ABA Ethics Opinion: Trade-Secrets Lawyers Need to Encrypt Emails

By definition, lawyers working on trade-secrets issues, whether in litigation or otherwise, have access to their clients’ most confidential information. And, of course, these lawyers routinely communicate with clients via email, including about the trade secrets. Sometimes, even the trade secrets themselves are exchanged via email.

This raises ethical issues. Recently, the ABA Committee on Ethics and Professional Responsibility issued a formal opinion addressing lawyers’ ethical obligations when transmitting confidential client information. The opinion can be downloaded here.

All lawyers who deal with trade-secrets issues should read the opinion. But here are some highlights:

The opinion recognizes that law firms are hacking targets because:

(1) they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client, and (2) the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.

It then discusses applicable ethical rules, concluding that “lawyers must exercise reasonable efforts when using technology in communicating about client matters.” So what are reasonable efforts?

What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.

The opinion specifically mentions lawyers who deal with trade secrets, since those matters “may present a higher risk of data theft.” The fact-based analysis is often relatively simple in trade secrets cases: if you are transmitting your client’s trade secrets or related information, you may need to use “particularly strong protective measures”:

A fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances. Model Rule 1.4 may require a lawyer to discuss security safeguards with clients. Under certain circumstances, the lawyer may need to obtain informed consent from the client regarding whether to use enhanced security measures, the costs involved, and the impact of those costs on the expense of the representation where nonstandard and not easily available or affordable security methods may be required or requested by the client. Reasonable efforts, as it pertains to certain highly sensitive information, might require avoiding the use of electronic methods or any technology to communicate with the client altogether, just as it warranted avoiding the use of the telephone, fax and mail in Formal Opinion 99-413.

There is a simple takeaway for all trade-secrets lawyers: think very carefully about how you are transmitting confidential client info. This requires an open dialogue with the client. You need to figure out how you will be protecting this data while in transit (and at rest, but that’s a separate issue). At my firm, we have the capacity to encrypt individual emails on-demand, which can allow for secure transmission of sensitive data.

But this sensitive data isn’t only shared with clients. Often, it will need to be produced in litigation. Lawyers spend a lot of time negotiating protective/confidentiality orders with attorney’s eyes only (AEO) protections. But don’t forget to securely transmit AEO documents to the other side. For example, my firm uses a secure/encrypted document sharing platform.

Trade-secrets cases often move fast. But this ABA opinion shows that regardless of how intense the litigation becomes, lawyers must be cognizant of their obligations to protect clients’ confidential information.

The Cybersecurity Article that Every Executive Should Read Immediately

I love this article, titled Why America’s Current Approach to Cybersecurity Is So Dangerous. It should be required reading for all executives at companies at risk of a cyber attack — in other words, all companies. While the whole article is great, its core message can be reduced to a single sentence: People, not technology, are the key to reducing the risk of cyberattacks. I could not agree more, as I’ve written about before. Every company needs to ask: what can we do to create a culture of protection?

The article starts by identifying the problem:

We should be concerned that, as a society, our minds go mushy when it comes to “digital literacy,” “information security,” “online safety,” or whichever name we choose. In fact, that mushiness is a major reason why America’s current approach to cybersecurity is so dangerous. We’re ignoring the behaviors of the overwhelming majority of actual users, and therefore leaving the largest attack surface undefended. . . . To the extent we are all part of the contest in cyberspace, we’re essentially deploying our troops without armor, our submarines without sonar.

And as a result, “cybersecurity has transformed what is actually a ‘people problem with a technology component’ into its exact opposite.” Yes! Technology is not a panacea for preventing cyber attacks. Technology can’t protect your company’s biggest vulnerability: the people working there. “Until we embrace a vision of public cybersecurity that sees all people, at all ranges of skill, as essential to our collective security, there will be no widespread cybersecurity.” The same goes with your company. You can spend millions or more on tech-based protections, but if you ignore the human risk, your security is virtually certain to fail. And of course, if you are at risk of a cyberattack, you are at risk of trade-secret theft.

The article finishes with a great analogy between cybersecurity and public health:

We need to get better to increase our herd immunity against botnets. We need to see that cybersecurity—like all aspects of safety, security, and resilience—is a shared responsibility. Better devices and apps won’t save us, since there are myriad other ways that individuals—even highly trained ones—become the weak link allowing bad guys to access personal, corporate, and government information assets. And almost all efforts at online safety, while well-meaning, are so poorly designed as to preclude knowing whether they work. It’s not magic: As with health or safety education, we need to start with basic steps and repeatable behaviors—like hand-washing or looking both ways before crossing.

This is the key. In a mature organization that has fully embraced and achieved a culture of protection, the employees will treat cybersecurity as second nature. Good habits will have become routine. Unfortunately, I have yet to encounter a company that has reached this point. For a variety of reasons—dependence on technology first among them—just about all employees have a host of bad habits that put the company at risk.

Creating this culture is not easy. To the contrary, it will require repeated, sustained effort, initiated and supported from the very top of the organization down, over a long period of time. Nor will it guarantee that all cyberattacks will be thwarted. But I see no viable alternative. Any company that has not made employee-level protection a top priority is virtually certain to suffer repeated cyberattacks.
