or subcontractor that has access or possession of company confidential information.
- Possible Limitations of Virtual Practice
Virtual practice and technology have limits and attorneys must be aware of those limits. Attorneys should develop practices to handle checks, mail, and potential clients who arrive at a physical office location and must be able to file and receive court documents to the extent that e-filing is not an option. Formal Opinion 498 notes that an attorney must still be able, to the extent the circumstances require, to write and deposit checks, make electronic transfers, and maintain full trust-accounting records while practicing virtually. Likewise, even in otherwise virtual practices, attorneys still need to make and maintain a plan to process the paper mail, to docket correspondence and communications, and to direct or redirect clients, prospective clients, or other important individuals who might attempt to contact the attorney at the attorney’s current or previous brick-and-mortar office. If an attorney will not be available at a physical office address, there should be signage (and/or online instructions) that the attorney is available by appointment only and/or that the posted address is for mail deliveries only. Finally, although e-filing systems have lessened this concern, litigators must still be able to file and receive pleadings and other court documents.
The virtual practice of law is accelerating rapidly because of improved technology and increased need. Such practice, however, presents practical and ethical hurdles for the technologically incompetent. All attorneys must fully consider and comply with their ethical obligations, including technological competence, diligence, communication, confidentiality, and supervision.