Stacked3Here is a recent Daily Record column. My past Daily Record articles can be accessed here.

*****

Michigan Bar weighs in on technology competence for lawyers

Technology competence has been an ethical requirement for lawyers in many jurisdictions for years now. Specifically, ethics committees have generally required that lawyers take steps to ensure that they have a sufficient understanding of the technologies available to them iso that they can make educated decisions about when and how to use the technologies in their law firms.

Of note is that this ethical obligation is all the more important in 2020 as many lawyers routinely work remotely due to COVID-19 restrictions. Because lawyers are regularly relying on technologies such as mobile and cloud-based software to facilitate remote work, it’s imperative that they have a sufficient understanding of the tools that they’re using and are ensuring that they’re being used in a secure manner that protects confidential client information.

The good news is that technology competence is now a requirement in the majority of jurisdictions, and a few times each year a new state joins the club and adopts the ethical requirement of technology competence for lawyers in its jurisdiction. One of the most recent jurisdictions to do so was Michigan. Earlier this year the Michigan State Bar Association issued Ethics Opinion RI-381, which established that the technology competence requirement applied to Michigan lawyers.

In adopting this ethical requirement, the Michigan Bar mirrored the American Bar Association’s approach and added the following language to the comment that follows MRPC 1.1: “Maintaining Competence. To maintain the requisite knowledge and skill, a lawyer should engage in continuing study and education, including the knowledge and skills regarding existing and developing technology that are reasonably necessary to provide competent representation for the client in a particular matter. If a system of peer review has been established, the lawyer should consider making use of it in appropriate circumstances. (emphasis added).”

The Committee explained that the duty of technology competence means that lawyers “have ethical obligations to understand technology, including cybersecurity, take reasonable steps to implement cybersecurity measures, supervise lawyer and other firm personnel to ensure compliance with duties relating to cybersecurity, and timely notify clients in the event of a material data breach.”

According to the Committee, the technology competence requirement centers around safeguarding electronically stored information (ESI), supervising the competence of law firm employees, and understanding and responding to cybersecurity threats.

First, the Committee explained that the technology competence duty does not require absolute security. Instead, taking reasonable steps to ensure security are what’s required: “A lawyer cannot reasonably be expected to be a guarantor of client data security…A lawyer must, however, exercise reasonable care in safeguarding client ESI…To discharge that duty, a lawyer must formulate, adopt, and follow policies and procedures, appropriate to the lawyer’s field(s) of practice, regarding the use, transmission, and storage of client ESI. In addition, a lawyer must evaluate whether specific cybersecurity measures are appropriate for the representation of a client in a particular matter.”

Importantly, the Committee emphasized that the definition of what constitutes reasonable care will necessarily evolve over time and change as technology advances: “As with substantive law, what may be considered ‘reasonable’ cybersecurity changes over time…Therefore, the duty to exercise reasonable care includes an obligation to assess periodically whether the lawyer’s policies and procedures keep pace with evolving technology risks.”

Of particular note now that lawyers regularly work remotely is that the Committee adopted the ABA’s standard regarding secure communication with clients as set forth in ABA Formal Opinion 477R. Specifically, the Committee opined that unencrypted email is often insufficient for sharing confidential information with clients and that more secure methods, including encrypted online client communication portals, may be required: “What constitutes ‘reasonable measures’ in fulfilling the duty to exercise reasonable care regarding client ESI depends on the circumstances, including the degree of sensitivity of the information to the client, potential threats, the risk of harm to the client in the event of unauthorized disclosure…and the availability of protective technology….As noted in ABA Formal Opinion 477R…‘the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication,’ but ‘particularly strong protective measures, like encryption, are warranted in some circumstances.’”

Finally, regarding potential data breaches, the Committee adopted the ABA’s standard for client notification, and concluded that “When a data breach occurs involving, or having a substantial likelihood of involving, material client information, lawyers have a duty to notify clients of the breach and to take other reasonable steps consistent with their obligations under these Model Rules.”

So with Michigan adopting the technology competence requirement, that’s one more state down, 22 more to go. If you’re not sure where your state falls, you can find an updated list of states that already require lawyers to have technology competence here.

 

Nicole Black is a Rochester, New York attorney, author, journalist, and the Legal Technology Evangelist at MyCase  law practice management software for small law firms. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a Thomson Reuters treatise. She writes legal technology columns for Above the Law and ABA Journal and speaks regularly at conferences regarding the intersection of law and technology. You can follow her on Twitter at @nikiblack or email her at niki.black@mycase.com.