Pennsylvania issues timely ethics opinion on remote working for lawyers
Have you gotten used to what is, at least for now, the new normal? For many lawyers, it’s a work in progress. Firms that already had cloud-based software in place transitioned relatively smoothly. Others, not so much.
What about you? Has your law firm provided remote working tools for its employees? Are you able to access firm files from your home and securely communicate and collaborate with clients and colleagues? Are you ready to participate in court appearances via videoconferencing tools?
If you’re fully prepared, congratulations! You’re one of the lucky ones. But simply having the required tools at your disposal is insufficient; you also have to ensure that your firm’s remote working plan is ethically compliant.
Fortunately, the Pennsylvania Bar Association stepped up to the plate last week and provided guidance to help lawyers navigate the ethics of working remotely. In Formal Opinion 2020-300, the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility addressed the issue of how lawyers and their staff can ethically provide legal services while working remotely.
At the outset the Committee acknowledged that it was releasing this guidance due to the recent shelter in place mandates, but that the information provided was generally applicable whenever an attorney or staff member works remotely.
Next the Committee opined that, as it had previously concluded, it was ethical for lawyers to work remotely and provide virtual legal services using cloud-based software. But in order to do so, it was necessary that lawyers make reasonable efforts to ensure that reasonable safeguards were in place to protect confidential client information.
Next, the Committee talked about the issue of secure communication, explaining that attorneys have an obligation to ensure that safeguards are in place to protect confidential communications via electronic means, including email. Notably, the Committee adopted the analysis of ABA Formal Opinion 477R, and concluded that lawyers must assess the sensitivity of confidential communications on a case-by-case basis and, for particularly sensitive matters, must use encrypted communication methods, such as encrypted email or secure client portals:
“(L)awyers must exercise reasonable efforts when using technology in communicating about client matters … (and use) a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments. … A fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances.”
As a side note, as I’ve discussed in the past, in order to avoid having to make an ad hoc determination regarding each law firm communication, it makes sense to simply choose one type of encrypted communication method and require that all law firm employees use it at all times. This is especially so during the current situation, where all members are working remotely from their homes. If everyone uses encrypted email or the secure client portals built into law practice management software for all communications, then you’ll have effectively ensured that all communications are sufficiently protected.
Finally, the Committee provided tips that lawyers should consider implementing in order to enhance the security of their online interactions, such as:
- Avoid using public internet/free Wi-Fi;
- Use Virtual Private Networks (VPNs) to enhance security;
- Use two-factor or multi-factor authentication;
- Use strong passwords to protect your data and devices;
- Backup any data stored remotely;
- Secure all remote locations and devices;
- Verify that websites have enhanced security;
- Lawyers should be cognizant of their obligation to act with civility; and
- Assure that video conferences are secure.
Finally, the Committee provided some very helpful and timely advice on the last point — ensuring the security of videoconferences. The Committee explained that the steps to take to mitigate videoconferencing hijacking attempts include:
- Do not make meetings public;
- Require a meeting password or use other features that control the admittance of guests;
- Do not share a link to a teleconference on an unrestricted publicly available social media post;
- Provide the meeting link directly to specific people;
- Manage screensharing options. For example, many of these services allow the host to change screensharing to “Host Only;” and
- Ensure users are using the updated version of remote access/meeting applications.
The entire opinion is worth reading, since I only covered a few choice highlights due to space constraints. So make sure to read the opinion in its entirety and implement the advice provided therein.
We’re undoubtedly facing challenging times. Fortunately, the technology we need to practice law remotely is readily available and sufficiently secure. So choose the right cloud-based tools for your law firm, use the advice in this opinion to secure your firm’s data, and then rest easy knowing that you’ve done all you can to continue representing your clients’ interests while also protecting their confidentiality during this difficult time.
Nicole Black is a Rochester, New York attorney, author, journalist, and the Legal Technology Evangelist at MyCase law practice management software for small law firms. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a Thomson Reuters treatise. She writes legal technology columns for Above the Law and ABA Journal and speaks regularly at conferences regarding the intersection of law and technology. You can follow her on Twitter at @nikiblack or email her at [email protected].