Evolving Views on How to View Security

Taking a hypothetical approach

♫ Further on up the road baby,
things gonna change...

— Music and lyrics by J.L. Hooker, C. Thompson, C. Santana;
recorded by Santana.

The State Bar of California’s Committee on Professional Responsibility and Conduct has just issued Formal Opinion No. 16-0002. It looked at a lawyer’s ethical obligations with respect to unauthorized access by third persons to electronically stored client confidential information in the lawyer’s possession. In some ways it parallels what is set forth in s. 10-4 Security of Records of the Rules of the Law Society. What is illustrative is that “the Committee adopted an approach that posed questions lawyers should consider in order to comply with the duties of competency and confidentiality. In light of ever-changing technology, the Committee concludes that an on-going engagement with that evolving technology, in the form of security issues to consider and re-consider, was preferable to a ‘bright line’ or ‘categorical approach.’”

The Committee looked at four hypothetical scenarios: an attorney’s laptop is stolen; an attorney’s smartphone is left in a restaurant overnight; a firm is infected by ransomware; and a lawyer’s laptop is accessed while the lawyer is using an unsecured public Wi-Fi network. For each scenario, the Committee looked at the factors to consider.

The requirement to make reasonable efforts to protect client information from unauthorized disclosure or destruction was affirmed. California went further, however, and stated that: “Given the obligation to preserve client confidences, secrets and propriety information, it is appropriate to assume that reasonable clients would want to be notified if any of that information was acquired or reasonably suspected of being acquired by unauthorized persons.” In BC, we have an obligation to notify the Executive Director of the Law Society, but the Rules and Code are silent on the duty to notify a client if the firm lost control or custody of any of the lawyer’s records [10-4 (a)] or if anyone had improperly accessed or copied any records [10-4 (b)].

California also affirmed American Bar Association Formal Opinion 18-483, which holds: “lawyers with managerial authority within a law firm must make a reasonable effort to establish internal policies and procedures designed to protect confidential client information from the risk of inadvertent disclosure and data breaches as the result of technology use, which includes monitoring the use of technology and office resources connected to the Internet and external data sources.” They also held that a law firm should: “consider preparing a data breach response plan so that all stakeholders know how to respond when a breach occurs.”

This opinion, I believe, foreshadows what could be eventually adopted in other jurisdictions. Prudent firms may wish to examine the formal opinion with a view to revamping their policies and procedures to reflect this evolving thinking because further up the road, I believe, the thinking is gonna change.