As the COVID-19 pandemic has forced many attorneys and their staffs to work from home for the first time, the Pennsylvania Bar Association has issued an ethics opinion intended to provide guidance now and into the future on working from home and other remote locations.
The opinion, by the bar’s Legal Ethics & Professional Responsibility Committee, also addresses the duty of technological competence and its implications for attorneys and staff when working remotely.
When Pennsylvania Gov. Tom Wolf ordered the closure of all non-essential businesses, including law firms, many attorneys were not prepared to work remotely, and many questions arose concerning their ethical obligations, the opinion says.
The overarching ethical responsibility when working remotely, the opinion says, is that attorneys and staff “must consider the security and confidentiality of their client data, including the need to protect computer systems and physical files, and to ensure that telephone and other conversations and communications remain privileged.”
The opinion affirms prior Pennsylvania opinions holding that it is ethical for attorneys to allow client confidential material to be stored in the cloud and that an attorney may maintain a virtual law office in Pennsylvania, provided appropriate safeguards are taken.
The opinion also adopts Formal Opinion 477R issued in 2017 by the American Bar Association holding that a lawyer may transmit client information over the internet provided the lawyer takes reasonable efforts to prevent inadvertent or unauthorized access, including, when appropriate, the use of email encryption.
With regard to the duty of technological competence, the opinion says that it requires attorneys to understand the risks and benefits of technology as it relates to the specifics of their practice, such as engaging in electronic discovery.
But the duty also goes further than that, the opinion says.
“This also requires attorneys to understand the general risks and benefits of technology, including the electronic transmission of confidential and sensitive data, and cybersecurity, and to take reasonable precautions to comply with this duty.”
If attorneys lack the requisite knowledge and skill to implement technological safeguards, then they should consult with staff or other entities capable of providing the appropriate guidance.
At a minimum, the opinion says, when working from home or remotely, attorneys and their staff have an ethical obligation to take reasonable precautions to assure that:
- All communications, including telephone calls, text messages, email, and video conferencing, are conducted in a manner that minimizes the risk of inadvertent disclosure of confidential information.
- Information transmitted through the internet is done in a manner that ensures the confidentiality of client communications and other sensitive data.
- Remote workspaces are designed to prevent the disclosure of confidential information in both paper and electronic form.
- Proper procedures are used to secure and backup confidential data stored on electronic devices and in the cloud.
- Remotely working staff are educated about and have the resources to make their work compliant with the Rules of Professional Conduct.
- Appropriate forms of data security are used.
The opinion discusses some of the unique issues that working from home presents. For example, it cautions against speaking with clients when smart devices such as Amazon’s Alexa and Google’s voice assistants are present, or even when others in your home can overhear you.
Among the opinion’s recommendations for ensuring client confidentiality:
- Avoid using public Wi-Fi hotspots.
- Use a virtual private network.
- Use two-factor or multi-factor authentication.
- Use strong passwords to protect data and devices.
- Ensure that video conferences are secure.
- Backup data stored remotely.
Notably, the opinion also urges lawyers to be cognizant of their obligation to act with civility and to treat the courts and their adversaries with courtesy and respect.
“[W]orking from home has become the new normal, forcing law offices to transform themselves into a remote workforce overnight,” the opinion concludes. “As a result, attorneys must be particularly cognizant of how they and their staff work remotely, how they access data, and how they prevent computer viruses and other cybersecurity risks.”