Little that lawyers do is separate from their ethical and professional obligations and a cyberfraud attack may connect with specific ethical duties. For instance:
Cybercriminals may aim to steal money directly or may aim to steal information. In either case, they are stealing property of value that lawyers are responsible for safeguarding. Further, information theft often facilitates financial theft or blackmail.
This does not mean that suffering a cyberattack automatically results from or in a breach of professional responsibilities, but egregious ignorance or non-compliance with certain obligations can lead to a successful attack, and possible disciplinary or other sanctions.
Further, a lawyer has a duty to ensure any technology they use, along with all other systems, will be sufficient to uphold their responsibilities. This is part of performing legal services to the standard of a competent lawyer. Commentary to s. 3.1-2 of the Code of Professional Conduct provides:
[4A] To maintain the required level of competence, a lawyer should develop an understanding of, and ability to use, technology relevant to the nature and area of the lawyer’s practice and responsibilities. A lawyer should understand the benefits and risks associated with relevant technology, recognizing the lawyer’s duty to protect confidential information set out in section 3.3.
[4B] The required level of technological competence will depend upon whether the use or understanding of technology is necessary to the nature and area of the lawyer’s practice and responsibilities and whether the relevant technology is reasonably available to the lawyer. In determining whether technology is reasonably available, consideration should be given to factors including:
a) The lawyer’s or law firm’s practice areas;
b) The geographic locations of the lawyer’s or firm’s practice; and
c) The requirements of clients.
Much of this commentary appears to relate to technology, such as legal research tools and case management software, that are specifically practice-related and can be leveraged to efficiently deliver legal services. Inability or refusal to use technological tools relevant to one’s practice can cost clients’ time and result in inefficient representation. There have already been cases in Canada where an award of costs was reduced because the lawyers were not adequately automated.
This, however, is not the focus of this Module. The focus of this Module is on the vast amount of confidential information that law firms store, increasingly in digital form, regardless of practice area or geographic location. In terms of information security, several concepts that arise from these provisions are relevant:
Thus, while the duty of technological competence as outlined in the Code is not specially aimed at preventing cyberfraud, it clearly intersects with a lawyer’s professional responsibilities respecting confidentiality and preservation of client property. Commentary [2] to Section 3.5 of the Code makes this intersection clear:
[4] …. A lawyer is responsible for maintaining the safety and confidentiality of the files of the client in possession of the lawyer and should take all reasonable steps to ensure the privacy and safekeeping of a client’s confidential information. A lawyer should keep the client’s papers and other property out of sight as well as out of reach of those not entitled to see them.
Client information stored in electronic form must be stored as securely as client information stored in paper form and taking all reasonable steps to ensure privacy and safekeeping of confidential information requires understanding the benefits and risks associated with any technology used for information storage and being able to competently use any such technology.
Optional Video: You can learn more about the lawyer’s duty of technological competence in BiteSize CPD – Tech Competence [6:08 minutes].