Congratulate me — my New Year brings me a new iPad. As I begin the process of preparing my iPad for its new life and workload, I am reminded of the ethical implications of technology and my practice. At the risk of overgeneralization, technology presents two predominant ethical obligations for lawyers: compliance with the duty of competence and compliance with the duty of confidentiality. Both duties are involved with my new iPad.
Attorneys have obligations to be familiar with technology and its legal and ethical implications. As many would similarly state, “ignorance of technology is not an appropriate excuse.” The obligation of familiarity is part of an attorney’s requirement to provide competent legal representation. Competency includes a reasonable familiarity with the risks, as well as the benefits, associated with the technology associated with our profession. Competency is also an ongoing state of mind, as technology changes and changes quickly. A decade ago I would have considered myself on the cutting edge of legal technology. Now, my children are grumbling at my arcane ways.
The benefits of technology are self-evident. As attorneys, we use it every day. Technology also makes us mobile. With the help of mobile devices, we are able to e-mail, text, make phone calls, browse the web, access maps and take photographs for clients virtually anywhere.
That mobility presents a new set of challenges, as attorneys are fallible.Understanding and addressing security risks posed by our individual tools and our methods of communication are essential. Mobile technology puts clients’ confidential or privileged information at the risk of becoming lost, stolen or inadvertently disclosed. These risks are ironically created by mobility — the very benefit of our mobile devices.
As attorneys, we are obligated to not reveal information relating to representation of a client. We must take reasonable efforts to maintain the security of a client’s confidential and privileged information and to safeguard information relating to our representation of a client. The duty to safeguard information includes the obligation to avoid inadvertent or unauthorized disclosure. What if my new mobile device is lost or stolen?
A bit of good advice — as silly as it sounds — is to try not to lose your phone. Enable “finding” software, if available. In the unfortunate event that you do lose your phone, have a strong password that is automatically enabled. Consider installing the device’s “wiping” feature, which permits you to delete its contents remotely. (Certain devices can automatically delete their contents given too many failed login attempts.)
Encrypt confidential data on your mobile device. And don’t stop at encrypting only the data on mobile devices — encrypt any data that is at risk, including data transfers with clients or data placed on a mobile flash or “thumb” drive — especially if the transfer of the drive will be made by any other method than hand delivery. If your mobile computing includes “Cloud”-based computing, make sure to review the provider’s written policies concerning data security both before and after the termination of your contract.
Most attorneys send emails with their smart phones. As with losing a device, operator errors may entail ethical issues: Misaddressing an email by hitting “reply all” or “auto-fill” may inadvertently send confidential information to unintended recipients. Remember that most e-mail messages are sent over networks that are not secure. Without safeguards in place, these messages are subject to interception, review and copying. Simply put, if the information you are sending by email is sensitive, encrypt the email, data or attachments.
Pay attention to your email attachments. Most electronic documents contain some form of “metadata” — hidden information that can include information as to the creation, modification and edits to a document or file. Some metadata may contain confidential or privileged information. This is especially true in instances where a document has been created, or edited, using certain word-processing features, such as “red-lining” or “track changes.” These features may create highly-sensitive metadata.
The answer with regards to metadata is simple: An attorney should exercise reasonable care to avoid the inadvertent electronic disclosure of privileged or confidential information. “Clean” a document of metadata. Specific types of software are available for this purpose. At a minimum, reasonable care requires that you, your firm and your staff have sufficient procedures to prevent or, if appropriate, control the sending of metadata.
Think twice before scouring an opponent’s electronic documents for useful metadata. Recognizing the national split of authority as to whether a receiving attorney may ethically review metadata, the Colorado Bar Association Ethics Committee suggests that an attorney “generally may search for and review any metadata included in an electronic document or file.”(Formal Ethics Opinion 119.) However, if a receiving attorney knows, or should know that metadata contains confidential information, the receiving attorney should treat it as inadvertent confidential information. Under those circumstances, the receiving attorney should then notify the sending attorney for potential resolution of the waiver issues underlying the transmission of confidential or privileged information. If, however, the recipient is notified by the sender before the recipient examines the metadata that confidential information was inadvertently transmitted, then the receiving attorney should not examine the metadata.
Encrypting data and scouring metadata sound pretty high tech to me, even if they don’t seem to impress my thirteen-year-olds. I present my newest technological addition to their uninterested stares. I’ve always known I’m not cool, but not tech savvy? — humbug. D
James S. Bailey is a Co-Managing Director of Senn Visciano Canges, P.C. He specializes in complex family law and domestic cases. Most of Jim’s time is spent attempting to understand his teenage triplets. He can be reached at firstname.lastname@example.org.