Adjusting the Legal Profession’s Privacy Responsibilities to Keep Up with Technological Changes

Arizona Law Journal of Emerging Technologies
Volume 7 Article 4, 05-2024

Kristin Wolek*

I. Background

In 2020, a group of hackers known as REvil took control of a law firm’s data for ransom.1Akshaya Asokan, Ransomware Gang Demands $42 Million From Celebrity Law Firm, Data Breach Today (May 16, 2020), https://www.databreachtoday.com/ransomware-gang-demands-42-million-from-celebrity-law-firm-a-14292. This law firm was Grubman Shire Meiselas and Sacks, an entertainment law firm with many high-profile clients and a reputation to protect.2Id. REvil threatened to release a huge quantity of information related to the representation of the firm’s celebrity clients unless they were paid $42 million in ransom.3Id. Ultimately, REvil released several gigabytes of confidential legal information onto the dark web.4Id. Much of this information is still being circulated online, affecting the privacy of the firm’s clients and the well-being of the firm itself.5See id. According to an expert in cyber security, “…there is no guarantee if they pay the ransom in full the documents won’t get leaked anyway. The reputational damage is already done. I’m also sure the firm is keenly aware of the potential legal issues they are facing.”6Id.

The attack on Grubman Shire Meiselas and Sacks could have been prevented. The hackers used a malware called Sodinokibi to initiate their attack.7Byron Mühlberg, Ransomware Attack Hits One Public Figure After Another, CPO Magazine (May 26, 2020), https://www.cpomagazine.com/cyber-security/ransomware-attack-hits-one-public-figure-after-another/. Over a year before this attack occurred, Sodinokibi had already been used to attack other businesses, and information about this malware was publicly accessible.8Greg Belding, Malware Spotlight: Sodinokibi, Infosec (Apr. 9 2020), https://resources.infosecinstitute.com/topic/malware-spotlight-sodinokibi/. Other firms could have looked into these attacks and figured out what sort of security vulnerability Sodinokibi was known to take advantage of. The malware still went undetected, likely entering the firm’s systems via email or unsecured networks.9See id. This attack caused severe damage to the clients, the clients’ associates, and the law firm itself.10Asokan, supra note 1. A privacy breach this severe must be avoided at all costs, yet Grubman Shire Meiselas and Sacks was not as prepared as they could have been. It does not appear they attempted to take any steps to protect themselves against a Sodinokibi attack.11Id. REvil took advantage of gaps in their security in order to commit their cyber-attack.12See id.; see Mühlberg, supra note 7. This is not the only attack caused by vulnerabilities in the technology used by a law firm, and it will not be the last.13Asokan, supra note 1. Legal professionals must consider not only how they might prevent a breach in their practice, but also how the legal profession as a whole must work to protect privacy.

Privacy is extremely important in any industry, but it is especially important to protect in the legal profession. Privacy and all of its complexities are something any person involved in the profession should consider. Privacy is sometimes considered a right, and other times it is considered part of other rights;14Judith Wagner DeCew, The Scope of Privacy in Law and Ethics, 5 Law and Phil. 145, 149 (1986). this can make privacy litigation complicated. People believe a right to privacy arises out of the U.S. Constitution, even when a right to privacy is not described directly, causing many Americans to expect and value privacy.15See id. at 146-147, 169-170, 173. Certain Supreme Court cases, such as Griswold v. Connecticut, a case striking down a law that interfered with the privacy of married couples, have given a right to privacy.16381 U.S. 479, 486 (1965). Since then, a general right to privacy has been upheld in multiple cases and is often considered  something granted by the Constitution.17DeCew, supra note 14, at 159. While this right has become more contested recently,18See generally Dobbs v. Jackson Women’s Health Org., 597 U.S. 215, 217 (2022). it is still a right that many people expect to have.19Colleen McClain et al., How Americans View Data Privacy, Pew Rsch. Ctr. (Oct. 18, 2023), https://www.pewresearch.org/internet/2023/10/18/how-americans-view-data-privacy/. As a society, we are aware of how much someone can be hurt when their privacy is violated. A lack of privacy, or even a perceived lack of privacy, will impact people. One consequence that often comes with a lack of privacy is a chilling effect, which may make someone reluctant to speak freely or share information in general.20Trina J. Magi, Fourteen Reasons Privacy Matters: A Multidisciplinary Review of Scholarly Literature, 81 Library q. 187, 188 (2011). 
Most people have some expectation of privacy, potentially more so in certain situations, such as when someone is giving sensitive information to a legal professional that they hope will help them with their legal problems.21Micah Schwartzbach, The Attorney-Client Privilege, NOLO, https://www.nolo.com/legal-encyclopedia/attorney-client-privilege.html (last accessed Apr. 20, 2024). Privacy is a right that is important to a lot of people and is especially important in getting people to feel safe in their interactions with certain professionals.

Privacy is something that legal professionals must always consider. There is an important relationship between privacy and professional responsibility, especially in the legal profession.22See Model Rules of Pro. Conduct r. 1.6 (Am. Bar Ass’n 1983). Lawyers and law firms have strong obligations regarding privacy, and privacy is often expected of them by people who seek out legal advice and representation.23Id. Privacy and confidentiality are especially important since the legal profession deals with sensitive information that is often crucial to the practice of law; anything that interrupts this flow of information could damage the legal profession. Several rules in the Model Rules of Professional Conduct (MRPC) refer to the right to privacy for different people involved in the practice of law.24See, e.g., Id. at r. 1.6; Id. at r. 1.18; Id. at r. 1.9. Legal information is often confidential, and legal professionals are obligated not to share it.25Id. at r. 1.6. Privacy is especially important for a lawyer’s client; when a person gives information to their lawyer, it is considered the lawyer’s professional responsibility to keep that information confidential.26See id. This includes not only protecting the client’s information but also, more broadly, all communications between the lawyer and their clients.27Timothy J. Toohey, Beyond Technophobia: Lawyers’ Ethical and Legal Obligations to Monitor Evolving Technology and Security Risks, 21 Rich. J. L. & Tech. 9, 13 (2015).

Confidentiality is a key part of the lawyer-client relationship.28See Model Rules of Pro. Conduct r. 1.6 (Am. Bar Ass’n 1983). In order for the relationship to function properly, a client needs to be able to speak freely with their lawyer and to trust that this information will not be shared.29Wex Definitions Team, Attorney’s Duty of Confidentiality, Legal Info. Inst., https://www.law.cornell.edu/wex/attorney’s_duty_of_confidentiality (last updated June 2022). If a client does not believe their information will be kept private, they may be less inclined to share information, even if it is relevant to their legal goal. Information is powerful in legal proceedings. A lawyer needs all the pertinent information pertaining to their client’s legal matter in order to represent them competently.30See Model Rules of Pro. Conduct r. 1.1 (Am. Bar Ass’n 1983). Another potential harm is that if people do not trust lawyers’ ability to protect sensitive information, then they may even be less likely to seek legal help altogether.

Ultimately, lawyers have a special obligation to protect their client’s information to uphold and maintain their trust. To that end, a lawyer should not intentionally share any sensitive information, but should also take reasonable precautions in order to protect information from getting leaked.31Id. at cmt. 8. Any information leak or breach of privacy is not only harmful overall to the person, but is harmful to the relationship between lawyers and clients.32Toohey, supra note 27, at 1; Andrew Conte, Unprepared Law Firms Vulnerable to Hackers, TribLIVE (Sept. 13, 2014, 10:40 PM), https://archive.triblive.com/local/pittsburgh-allegheny/unprepared-law-firms-vulnerable-to-hackers-2/#axzz3S2IsKaPf [https://perma.cc/9DUR-HQXF]. In addition to the obligations that a lawyer has towards their client, a lawyer also has obligations towards third parties. Generally, these obligations focus on not doing anything to bring unnecessary harm upon third parties or to infringe upon their rights, which could include the third party’s right to privacy.33E.g., Aviva M. Kaiser, Respecting Others’ Privileged Information: Lawyers’ Obligations to Third Persons, State Bar of Wis.: WisconsinLawyer (Apr. 1, 2017), https://www.wisbar.org/NewsPublications/WisconsinLawyer/Pages/Article.aspx?ArticleID=25528. According to the Model Rules of Professional Conduct, a lawyer must not obtain any information about a third party that would violate their rights.34Model Rules of Pro. Conduct r. 4.4 (Am. Bar Ass’n 1983). Legal professionals must attempt to uphold privacy, both out of ethical obligations and in order for key aspects of the legal profession to function.

Protecting privacy is rarely simple. Privacy is a right that has significant limitations, especially where legal actions are concerned. For example, there are situations in which privacy laws may be relaxed, especially when it comes to criminal activity.35See, e.g., 661. Privacy Protection Act of 1980, Justice, https://www.justice.gov/archives/jm/criminal-resource-manual-661-privacy-protection-act-1980 (last accessed April 20, 2024). In these instances, information being shared may not necessarily be considered a breach of ethics.36See generally id. Moreover, there are situations in which a lawyer may be allowed to violate their duty of confidentiality, such as when they have confidential information that would prevent harm to another person.37Attorney’s Duty of Confidentiality, supra note 29. In these instances, it can be complicated for lawyers to assess the nuances of the situation, especially when their client shares information—in confidence—about criminal activity.38See Judith Wagner DeCew, The Scope of Privacy in Law and Ethics, 5 L. & Phil. 145, 1466 (1986). Thus, an ethical lawyer must often consider how to properly and ethically use the sensitive and private information they obtain.

The obligations lawyers have regarding information are very serious. A breach of privacy ethics could have a drastic impact on individual clients and on the practice of law in general. The legal profession remains fairly traditional compared to other industries, and as a result, modern technology is something many lawyers may not be especially knowledgeable about.39Toohey, supra note 27, at 4. Legal professionals may not understand the risks associated with this technology, especially when it comes to cyber security.40Id. at 6. However, they must learn about technology and the ways in which it may impact privacy in the legal field in order to uphold legal ethics.41See Model Rules of Pro. Conduct r. 1.1 cmt. 8 (Am. Bar Ass’n 1983).

II. Issues and Current Standards

Changing technology has made privacy issues more complex and has created new ethical problems. Protecting privacy now requires more technological awareness than it may have previously. More information is being stored on the Internet, often on an online cloud.42Natasha Babazadeh, Legal Ethics and Cybersecurity: Managing Client Confidentiality in the Digital Age, 7 J. L. & Cyber Warfare 85, 110 (2018); Toohey, supra note 27, at 2-3. Information being stored digitally and online can lead to an increased risk of privacy breaches. This may occur for a number of reasons, including cyber security attacks or user errors.43Tim Maurer & Garrett Hinck, Cloud Security: A Primer for Policymakers 2, 4, 26 (Carnegie Endowment for International Peace, Working Paper, 2020). For example, a hacker may find a way to gain access to a law firm’s data, or a lawyer may make a careless mistake that leads to data being exposed.44Toohey, supra note 27, at 24. This might occur as a result of a lack of sufficient network security, or from a lawyer simply sending an email to the wrong person.45Id. As a result of information being stored on the Internet, the information can potentially be accessed from a wider variety of locations.46Id. This potentially increases points of access that require protection, and thus, legal professionals shall be acutely aware of the potential security vulnerabilities that may arise.

Cyber security is a growing issue that has not been adequately addressed in the legal field. Many lawyers are uninformed about how to best protect digital information from cyber-attacks.47Babazadeh, supra note 42, at 92. Even if they have heard about cyber security being important in other industries, they may not understand that a law firm is just as vulnerable to a cyber-attack, if not more so, than any other business.48Toohey, supra note 27, at 4-5. With the increase in digital data, a cyber security breach can cause severe privacy issues. If proper cyber security precautions are not taken, it will be more possible for a hacker to expose the data of lawyers or law firms.49Babazadeh, supra note 42, at 108. Cyber security in the legal profession is largely unregulated and the guidelines for cyber security are vague: lawyers have to make reasonable efforts to keep up with cyber security practices, but law firms may not train their lawyers about cyber security.50See generally Teresa Matich, 2024 Law Firm Data Security Guide: How to Keep Your Law Firm Secure, Clio, https://www.clio.com/blog/data-security-law-firms/ (last accessed Apr. 20, 2024). This increases the chance for potential breaches.51See id. Many law firms, especially smaller law firms, have been slow to adopt good cyber security practices, which makes them vulnerable to hackers and cyber-attacks.52Daniel B. Garrie et al., Small Law Firms Must Take Action and Address Cybersecurity and Privacy Regulations, ALM: Legaltech News (Feb. 15, 2024), https://www.law.com/legaltechnews/2024/02/15/small-law-firms-must-take-action-and-address-cybersecurity-and-privacy-regulations. Arguably, knowledge of current cyber security issues is required by Section 1.6 of the Model Rules of Professional Responsibility, which discusses confidentiality.53See Model Rules of Pro. Conduct r. 1.6 (Am. Bar Ass’n 1983).
The ABA’s guidelines state that a lawyer must make reasonable efforts in order to prevent unauthorized access to the client’s information, which may include cyber security precautions.54See John P. Ratnaswamy, Ethics 20/20 and Confidentiality, 29 Priv. & Confidentiality 40, 42 (2012). However, it is unclear exactly how far “reasonable efforts” would extend and its associated obligations.55See generally Model Rules of Pro. Conduct r. 1.6 (Am. Bar Ass’n 1983). Many lawyers are not especially knowledgeable about cyber security and are often not expected to be.56Toohey, supra note 27, at 4-5.

Furthermore, there are other privacy concerns that can arise out of new technology, even when what occurs would not typically be considered a cyber security breach. A privacy breach may occur even without a hacker or other malicious actor.57See Protecting Your Law Firm’s Reputation: Tips to Prevent Accidentally Sending Confidential Client Information Via Email, VIPRE Safesend (June 15, 2023), https://safesendsoftware.com/protecting-your-law-firms-reputation/. Many communications between a lawyer and client will be through email. These technologies make it easy for mistakes to happen, leading to breaches in privacy.58See id. A lawyer might prepare an email that contains sensitive information and send it to the wrong person, thus unintentionally revealing confidential information.59Babazadeh, supra note 42, at 108; Megan E. McEnroe, E-Mail in Attorney-Client Communications: A Survey of Significant Developments April 2009—June 2010, 66 Bus. Law. 191, 192 (2010). There are also concerns about information that may be unintentionally attached to an email or to a file that is being shared; this is especially likely to occur with the increase in metadata, which causes information to be passively attached to files and emails.60Dave Kinsey, Ethics and Metadata: What Law Firms Need to Understand, Att’y L. Mag. (Oct. 23, 2016), https://attorneyatlawmagazine.com/practice-management/legal-ethics/ethics-and-metadata-what-law-firms-need-to-understand.

a. Forms of Cyber Security Breaches

Cyber security is a growing concern, as more businesses rely on digital technology and are susceptible to cyber-attacks. Cyber security breaches can occur in a number of ways that law firms may not be prepared for. This includes phishing, where “a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts.”61What Is Phishing?, Phishing, https://www.phishing.org/what-is-phishing (last visited Apr. 20, 2024). Essentially, this is a way cybercriminals could be given sensitive information or even obtain login details in order to gain access to a law firm’s data.62Id. In 2016, there was a massive phishing attempt committed by a Russian hacker that targeted many top US law firms.63Sharon D. Nelson, Russian Cybercriminal Aims to Breach Top U.S. Law Firms, Sensei Enters. (Apr. 4, 2016), https://senseient.com/ride-the-lightning/russian-cybercriminal-aims-to-breach-top-us-law-firms/. It is possible this led to massive security breaches due to the law firms lacking sophisticated cybersecurity systems,64See Russian Cybercriminals Target 50 Law Firms Nationwide, CIAB, https://www.ciab.com/resources/russian-cybercriminals-target-50-law-firms-nationwide/ (last accessed Apr. 20, 2024). or not training their lawyers about cyber security and spotting phishing schemes. Lawyers should be acutely aware of these threats and should be motivated to protect information against them.

Ransomware is a cyber security issue that law firms must be aware of and be prepared to deal with. In 2022, 17% of cyber-attacks involved ransomware.65What Is Ransomware?, IBM (2022), https://www.ibm.com/topics/ransomware (last visited Apr. 20, 2024). Also, different types of cyber-attacks are connected, as ransomware can sometimes occur from a hacker gaining access to someone’s systems via phishing.66Id. Typically, ransomware involves the installation of a program, which then makes the network or computers unusable until some amount of money is paid.67Id. There is often also a threat that data will be released or otherwise stolen if the ransom is not paid.68Id. Someone may be tricked into installing ransomware, potentially via phishing or by the software being attached to a program that appears legitimate.69Id. At times, ransomware may be used to access data and threaten to release that data if the owners do not comply, which is what occurred during REvil’s attack on Grubman Shire Meiselas and Sacks.70Akshaya Asokan, Ransomware Gang Demands $42 Million From Celebrity Law Firm, Data Breach Today (May 16, 2020), https://www.databreachtoday.com/ransomware-gang-demands-42-million-from-celebrity-law-firm-a-14292. In light of the multiple instances of legal data being seized and held for ransom by hackers,71E.g., Y. Peter Kang, ‘Cryptolocker’ Virus Holding Law Firm Data for Ransom, Law360 (Mar. 9, 2015, 6:49 PM), http://www.law360.com/articles/629305/cryptolocker-virusholding-law-firm-data-for-ransom; Isha Marathe, The Dark Side of Tech: 8 Law Firms That Suffered Data Breaches in 2023, ALM L.: Legaltech News (Dec. 21, 2023, 2:59 PM), https://www.law.com/legaltechnews/2023/12/21/the-dark-side-of-tech-8-law-firms-that-suffered-data-breaches-in-2023/. law firms suffer financially because breaches involving ransomware are very costly. 
Even if one excludes the cost of the ransom payment itself, it is estimated that a ransomware attack costs $4.62 million on average.72The True Cost of a Ransomware Attack, CybelAngel, https://cybelangel.com/the-true-cost-of-a-ransomware-attack/ (last visited Apr. 20, 2024).

Big data has created ethical issues. Due to new technology, massive amounts of information are being collected by many industries; much of this information has the potential to be relevant to legal professionals.73Big Data: What It Is and Why It Matters, SAS, https://www.sas.com/en_us/insights/big-data/what-is-big-data.html (last visited Apr. 20, 2024). This has created unprecedented problems, even in industries that have always dealt with data, as data of this quantity cannot be dealt with via traditional data processing software.74Id. Oftentimes, there is a large amount of data that is created unintentionally—such as metadata that may be attached to files or emails—and a person may be unaware of the information they are sharing.75See generally Bennett B. Borden, Big Data, Analytics and Ethics: Lawyering in the Information Age, Nat’l Comm. on Vital & Health Stat. 1-3 (2017), https://ncvhs.hhs.gov/wp-content/uploads/2017/11/B3-Bennett-Borden-PCS-2017Nov28-Big-Data-Analytics-and-Ethics-Lawyering-in-the-Information-Age-508.pdf. While much of this data may be useful in practicing law, it also comes with various ethical concerns. This includes data that may be privileged information in other fields; lawyers must consider the ethical obligations of these fields as well.76See generally Eric Y. Drogin, Ethical Conflicts in Psychology 257 (Am. Psych. Ass’n, 5th ed. 2019). One example of data that is now available to more people is psychological test data, which is often intended to only be used for mental health treatments and would not be expected to be utilized in the legal practice.77See id. The excess of data allows for more analytical decisions. However, it also opens up ethical questions regarding how much data should be used, and for what purposes.78See generally Borden, supra note 75, at 7.
There is an increased risk of evidence being collected that may contain information that would risk violating the privacy of third parties.79See generally Toohey, supra note 27, at 31-33.

Another important aspect of information that has emerged due to new technology is metadata. Metadata is information attached to data, sometimes without the person being informed that this information is being shared.80See Emma Witman, What Is Metadata? Understanding the Types of Data That Describes Data Sets and Determines Much of What You See Online, Bus. Insider: Revs. (Jun. 17, 2021, 11:54 AM), https://www.businessinsider.com/guides/tech/what-is-metadata. The concept of metadata and the lack of awareness about it, especially in the legal profession, means that it is easier for information to be transmitted unintentionally.81Ratnaswamy, supra note 28, at 43. Various information might be included in metadata.82Kinsey, supra note 60. This can include the original author of a document, the location that a photo was taken, the edit history of a file, and more.83Id. There are generally fewer regulations surrounding metadata than there are surrounding regular data, and the ABA has not provided many guidelines regarding metadata.84Jonathan Mayer et al., Evaluating the Privacy Properties of Telephone Metadata, 113 Procs. Nat’l Acad. Scis. U.S. Am. 5536, 5540 (2014). This makes a lawyer’s obligations regarding metadata even less clear than other forms of information. This is made more difficult when a lawyer does not know about metadata and is unaware of what kind of information they may be giving away by not carefully considering the metadata of any documents, emails, or other files that they may be sharing.

b. Technology and the Practice of Law

Many people in the legal profession are not knowledgeable about technology in general, and often know little about cyber security practices. The legal profession has a strong history of traditionalism, which sometimes means pushback on technological focus.85Toohey, supra note 27, at 1-2; 4-6. Not only have certain technological issues not been addressed, but some lawyers may not even be fully aware of these problems and how they pertain to their confidentiality obligations.86Id. The legal profession has generally not invested many resources into dealing with these potential issues. Law firms tend to spend less money on cyber security experts compared to companies of similar size in other industries; they are often reluctant to spend time and money on data protection despite the growing threats.87Conte, supra note 32. Law firms often do not utilize the same security processes that are expected of large corporations in other industries, leaving law firms especially vulnerable.88Id. Moreover, certain cyber-attacks can be difficult to detect, leaving people unaware that their data has been exposed. A 2013 report found that 65% of cyber espionage attacks took months to detect.89Toohey, supra note 27, at 7-8. In 2020, many lawyers reported they had experienced a breach, and many others were unaware of whether or not a breach had occurred.90John Loughnane, 2020 Cybersecurity, Am. Bar Ass’n (Oct. 19, 2020), https://www.americanbar.org/groups/law_practice/resources/tech-report/archive/cybersecurity/. This exemplifies how vulnerable many law firms are to cyber-attacks. Also, in 2020, more than half of all lawyers were not using any kind of email encryption or file encryption.91Id. This means that in the event of any kind of breach, the information in those emails or files would be easily readable and available to anyone who gained access to them. In light of this data, it is clear that law firms are not as secure as they could be.

The lack of security protocols and an unwillingness to utilize security technology is concerning because law firms are increasingly being targeted by cyber-attacks.92AJ Shankar, Ransomware Attackers Take Aim at Law Firms, Forbes (Mar. 12, 2021, 8:50 AM), https://www.forbes.com/sites/forbestechcouncil/2021/03/12/ransomware-attackers-take-aim-at-law-firms/?sh=335060daa13e. Law firms are prime targets for ransomware due to the large amount of sensitive information they store.93Id. Even law firms that are considered technologically savvy and are more aware of these problems are still at risk.94Daniel W. Hagar, Enhanced Cybersecurity Is Imperative for Arizona Lawyers, Att’y L. Mag. (June 20, 2019), https://attorneyatlawmagazine.com/legal-vendors/insurance/enhanced-cybersecurity-imperative-arizona-lawyers.

Many legal communications, including ones that possess confidential information, take place via electronic communications. The increased use of electronic devices can cause different issues, depending on the nature of the device and the precautions taken. The increased use of cellphones as a primary method of communication can potentially cause breaches, as both digital and analog phone conversations can be intercepted.95David J Bilinsky & Laura Calloway, Lawyers, Cell Phones, Ethics, and Security, 20 Sec. & Ethics 34, 36 (2003). Even if a lawyer is careful to only use methods of communication that they know to be secure, it is likely that the client will be less careful and privileged conversations may be vulnerable.96Id. Therefore, lawyers must always consider the potential vulnerabilities associated with shared information.

There are even more risks associated with communications that occur electronically, especially over the Internet. A large number of corporate communications, including communications related to legal business, now occur over email, connecting these conversations and the information associated with them to the Internet.97Toohey, supra note 27, at 2. Tablets and other forms of portable computers can cause privacy breaches, especially now that these devices are increasingly used for legal work.98Bilinsky, supra note 95, at 38. These devices are frequently lost or misplaced, making any data stored on them vulnerable.99Id. Data is often unnecessarily left available and vulnerable on devices that lawyers use to work remotely; less than half of all lawyers in 2020 used any kind of remote device management or wiping tool.100Loughnane, supra note 90.

c. Current Guidelines

The American Bar Association has made decisions regarding emerging technology, often attempting to use the Model Rules to deal with these changes.101See A Re-Examination of the ABA Model Rules of Professional Conduct Pertaining to Client Development in Light of Emerging Technologies, Am. Bar, https://www.americanbar.org/groups/professional_responsibility/resources/professionalism/professionalism_ethics_in_lawyer_advertising/ethicswhitepaper/ (last accessed Apr. 20, 2024). However, this has only occurred in a limited fashion, and there are still issues that have not been addressed. Additionally, every state bar has not followed the recommendations given by the ABA, and many of these guidelines are in comments and other non-authoritative recommendations.102Model Rules of Pro. Conduct Preamble & Scope (Am. Bar Ass’n 1983). In 1999, it was determined by the American Bar Association that it is acceptable to use email for legal communications and to send confidential information via email because the Internet offers a sufficient degree of privacy compared to the methods of communication used by lawyers in the past.103McEnroe, supra note 59, at 191. However, it can be argued that times have changed significantly since the years in which these decisions were made. Questions have arisen regarding the safety of email and there has been increasing concern about cyber security attacks and the ways electronic communications could be intercepted.

Metadata is a bigger concern now than it was in the past because an increasing amount of information may be transmitted that the sender may not be aware of or intend to transmit. This decision was made because email has a similar level of privacy to phone calls via landline and physical mail via the post office.104Toohey, supra note 27, at 23. However, this does not take into account how easy it is to transmit an email to another person.105Id. A phone call cannot be mass-shared in the way that an email can.106Id. In the event of a breach, email messages are much more likely to be stored and therefore vulnerable to being leaked.107Id. This means emails carry many risks that other forms of communication may not have. But, a 2010 opinion by the American Bar Association stated that it is acceptable to utilize a personal wireless system for communications as long as the system has “appropriate security features,” which may include encryption and firewalls.108Id. at 20. However, it is important to highlight that the opinion warns about utilizing public wireless communication systems because they typically lack these security features.109Id.

In 2009, the ABA discussed how the Model Rules apply to emerging technology and addressed some issues associated with these technologies.110James Podgers, The Fundamentals: Lawyers Struggle to Reconcile New Technology with Traditional Ethics Rules, 100 ABA J. 22, 22 (2014). At this time, an important change was made to Model Rule 1.1, which addresses the competency requirements for lawyers; in order to be considered competent under the model rules, lawyers are now required to keep up to date regarding “the benefits and risks associated with relevant technologies.”111Model Rules of Pro. Conduct r. 1.1 cmt. 8 (Am. Bar Ass’n 1983). This could mean that a lawyer could potentially be accused of violating professional ethics for failing to be aware of the potential harm associated with the technology they are using. However, it is unclear exactly how knowledgeable lawyers must be to satisfy their competency requirements, especially regarding the quickly evolving field of technology. Generally, lawyers must only have a “reasonable” amount of knowledge regarding current technology.112Podgers, supra note 110, at 23. Different people and different jurisdictions will have widely varying ideas about what a reasonable amount of knowledge is. Therefore, it is unclear how much technology training a lawyer must go through to continue practicing.

In 2012, the American Bar Association added a comment to Model Rule 1.6(c).113Model Rules of Pro. Conduct r. 1.6 cmt. 18 (Am. Bar Ass’n 1983). This comment “requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.”114Id. Competently safeguarding information could include putting precautions in place to prevent unauthorized persons from gaining access to information electronically, which could lead to enacting cyber security protections. Whether a lawyer’s attempts to protect the information will be considered reasonably sufficient depends on a number of factors, including “sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.”115Id. There is significant leeway for lawyers in the actions they take to protect data, especially since there are allowances made for safeguards that would be difficult or costly to implement. Regulations regarding data tend to be reactive. Many problems will not be addressed until harm comes as a result of the lack of regulation. Even with harm occurring and privacy being clearly at risk, the legal profession has been slow to react.116See Borden, supra note 75, at 1-8.

There are regulations that may potentially apply to lawyers and law firms, depending on the state they operate in. Some of these issues have been addressed to some extent by the bars of individual states. Recently, the Arizona State Bar published an ethics decision regarding metadata.117Bradley Perry, Metadata: Landmine or Buried Treasure?, Ariz. Att’y Mag., Oct. 2022, at 10; see generally Witman, supra note 70. This decision prohibits lawyers from mining metadata and requires legal professionals to scrub metadata from any confidential documents sent electronically.118Id. Mining metadata means “searching for metadata using software applications that are designed to retrieve metadata despite a sending lawyer’s reasonable efforts to scrub it.”119Ariz. Att’y Ethics Advisory Comm., Op. EO-20-0008 (2022).

In most states, there are obligations involving data security that apply to all businesses. In forty-eight states, there are laws requiring that in the event of a security breach, any business must inform those who may have had their information accessed.120Toohey, supra note 27, at 14. A few states, such as California, have more requirements, including that businesses—including law firms—must “implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use modification, or disclosure.”121Id. at 23.

While the privacy issues caused by more recent technology have been addressed by some authoritative bodies, awareness is still lacking in the legal profession. These issues are not being properly dealt with, and most of the available guidelines are vague or overly lenient regarding the obligations of legal professionals. This leaves legal data and confidential communications at significant risk.

III. Recommendations

It is important for the legal profession to consider the problems resulting from current and future technology, especially when this technology becomes an integral part of the industry and of everyday life. The legal profession must especially be aware of how technology is impacting the obligations that lawyers have in protecting privacy. In order for a lawyer to be considered competent enough to practice under MRPC 1.1, it is the responsibility of lawyers to weigh the benefits of using certain technologies against the harms that may occur as a result of using them.122See Model Rules of Pro. Conduct r. 1.1 cmt. 8 (Am. Bar Ass’n 1983). The usage of some newer technology cannot be avoided. In these cases, lawyers should be aware of the potential risks and the ways in which these technologies may impact privacy.123See McEnroe, supra note 59, at 192-94. Legal professionals are not the only ones who must contend with the ways in which technology has caused problems regarding privacy ethics. The legal profession should self-regulate their technology in a way similar to other industries that must deal with sensitive information, such as the medical and banking industries.124Kenneth N. Rashbaum et al., Cybersecurity: Business Imperative for Law Firms; Outside Counsel, N.Y. L. J. (2014), https://plus.lexis.com/api/permalink/1d9852d7-230c-4c4c-b95f-1e7fecea8ec4/?context=1530671. Moreover, the legal profession must enact more and stricter guidelines regarding technology. Client data should be kept as safe as possible, which means that the legal profession must do whatever it can to regulate the safety of legal information. Otherwise, the profession’s reputation will suffer and people will be less likely to trust their lawyers.125Matich, supra note 50.

a. Data Protection Procedures

Lawyers need to be up to date on cyber security. They must be aware of current risks and take precautions to protect data. The American Bar Association already recommends that they implement “reasonable” safeguards.126Model Rules of Pro. Conduct r. 1.6 cmt. 18 (Am. Bar Ass’n 1983). A lawyer should consider what these safeguards may be and be willing to potentially spend time and money implementing them. Lawyers must also understand the amount of information they are potentially sharing at all times. This is especially important when considering metadata; a lawyer must understand metadata well enough to avoid sharing information that they should not be.127Mayer, supra note 84, at 5536. New technology may often have complicated implications that may not be easily foreseen, especially by someone who does not have a good understanding of that technology.128Borden, supra note 75, at 7-8. Lawyers must remember to analyze the technological advancements impacting their legal work, which may require an increased level of technological knowledge.

Lawyers should be expected to utilize technology that would keep their data more secure. Lawyers who are storing or transmitting data electronically should use some form of encryption. Encryption is a way of encoding data so that it cannot be accessed or altered by someone who has not been given the ability to do so.129Box Communications, What Is File Encryption?, Box Blogs (Oct. 28, 2021), https://blog.box.com/what-is-file-encryption. Encryption is used by too few lawyers, which means that confidential legal data will be easy to read if it is accessed by a third party.130Loughnane, supra note 90. Encrypting files is a safeguard that would make it more difficult for a malicious actor to access data, although it is still possible for a malicious actor to decrypt files. Encryption would also prevent someone who received the email by accident from easily reading sensitive information.131Box Communications, supra note 129. Ultimately, encryption is a basic and typically inexpensive piece of technology that may make it more difficult for unknown parties to access a law firm’s sensitive data, thus decreasing both the chances of a privacy breach and the potential harm done by a breach.132See Matich, supra note 50. Therefore, using encryption should be considered a “reasonable” security precaution.133See Model Rules of Pro. Conduct r. 1.6 cmt. 18 (Am. Bar Ass’n 1983).

Client data should only be used for the client’s legal representation. After someone is no longer a client, it may be best if their data is not saved. If the past client’s data is not saved, then the data would no longer be vulnerable to privacy breaches and the amount of data a lawyer is responsible to protect would decrease. If a data breach does occur, less sensitive information will be available to hackers, which decreases the amount of potential harm. Law firms should consider what information is really necessary and whether it is worth the risk to keep. Part of the reason why certain technologies are regarded as safe is because it was previously assumed that any sensitive information would end up being deleted relatively quickly.134Toohey, supra note 27, at 24. This was especially true in the 1990s, when many opinions about technology were being formed and the American Bar Association’s decision regarding email was made.135Id. at 24-25. At this time, storage space was more expensive, which meant that data was not kept as long.136Id. at 24. Email providers during this time period, such as AOL, would delete emails from their servers after only a matter of days.137Id. This has changed significantly in recent years.138Id. Now, digital storage space is cheap, and it is easy to keep huge quantities of data saved indefinitely.139Id. Not only are many companies able to keep data over prolonged periods, but someone may not even be aware of the data still being saved because a backup of any file could exist on Internet web servers, such as those used by Google and Microsoft.140Id. Lawyers should stay aware of the data-saving policies of any communication or data storage product that they are using, especially if it is saving data to a cloud; otherwise they may not be fully aware of how long that data will exist or who might be able to gain access to it. Lawyers should have policies regarding how much data they will save and for how long. Additionally, they should be aware of any related policies in the products or services that they are using.

Currently, the only rules regarding technology in the ABA’s Model Rules focus on efforts that individual lawyers should make when protecting confidential information and when learning to use new technology.141See generally Model Rules of Pro. Conduct r. 1.6 (Am. Bar Ass’n 1983). These rules are not very specific about what those efforts should be.142See generally id. For the legal profession to deal with certain issues, there must be more requirements that force legal professionals to take more specific precautions. These requirements should also be adjusted as new technology is invented, as well as when the current technology changes; one cannot rely on old statements that were made before several modern-day innovations. These changes should include stricter and more detailed rules for law firms and legal professionals. It is important for there to be improved rules for law firms. Law firms must be willing to invest more time and money into cyber security precautions. Currently, law firms invest very little in cyber security, making the legal profession especially vulnerable.143Conte, supra note 32. Law firms are already an enticing target for hackers due to the amount of sensitive information they commonly have stored, and because law firms have less cyber security than similar businesses they are even more attractive for hackers to target.144Id. Legal professionals must become more prepared to safeguard against cyber-attacks and to deal with them if they do happen; this may require regulatory bodies to step in and ensure that these precautions are taken. However, it would be best if the legal profession can properly self-regulate on these issues as it does for other issues.145See generally, Hathaway et al., The Law of Cyber-Attack, 100 Cal. L. Rev. 817, 859-66 (2012).

b. Increasing Technological Knowledge

Law firms should ensure that their employees are knowledgeable enough about technology to be able to take reasonable precautions to protect client privacy. In many jurisdictions, awareness about technology is no longer optional, as the Model Rules of Professional Conduct consider being knowledgeable about current relevant technology to be a requirement for competency in lawyers.146Model Rules of Pro. Conduct r. 1.1 cmt. 8 (Am. Bar Ass’n 1983). This is a fairly broad requirement, but many jurisdictions have additional, more specific rules that lawyers must be aware of.147See, e.g., Perry, supra note 117. For example, in Arizona, it is required that lawyers remove any confidential metadata from the documents they send to people other than their clients.148Id. This means that these lawyers must have some degree of technological knowledge and understanding of what metadata is.149Id. There must be more focus on training lawyers to be knowledgeable about technology to avoid mistakes, especially mistakes that may lead to breaches of privacy.150Toohey, supra note 27, at 21-22. Law firms should be prepared to train their employees about technology in general and in any technology used by the firm. They must also be prepared to alter their protocols and training procedures when they implement new technology or when the technology that they are already using undergoes any significant changes.

Lawyers are already required to undergo certain training to begin and to continue practicing. In most states, lawyers are required to take continuing legal education classes to continue practicing law. In Arizona, fifteen hours of continuing legal education are required; three of these hours must have a focus on ethics.151Arizona CLE Requirements and Courses, Am. Bar Ass’n, https://www.americanbar.org/events-cle/mcle/jurisdiction/arizona/ (last visited Feb. 17, 2024). A lawyer’s continuing legal education should include classes focusing on how to properly use emerging technologies and about issues that might arise from using this technology. Rather than increase the overall number of hours required for continuing legal education, the number of hours can remain the same, but some of those hours should be spent learning about technological issues in the legal profession, just as three hours are already required to be focused on ethics.152Id. The tech-based classes for lawyers could include education about cyber security, information ethics, metadata, and new technology that may be relevant in legal practice. Some of these topics are already discussed in Continuing Legal Education classes.153E.g., Preventing Your Worst Tech Nightmare: Protecting Your Firm and Clients from Cybercriminals, Nat’l Acad. Continuing Legal Educ., https://www.nacle.com/CLE/Courses/Preventing-Your-Worst-Tech-Nightmare-Protecting-Your-Firm-and-Clients-from-Cyber-2156 (last visited Feb. 17, 2024). For example, one Continuing Legal Education class available to legal professionals in Arizona is titled “Preventing Your Worst Tech Nightmare: Protecting Your Firm and Clients from Cybercriminals.”154Id. This course is meant to educate legal professionals about cyber security and teach different ways that one might protect their confidential information against cyber-attacks.155Id. This is an example of the type of class that should be made mandatory. For this initiative to be successful, it would also be important to increase the number of Continuing Legal Education classes available that are related to technological issues. There should not only be classes about cyber security, but there should also be classes about the ethical usage of any new technology that becomes a part of the legal profession.

Law firms should also be involved in keeping the legal profession informed about technological issues. Law firms should ensure that all of the lawyers they hire are properly trained and knowledgeable about any technology that they may be using or involved with. Lawyers should be trained on how they are expected to deal with emails. This could include ensuring that any emails are sent to the correct person and that the email, as well as any files sent with it, does not contain sensitive metadata. Lawyers should also be taught how to receive emails. A lawyer clicking on a link or submitting information to a fraudulent email can cause a lot of security problems for a law firm.156See Roberta Tepper, Not Being Scammed, Ariz. Att’y Mag., Apr. 2021, at 10, 10. Lawyers should be trained on how to spot fraudulent emails, and it may be best for them to act proactively even if they only have a slight suspicion about an email. Lawyers should send any potentially fraudulent emails along to the law firm’s IT department.157Id. Every law firm must have a consistent protocol for emails. Law firms must especially plan for how to identify and deal with fraudulent emails. This may involve both training their employees to follow specific practices and ensuring that they have a robust IT department that is aware of cyber security threats and can deal with them appropriately.

c. Tightening Existing Guidelines

Law firms must also be prepared to invest more into cyber security. The legal profession should be spending just as much time and money on cyber security as other industries. In fact, they may need to spend more because law firms have been so frequently targeted and it is especially crucial that legal information be kept private. While it may be costly, it will be worth it in the long run due to how costly a cyber-attack can be.158Kate Myers, “Affirmative” and “Silent” Cyber Insurance Protecting Your Firm in 2022, Ariz. Att’y Mag., Oct. 2022, at 42, 42. Additionally, doing everything possible to protect clients’ privacy should be considered an ethical and professional obligation for all legal professionals. In one survey, it was found that 25% of all law firms experienced a cyber security breach in 2021.159Id. This is far too high a number for the legal profession to ignore. While proper security measures can be expensive, the harm caused by cyber security attacks can be far more costly.160See id. Even when proper precautions are in place, law firms also need to be prepared for how they will address a cyber security breach if one does occur. Many law firms would benefit from looking into their insurance coverage for cyber security, which is not always covered by more general insurance packages.161Id. at 44, 46. Choosing a cyber security insurance package requires law firms to perform research and consider where there might be flaws in their security.162Id. at 44-46. Law firms must spend more resources understanding the technology they use and the problems that may arise from those technologies.

The legal profession should follow in the footsteps of other industries when it comes to electronic privacy. Other industries that deal with protected information are highly regulated. The medical industry is a good example to follow because medical information is also very sensitive, and medical professionals are meant to have a code of professional ethics regarding privacy.163See infra notes 158, 161. In their code of professional ethics, medical professionals have similar obligations regarding confidentiality.164See Privacy, Confidentiality & Medical Records, Ama Code Med. Ethics, https://www.ama-assn.org/delivering-care/ethics/code-medical-ethics-privacy-confidentiality-medical-records (last visited Feb. 17, 2024). Like a lawyer’s client, a patient expects the information they give to a medical professional to be kept private.165See id. However, the medical industry differs from the legal profession in that there are more specific regulations regarding how this information is kept secure, and some of these regulations are enforced by the federal government.166See generally Summary of the HIPAA Privacy Rule, U.S. Dep’t of Health & Hum. Servs., https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html (last updated Oct. 19, 2022). This includes guidelines for storing and securing electronic records.167Confidentiality & Electronic Medical Records, Ama Code Med. Ethics, https://www.ama-assn.org/delivering-care/ethics/confidentiality-electronic-medical-records (last visited Apr. 20, 2024). Medical professionals are required to form a consistent system regarding medical records; this system must “conform to acceptable industry practices and standards.”168Id. Medical ethics also require that “measures to ensure data security and integrity” must be included in their information security system.169Id. Additionally, the Code of Medical Ethics gives specific instructions for dealing with a security breach if one does occur, which requires disclosing the breach to all relevant parties and taking steps to mitigate the harm done by the breach.170Breach of Security in Electronic Medical Records, Ama Code Med. Ethics, https://www.ama-assn.org/delivering-care/ethics/breach-security-electronic-medical-records (last visited Apr. 20, 2024). There are further legal consequences for medical professionals who fail to protect the privacy of their patients.171Id. This is included in the Health Insurance Portability and Accountability Act (HIPAA), a federal law that regulates healthcare professionals and creates obligations for them to protect medical records.172Health Insurance Portability and Accountability Act of 1996 (HIPAA), Ctrs. for Disease Control & Prevention https://www.cdc.gov/phlp/publications/topic/hipaa.html (last updated June 27, 2022). HIPAA has specifications regarding electronically protected health information, which includes an obligation to “detect and safeguard against anticipated threats to the security of the information.”173Id. This implies an obligation to be aware of cyber security issues, as well as proper protocol for securing digital information.174See Id. Medical professionals cannot ignore technological threats to privacy like legal professionals can, or they may face more severe legal ramifications.175See HIPAA Violations & Enforcement, AMA, https://www.ama-assn.org/practice-management/hipaa/hipaa-violations-enforcement/ (last accessed Apr. 20, 2024). Like the medical industry, the legal profession should further codify requirements regarding cyber security and privacy breaches. The legal profession should also have more guidelines regarding digital information and could potentially use the medical industry as a template for these guidelines.

The banking industry is another potential example of how to handle privacy. The federal government primarily regulates privacy through the Federal Deposit Insurance Corporation (FDIC) and the Federal Trade Commission (FTC).176See Privacy Rule Handbook, FDIC, https://www.fdic.gov/regulations/examinations/financialprivacy/handbook/ (last updated Nov. 8, 2023); Protecting Consumers’ Financial Privacy, Fed. Trade Comm’n, https://www.ftc.gov/news-events/topics/protecting-consumer-privacy-security/financial-privacy (last visited Apr. 20, 2024). The FDIC handbook describes several regulations regarding how to protect banking customers’ privacy.177Privacy Rule Handbook, supra note 176. Agencies are expected to take certain steps to secure data.178Id. The FTC has specific guidelines regarding how to keep private data secure.179Standards for Safeguarding Customer Information, 86 Fed. Reg. 70272, 70272 (Dec. 9, 2021) (to be codified at 16 C.F.R. pt. 314), https://www.federalregister.gov/documents/2021/12/09/2021-25736/standards-for-safeguarding-customer-information. A financial institution must create an information security program, and is expected to “identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information.”180Id. There are guidelines in the banking industry that the legal profession could utilize. In particular, the FTC gives very specific regulations regarding cyber security and other technological threats to privacy, while similar rules in the legal profession are much broader.181See, e.g., FTC Extends Deadline by Six Months for Compliance with Some Changes to Financial Data Security Rule, Fed. Trade Comm’n (Nov. 15, 2022), https://www.ftc.gov/news-events/news/press-releases/2022/11/ftc-extends-deadline-six-months-compliance-some-changes-financial-data-security-rule; ABA Urges Lawyers to Raise their Cybersecurity Game, Esquire Deposition Solutions (Aug. 10, 2023), https://www.esquiresolutions.com/aba-urges-lawyers-to-raise-their-cybersecurity-game/. If the legal profession had more specific rules like the banking industry has, there would be much more standardization in how information is protected.

The legal profession could benefit from taking some of the precautions other industries have taken. The medical and banking industries in particular are good examples because these industries also deal with a lot of very sensitive information and are expected to be heavily regulated due to the severe consequences that can occur if this information is leaked.182See Breach of Security in Electronic Medical Records, supra note 170; Privacy Rule Handbook, supra note 176. The legal profession currently has many of the same expectations regarding privacy as these other industries do, as well as a similar overall set of professional values, but the legal profession has not always fulfilled these expectations or upheld these values successfully.183See Asokan, supra note 1; Mühlberg, supra note 7; Toohey, supra note 27, at 3-4, 45-47. This is partially because the profession has fewer rules devoted to dealing with new privacy issues.184See generally Model Rules of Pro. Conduct (Am. Bar Ass’n 1983).

The legal profession is unique in certain ways, which means it probably cannot be regulated the same way these other industries are. The medical and banking industries are regulated significantly by the government.185See Breach of Security in Electronic Medical Records, supra note 170; Privacy Rule Handbook, supra note 176. However, the legal profession regulates itself;186Model Rules of Pro. Conduct Preamble & Scope (Am. Bar Ass’n 1983). thus, people cannot rely on government standards when seeking legal help but must instead trust the standards of the profession. Despite the different hierarchies of authority present in the legal profession, there are still elements from other industries that could be applicable.

The legal profession should enact stricter rules regarding the use of technology and how it pertains to privacy. The idea of tightening guidelines surrounding information issues will not be new to the profession.187Data Privacy Principles All Legal Providers Should Adopt, Thomson Reuters, https://legal.thomsonreuters.com/en/insights/articles/data-privacy-principles (last accessed Apr. 20, 2024). The American Bar Association has already enacted detailed ethical obligations connected to confidentiality.188E.g., Model Rules of Pro. Conduct r. 1.6(b) (Am. Bar Ass’n 1983). For example, keeping client information confidential is not an absolute obligation; several exceptions are fairly specific.189Id. More rules could have this level of detail, especially when pertaining to a lawyer’s technological obligations and level of required knowledge. The American Bar Association must also prepare to enforce these rules. There is already a structure for enforcing legal ethics and potentially punishing those in breach.190Id. at r. 8 (Am. Bar Ass’n 1983). There should be potential for suspension for those not taking appropriate steps to protect confidential information, as this issue can cause significant harm if the person is allowed to continue practicing in this unsafe fashion.

The legal profession must act on these privacy issues as soon as possible. It must also be ready to deal with new issues arising from continually advancing technology. There are several possible negative consequences if the legal profession does not take steps to adjust to modern technology.191Matich, supra note 50. A perceived lack of privacy tends to make people more reluctant to speak about certain things.192See Magi, supra note 20, at 188. If clients believe that their sensitive information may not be safe, they may be less likely to share information with their lawyers, even if this information is crucial to their legal proceedings. This will limit how much a lawyer is able to help them. The previous pattern of reactive regulation is not sufficient. The legal profession cannot wait until a crisis happens before it will change; it must instead take preventative measures as soon as possible. A privacy breach can cause significant damage. For example, a law firm’s data being leaked could mean that all of their clients have now had sensitive information made more public. Moreover, this would have a severe impact on the reputation of both the law firm and of the noble legal profession.

IV. Conclusion

Modern technology is not something that the legal profession can avoid; the problematic implications these technologies have for privacy also cannot be avoided but can be ameliorated. Legal professionals must be prepared to deal with the potential ethical consequences of using this technology. Information is increasingly vulnerable, making privacy ethics more important than ever. Lawyers especially have an obligation to be concerned with privacy due to their professional responsibilities regarding confidentiality. Professional conduct in the legal profession must be adjusted in order to reflect the changing technological landscape. These changes would include a variety of approaches, including more comprehensive education about technological issues and more specific guidelines.

REvil’s attack on Grubman Shire Meiselas and Sacks could have been prevented if the firm had kept more up to date about recent cyber security threats and had been more aware of possible vulnerabilities in its data protection plan. If the firm had taken more precautions, then the massive amount of leaked data would have likely been protected. Legal professionals have the potential to prevent ethical crises before they happen by increasing awareness of technological threats to privacy and by increasing regulations surrounding how technology is used by the industry. The legal profession must act now rather than wait to respond.

 

* J.D., University of Arizona James E. Rogers College of Law, May 2023.

 
