When the American Bar Association trotted out its model rules of professional conduct in 1983, the world, for the most part, was still one of the pencils, paper, and typewriters.
Accordingly, Rule 1.6(c)—spelling out lawyer obligations to keep client information confidential—didn’t contemplate developments such as the Internet, mobile devices, and cloud computing.
Neither did it contemplate things like data breaches and cyberterrorism, which are now facts of life.
Even though none of that was on the ABA’s radar in 1983, Rule 1.6(c) is just as valid now. Indeed, four years ago, the ABA issued Formal Opinion 483 to reaffirm and enlarge the rule’s requirements.
In a nutshell, the rule and the opinion say you’re screwed if you fail to take reasonable steps [emphasis mine] to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Sensitivity of the Information
Let’s circle back to those words “reasonable steps.” I bolded them for a reason.
The big question they raise is what qualifies as reasonable steps?
Per the ABA, one of the major factors that disciplinary bodies can use in determining whether the steps you took to safeguard data were reasonable is the sensitivity of the information. The greater the sensitivity, the bigger the steps you’re expected to make.
Of all the information in your possession, the most sensitive is the personally identifiable stuff: client names, addresses, Social Security numbers, financial and health records, employment histories, and the like.
Because you collected this highest-sensitivity data, you’ll need to show that you tried really, really hard to prevent theft or loss in the event theft or loss occurs.
Likelihood of Disclosure
Another major factor the ABA says should affect a determination of reasonableness is the likelihood of disclosure if additional safeguards are not employed.
ABA cyber statistics show that 29% of all law firms have had a data breach. What does this tell you? It tells you that among this, 29% of all law firms are some that have implemented safeguards and some that have not.
It also tells you that if a data breach has affected nearly one in three law firms despite some of them using security safeguards, then the ones NOT using additional safeguards must be running a sky-high risk of breach.
Therefore, firms with no additional safeguards have failed to take reasonable steps to prevent disclosure. Is this you?
Cost and Difficulty of Procurement
Yet another significant factor the ABA cites in its list of reasonableness-gauging criteria is the cost of additional safeguards and/or the trouble you have to go through to procure them.
A lot of solo and small-firm lawyers try to wriggle free of Rule 1.6(c) reasonableness hook by asserting that it’s just too darn expensive to obtain sufficient protection—and, besides, it’s a huge hassle because the only way to lay hands on good protection is piecemeal from many different vendors.
In other words, only large firms have the resources to track down and afford adequate additional safeguards.
Well, apologies to you, solo and small-firm lawyers, who plan to raise this argument. I’m about to shoot holes in it. Big ones.
As you may know, I’m the creator of a sweeping suite of best-of-class cyber security safeguards called BobaGuard. It offers in a single package the same comprehensive set of protection tools utilized by the largest law firms, and—get this—it costs just $80 a month per user.
Eighty bucks. That’s the very embodiment of Rule 1.6(c) reasonableness because anyone can afford to pay that.
Therefore, owing to the existence of BobaGuard, you likely won’t be able to excuse your duty to take reasonable safeguarding steps by claiming prohibitive costs and/or procurement headaches.
Difficulty of Use
One other reasonableness-determination factor worthy of mention is the degree of difficulty involved in setting up and using the additional security measures you’ve chosen.
The idea here is that you can’t be held to the Rule 1.6(c) standard of care if the only available safeguards are beyond your level of technical know-how.
However, BobaGuard requires no special skills to put into action. Almost all the set-up work is done for you by my team of tech wizards during a one-hour Zoom call (your involvement is mostly limited to answering questions the team asks and striking the occasional key command when prompted).
As for use, BobaGuard does its thing in the background, so you never really need to give it a second thought. Meanwhile, my team continually monitors everything BobaGuard does and keeps it fully up to date.
Taken as a whole, BobaGuard is the most reasonable way to fulfill your ABA Model Rule 1.6(c) duty to protect confidential client data.
Exactly what is BobaGuard, you ask? It’s a turnkey cybersecurity suite that protects credentials, secures and updates computers, monitors identities, trains staff, backs up 365/Google Workspace data, and more. There’s nothing like it. Try BobaGuard and see—cancel anytime if you can find a more reasonable step for comprehensive protection under Model Rule 1.6(c).