Mobile Devices and Attorney Ethics: What Are the Issues?

Mobile devices such as iPhones, iPads, Android smartphones, and Blackberries have become indispensable for many attorneys. They allow users to e-mail, text, make phone calls, browse the web, access maps, and take photographs. They also often allow users to purchase “apps”—a type of computer program—that can be enormously useful to the practice of law, including apps that enable legal research, file sharing, document scanning, timekeeping, billing, and invoicing.

This helpful technology comes with some risks. Attorneys’ increased use of mobile devices can lead to increased concerns that confidential client information will be lost, stolen, or inadvertently disclosed. Consider the possibilities: a lost iPhone full of attorney-client e-mails and texts; a wireless iPad communication session hacked, allowing the hacker full access to the information stored on the device; a malicious banking app on an Android phone allowing hackers to obtain attorney bank account information.

To date, the ethical risks associated with attorneys’ use of mobile devices have received relatively little attention. Fortunately, however, local, state, and national bar associations have issued a variety of opinions on the ethical risks of technology more generally. These opinions provide a helpful framework for understanding the security risks associated with mobile device technology, how those risks may implicate attorneys’ ethical responsibilities, and how these risks may be minimized.

Ethical Standards

Many local, state, and national bar associations have issued opinions regarding attorneys’ use of technology. While their approach and specific conclusions vary, they generally refer to two overarching ethical responsibilities: the duty of competence and the duty of confidentiality.

The duty of competence, as reflected in the American Bar Association’s Model Rule of Professional Conduct 1.1, provides that an attorney must have “the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Bar associations have interpreted this rule to require not only knowledge regarding the particular area of law at issue in the case, but also knowledge of the security issues involved in attorneys’ use of technology.

The duty of confidentiality, as set forth in Model Rule 1.6, provides that an attorney generally may not “reveal information relating to the representation of a client.” The commentary to Rule 1.6 provides additional detail, stating that a lawyer must “act competently” to avoid inadvertent or unauthorized disclosures, either by the lawyer or by others participating in the representation, and that, when transmitting information, a lawyer “must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”

Bar association opinions apply these general concepts to many different technologies, including e-mail, cloud computing, document metadata, and wireless internet connections. While it is beyond the scope of this article to discuss the specifics of each opinion, they collectively impart several important themes that are useful to keep in mind.

First, it is no longer acceptable to plead ignorance of technology. ¹See, e.g., Colorado Bar Association Opinion 119, 76 U.S.L.W. 2771 (2008). If you use technology (and nearly all of us do), you generally will be held responsible for making reasonable efforts—including efforts to understand and address security risks posed by technology—to ensure that your client data remains secure.

Second, your duty to be “competent” in technology likely will be held to extend not only to educate yourself on technological security issues but in addition, if this self-education is not enough to make you competent, to retain experts who can handle security issues for you. ²See, e.g., Iowa State Bar Association Ethics Opinion 11-01, 80 U.S.L.W. 718 (2011); Colorado Bar Association Opinion 119, 76 U.S.L.W. 2771 (2008). Moreover, your duty of competence extends to attorneys and non-attorney staff that you supervise. ³See, e.g., New York State Bar Association Opinion 842, 79 U.S.L.W. 1548 (2010). They need to make reasonable efforts to use technology in a secure manner, just like you.

Third, just being aware of current technological security issues is not enough. You likely will be held responsible for keeping reasonably informed about the rapidly evolving technology, security threats, and legal developments in the field. ⁴See, e.g., New York State Bar Association Opinion 842, 79 U.S.L.W. 1548 (2010); North Carolina State Bar Association Proposed 2011 Formal Ethics Opinion 6 (2011); Florida Bar Association Opinion 06-2 (2006).

Technology

Few, if any, bar association ethics opinions focus explicitly on mobile devices. The opinions instead discuss technologies that are not specific to any particular type of device or product, such as e-mail, cloud computing, metadata, or wireless internet access.

E-Mail:

There are many security issues associated with e-mail, ranging from the simple to the complex. On the simple end of the spectrum are the situations where attorneys simply misaddress an e-mail (or, more notoriously, hit “reply all” instead of reply) and thereby inadvertently send confidential information to unintended recipients. Confidentiality may also be compromised if a client reads personal attorney-client e-mails at work—the employer may have an e-mail usage policy that makes the e-mails fully accessible to the employer, potentially seriously jeopardizing the attorney-client privilege. ⁵See, e.g., ABA Opinion 11-459, 80 U.S.L.W. 364 (2011) (if client communicates regarding substantive issues while using employer’s computer, attorney must assume that the employer has the right to access the communications, and warn client accordingly); Scott v. Beth Israel Medical Center, 847 N.Y.S.2d 436 (N.Y. Sup. 2007) (e-mails between hospital employee and his personal attorneys were not privileged because employer’s computer use policy stated that employees had no reasonable expectation of privacy in e-mails). On the more complex end of the spectrum is the fact that the technological structure of e-mail—the way most computers send and receive it—is inherently somewhat insecure. It is therefore comparatively easy for hackers to obtain the username and password of e-mail users, to read messages that are in transit, and to access e-mail messages stored long-term, often without the user’s knowledge, on e-mail servers halfway around the world, including through the use of relatively easy to acquire “tools” designed to “bust” passwords. Various technologies exist, including e-mail encryption, virtual private networks, and secure transmission protocols, that can address many of these problems.

Despite these security concerns, most bar associations have concluded that it is generally permissible for an attorney to use unencrypted e-mail to communicate with clients. ⁶See, e.g., New York State Bar Association Opinion 709 (1998); Utah State Bar Ethics Advisory Opinion No. 00-01, 68 U.S.L.W. 2664 (2000); Massachusetts Bar Association Opinion 00-1 (2000); New York City Bar Opinion 1998-2 (1998); Maine Bar Association Opinion 195 (2008); ABA Committee on Ethics and Professional Responsibility, Formal Opinion 99-413, 67 U.S.L.W. 2645 (1999). Potential exceptions include if the attorney has some reason to believe that the particular transmissions will not be secure, or if the matter involves unusually sensitive information. Some bar associations also recommend that attorneys discuss e-mail usage with their clients to agree on an appropriate e-mail communications policy (or even get written client consent), and to include prominent language on the e-mail warning that the e-mail contains confidential information. ⁷See, e.g., New York City Bar Opinion 1998-2 (1998); Arizona Bar Association Opinion 97-04 (1997); Iowa Supreme Court Board of Professional Ethics and Conduct Op. 96-01 (1996).

Accessing e-mail on a mobile device generally should be equally permissible, with some important caveats. First, attorneys should keep in mind that mobile devices are distressingly easy to lose. Before using a device for client e-mails, attorneys therefore should seriously consider password protecting it and installing a “find” and/or “wiping” feature. A “find” feature, as its name suggests, allows the device’s internal technology to show its geographic location if it gets lost. The owner then can use another computer to look up the location of the lost device and, with luck, retrieve it. A “wiping” feature can be set up to make the device “wipe” or delete all of its contents if someone (i.e., the thief) repeatedly enters an incorrect password or, alternatively, can allow the user to send a command to the lost device instructing it to immediately delete its contents. It is important to note that the choice of a mobile device is critical and security should be a high priority. Certain manufacturers have significantly more sophisticated security measures in place. Attorneys should not consider open service devices.

A second caveat for mobile devices relates to the fact that some attorneys may be tempted to use their “personal” mobile devices for “work” e-mail communications, often because it is simply more convenient to do so. A personal device, however, does not have security features set up in a manner appropriate for confidential transmissions, and the risk of inadvertently transmitting confidential information on a personal device could be greater. If possible, it is generally better to confine work communications to work devices which, in many institutional environments at least, tend to have more advanced security configurations.

Cloud Computing:

Cloud computing can benefit attorneys enormously, enabling them to increase efficiency by “outsourcing” tasks such as hosting electronic discovery, timekeeping, case management, and billing. The entrusting of sensitive data to third parties, of course, can lead to significant security concerns—for example, your data could be intercepted or compromised when you send it to the third party, the third party could mishandle or misuse the data once they receive it, or the third party may not give back or properly dispose of the data when the engagement terminates. ⁸See Cloud Security Alliance, “Top Threats to Cloud Computing V1.0,” March 2010 (available at http://pub.bna.com/lw/cloudsecurity.pdf). On the other hand, if your in-house capabilities are not sufficient, outsourcing actually could increase your overall security, particularly if you contract with a reputable third party committed to keeping its customers’ data secure.

Bar associations generally regard cloud computing as acceptable provided that attorneys sufficiently consider and address the risks. ⁹See, e.g., Alabama State Bar Ethics Opinion 2010-2, 79 U.S.L.W. 1800 (2010); Nevada State Bar Standing Committee on Ethics and Professional Responsibility Opinion 33, 74 U.S.L.W. 2499 (2006); New Jersey Advisory Committee on Professional Ethics Opinion 701, 74 U.S.L.W. 2691 (2006); ABA Formal Opinion 95-398 (1995).Several opinions require attorneys to consider a series of security-related questions, ¹⁰Iowa State Bar Association Ethics Opinion 11-01, 80 U.S.L.W. 718 (2011); New York State Bar Association Opinion 842, 79 U.S.L.W. 1548 (2010); North Carolina Bar Association Proposed 2011 Formal Ethics Opinion 6 (2011); Maine Bar Association Opinion 194, 76 U.S.L.W. 2419 (2007). including:

• Will the attorney have unrestricted access to the stored data? Does the attorney have another copy of the data in case the vendor limits access or goes out of business? Where physically will the data be located in the United States or abroad?

• Is the company reputable? Has the company experienced security breaches in the past? How were they handled? Where is the company located? Are there any limitations or restrictions in the agreement with the vendor regarding liability, choice of law, or limitation of damages?

• What does the vendor agreement provide regarding who has access to or “owns” the data? What happens to the data at the end of the relationship? Will it be “wiped” or otherwise destroyed and, if so, will the vendor provide written confirmation of this destruction?

• Does the vendor agreement provide an enforceable obligation to preserve confidentiality and security? What security measures does the vendor use? If passwords are used, who has access to them? Is encryption used?

• Can the vendor’s employees view the data? What steps does the vendor take to screen its employees to ensure they are trustworthy?

• What is the company’s disaster recovery protocol? Does it keep a backup copy of the data for emergency purposes?

• Will the company notify the attorney if the company is served with process seeking the production of client information?

• What are the company’s data breach notification policies?

• Should the client be consulted regarding the potential risks involved in cloud computing services?

The opinions do not require specific number of “correct” answers for a service to be acceptable. The standard is not one of perfection, but rather of reasonable efforts to ensure data is kept secure. These efforts moreover must extend into the future: attorneys generally are expected to “stay current with the technological advances” to ensure that the vendor’s security procedures remain adequate over time. ¹¹See, e.g., New York State Bar Ethics Opinion 842, 79 U.S.L.W. 1548 (2010).

Cloud computing manifests itself in mobile devices through “apps,” computer programs that users often can acquire for their mobile devices, usually through an online “app store.” The same considerations that relate to cloud computing generally relate to apps—if you plan to entrust highly confidential data to the app, you likely will be expected to diligently investigate security issues associated with it, consistent with the considerations outlined above. Although certainly not dispositive, it also may be worth keeping in mind that the apps associated with Apple products generally pass through a screening process before Apple approves them for sale in its “app store.” Android apps, on the other hand, proceed from more of an “open source” development model, and therefore do not undergo the same screening process. This has resulted in a few examples of hackers creating malware programs disguised as legitimate apps, and offering them for sale for Android devices. ¹²See “Malware: Android Apps Threaten Mobile Security,” PC World Business Center (Jan. 10, 2010), at http://www.pcworld.com/businesscenter/article/186720/malware_android_apps_threaten_mobile_security.html (site last visited Dec. 5, 2011).

Metadata:

Metadata is data “embedded” into an electronic document that contains some information about that document. Metadata generally includes the identity of the author, the date the document was created, and the program used to create it, and also can include edits, comments, and prior document drafts. This information can be highly sensitive, and can easily be inadvertently produced, as much of it is hidden during normal document viewing. Opinions dealing with metadata generally advise that attorneys be aware that metadata can contain confidential information and therefore implicate their duties of confidentiality and competence. ¹³See, e.g., New York State Bar Association Opinion 782, 73 U.S.L.W. 2454 (2004); Florida Bar Association Opinion 06-2 (2006); Maine Bar Association Opinion 196, 77 U.S.L.W. 2339 (2008); Alabama Bar Association Opinion 2007-02, 75 U.S.L.W. 2659 (2007); Maryland Bar Association Ethics Opinion 2007-09, 75 U.S.L.W. 2371 (2007); Colorado Bar Association Ethics Opinion 119, 76 U.S.L.W. 2771 (2008); Pennsylvania Bar Ethics Opinion 2007-500, 76 U.S.L.W. 2467(2007); District of Columbia Bar Association Opinion 341, 76 U.S.L.W. 2211 (2007). Some also counsel that attorneys should be aware of the methods available to eliminate metadata from documents, which include using “scrubbing” programs, converting documents to image files such as .pdfs or tiffs, or limiting the use of certain word-processing features, such as “red-lining” or “track changes,” which may create highly-sensitive metadata. ¹⁴ABA Committee on Ethics and Professional Responsibility, Formal Opinion 06-442 (2006); New York State Bar Association Opinion 782, 73 U.S.L.W. 2454 (2004); Maine Bar Association Opinion 195 (2008). A much more controversial subject concerning metadata is what ethical responsibilities an attorney has if he or she receives metadata inadvertently. There currently is no consensus on the issue—several jurisdictions say that attorneys may review or “mine” the metadata of documents they receive, and several others say they may not.

An additional metadata-related consideration arises from the fact that many mobile devices have a built-in camera. The software that handles the photography function on some devices may be set up to embed geo-location metadata into a photograph, which could enable someone to determine precisely where a particular photograph was taken. This location information could be highly sensitive in certain situations—it could, for example, reveal the location of a crime victim, an informant, or other sensitive witness. Attorneys would be well advised to keep this in mind and consider “scrubbing” this location information as appropriate. ¹⁵While not specific to attorney ethics, mobile devices also have been shown to transmit information regarding their user’s browsing habits to advertising clearinghouses. See Eric Smith, “iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs),” available at http://www.pskl.us/wp/wp-content/uploads/2010/09/iPhone-Applications-Privacy-Issues.pdf (last visited Dec. 5, 2011).

Wireless Access:

Wireless Internet access is generally less secure than traditional wired access because of the simple fact that a physical “wired” connection to the network is not necessary (among other reasons). A hacker therefore can access a wireless network surreptitiously from the street outside, or anonymously intrude on your wireless session at the local coffeehouse. A recent bar opinion on wireless access therefore warns attorneys using unsecured wireless networks that they risk violating their duties of competence and confidentiality. ¹⁶State Bar of California Formal Opinion No. 2010-179, 79 U.S.L.W. 1877 (2010). The opinion lists several specific technologies that could help address the security concerns, including file encryption, encryption of wireless transmissions, a personal firewall, antivirus software, secure username and password combinations, file permissions, and use of virtual private networks. The opinion stops short, however, of saying that use of any particular technologies would fulfill an attorney’s duties. Instead, it recommends that attorneys considering using any specific technology consider:

• The security of the technology, including how secure it is compared to other technologies and media; whether the security of the technology can be readily increased through measures such as encryption, enabling a personal firewall, or using passwords; and imposing limitations on who is permitted to monitor the use of the technology.

• The legal consequences to third parties of improperly accessing the information, including criminal or civil penalties. The opinion states that the fact that improper access could lead to such penalties would support a claim that an attorney would have a reasonable expectation of privacy in the communication.

• The degree of sensitivity of the information. According to the opinion, the greater the sensitivity of the information, the more careful an attorney should be about how it is conveyed, and the less risk an attorney should take with technology.

• The potential impact on the client of an inadvertent disclosure of privileged or confidential information or work product, including possible waiver of the privileges and embarrassment from the disclosure of sensitive information.

• The urgency of the situation. If exigent circumstances exist, and no alternatives are reasonably available, it may be reasonable for an attorney to use a particular technology that might not be appropriate in other circumstances.

• Client instructions and circumstances. If the client disapproves of the use of the technology, or the attorney is aware of specific risks associated with it under the circumstances (including that others may have access to the client’s e-mail account, for example), an attorney should avoid using it.

The “wireless” security concerns are heightened for mobile devices because they often are designed to communicate through various different wireless technologies, including WiFi, cellular networks, and Bluetooth. ¹⁷“WiFi” is a technology that transmits communications through high frequency radio waves. The radio waves travel from the device to a wireless access point, which then transmits the information over the internet. The access point must be relatively close to the mobile device (usually around 100 feet or less) to receive its WiFi signal. Cellular communications also involve radio waves, but use technology that divides large geographic service areas into smaller areas called cells. Each cell contains a “cell site” device that sends radio waves to and from mobile devices. Bluetooth is a technology that allows “paired” devices that are physically close to each other to wirelessly communicate so that, for example, a person could use a wireless earpiece to speak through that person’s mobile phone. Each of these technologies presents unique security vulnerabilities: for example, Bluetooth exploits have been reported that allow hackers, by simply standing near a Bluetooth-enabled mobile device, to run malicious software that can surreptitiously read the victim’s phone call lists, text messages, photographs, calendars, contacts, and even make long-distance phone calls using the victim’s device. One easy way to reduce these vulnerabilities, of course, is to simply turn the services off when you are not using them and, more broadly, attorneys would be well advised to assess their use of these technologies in light of the risks outlined above.

Conclusion

Mobile devices can help make us all more efficient attorneys, but they create risks. While the specific duties and responsibilities vary between jurisdictions, attorneys should assume that they will be held responsible for being “competent” to address the security risks involved in their use of technology, including but not limited to e-mail, cloud computing, metadata, and wireless connections. Their competence, moreover, must continue into the future, as the technology—and the law related to it—will develop over time. As technology changes and improves, so must the attorneys who use it.