ABA Offers General Guidance for Virtual Law Practices, But Leaves Questions Unanswered
The American Bar Association (ABA) has issued Formal Opinion 498, which outlines several of the ethical implications of maintaining a virtual law practice but focuses primarily on data privacy and security issues. Although the opinion, released on March 10, 2021, identifies potential areas of concern for lawyers with virtual offices, it offers little specific guidance regarding what lawyers must do to address such issues. Lawyers with a virtual practice, therefore, will need to continue to make sure they understand the ethical issues and risks at play in connection with their particular areas of practice in order to choose and manage technologies that will aid such practices without creating undue risk.
Overview of Opinion
Formal Opinion 498 applies the now well-established principles that lawyers must reasonably stay abreast of the benefits and risks of technology, make reasonable efforts to avoid breaches of confidentiality, and implement policies to ensure that subordinate lawyers and staff do the same. See Model Rules 1.1 (competence), 1.6 (confidentiality), 5.1 (supervision of lawyers) and 5.3 (supervision of non-lawyers). These principles come into play in connection with all hardware and software used in a law practice, including:
- virtual meeting platforms and videoconferencing
- remote document access platforms
- virtual document and data exchange platforms
- smart speakers, virtual assistants and other listening enabled devices
The opinion discusses each of these aspects in the context of a remote practice. The general guidance provided for most of these issues involves ensuring that the lawyer takes steps to reasonably protect confidential information. Such steps include ensuring that terms and conditions require technology vendors to maintain confidentiality, and making sure the lawyer understands the risks inherent in using certain technologies (e.g., knowing when and how third parties might be able to listen in on a videoconference).
The use of remote access or virtual data exchange platforms, for example, may be aided by the use of encryption technologies and/or a virtual private network — especially if a client matter involves highly sensitive information or the platform is lacking in other security features. The use of virtual assistants may require that certain automated or "smart" features are disabled to avoid inadvertently disseminating client confidences. The use of virtual meeting platforms may require the lawyer to ensure that transcriptions or recordings are securely stored.
Beyond pointing out issues that should be considered by lawyers, the opinion does offer a few concrete examples of what lawyers with virtual practices must be doing, including implementing data backup systems and adopting breach policies. To that end, the opinion notes:
Lawyers must ensure that data is regularly backed up and that secure access to the backup data is readily available in the event of a data loss. In anticipation of data being lost or hacked, lawyers should have a data breach policy and a plan to communicate losses or breaches to the impacted clients.
Similarly, the opinion notes that virtually practicing managerial lawyers must adopt and tailor policies and practices to ensure ethical conduct by subordinates, with heightened requirements for firms who allow subordinates to use their own devices for work. For firms in the latter category, policies and practices should include remote-wiping capabilities, protections against access by family members or others, and archiving of client-related data for later retrieval.
Finally, the opinion reiterates several best practices, including using strong passwords that are periodically changed, regularly installing security updates, and implementing firewalls and anti-malware/antispyware/antivirus software on all devices upon which clients' confidential information is transmitted or stored.
Conclusion and Takeaways
Beyond a few specific requirements, Opinion 498 still leaves a number of decisions to each lawyers' discretion based on individual circumstances, including when to use a virtual private network (VPN), when to use encryption technology and which specific technology vendors fail to offer sufficient protections to justify adoption by law firms. The opinion ultimately serves as an excellent tool for identifying issues that the lawyer may not have considered. But whether and how to respond to those issues will remain a practice-specific and client-specific analysis.
As with many ethics issues, risk in this area can be heavily mitigated with good documentation and communication. Lawyers can discuss what technology will and will not be used in their engagement letters with clients and, if needed, at various points in the representation — especially if a new technology will be implemented for the client. Similarly, lawyers can document policies for subordinate lawyers and staff regarding the use of firm technology and/or personal technology on behalf of clients. Often, even if a problem such as a data breach arises, having such documentation will go far in protecting the lawyer against liability.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.