Client data confidentiality is paramount while lawyers and law office staffers work remotely during the coronavirus pandemic, the Pennsylvania Bar Association said in an opinion written to address ethical concerns voiced by lawyers ordered to close their offices.
“The COVID-19 pandemic has caused unprecedented disruption for attorneys and law firms, and has renewed the focus on what constitutes competent legal representation during a time when attorneys do not have access to their physical offices,” the bar’s legal ethics committee said April 10.
The committee pointed out that while the issue of remote work isn’t new, and past ethics opinions have addressed related topics like technological competence, many attorneys and staff weren’t prepared to work from a home office once the state’s stay-at-home order went into effect, prompting the opinion.
The duties of competence and confidentiality are the major ones implicated by working from home, it said.
In order to protect computer systems and paper files, lawyers have to be competent in the “benefits and risks of technology,” the committee said. Some “reasonable precautions” for lawyers and staff to take to protect confidentiality under professional ethics rules include:
- Requiring the encryption or use of other security to assure that information sent by electronic mail are protected from unauthorized disclosure;
- Using firewalls, anti-virus and anti-malware software to prevent the loss or corruption of data;
- Requiring the use of a Virtual Private Network or similar connection to access a firm’s data; and
- Requiring the use of two-factor authentication or similar safeguards.
Many attorneys might also have paper files at home and so should make sure they aren’t accessible by anyone not authorized to see them, it said.
Confidentiality also extends to conversations, the committee said. Attorneys need to be careful during phone or online conferences about being overheard, particularly by smart devices like Amazon’s Alexa and Google’s voice assistants, which “may listen to conversations and record them,” it said.
However, not all information requires the same level of protection, the committee said.
An ABA opinion on securing communication of protected client information advocates a “fact-specific approach to business security obligations,” it said. This takes into account what type of information is being communicated—highly sensitive, insignificant—and what reasonable efforts lawyers can take to protect it.
The committee also provided general suggestions for lawyers on how to meet their ethical obligation of competence while maintaining confidentiality. They should consider:
- Avoid using free Wi-Fi;
- Use Virtual Private Networks;
- Use multi-factor authentication to prove their identity;
- Employ strong passwords to prevent hacking;
- Back up remotely stored data; and
- Have a secure home office through the use of firewalls, up-to-date software, and antivirus software.
“Although the pandemic created an unprecedented situation, the guidance provided applies equally to attorneys or persons performing client legal work on behalf of attorneys when the work is performed at home or at other locations outside of outside of their physical offices, including when performed at virtual law offices,” the committee concluded.
The opinion is Penn. Bar Ass’n Committee on Legal Ethics & Prof’l Responsibility, Formal Op. 2020-300, 4/10/20.