On April 10, 2020, the Pennsylvania Bar Association (“PBA”) Committee on Legal Ethics and Professional Responsibility issued Formal Opinion 2020-300, which outlines the ethical obligations for lawyers working remotely. Lawyers must be particularly mindful of the ethical obligations identified in the Opinion in light of the shift to remote work necessitated by the COVID-19 pandemic. Although Opinion 2020-300 only applies to Pennsylvania attorneys, attorneys licensed in all jurisdictions should heed the guidance and best practices identified in the Opinion.
The PBA issued Opinion 2020-300 following a number of questions received from attorneys, primarily involving the use of technology (e.g., email, cell phones, text messages, remote access, cloud computing, video chatting, and teleconferencing). Accordingly, technology issues feature prominently throughout the Opinion.
In the Opinion, the PBA focused on the intersection of the recent shift to remote work throughout the legal industry and the ethical obligations set forth in Pennsylvania Rules of Professional Conduct (“RPC”) 1.1 (Competence), 1.6 (Confidentiality), 5.1 (Responsibilities of Supervising Lawyers), and 5.3 (Responsibilities Regarding Non-Lawyer Assistance).
As to RPC 1.1, the PBA stated that a “lawyer’s duty to provide competent representation includes the obligation to understand the risks and benefits of technology,” which in turn “includes the obligation to understand or take reasonable measures to use appropriate technology to protect the confidentiality of communications in both physical and electronic form.” (Opinion, at 3). In that regard, “attorneys must evaluate, obtain, and utilize the technology necessary to assure that their communications remain confidential.”
With respect to RPC 1.6, the PBA affirmed that an “attorney working from home or another remote location is under the same obligations to maintain client confidentiality as is the attorney when working within a traditional physical office.” (Opinion, at 4). Citing to comments to RPC 1.6, the PBA affirmed that “an attorney’s duty to understand the risks and benefits of technology” includes the obligation to safeguard client information against unauthorized access or disclosure. In that regard, while working from home, a lawyer must “make reasonable efforts to ensure” that other members of the household or any visitors thereto cannot access client materials or communications.
The PBA also briefly summarized RPC 5.1 and RPC 5.3, stating that “a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm must make reasonable efforts to ensure that the firm has in effect requirements that any staff, consultants or other entities that have or may have access to confidential client information or data comply with” the RPCs “with regard to data access from remote locations and that any discussions regarding client-related matters are done confidentially.” (Opinion, at 7).
Finally, the PBA provided some “best practices” for remote work. Although directed to Pennsylvania attorneys, these best practices can be adapted to practices in other jurisdictions — such as New Jersey — as well. Some “best practices” identified by the PBA in Opinion 2020-300 are:
- Attorneys should ensure that all forms of confidential communications (including phone calls, emails, and video conferencing) remain confidential. Be sure to create a private area to communicate privately with clients, and confirm that no one (including smart devices like Amazon’s Alexa) can hear or see those communications. In the context of email, this may require the use of encryption.
- When determining whether “reasonable efforts to ensure” confidentiality of client information have been made, an attorney should consider the facts of the particular circumstances, such as the sensitivity of the information, “the likelihood of disclosure if additional safeguards are not employed,” and whether additional safeguards would be too difficult to implement, would be too costly, or would adversely affect the attorney’s ability to represent clients. This analysis, again, may require the use of encryption, or might even “require avoiding the use of electronic methods or any technology to communicate with the client altogether[.]” (Opinion, at 10). Attorneys should also consider whether their clients have imposed obligations concerning protection of their confidential information in addition to those imposed by the RPCs.
- Attorneys should avoid using public internet or free Wi-Fi in performing work for clients or transmitting confidential or sensitive information, and should instead use a Virtual Private Network (VPN).
- As in-person depositions and court appearances have been replaced with Zoom meetings and other forms of teleconferencing, attorneys should be mindful of whether those conferences are secure. Meetings should not be public, but rather should require a password and a link sent directly to meeting participants.
- Attorneys working from home offices should ensure their computers have up-to-date antivirus software, avoid websites that could potentially corrupt their systems, and not use USBs or flash drives from unknown sources.
In sum, in these unprecedented times, while navigating the new work-from-home environment, attorneys should not overlook the need to ensure that they are still mindful of their ethical obligations to their clients.