Originally published 8 June 2016 in ACCDocket.com

New York will soon join 21 other states in adopting new ethics rules regarding lawyers' obligations to protect their clients' confidential information. The new rules, based on 2012 changes to Rule 1.6(c) and Comment 18 to Rule 1.6 of the ABA's Model Rules of Professional Conduct, are intended to address the dangers posed by modern information technology. They require lawyers to use "reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to" clients' confidential information.[1]

The adoption of these new rules comes at a time when law firms' practices with respect to storing and communicating confidential information have come under increased scrutiny. In recent months, stories about the "Panama Papers" leaks at Mossack Fonseca and the system breaches at major US firms like Cravath and Weil Gotshal have made front-page headlines.

Since these new rules are intended to benefit clients by requiring lawyers and firms to adopt better ways of handling hot-button issues like insider leaks, system hacks, and misdirected emails, corporate counsel will want to know how outside counsel will actually improve their current approach to confidentiality. During the development of my company's software application, ReplyToSome, my colleagues and I investigated how law firms use email and protect clients' confidential information from accidental disclosure. In this article, I will focus on the email protections clients might expect of their law firms, though many of the points will apply more broadly.

Some outside firms might not read the rule changes as requiring anything new, and a cursory reading of the rules might support their view. Since 2002, the Comments to Rule 1.6 of the ABA Model Rules have stated that lawyers have an obligation to take "reasonable precautions" to prevent inadvertent disclosure over email.[2] Many states have already adopted this language in the comments to their own rules of professional conduct. Is there any difference between the earlier "reasonable precaution" language and the new "reasonable efforts" language?

In fact, the new language being adopted in New York and other states requires lawyers to take a more proactive and individuated approach to confidentiality. The language passed in 2002 did not make an effort to define what constitutes a "reasonable precaution", except to say that lawyers are not required to adopt "special security measures" (such as encryption) unless "special circumstances" warrant them. This older language did go on to say that lawyers should adopt any additional security measures expressly required by a client.

The new rules recently adopted by New York and other states, by contrast, provide more guidance about what factors a lawyer should consider when determining the appropriate confidentiality safeguards for a given matter. Comment 18 to Rule 1.6 charges lawyers with considering "the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use)."[3] Further, recent ethics opinions from both the ABA and state bar associations urge lawyers to consider not only the likelihood of their own slip-ups, but the probability that a particular practice will cause their clients to inadvertently expose confidential information.[4] Thus, ethical standards increasingly require lawyers to be proactive and give individualized attention to the risks attending each engagement.

Having external counsel adopt a more proactive and individuated approach can provide greater protection to clients without incentivizing unnecessary and burdensome "CYA" measures.But corporate counsel should not take it for granted that their external lawyers will automatically become more reflective about their long-standing habits regarding email communication. There are certain steps corporate counsel can take at the beginning of engagements to ensure that they will get the confidentiality protections most appropriate to their needs:

1. Tell external counsel what information is sensitive. The Comments to ABA Model Rule 1.6 and most state rules require lawyers to take into account the sensitivity of information in determining what safeguards are appropriate. Experienced external counsel, especially if they have previous exposure to your industry or company, should have a sense of what information is particularly sensitive. However, even the most experienced lawyers might not be aware that a certain piece of information could reveal an important trade secret or piece of corporate strategy. To get the best performance from external counsel, put them on notice from the beginning.
2. Have a frank discussion about staffing. External lawyers know that in-house counsel want lean, efficient teams working on their matters. This can lead to a concern about "optics" and a desire by external lawyers to minimize the visibility of peripheral members of their teams. And excluding peripheral team members from emails, or using BCC or group lists, is one of the primary ways of maintaining optics. Unfortunately, it is often lawyers peripheral to matters who are the most likely to make mistakes regarding confidential communications and documents, since they are less attuned to the relationships between the various parties involved. External counsel should be actively thinking about how to keep their more peripheral colleagues in the loop without either running up the bill or creating opportunities for mistakes.
3. Ask what safeguards are available and what they recommend. Firms increasingly offer a menu of options to secure communications, ranging from conducting messaging through secure data rooms to deploying security add-ins to their existing email software. However, not all partners are equally attuned to these options. A simple question from a client about what's available can ensure that you are getting the full benefit of the firm's existing resources.

The new confidentiality rules provide an opportunity for law firms to reassure clients that their information and communications are safe. But the rules ultimately rely on lawyers' judgment, and for reassurance to be real comfort, corporate counsel should take their own proactive steps to open outside counsel's judgments to scrutiny.

[1] The new rules were approved by the New York State Bar Association and sent to the state's Appellate Division for formal enactment. The Appellate Division closed its public comment period on June 1, 2015. See John W. McConnell, Request for Public Comment on Proposed Amendments to the New York Rules of Professional Conduct (22 NYCRR Part 1200), available at http://www.nycourts.gov/rules/comments/PDF/ProfConduct.pdf (last visited 30 May 2016).

[2] See American Bar Association Ethics 2000 Commission, Report on the Model Rules of Professional Conduct, available athttp://www.americanbar.org/groups/professional_responsibility/policy/ethics_2000_commission/e2k_report_home.html (last visited 30 May 2016).

[3] See Comment 18 to Rule 1.6, ABA Model Rules of Professional Conduct.

[4] See, ABA Formal Opinion 11-459 (issued in 2011) (arguing that lawyers should inform clients of the risks associated with using their employer-provided email addresses when getting legal advice) and New York Professional Ethics Opinion 1076 (issued in 2015) (advising against lawyers blind carbon copying their clients on emails to opposing counsel because clients might inadvertently reply all to the email and expose confidential information).