by Toby Rothschild
In this time of quarantine and sheltering-in-place, law offices are finding new ways to continue their practices remotely. Lawyers have long worked from outside the office, whether at home, in the courthouse, or other remote locations. Most gave little thought to the ethical issues this might raise. Now that almost all staff is working from home, it is important to take a new look at the ethical issues that arise from remote practice.
The starting point for this analysis is that the rules don’t change. Except for limited services in case of an emergency, the California Rules of Professional Conduct (CRPC) and the State Bar Act (Business and Professions Code sections 6000-6243) have no exceptions or special provisions for pandemics, natural disasters, or other disruptions of the normal order. This article will address the obligations of lawyers and their staff not just during this crisis but at any future time they may need to perform law firm-related and client-related activities from home or other remote locations. Among the CRPC provisions that should be examined in a remote work setting are rules 1.1 (Competence), 1.4 (Communication with Clients), 1.6 (Confidential Information of a Client), 1.7 (Conflicts of Interest: Current Clients), 1.9 (Duties to Former Clients), 1.18 (Duties to Prospective Client), 5.1 (Responsibilities of Managerial and Supervisory Lawyers), and 5.3 (Responsibilities Regarding Nonlawyer Assistants).
Remote work creates several circumstances in which a person may violate these rules inadvertently. To prevent this, law firms should have a clear remote working policy with specific protocols for protecting client confidentiality and satisfying other ethical requirements. As far as possible, managers and supervisors should ensure that staff working remotely are doing so with secure equipment and offer practical guidance on adherence to the protocols. CRPC rules 5.1 and 5.3 require managers and supervisors to assure that the firm’s lawyers and staff are trained and follow the ethical rules. To demonstrate compliance with these obligations, employees working remotely could sign an acknowledgment that they have received and understand the policy.
The primary, but by no means the only, issue is confidentiality. Business & Professions Code section 6068(e)(1) requires members “[t]o maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client.” CPRC rule 6.1 reinforces this mandate by requiring that information protected by section 6068 not be revealed without client consent. The level of security required to provide adequate assurance that confidential information will be protected depends on the nature of the communication. Among the factors to consider are the sensitivity of the information, the urgency of the communication, and the instructions of the client. See State Bar of California Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2010-179. The concerns about confidentiality relate to technology, the work setting, and the client’s setting.
The technology used by the remote worker must be secure. Computers, smartphones, and tablets should be equipped with firewalls and anti-virus and anti-malware software to prevent hacking and loss or corruption of data. Any connection to the firm’s computer servers should be over a virtual private network or similar system that encrypts data during transmission. (Encryption converts data to a code that can be read by someone only with the key to the code. Much computer data, including text messages, phone calls, documents, or files can be encrypted.) All client-related data should be stored on the firm’s server, not on the local device. If it has to be on the local device, it should be password protected and, if possible, encrypted. It should also be deleted from the remote equipment once it is no longer actively needed.
Most computer connections from remote worksites are over Wi-Fi networks. Wi-Fi should be a private, password protected system. Free Wi-Fi services, such as at restaurants, coffee shops, and airports are inherently insecure and should never be used for any confidential information even if a password is required.
Email has become a primary means of communicating information to, from, or about a client. While standard email is not totally secure, most opinions have found it has an expectation of privacy adequate to allow its use. If the sensitivity of the message is extreme, however, it may be required that the lawyer use a system of communication that includes end-to-end encryption. This means that the information is encrypted by the sending computer and can only be decrypted, or decoded, by the receiving computer. The technology issues can be very complex. The firm must have someone proficient in technology or use an outside IT provider to assure that the firm’s ethical obligations are adequately addressed.
Another area to assure security is teleconferencing. With remote working, many meetings and conferences are now being held on a videoconferencing platform such as Zoom, GoToMeeting, or Webex. If the conference is with a client, or if client-related matters are being discussed, several steps need to be taken to assure the confidentiality of the conference. Make sure that participants are using the most current version of the platform software. A password should be required to enter the conference, and only authorized participants should have access to the password. Some platforms allow you to require consent from the host to enter the conference.
The work setting raises additional issues of confidentiality with teleconferencing. People working remotely must use a private work space or wear ear or headphones to assure confidentiality from those, including spouses, partners, roommates, and children not authorized to hear the information. This also includes smart home devices such as Amazon Echo and Google Home, which can overhear your conversations.
The rules for the work environment of the lawyer or staff member also apply to the other parties to the conference. All parties should be in a private location or wear ear or headphones and have secure technology so confidential client information is not inadvertently disclosed. This is a particular issue when conversing by phone or video with a client. Particularly in family law matters, the adverse party may be present in the house when talking to the client. If the client cannot talk in confidence at the time of the conversation, the lawyer or staff member should arrange a different time or find some other way to assure that the conversation is confidential.
Conversations with clients raise other ethical issues besides confidentiality. CRPC rule 1.4 requires a lawyer to communicate with a client. When speaking with a client in person, the lawyer can assess the ability of the client to understand the information being provided. That is much more difficult with videoconferencing or telephone communications. It is important for the lawyer to use active listening techniques and to regularly confirm with the client that they understand what the lawyer is saying and that the lawyer understands the information being provided by the client. The lawyer should confirm both the information received from the client and the information provided to the client in writing.
When working on client-related matters remotely, the lawyer should also have access to the firm’s conflicts database to make sure that new clients, adverse parties, and witnesses do not create conflicts of interest that can affect handling of the matter.
The suggestions in this article are not limited to the current situation. They apply any time work on a client-related matter is being done remotely. Most apply with equal force when such work is being done in the office. The bottom line is the work must be done competently and confidentially.
Toby Rothschild is of counsel to OneJustice, providing ethics training and consulting to legal services programs throughout California. He is a member of the OCBA’s Professionalism and Ethics Committee. He can be reached at toby@tjrlaw.net.