Ethics Corner Article

Dear Ethics Committee,

With virtual meetings replacing in-person meetings in my practice, what ethical obligations should I be thinking about?

Answer:

The duties to keep in mind are competence and confidentiality.  With respect to virtual meeting technology, we must maintain a generalist’s knowledge of the available technological platforms.  When we rely on one of these platforms, we must make reasonable efforts to learn how to use it properly and to understand the risks associated with using that platform.  In addition, each time we use any technology, we must assess whether that particular use is reasonable under the circumstances.  So for example, for certain legal meetings a standard business platform may be appropriate, such as Zoom, Skype, TeamViewer, GoToMeeting, or Google Meet.  Other meetings may require end-to-end encryption, which may be available through platforms such as WebEx Meetings, Google Duo, Microsoft Teams, Signal, WhatsApp, or FaceTime.    Practitioners may make the decision to restrict all confidential client communications to end-to-end encrypted enterprise platforms.

Rule 1.1 – Competence

Competent representation of clients includes keeping up with technological developments and understanding the benefits and risks of each technology we rely on in our practice.  NHRPC Rule 1.1, Ethics Committee Comment.  See also id., ABA Comment [8].

Rule 1.6 – Maintaining Client Confidentiality

We must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”  NHRPC Rule 1.6 (c).  What constitutes a reasonable effort is not static, but depends on the circumstances.  ABA comments adopted as commentary on the New Hampshire Rules of Professional Conduct offer the following guidance.

Reasonable efforts when evaluating use of a communication technology platform may include:

  • Understanding the nature and existence of any threat to maintaining confidentiality during the virtual communication;
  • Determining how virtual communications about client matters should be protected;
  • Conducting due diligence of a vendor providing communication technology, including their relevant experience and reputation;
  • Reviewing and understanding the vendor’s terms of use and of any agreements concerning the protection of client information, including the legal and the ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality;
  • Understanding how client confidential information is shared in the virtual communication, how it will be transmitted and how and where it will stored;
  • Understanding and using the security measures available in the selected virtual platform;
  • Understanding how to label stored client confidential information arising from a virtual meeting;
  • Training lawyers and non-lawyer assistants in virtual communication technology and information security;
  • Identifying the likelihood of disclosure if appropriate safeguards are not employed in a virtual meeting;
  • Identifying the cost of employing appropriate safeguards in a virtual meeting;
  • Identifying the difficulty of implementing the safeguards in a virtual meeting; and
  • Identifying which safeguards may adversely affect the lawyer’s ability to the represent client.

 

See ABA Comments [18] and [19] to Rule 1.6 and ABA Comment [3] to Rule 5.3 (discussing “reasonable efforts” factors); see also ABA Formal Opinion 17-477R (discussing factors to use in determining whether use of a given medium for electronic communications is reasonable).

You will also want to consider the risk of waiver of the attorney-client privilege, and, where applicable, of work product protection, as well as your obligation to comply with laws which govern data privacy and impose notification requirements where electronic information has been compromised. See, e.g., N.H. Rev. Stat. §§ 359-C:19, 359-C:20, 359-C:21 (imposing duty to notify following a breach of personal information).

Bear in mind that if you permit recording of a virtual meeting, you are “responsible for reasonably ensuring adequate protection of client confidences in data held or stored by others, including, e.g., offsite storage and ‘cloud’ storage.”  NHRPC Rule 1.6, Ethics Committee Comment.

Rule 5.3 – Responsibilities Regarding Non-lawyer Assistants

While you can never outsource (nor delegate) any duty arising under the RPCs, you may, consistent with those duties, assess where it is reasonable to rely on the expertise of a third party.

Practical Considerations:

  • An attorney must understand, and, where appropriate, use firewalls, virus and spyware programs, operating systems updates, software and applications updates, strong passwords and multifactor authentication, encryption, and virtual private networks. If you are working from home on a laptop, your greatest security vulnerability may arise not from using a particular virtual meeting platform, but from operating outside the protection of your firm’s cybersecurity environment.
  • Software vulnerabilities exist in all applications. The process of identifying them, patching them, and updating them is an inherent part of the lifecycle of any application. Get into the habit of manually checking that you are up-to-date with patches and updates every day, even if you are using the auto-updating feature for your operating system and applications.
  • Competence requires credibility: when presenting yourself as a professional on camera, bear in mind the basics – background, lighting, sound environment, eye contact level with your camera and sufficient bandwidth to avoid freezing.  Be chastened by the stumbles of others, from blinding back-lighting and incessantly barking dogs to broadcasts of inappropriate attire or conduct.  Our reputations are our greatest uninsured assets!
  • Understand your platform’s settings and controls. If you have not dry-run a platform or feature you have not previously used, to ensure that it performs as you expect, you cannot reasonably be said to understand how to use it. If you were alone on the platform when you tried out a feature, you cannot reasonably be said to have dry-run it.  Consider whether a particular meeting warrants including a staff person focused exclusively on managing the technology and if so whether that person ought to be a neutral.
  • To take a common example, on Zoom, consider: Enabling Meeting Passwords and Lobby with Approval and Disabling Join Before Host, Guest Chat, Non-Host Screen Sharing, AutoSaving Chats, File Transfer, Remote Control, and Annotations, and locking the Zoom room when the desired attendees have joined.
  • While virtual conferencing platforms typically provide for host-controlled recording, any participant can surreptitiously record any meeting using third-party software, including screen-shared images and chat. Consider whether screen-sharing documents is reasonable under your circumstances or whether another method, such as secure encrypted email, is more appropriate to share documents.  The same applies for sidebar text communications like chat.
  • Virtual meetings such as depositions and alternative dispute resolution sessions may warrant an agreement in writing specifying the platform as well as any ground rules relating to the use of the technology.

Conclusion:

We must make reasonable efforts to stay abreast of technological developments and understand the risks associated with, and learn how to properly use, any technology we rely on in our practice. We must assess whether each particular use of technology is reasonable under the circumstances.