CBA Record April-May 2018

LEGAL ETHICS

John Levin’s Ethics columns, which are published in each CBA Record, are now in-

dexed and available online. For more, go to http://johnlevin.info/ legalethics/. ETHICS QUESTIONS? The CBA’s Professional Responsibility Commit- tee can help. Submit hypothetical questions to Loretta Wells, CBA Government Affairs Direc- tor, by fax 312/554-2054 or e-mail lwells@ chicagobar.org. The formal opinions and the on-line commentaries do not give hard and fast rules to follow in protecting client informa- tion. Most refer, in one way or another, to the comments to Rule 1.6, which lays out the following non-exclusive factors to use in making a determination of what efforts to take in protecting client information: 1. The sensitivity of the information; 2. The likelihood of disclosure if additional safeguards are not employed; 3. The cost of employing additional safe- guards; 4. The difficulty of implementing the safeguards; and 5. The extent to which the safeguards adversely affect the attorney’s ability to represent clients (e.g., by making a device or software excessively difficult to use). Thus, what protections are necessary for any particular item of client information must be made on a case-by-case basis. And this determination must be made in a world in which not only individual hackers but also government spy agencies are trolling for information. Previous issues of this column have sug- gested that highly sensitive client informa- tion is best left locked in your files and not carried around or transmitted in digital form. Nothing has happened to change this advice. must inform affected clients about such disclosures.

BY JOHN LEVIN Securing Client Information–Further Developments

I n the November 2017 issue of the CBA Record, this column discussed ABA Formal Opinion 477R–“Securing Communication of Protected Client Infor- mation”–in the context of my then recent trip to Russia. The bottom line was that lawyers need to take reasonable measures to prevent unauthorized access to client information–in my case when traveling to a country where border guards routinely inspect electronic devices and spyware is prevalent. The Opinion did not specify security requirements, but outlined those factors a lawyer should consider in making a “reasonable efforts determination.” Apparently, I had stumbled onto a hot topic. A cursory internet search reveals numerous articles, law firm publications and technical blogs discussing this subject. Dis- cussions include narratives on the Opinion, recommendations that all client communi- cations be encrypted and recommendations that sensitive information be kept off the internet and in non-digital form. On the regulatory front, the SEC has issued an interpretive guidance, effec- tive February 26, 2018, to assist public companies in preparing disclosures about cybersecurity risks and incidents. The guidance promotes increased public disclosure and discussion of how these matters impact SEC reporting companies. Of greater applicability to lawyers is Formal Opinion 2017-5 of the New York City Bar. This Opinion is concerned with the fact that when a person crosses the John Levin is the retired Assis- tant General Counsel of GATX Corporation and a member of the CBARecord Editorial Board.

U.S. border, the border authorities have the legal right to search the electronic data contained on that person’s devices. What are the ethical responsibilities of a lawyer whose computer contains confidential client information? The Opinion advises: Before crossing the U.S. border, an attorney must make reason- able efforts to protect against the disclosure of clients’ confidential information in response to a demand by border agents. Because “reason- able efforts” depend on the circum- stances, no particular safeguards are invariably required. However, attor- neys should generally (i) evaluate the risks of traveling with confidential information and (ii) consider what safeguards to implement to avoid or reduce the risk that confidential information will be accessed or dis- closed in the event of a search. At the border, if government agents seek to search the attorney’s electronic device pursuant to a claim of lawful authority, and the device contains clients’ confidential information, the attorney may not comply until first making reasonable efforts to assert the attorney-client privilege and to otherwise avert or limit the disclosure of confidential informa- tion, e.g., by asking to speak to a superior officer. To add credence to the claim of attorney-client privilege, an attorney should carry attorney identification and be familiar with the customs agency’s policies or guidelines regarding searches of privileged information. Finally, if the attorney discloses clients’ confi- dential information to a third party during a border search, the attorney

52 APRIL/MAY 2018