Pennsylvania has long been a leader in ensuring that its lawyers can use technology responsibly and ethically. The 2011 Pennsylvania Bar Association (PBA) opinion on cloud computing was among the first of its kind across the country, preceding the American Bar Association (ABA)’s efforts by six years.
Today, the PBA distributed its April 10, 2020 opinion on “Ethical Obligations for Lawyers Working Remotely”. In this Formal Opinion 2020-300, it cites its 2011 cloud computing opinion and the ABA’s 2017 opinion, while building on both. Some key takeaways:
From the 2011 opinion:
- Cloud computing is allowed, as long as the attorney “takes reasonable care to assure that (1) all materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss and other risks.”
- Virtual law offices (including home offices) are permitted as long as attorneys use appropriate safeguards to “(1) confirm the identity of clients and others; and, (2) address those circumstances in which a client may have diminished capacity.”
Be aware of the risks and benefits of technology
- Attorneys can ethically use technology, provided that they understand the risks and benefits of any specific technology to their practice, and that they either use best practices to secure confidential information, or rely on the expertise of others to do so. In essence, a lawyer doesn’t need to become an expert in cybersecurity, but he or she must use software or a consultant to ensure that their practice is protected against cybersecurity threats.
- My example: While many lawyers use information technology services to keep their computers and networks properly configured, I generally do this myself, since I have the experience and skill to do so. Most attorneys wouldn’t be able to set up multiple wifi access points, remote-access software, and an Internet-based phone system. While I know how to do these things, I’m also exposing myself to the risk of mis-configuring my systems. For this reason, I use hosted platforms when I’m outside my area of technological comfort.
Protect confidential information
- Communications need to minimize the risk of inadvertent disclosure of confidential information. So, it’s not a good practice to text your attorney about your health condition, given that text messages are not generally encrypted.
- Attorneys can use remote workspaces but must take “reasonable precautions” to “prevent the disclosure of confidential information in both paper and electronic form”.
- Proper data security is required, including secure and current electronic backups
Remember the Rules
- The opinion discusses the relevant Rules of Professional Conduct, including those regarding confidentiality, competence, and the duty to supervise subordinate lawyers and staff (as well as other non-lawyer providers).
Best practices recommended
- Avoid placing digital assistants (Amazon Alexa, Google Home, etc.) near where attorneys communicate with clients, since recordings of these communications could be overheard by employees of the company.
- Use encryption, though the need for this is dependent on the sensitivity of the information being transmitted. PA Rule of Professional Conduct 1.6 provides a list of factors to use in a “reasonable efforts” analysis.
- Avoid public/unsecured wifi
- Use strong passwords and two-factor authentication
- Use Virtual Private Networks (VPNs) to securely access another network, such as when an attorney prints from a home office to the main office. A VPN is an encrypted tunnel through which the information is transferred.
- Make sure that video conferences are secure.
  - Require meeting passwords, and don’t share meeting credentials publicly, such as on social networks
  - Share the link only with specific people who will attend the meeting
  - Restrict who can share screens during the meeting (for example, restrict this to only the host)
  - Ensure that users’ meeting software is up to date. I’m not sure how this is to be enforced, but it is always wise to set an office-wide policy, and to remind users to update their software before the meeting is held.
- Follow security practices for all devices used in remote locations. (Some examples would be to update antivirus software on your home office’s computer, change the default password on your Internet router, not use USB drives that aren’t yours, not click on suspicious e-mail links, etc.)
- Back up data that you store on the Internet
- Use websites with “https” security, which helps prevent hackers from stealing information that you share on a website. On my website, for example, the Contact Us form is at https://fixmyaicontract.com/, so any information shared by a prospective client is encrypted during transmission.
Be Nice
- Attorneys should be nice. The 2000 Code of Civility is optional, but the new opinion recommends that lawyers and judges recognize extenuating circumstances (such as the coronavirus pandemic upending all of our lives), and give clients, opposing counsel, judges, and others a bit of kindness (this is my rough translation).
Conclusion
The 2020 opinion isn’t anything ground-breaking, but it does update prior guidance, and it’s a helpful one-stop location for current best practices. Any attorney, whether practicing in Pennsylvania or elsewhere, would be well-advised to follow its guidance. Kudos to the PBA. Thanks for looking out for the welfare of lawyers and clients. Read the PBA opinion here.