Home | Databases | WorldLII | Search | Feedback Precedent (Australian Lawyers Alliance)

Gray, Philippe Doyle --- "Digital security and lawyers' duties" [2017] PrecedentAULA 20; (2017) 139 Precedent 24

DIGITAL SECURITY AND LAWYERS’ DUTIES

By Philippe Doyle Gray

Debates about the ethics and negligence of lawyers using technology to practise law – using email, smartphones, iPads, Dropbox, Evernote, and Facebook – have advocates at all parts of the spectrum, from ‘always’ to ‘never’. But, informed lawyers agree there is room for debate only after fundamental safeguards are implemented.

Diligent lawyers have always asked the question: is it ethical to ... ? This article was first prompted by a crop of new lawyers, and some not so new, asking me: Is it ethical to use email? smartphones? iPads? Dropbox? Evernote? iCloud? Facebook?

One might as well ask whether it is ethical to use notepads and pens, lever - arch folders with printed inserts, or mobile telephones. I regularly walk from the Supreme Court of New South Wales down King Street to stop at the intersection with Elizabeth Street. So too do other lawyers. When it’s raining, we huddle under the awning of the old Sydney University Law School, but in fine weather we gather around the traffic lights waiting for the signal that it’s safe for pedestrians to cross. Usually, I see paper files or lever-arch folders neatly stating the names of the clients concerned, and sometimes the nature of their confidential affairs. Often, I can’t help but overhear a colleague talking about his matter. A few times, sensitive material was inadvertently broadcast to passers-by that included me. Once, I even overheard a colleague speaking on his mobile phone discussing settlement negotiations during mediation that had adjourned over lunch: he openly discussed not only the parties’ respective offers but his own client’s bottom line. The real security problems lie not in cloud computing, but in ourselves.^[1]

Asking whether is it ethical to ... ? is the wrong question. Instead, the sensible question is how do I ethically use email? smartphones? iPads? Dropbox? Evernote? iCloud? Facebook? and other technology?

My aim in writing this article was to create a universal framework that examined the ethics and negligence of technology used in legal practice – regardless of the software, hardware or any feature of any technology presently existing or yet to be invented. I did this because, when looking for such a framework in 2013 throughout the common law world, I found to my surprise there was none. Since first publication in 2014, I have presented this article, or it has been presented in my absence, in various American and Australian jurisdictions as part of ongoing continuing legal education.

Fundamental safeguards must first be identified, then dissected, and lastly examined in day-to-day legal practice, to arrive at a series of general propositions which guide decision-making.

I have approached the topic from the perspective of a court (or tribunal) charged with determining, after a complaint by a client, whether a lawyer is guilty of unethical conduct or negligence (malpractice). In making its determination, the court may draw upon both domestic and foreign standards – because technology is the same everywhere and, at least in common-law jurisdictions, so too is day-to-day practice. So, I synthesised international sources into a series of general propositions that I hope reflect an international consensus between lawyers and computer scientists about fundamental safeguards for lawyers’ use of technology. These propositions I have called the pillars of digital security.

This article identifies the sources from which the seven pillars derive, their nature and scope, and it explains how to implement the pillars in legal practice.

A SHORT HISTORY OF LAWYERS AND TECHNOLOGY

It started with the iPad

Between September 2010 and August 2012, the legal profession reached a tipping point. Before then, comparatively few people questioned lawyers’ use of technology – including most lawyers. The extent to which one utilised information technology in the practice of law was a matter of personal preference and entirely optional. Information was usually stored on paper, sometimes in electronic form, typically on site, but always under conditions where it could be accessed and controlled by senior lawyers. But everything changed with the (re-)arrival of cloud computing and the contemporaneous explosion in popularity of internet-enabled mobile computing devices, not least of which was the tablet computer whose time had come.

In 2009, while the Blackberry was the de rigeur smartphone of the 21st-century lawyer, the iPhone became an accepted, and acceptable alternative: of the top 200 American law firms based on revenue, 5 per cent supported attorneys with iPhones in 2008, but in 2009 that had jumped to 55 per cent.^[2] And then on 3 April 2010 Apple Inc starting selling iPads.^[3] They were an instant hit with American lawyers.

In 2011, about one year after the first iPad went on sale, the American Bar Association surveyed lawyers and found that 15 per cent of respondents used a tablet for law-related tasks, and of that 15 per cent, 89 per cent used an iPad.^[4] That same year, of the top 200 American law firms based on revenue, 96% supported attorneys with iPhones (up from 55 per cent), and 99 per cent supported attorneys with iPads. In more than half of all American law firms surveyed, every fourth lawyer used a tablet computer – and anecdotal evidence suggested that over 90 per cent were using iPads.^[5]

In 2012, the American Bar Association found that 33 per cent of respondents used a tablet for law-related tasks (up from 15 per cent ); of that 33 per cent , 91 per cent used an iPad.^[6]

By mid-2012, one out of every three American lawyers surveyed used an Apple iPad in the practice of law. Suddenly significant amounts of information – including client’s confidential information – was in electronic form, accessed over the internet, and – perhaps most worryingly – was controlled by third parties who (gasp) were not lawyers. It was time to examine technology’s effect on the legal profession, and in particular confidentiality-related concerns that arose from lawyers’ increasing transmission and storage of electronic information.^[7]

Internationally, New South Wales was the leader of the pack. By mid-2012, the Ethics Committee of The Law Society of New South Wales in conjunction with the Office of the Legal Services Commissioner had published guidelines for solicitors about social media,^[8] outsourcing (offshoring)^[9] and cloud computing.^[10] But the guidelines remained merely guides and have never been adopted by the Law Society as professional conduct rules.^[11]

The American Bar Association quickly took the lead in the USA. By August 2012, Americans had recognised that technology’s effect on the legal profession had two critical components: (1) the confidentiality-related concerns identified in 2010, but also (2) lawyers’ competence. That month the American Bar Association amended its model rules of professional conduct to reflect those two critical components and to provide guidance regarding lawyers’ use of technology and confidentiality.^[12]

Confidentiality-related concerns

Confidentiality-related concerns were the subject of former American Bar Association rule 1.6:

‘(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by
paragraph (b).
(b) A lawyer may reveal information relating to the representation of a client to the extent the lawyer reasonably believes necessary:
(1) to prevent reasonably certain death or substantial bodily harm.
(2) to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer’s services.
(3) to prevent, mitigate or rectify substantial injury to the financial interests or property of another that is reasonably certain to result or has resulted from the client’s commission of a crime or fraud in furtherance of which the client has used the lawyer’s services.
(4) to secure legal advice about the lawyer’s compliance with these Rules.
(5) to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client, to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer’s representation of the client; or
(6) to comply with other law or a Court order’.

There is no exact equivalent in Australia.

Barristers, since the Legal Profession Uniform Law (NSW and Vic) started on

1 July 2015, are regulated on the same subject matter by rules 114-122 of the Legal Profession Uniform Conduct (Barristers) Rules 2015, of which rule 114 is the most pertinent:

‘114. A barrister must not disclose (except as compelled by law) or use in any way confidential information obtained by the barrister in the course of practice concerning any person to whom the barrister owes some duty or obligation to keep such information confidential unless or until:
(a) the information is later obtained by the barrister from another person who is not bound by the confidentiality owed by the barrister to the first person and who does not give the information confidentially to the barrister; or
(b) the person has consented to the barrister disclosing or using the information generally or on specific terms.’

Solicitors, under the Legal Profession Uniform Law (NSW and Vic), are regulated on the same subject matter by rules 9-11 of the Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015, of which rule 9 is the most pertinent:

‘9 CONFIDENTIALITY
9.1 A solicitor must not disclose any information which is confidential to a client and acquired by the solicitor during the client’s engagement to any person who is not:
9.1.1 a solicitor who is a partner, principal, director, or employee of the solicitor’s law practice; or
9.1.2 a barrister or an employee of, or person otherwise engaged by, the solicitor’s law practice or by an associated entity for the purposes of delivering or administering legal services in relation to the client,
EXCEPT as permitted in Rule 9.2.
9.2 A solicitor may disclose confidential client information if:
9.2.1 the client expressly or impliedly authorises disclosure.
9.2.2 the solicitor is permitted or is compelled by law to disclose;
9.2.3 the solicitor discloses the information in a confidential setting, for the sole purpose of obtaining advice in connection with the solicitor’s legal or ethical obligations;
9.2.4 the solicitor discloses the information for the sole purpose of avoiding the probable commission of a serious criminal offence.
9.2.5 the solicitor discloses the information for the purpose of preventing imminent serious physical harm to the client or to another person; or
9.2.6 the information is disclosed to the insurer of the solicitor, law practice or associated entity.’

Solicitors in Queensland under the Legal Profession Act 2007 (Qld) are regulated on the same subject matter by rules 9-11 of the Australian Solicitors Conduct Rules. Rule 9 is identical to rule 9 of the Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015 (NSW and Vic).

The American Bar Association’s August 2012 amendments added a paragraph at the end of rule 1.6 [emphasis added]:

‘(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.’

Subsequent commentary has focused on the words in bold. These form the basis of some pillars: (1) access to information, (2) disclosure of information, (3) inadvertence by the lawyer, and (4) conduct unauthorized by the lawyer.

Lawyers’ competence

Lawyers’ competence was the subject American Bar Association rule 1.1:

‘A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.’

Again there is no exact equivalent in Australia but, for barristers, the same subject is addressed by rule 4 Legal Profession Uniform Conduct (Barristers) Rules 2015:

‘4. These Rules are made in the belief that:
(a) barristers owe their paramount duty to the administration of justice;
(b) barristers must maintain high standards of professional conduct;
(c) barristers as specialist advocates in the administration of justice, must act honestly, fairly, skilfully and with competence and diligence;
(d) ... ‘

For solicitors, rule 4 Legal Profession Uniform Law Australian Solicitors’ Conduct Rules 2015 provides:

‘4 OTHER FUNDAMENTAL ETHICAL DUTIES
4.1 A solicitor must also:
4.1.1 act in the best interests of a client in any matter in which the solicitor represents the client.
4.1.2 ...
4.1.3 deliver legal services competently, diligently and as promptly as reasonably possible.
4.1.4 ... '

Solicitors Manual (formerly Riley Solicitors Manual) acknowledges the well-known proposition that part of the lawyer’s duty to be competent in the service of his or her client (and to the court) is to maintain currency with developments in the law, procedure, and professional rules.^[13] But neither the commentary, nor the authorities commented upon, mention technology.

The same omission afflicts the Code of Conduct 2011 published by the independent regulatory body of the Law Society of England and Wales, the Solicitors Regulation Authority – no mention of technology.^[14]

American Bar Association rule 1.1 includes eight paragraphs of explanatory commentary too long to set out in full^[15] except for paragraph 8; the August 2012 amendments added words that appear in bold:

‘Maintaining Competence
[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.’

Later commentary and the balance of the pillars of digital security spring from these terms.

The Canadian Bar Association’s 181-page Code of Professional Conduct contains a competency rule with a fleeting reference in its commentary to technology [sic]:^[16]

‘RULE
1. The lawyer owes the client a duty to be competent to perform any legal services undertaken on the client’s behalf.
...
COMMENTARIES
4. Competence involves more than an understanding of legal principles; it involves an adequate knowledge of the practice and procedures by which those principles can be effectively applied. To accomplish this, the lawyer should keep abreast of developments in all areas in which the lawyer practises. The lawyer should also develop and maintain a facility with advances in technology in areas in which the lawyer practises to maintain a level of competence that meets the standard reasonably expected of lawyers in similar practice circumstances.’

I wonder if that should read ‘... develop and maintain a familiarity with advances in technology ...’ Perhaps the circularity of reasoning made the draftsman dizzy.

Is there any reason to suppose that American lawyers are more ethical than the rest of us?

WHAT ARE THE PILLARS OF DIGITAL SECURITY?

My derivation of the pillars is based upon numerous discussions with many technologically literate lawyers (including judges) from Australia, Canada, Germany, Switzerland, the United Kingdom and the United States of America. It is also based upon many discussions with computer scientists (aka ‘IT guys’) from Australia, Canada, and the United States, who service the legal profession in their respective jurisdictions. I have endeavoured to consider a wide body of professional literature for the legal profession, some of it written by computer scientists and the balance by lawyers.

My formulation reflects, I believe, a consensus among those people and that material, and promotes a common understanding between the fields of law and computer science in a way that links:

1. key terms of the American model rules of professional conduct and their equivalent local regulations,

2. how computing devices work, and

3. how lawyers practise their profession.

The first tranche of pillars concerns access to information:

1. Locks limit access to information when you have temporarily parted possession deliberately.

2. Location tracking facilitates access to information when you have temporarily parted possession inadvertently.

The second tranche concerns use of information:

3. User authentication regulates the authorised disclosure of information,

4. Encryption prevents the unauthorised disclosure of information,

5. Data deletion prevents unauthorised and inadvertent disclosure of information,

6. Backup prevents inadvertent destruction of information, and

7. Pebkac prevents the ineffectual disclosure of information.^[17]

CONCLUSION

If laws of a particular jurisdiction regulate specific activity, then those laws may prevail over the pillars, at least to the extent of any inconsistency. But in the absence of such laws, the pillars fill any void. And the pillars may form a framework by which such laws can be sensibly interpreted and applied.

When it comes to technology in the practice of law, the best investment lawyers can make is in themselves: by undertaking training and education. Start by going to your favourite café with your tablet computer and an internet connection, sit back, relax, and take 10 minutes to read this magazine article: <https://tinyurl.com/cafemagazine>.

Philippe Doyle Gray is a barrister at 8 Wentworth Chambers in Sydney. He was the first lawyer in history practising outside North America to be appointed a councillor of the American Bar Association’s Law Practice Division, which is charged with responsibility for technology in the practice of law, and a position he still holds. He is also the only Australian ever to teach at the Division’s annual technology-in-law conference, TECHSHOW, held each March in Chicago. PHONE 02 9232 3953. EMAIL email@PhilippeDoyleGray.com.

This article is an extract of sections 3 and 4 of The pillars of digital security: How to ethically use technology in legal practice, first published in 2014 and now updated and available on Amazon. The full article examines each of the pillars in detail, with practical illustrations and recommendations along the way. It concludes with some thoughts on marshalling evidence for a court (or tribunal) charged with determining, after a complaint by a client, whether a lawyer is guilty of unethical conduct or negligence, and issues arising in such proceedings that need to be considered by an advocate.

^[1] E Svenson, Security analysis for lawyers: poor, to fairly cloudy (21 February 2013) available at <http://ernietheattorney.net/security-analysis-for-lawyers-poor-to-fairly-cloudy/> .

^[2] J Richardson, Over half of the most profitable law firms use iPhones (10 November 2009) available at <http://www.iphonejd.com/iphone_jd/2009/11/over-half-of-the-most-profitable-law-firms-use-iphones.html> .

^[3] Apple Inc., ‘iPad Available in US on April 3’ (Press Release, 5 March 2010) available at <https://www.apple.com/pr/library/2010/03/05iPad-Available-in-US-on-April-3.html>.

^[4] J Richardson, 2011 ABA Technology Survey suggests around 300,000 US lawyers use an iPhone, around 130,000 use an iPad (11 July 2011) available at <http://www.iphonejd.com/iphone_jd/2011/07/aba-technology-survey-reveals-increase-in-smartphone-use.html> .

^[5] J Richardson, AmLaw 2012 survey shows strong iPhone, iPad support at the most profitable law firms (20 November 2012) available at <http://www.iphonejd.com/iphone_jd/2012/11/amlaw-survey-2012.html> .

^[6] J Richardson, 2012 ABA Tech Survey reveals surge in lawyer iPhone, iPad use (20 July 2012) available at <http://www.iphonejd.com/iphone_jd/2012/07/2012-aba-tech-survey-reveals-surge-in-lawyer-iphone-ipad-use.html> .

^[7] American Bar Association Commission on Ethics 20/20 Working Group on the Implications of New Technologies, Client Confidentiality and Lawyers’ Use of Technology, Issues Paper, (20 September 2010) available at <http://www.americanbar.org/content/dam/aba/migrated/2011_build/ethics_2020/clientconfidentiality_issuespaper.pdf> .

^[8] C Kenny and T Gordon, ‘Social Media Issues for Legal Practice’ (April 2012) 50(4) NSW Law Society Journal pp66-68 available at <http://www.olsc.nsw.gov.au/Documents/lsj_social_media_april2012.pdf> .

^[9] C Kenny and T Gordon, ‘Outsourcing Issues for Legal Practice’' (May 2012) 50(5) NSW Law Society Journal p72-3 available at <http://www.olsc.nsw.gov.au/Documents/lsj_outsourcing_may2012.pdf> .

^[10] C Kenny and T Gordon, ’Cloud Computing Issues for Legal Practices’ (June 2012) 50(6) NSW Law Society Journal p78-9 available at <http://www.olsc.nsw.gov.au/Documents/cldcomputing_lsj_article_june_2012_kenny_gordon.pdf> .

^[11] ’Cloudy conditions at the NSW Law Society’ Justinian (22 January 2013) available at

<http://justinian.com.au/archive/cloudy-conditions-at-the-nsw-law-society.html> .

^[12] American Bar Association House of Delegates, Resolution 105A Revised as amended (Technology & Confidentiality) (6 August 2012) available at <http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120808_revised_resolution_105a_as_amended.authcheckdam.pdf> .

^[13] G E Dal Pont, LexisNexis, Solicitors Manual (formerly Riley Solicitors Manual), (updated to service 54) at [29,160].

^[14] Solicitors Regulation Authority Code of Conduct 2011 available at <http://www.sra.org.uk/solicitors/handbook/code/content.page> .

^[15] You can access all 8 paragraphs at <http://www.americanbar.org/groups/professional_responsibility/publications/model_rules_of_professional_conduct/rule_1_1_competence/comment_on_rule_1_1.html> .

^[16] Code of Professional Conduct available at <http://www.cba.org/cba/activities/code/> .

^[17] Pebkac is an acronym for ‘problem exists between keyboard and chair’, which describes what is also commonly referred to as ‘operator error’.