New Normal of Remote Lawyering Has Ethical Implications
The “new normal” of remote lawyering has serious implications related to the legal profession’s ethical mandate to serve clients competently and confidentially, even under such unprecedented circumstances. Set forth below is a discussion of the ethical implications of the new paradigm of remote legal representation in light of the duties of competence, confidentiality, and supervision under the New York Rules of Professional Conduct (the “Professional Rules” or “Rule(s)”) and recommendations of specific measures that lawyers working remotely should consider in order to comply with such duties.
Relevant New York Rules of Professional Conduct
Lawyering from home implicates at least three important Professional Rules and corresponding duties: Rule 1.1 on the duty of competence; Rule 1.6 on the duty of confidentiality; and Rules 5.1 and 5.3 on supervisory responsibilities. Under these Professional Rules, attorneys in a remote work environment must conduct themselves in the following manner:
- Evaluate the benefits and risks of the remote-work technology they use to work on client matters and to store and transmit confidential information (Rule 1.1);
- Make reasonable efforts to safeguard confidential information against unauthorized disclosure by the attorneys or their supervisees and against unauthorized access by third parties, such as household members (Rule 1.6); and
- If managing or supervising others, make reasonable efforts to ensure that other attorneys and non-attorneys comply with the above Rules (Rules 5.1 and 5.3).
Duty of Competence
Under Rule 1.1 (“Competence”), an attorney should provide “competent representation to a client,” which requires “the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” To maintain the requisite knowledge and skill, an attorney should “keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information.” In other words, attorneys should, at minimum, educate themselves about the pros and cons of the home-office technology used in storing client data and communicating confidential information, and update their technological knowledge so as to competently handle client information while working from home.
Duty of Confidentiality
Under Rule 1.6 (“Confidentiality of Information”), an attorney “shall not knowingly reveal confidential information … obtained during or relating to the representation of a client,” absent informed client consent or other applicable exceptions. An attorney thus “shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to,” such confidential information. Comment 16 to this Rule further specifies that these reasonable efforts should safeguard against (1) inadvertent or unauthorized disclosure by the attorney or other persons participating in the representation or otherwise subject to the attorney’s supervision, and (2) unauthorized access by third parties. The attorney also may have to implement special security measures beyond the scope of this Rule, if required by client demands or by court orders or other laws.
Notably, unauthorized disclosure or access is not in itself a Rule violation, as long as the attorney has made reasonable efforts to preserve confidentiality. Comment 16 lists the following nonexclusive factors to evaluate the reasonableness of such efforts: (1) the sensitivity of the information; (2) the likelihood of disclosure without additional safeguards; (3) the cost of employing additional safeguards; (4) the difficulty of implementing these safeguards; and (5) the adverse impact of these safeguards on the lawyer’s ability to represent clients (e.g., software rendered excessively difficult to use).
Accordingly, attorneys working from home must consider the above factors and make reasonable efforts to ensure that any unauthorized persons, such as family members or social visitors, do not access confidential documents stored in a home office or overhear confidential communications.
Under Rule 5.1 (“Responsibilities of Law Firms, Partners, Managers and Supervisory Lawyers”), a law firm and individual lawyers with management responsibility shall make “reasonable efforts to ensure” that all attorneys in the law firm comply with the Rules, which encompass the duties of competence and confidentiality. Similarly, an attorney with direct supervisory authority of another attorney shall make reasonable efforts to ensure that attorney’s compliance with the Rules. Further, under Rules 5.1 and 5.3 (“Lawyer’s Responsibility for Conduct of Nonlawyers”), a supervisory attorney (or a managing attorney at a law firm) may be found liable for a Rule violation incurred by his or her supervisee (or an employee at the law firm), regardless of whether the supervisee is an attorney or non-attorney.
Consistent with these Rules, law firms, managing partners, and supervisory attorneys must make reasonable efforts to ensure that their employees and supervisees (whether lawyers or not) who work from remote locations maintain the confidentiality of client information and communications.
Examples of Best Practices
In light of the above Rules, what specific measures of “reasonable efforts” may attorneys implement while working from remote locations? Consider the below examples of best practices recommended by the Pennsylvania Bar Association’s Formal Opinion 2020-300 and the New York State Bar Association’s Cybersecurity Alert.
First, attorneys should enhance the physical and online security of their workspace by taking the following actions:
- using a Virtual Private Network (VPN) to create a private remotely accessed digital workplace, where only authorized persons can access client data;
- avoiding public internet or free Wi-Fi susceptible to the risk of unauthorized access by hackers or malware installation; and
- securing laptops and devices with encryption, strong passwords, multi-factor authentication, frequent software updates, firewalls, and anti-virus and anti-malware software programs.
In addition, attorneys should maintain the privacy of confidential communications that take place in their home office by engaging in the following conduct:
- maintaining a dedicated private area within the home office where conferences and conversations with clients or regarding client matters are held;
- taking reasonable precautions to ensure that family residents or visitors do not overhear ongoing client-related communications or have access to written correspondence;
- avoiding the installation or use of smart devices that may access and record nearby conversations (e.g., Amazon Alexa, Google voice assistant) in locations where work-related communications may take place;
- using secure video-teleconferencing technology with rigorous security protocols (e.g., password-protected meetings, targeted invitation); and
- employing methods of encryption or password protection for written electronic communications that contain particularly sensitive information or data.
It is increasingly important to recognize the vital institutional role law firms play in ensuring that individual lawyers comply with their professional duties in this new era of remote lawyering. Indeed, the Professional Rules require that law firms and managing partners make reasonable efforts to facilitate such compliance. They may do so by providing their employees with necessary technological assistance and training on remote legal representation. Further, as noted earlier, lawyers are only required to make “reasonable efforts” to comply with the Professional Rules. The “reasonableness” of certain confidentiality safeguards depends on balancing factors such as the actual cost or difficulty of implementing such safeguards. Firm-wide institutional support is crucial in this regard, because it would render technologically feasible – hence more “reasonable” – certain security measures (e.g., firm-wide VPN or data backup infrastructure) that would otherwise be unreasonably costly to attorneys at the individual level. But, even small firms and solo practitioners would be wise to be aware of the ethical considerations of working remotely and take steps to safeguard their clients’ confidential information.
Carrie H. Cohen is a partner in the New York office of Morrison & Foerster and a member of the firm’s investigations and white-collar defense practice, where she co-chairs the Workplace Misconduct Investigations Task Force. She was the chair of NYSBA’s Domestic Terrorism and Hate Crimes Task Force and of the Commercial and Federal Litigation Section, and currently serves on NYSBA’s Racial Injustice and Police Reform Task Force. Chan-young Yang is a litigation associate in the San Francisco office of Morrison & Foerster. This article first appeared in N.Y. Litigator, a publication of NYSBA’s Commercial and Federal Litigation Section.
Comment 8 to Rule 1.1.
Rule 1.6(a). Confidential information consists of “information gained during or relating to the representation of a client, whatever its source,” that is (1) protected by the attorney-client privilege, (2) likely embarrassing or detrimental to the client if disclosed, or (3) requested to be kept confidential by the client. Id.
Rule 1.6(c) (“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to, information protected by Rules 1.6, 1.9(c), or 1.18(b)”). Rules 1.9(c) and 1.18(b) address information protected with respect to former and prospective clients.
Comment 16 to Rule 1.6.
Rules 5.1(a) and 5.1(b)(1).
Rules 5.1(d) and 5.3(b).
See Ethical Obligations for Lawyers Working Remotely, Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility Formal Opinion 2020-300 (Apr. 10, 2020).
See Cybersecurity Alert: Tips for Working Securely While Working Remotely, Technology and the Legal Profession Committee of the New York State Bar Association (Mar. 12, 2020).