The Confluence of “E-Competence” And Technology-Based Attacks: Protecting Clients and Confidential Information from Invisible Threats

American jurisprudence is by necessity steeped in traditions and stare decisis, and to many observers, any change to the existing state of affairs is deliberate, halting, and sometimes cumbersome.  The same may be said about an attorney’s professional and ethical obligations, as reflected in the California Rules of Professional Conduct.  Members of the State Bar of California are well-versed in their duties of competency under Rule 3-110(A): “A member shall not intentionally, recklessly, or repeatedly fail to perform legal services with competence.”  However, the legal profession received a disturbing “wake-up call” recently when it was revealed that DLA Piper, LLP, the second largest law firm in the United States of America, was paralyzed by a ransomware attack that resulted in a shutdown of its technology systems.

Ransomware is a type of malicious computer program that blocks access to the victim’s data and threatens to publish or delete it unless a ransom is paid.  In the case of sensitive client information, the consequences may be catastrophic.  In stark contrast to the pace of change in American jurisprudence, the emergence of “hacking” or malware attacks on the legal profession appears to be increasing in terms of frequency and variation. The new reality of data security brings into sharp focus the requisite level of “E-Competence” that is expected from attorneys and the legal professionals that they supervise.

Rule of Professional Conduct 3-110 states, in no uncertain terms, that a lawyer “shall not intentionally, recklessly, or repeatedly fail to perform legal services with competence.” “Competence,” under Rule 3-110(B), in any legal service, “shall mean to apply the (1) diligence, (2) learning and skill, and (3) mental, emotional, and physical ability reasonably necessary for the performance of such service.” If an attorney is not sufficiently competent, Rule 3-110(C) provides that the attorney is still permitted to perform services by, “(1) associating with or, where appropriate, professionally consulting with another lawyer reasonably believed to be competent, or (2) by acquiring sufficient learning and skill before performance is required.”

Although “E-Competence” is not specifically referenced in Rule 3-110, the language of the rule is sufficiently broad to justify an interpretation that extends to competence in technology.  Indeed, the Comment Section to the American Bar Association’s Model Rules of Professional Conduct, Rule 1.1 Competence, states in Section 8, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”  In other words, under the Model Rules of Professional Conduct, competence requires sufficient knowledge and skill in understanding the “risks associated with relevant technology[.]” Twenty-seven states have adopted the standard contained in the Model Rules, including Arizona, Colorado, New Mexico, and Washington.

Currently, although the State Bar of California has not yet followed the Model Rules regarding “E-Competence,” the proverbial “writing is on the wall,” suggesting that it is quickly moving in that direction.  The State Bar of California’s Standing Committee on Professional Responsibility and Conduct issued Formal Opinion No. 2015-193, wherein the Committee concluded that attorneys have a duty under Rule 3-110 to be “E-Competent” notwithstanding Rule 3-110’s omission of specific references to technology.  Although Formal Opinion No. 2015-193 addressed e-discovery competence, its rationale is equally applicable to an attorney’s duty to implement reasonable and adequate measures to protect against hacking and technology-based attacks on privileged and confidential client information.

Indeed, Business & Professions Code Section 6068(e)(1) imposes a fundamental duty on attorneys, “[t]o maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client.”  The American Bar Association’s Standing Committee on Ethics and Professional Responsibility recently issued Formal Opinion No. 477.  Among other conclusions, Formal Opinion No. 477 stated that attorneys have a duty to supervise their technology vendors to ensure that these vendors’ “conduct is compatible with the professional obligations of the lawyer.”  Stated another way, attorneys are not relieved of the “E-Competence” duties by outsourcing technology services to independent contractors or vendors.

The unfortunate calamity that befell DLA Piper, LLP should serve as a cautionary example to all attorneys, and the legal professionals that they supervise, to remain vigilant to these new and emerging threats.  The insidious nature of hacking and technology-based attacks requires a reassessment of the data security protocols in place to protect clients and confidential information.  Attorneys and law firms, irrespective of size or practice area, face emerging and increasing threats from hacking, malicious computer software, and other forms of unauthorized access to sensitive client information.  Therefore, the affected individuals and entities should ensure that their “E-Competence” is current, relevant, and ready to respond to evolving technology-based threats.  The modern definition of “E-Competence” has moved beyond simply installing anti-virus programs on computers and avoiding hyperlinks from unknown senders, and the legal profession and its members should respond accordingly.

Blog by: Jimmy Ly, Associate, San Francisco