Massachusetts Adopts New Disciplinary Rules on Tech Use
Technological change has increased dramatically in recent years, making it difficult for lawyers to keep up. Confusion over the ethical obligations of lawyers when using new technologies only makes adoption of new tools such as cloud computing all the more difficult. Fortunately, many states have gradually rolled out revised ethics rules designed to address these issues.
Most recently, on July 1, the revised Massachusetts Rules of Professional Conduct became effective. These new rules included revisions to sections addressing the obligation to maintain the confidentiality of client information when using new technologies and the duty to stay abreast of changes in technology.
The new provisions and the comments thereto largely mirror the revised Model Rules adopted by the American Bar Association a few years ago. The revised rules include changes which clarify the obligations of lawyers when it comes to using technology in their law practices.
First, Comment 8 to Rule 1.1, which addresses the duty of competence, was revised to require lawyers to stay abreast of changes in technology. It now states that “(t)o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, and engage in continuing study and education.”
Next, Rule 1.6(c) now provides that a “lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, confidential information relating to the representation of a client.” In newly added Comment 18 to Rule 1.6 it states that if a lawyer makes reasonable efforts to prevent access or disclosure of confidential information, then the inadvertent or unauthorized disclosure of confidential information is not a violation of this section.
As explained in the comment, “[f]actors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients …”
Finally, the new rules also address an attorney’s obligation when using a third-party provider, such as a cloud computing software vendor, to store confidential client information. Rule 5.3, which requires lawyers to make reasonable efforts to ensure the security of their client’s confidential information when hiring an outside technology vendor, now includes Comment 3.
This comment explicitly states that “(a) lawyer may use nonlawyers outside the firm to assist the lawyer in rendering legal services to the client. Examples include the retention of retaining an investigative or paraprofessional service, hiring a document management company to create and maintain a database for complex litigation, sending client documents to a third party for printing or scanning, and using an Internet-based service to store client information.”
But, when lawyers do so, they are required to “make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations. The extent of this obligation will depend upon the circumstances, including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality … When retaining or directing a nonlawyer outside the firm, a lawyer should communicate directions appropriate under the circumstances to give reasonable assurance that the nonlawyer’s conduct is compatible with the professional obligations of the lawyer.”
The comments to this section, including the comment set forth above, do not imply that lawyers have a duty to supervise nonlawyers, such as software vendors, whom they’ve hired and who work outside of the firm. Instead, the comments indicate that lawyers must provide the appropriate levels of oversight given the circumstances to ensure services are provided in a way that protects confidential client information.
In the past I’ve expressed concern regarding mandates in other jurisdictions which require lawyers to supervise cloud computing providers in the performance of their duties, even though most lawyers have no IT expertise. I don’t see that being an issue in this case in light of the language used in this comment.
Nicole Black is a Rochester, New York attorney and the Legal Technology Evangelist at MyCase, intuitive web-based law practice management software for the modern law firm. She is also the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a West-Thomson treatise. She is the founder of lawtechTalk.com and speaks regularly at conferences regarding the intersection of law and technology. She publishes four legal blogs and can be reached at firstname.lastname@example.org.