Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

ABA Issues New Formal Opinion on Practicing Law Virtually

March 30, 2021

On March 24, law firm Pullman and Comley posted about the ABA’s new Formal Opinion 498 on practicing law virtually.

The opinion was issued on March 10, 2021 by the American Bar Association’s Standing Committee on Ethics and Professional Responsibility, giving guidance on ethical obligations when a lawyer practices virtually or what the Committee called “beyond the traditional brick-and-mortar law firm” setting.

I have noted a few of our recommendations below in italics.

1. Confidentiality. The Committee noted that, as with any electronic form of communication, lawyers have a particular duty to “‘prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.'” In addition, when lawyers practice virtually, they should “implement reasonable measures to safeguard information.” The Committee noted that the virtually practicing lawyer is not required to “use special security measures,” but must take special precautions as the circumstances warrant, with particular concern for the sensitivity of the client information at issue.

The Committee stressed the obligation to protect any client information transmitted via Wi-Fi, a particular concern given the vulnerability of certain portable communication devices. It emphasized the best practices of “‘using unique Spyware/Antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software.'” The Committee mentioned the use of a Virtual Private Network (VPN) as one such best practice.

The Committee did not mention that Zero Trust Architecture (ZTA) is expected over time to make VPNs obsolete but note that for the future!

The Committee emphasized the need for lawyers and law firms to “periodically assess whether their existing systems are adequate to protect confidential information.”

Our recommendation is that such an assessment be performed at least once a year.

2. Accessing remotely stored client files and data. Citing an earlier opinion, the Committee urged lawyers using cloud-based storage systems to “‘choose a reputable company, and … take reasonable steps to ensure that the confidentiality of client information is preserved'” while also ensuring that “‘the information is readily accessible to the lawyer.'” In addition, as is the case for all law firms that rely on electronically stored information, a law firm whose attorneys are practicing virtually must have in place a data breach policy to address a potential security breach whether caused by internal inadvertence or external hack.

Every firm should have an up-to-date incident response plan.

3. Supervision of subordinates. The Committee suggested law firms adopt a bring-your-own-device (BYOD) policy. As in a traditional law firm setting, to the extent lawyers or non-lawyer assistants use their personal devices to access, transmit or store client related information, the firm needs to “ensure that [any lost or stolen device may be remotely wiped, that client-related information cannot be accessed by, for example, staff members’ family or others, and that client-related information will be adequately and safely archived and available for later retrieval.” The Committee emphasized that all law firm employees “must receive appropriate oversight and training on [their] ethical obligations to maintain the confidentiality of client information” and particularly when working virtually.

Increasingly, we are seeing law firm buy and deploy devices for working remotely so that the security for the devices is provided by the law firm.

4. The risk of “peeping” by unauthorized persons. As with any remote law firm setting, the lawyer must ensure that confidential information, including information transmitted over a virtual meeting platform such as Zoom or through traditional video conferencing is not overheard or seen by others in “the location in which the professional is working,” such as the professional’s home.

Headphones will solve half of the problem, since only one half of the conversation is audible, but closed doors and working in a remote room (to the extent possible) is desirable. And turn off those Internet of Things devices!

5. Contact information for a virtual practice. Even if a lawyer does not practice at a physical office address, the lawyer should publicly designate a physical address for the receipt of mail or other deliveries. In addition, if the lawyer does not have the ability to have face-to-face meetings with a client, the lawyer should indicate through “online instructions” that he or she “is available by appointment only.”

This is easily done by checking out the language on the websites of other law firms! If you don’t have a website, and many solo practitioners do not, this is much more problematic.

6. Trust account obligations. The Committee noted the obvious point that practicing virtually does not excuse or relax the strict obligations for trust fund accounting. Even when practicing virtually, “the lawyer must still be able to … write and deposit checks, make electronic transfers, and maintain full trust-accounting records …”

Happily, remote deposit of checks is fairly simple these days, as is the electronic transfer of funds.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Email:  Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson