Question
I heard that the confidentiality rule was amended to make me responsible if someone hacks into my computer and accesses client information. Is this true?
Answer
The Wisconsin Rules of Professional Conduct were amended in 2016 to change the language in SCR 20:1.6, which is Wisconsin’s confidentiality rule. It is not accurate to say that a lawyer becomes automatically responsible if someone hacks into the lawyer’s computer system and gets access to client information. But it is important to understand that lawyers have a heightened duty to protect the confidentiality of client information, whether from an inadvertent disclosure of the information or an unauthorized access to the information.
This does not mean that the lawyer is the “guarantor” of the confidentiality of all information, but it does mean that lawyers must be much more cautious and take reasonable steps to protect client information.
New language, which took effect Jan. 1, 2017, has been added to SCR 20:1.6 Confidentiality. The new language in subsection (d) states as follows:
“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
As you can see, this does not mean that each lawyer becomes the guarantor of the protection of client information, but it certainly means that each lawyer has an ethical duty to take reasonable steps to protect the confidentiality of client information and to ensure there is no inadvertent or unauthorized access to that information.
A recent opinion from the ABA’s Standing Committee on Ethics and Professional Responsibility addressed the issue of reasonable efforts to provide additional guidance to lawyers. The standing committee first noted in the amendments to comment 18 of the Model Rule 1.6 that:
“Paragraph (c) (Wisconsin SCR 20:1.6(d)) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure.”
This does not mean that the lawyer is the ‘guarantor’ of the confidentiality of all
information, but it does mean that lawyers must be much more cautious and take
reasonable steps to protect client information.
The committee went on to note that a determination whether the lawyer exercised reasonable efforts is not something that can be judged based on a “hard and fast rule” but rather is contingent on many factors and how those factors would apply in each situation. The committee adopted language from the ABA Cybersecurity Handbook, which identified the reasonable standard with the following:
“[The standard] rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”
The committee identified factors that would be considered in doing a fact-based analysis. Factors would include:
-
The sensitivity of the information;
-
The likelihood of disclosure if additional safeguards are not employed;
-
The cost of employing additional safeguards;
-
The difficulty of implementing the safeguards; and
-
The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (for example, by making a device or important piece of software excessively difficult to use).
The committee went beyond this to offer different considerations that should be used as guidance for lawyers in determining reasonable steps to take. Those considerations will be addressed in future articles.
Need Ethics Advice?
As a State Bar member, you have access to informal guidance and help in resolving questions regarding Wisconsin’s Rules of Professional Conduct for Attorneys.
Ethics Hotline: To informally discuss an ethics question, contact the State Bar ethics counsels, Timothy Pierce or Aviva Kaiser. They can be reached at (608) 229-2017 or (800) 254-9154, Monday through Friday, 9 a.m to 4 p.m.