Law Firm Cyber Protection and the Ethics of Protecting Your Digital Assets: Everything You Need and Want to Know


Michael S. Ross, Esq., Panel Chair

Panelists: Greg Cooke; James S. Gkonos, Esq.; Michael Kraft, Esq.; Patrick M. Turner, Esq.


NEW YORK RULES OF PROFESSIONAL CONDUCT

Effective April 1, 2009
As amended through January 1, 2017
With Commentary as amended through January 1, 2017

TABLE OF CONTENTS

1.0 Terminology
Competence
Scope of Representation and Allocation of Authority Between Client and Lawyer
Diligence
Communication
Fees and Division of Fees
Confidentiality of Information
Conflict of Interest: Current Clients
Current Clients: Specific Conflict of Interest Rules
Duties to Former Clients
Imputation of Conflicts of Interest
Special Conflicts of Interest for Former and Current Government Officials and Employees
Specific Conflicts of Interest for Former Judges, Arbitrators, Mediators, or Other Third-Party Neutrals
Organization as Client
Client with Diminished Capacity
Preserving Identity of Funds and Property of Others; Fiduciary Responsibility; Commingling and Misappropriation of Client Funds or Property; Maintenance of Bank Accounts; Record Keeping; Examination of Records
Declining or Terminating Representation
Sale of Law Practice
Duties to Prospective Clients
Advisor
[Reserved]
Evaluation for Use by Third Persons
Lawyer Serving as Third-Party Neutral
Non-Meritorious Claims and Contentions
Delay of Litigation

3.3 Conduct Before a Tribunal
Fairness to Opposing Party and Counsel
Maintaining and Preserving the Impartiality of Tribunals and Jurors
Trial Publicity
Lawyer as Witness
Special Responsibilities of Prosecutors and Other Government Lawyers
Advocate in Non-Adjudicative Matters
Truthfulness in Statements to Others
Communication with Persons Represented by Counsel
Communicating with Unrepresented Persons
Respect for Rights of Third Persons
Communication After Incidents involving Personal Injury or Wrongful Death
Responsibilities of Law Firms, Partners, Managers, and Supervisory Lawyers
Responsibilities of a Subordinate Lawyer
Lawyer's Responsibility for Conduct of Nonlawyers
Professional Independence of a Lawyer
Unauthorized Practice of Law
Restrictions on Right to Practice
Responsibilities Regarding Nonlegal Services
Contractual Relationship Between Lawyers and Nonlegal Professionals
Voluntary Pro Bono Service
[Reserved]
Membership in a Legal Services Organization
Law Reform Activities Affecting Client Interests
Participation in Limited Pro Bono Legal Service Programs
Advertising
Payment for Referrals
Solicitation and Recommendation of Professional Employment
Identification of Practice and Specialty
Professional Notices, Letterheads, and Signs
Candor in the Bar Admission Process
Judicial Officers and Candidates
Reporting Professional Misconduct
Misconduct
Disciplinary Authority and Choice of Law

RULE 1.1: COMPETENCE

(a) A lawyer should provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

(b) A lawyer shall not handle a legal matter that the lawyer knows or should know that the lawyer is not competent to handle, without associating with a lawyer who is competent to handle it.

(c) A lawyer shall not intentionally:

(1) fail to seek the objectives of the client through reasonably available means permitted by law and these Rules; or

(2) prejudice or damage the client during the course of the representation except as permitted or required by these Rules.

Comment

Legal Knowledge and Skill

[1] In determining whether a lawyer employs the requisite knowledge and skill in a particular matter, relevant factors include the relative complexity and specialized nature of the matter, the lawyer's general experience, the lawyer's training and experience in the field in question, the preparation and study the lawyer is able to give the matter, and whether it is feasible to associate with a lawyer of established competence in the field in question. In many instances, the required proficiency is that of a general practitioner. Expertise in a particular field of law may be required in some circumstances. One such circumstance would be where the lawyer, by representations made to the client, has led the client reasonably to expect a special level of expertise in the matter undertaken by the lawyer.

[2] A lawyer need not necessarily have special training or prior experience to handle legal problems of a type with which the lawyer is unfamiliar. A newly admitted lawyer can be as competent as a practitioner with long experience. Some important legal skills, such as the analysis of precedent, the evaluation of evidence and legal drafting, are required in all legal problems. Perhaps the most fundamental legal skill consists of determining what kinds of legal problems a situation may involve, a skill that necessarily transcends any particular specialized knowledge. A lawyer can provide adequate representation in a wholly novel field through necessary study. Competent representation can also be provided through the association of a lawyer of established competence in the field in question.

[3] [Reserved.]

[4] A lawyer may accept representation where the requisite level of competence can be achieved by adequate preparation before handling the legal matter. This applies as well to a lawyer who is appointed as counsel for an unrepresented person.

Thoroughness and Preparation

[5] Competent handling of a particular matter includes inquiry into and analysis of the factual and legal elements of the problem, and use of methods and procedures meeting the standards of competent practitioners. It also includes adequate preparation. The required attention and preparation are determined in part by what is at stake; major litigation and complex transactions ordinarily require more extensive treatment than matters of lesser complexity and consequence. An agreement between the lawyer and the client may limit the scope of the representation if the agreement complies with Rule 1.2(c).

Retaining or Contracting with Lawyers Outside the Firm

[6] Before a lawyer retains or contracts with other lawyers outside the lawyer's own firm to provide or assist in the provision of legal services to a client, the lawyer should ordinarily obtain informed consent from the client and should reasonably believe that the other lawyers' services will contribute to the competent and ethical representation of the client. See also Rules 1.2 (allocation of authority), 1.4 (communication with client), 1.5(g) (fee sharing with lawyers outside the firm), 1.6 (confidentiality), and 5.5(a) (unauthorized practice of law). The reasonableness of the decision to retain or contract with other lawyers outside the lawyer's own firm will depend upon the circumstances, including the needs of the client; the education, experience and reputation of the outside lawyers; the nature of the services assigned to the outside lawyers; and the legal protections, professional conduct rules, and ethical environments of the jurisdictions in which the services will be performed, particularly relating to confidential information.

[6A] Client consent to contract with a lawyer outside the lawyer's own firm may not be necessary for discrete and limited tasks supervised closely by a lawyer in the firm. However, a lawyer should ordinarily obtain client consent before contracting with an outside lawyer to perform substantive or strategic legal work on which the lawyer will exercise independent judgment without close supervision or review by the referring lawyer. For example, on one hand, a lawyer who hires an outside lawyer on a per diem basis to cover a single court call or a routine calendar call ordinarily would not need to obtain the client's prior informed consent. On the other hand, a lawyer who hires an outside lawyer to argue a summary judgment motion or negotiate key points in a transaction ordinarily should seek to obtain the client's prior informed consent.

[7] When lawyers from more than one law firm are providing legal services to the client on a particular matter, the lawyers ordinarily should consult with each other about the scope of their respective roles and the allocation of responsibility among them. See Rule 1.2(a). When allocating responsibility in a matter pending before a tribunal, lawyers and parties may have additional obligations (e.g., under local court rules, the CPLR, or the Federal Rules of Civil Procedure) that are a matter of law beyond the scope of these Rules.

[7A] Whether a lawyer who contracts with a lawyer outside the firm needs to obtain informed consent from the client about the roles and responsibilities of the retaining and outside lawyers will depend on the circumstances. On one hand, if a lawyer retains an outside lawyer or law firm to work under the lawyer's close direction and supervision, and the retaining lawyer closely reviews the outside lawyer's work, the retaining lawyer usually will not need to consult with the client about the outside lawyer's role and level of responsibility. On the other hand, if the outside lawyer will have a more material role and will exercise more autonomy and responsibility, then the retaining lawyer usually should consult with the client. In any event, whenever a retaining lawyer discloses a client's confidential information to lawyers outside the firm, the retaining lawyer should comply with Rule 1.6(a).

[8] To maintain the requisite knowledge and skill, a lawyer should (i) keep abreast of changes in substantive and procedural law relevant to the lawyer's practice, (ii) keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information, and (iii) engage in continuing study and education and comply with all applicable continuing legal education requirements under 22 N.Y.C.R.R. Part

RULE 1.4: COMMUNICATION

(a) A lawyer shall:

(1) promptly inform the client of:

(i) any decision or circumstance with respect to which the client's informed consent, as defined in Rule 1.0(j), is required by these Rules;

(ii) any information required by court rule or other law to be communicated to a client; and

(iii) material developments in the matter including settlement or plea offers.

(2) reasonably consult with the client about the means by which the client's objectives are to be accomplished;

(3) keep the client reasonably informed about the status of the matter; and

(4) promptly comply with a client's reasonable requests for information;

(5) consult with the client about any relevant limitation on the lawyer's conduct when the lawyer knows that the client expects assistance not permitted by these Rules or other law.

(b) A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.

Comment

[1] Reasonable communication between the lawyer and the client is necessary for the client to participate effectively in the representation.

Communicating with Client

[2] In instances where these Rules require that a particular decision about the representation be made by the client, paragraph (a)(1) requires that the lawyer promptly consult with the client and secure the client's consent prior to taking action, unless prior discussions with the client have resolved what action the client wants the lawyer to take. For example, paragraph (a)(1)(iii) requires that a lawyer who receives from opposing counsel an offer of settlement in a civil controversy or a proffered plea bargain in a criminal case must promptly inform the client of its substance unless the client has previously made clear that the proposal will be acceptable or unacceptable or has authorized the lawyer to accept or to reject the offer. See Rule 1.2(a).

[3] Paragraph (a)(2) requires that the lawyer reasonably consult with the client about the means to be used to accomplish the client's objectives. In some situations, depending on both the importance of the action under consideration and the feasibility of consulting with the client, this duty will require consultation prior to taking action. In other circumstances, such as during a trial when an immediate decision must be made, the exigency of the situation may require the lawyer to act without prior consultation. In such cases, the lawyer must nonetheless act reasonably to inform the client of actions the lawyer has taken on the client's behalf. Likewise, for routine matters such as scheduling decisions not materially affecting the interests of the client, the lawyer need not consult in advance, but should keep the client reasonably informed thereafter. Additionally, paragraph (a)(3) requires that the lawyer keep the client reasonably informed about the status of the matter, such as significant developments affecting the timing or the substance of the representation.

[4] A lawyer's regular communication with clients will minimize the occasions on which a client will need to request information concerning the representation. When a client makes a reasonable request for information, however, paragraph (a)(4) requires prompt compliance with the request, or if a prompt response is not feasible, that the lawyer or a member of the lawyer's staff acknowledge receipt of the request and advise the client when a response may be expected. A lawyer should promptly respond to or acknowledge client communications, or arrange for an appropriate person who works with the lawyer to do so.

Explaining Matters

[5] The client should have sufficient information to participate intelligently in decisions concerning the objectives of the representation and the means by which they are to be pursued, to the extent the client is willing and able to do so. Adequacy of communication depends in part on the kind of advice or assistance that is involved. For example, when there is time to explain a proposal made in a negotiation, the lawyer should review all important provisions with the client before proceeding to an agreement. In litigation a lawyer should explain the general strategy and prospects of success and ordinarily should consult the client on tactics that are likely to result in significant expense or to injure or coerce others. On the other hand, a lawyer ordinarily will not be expected to describe trial or negotiation strategy in detail. The guiding principle is that the lawyer should fulfill reasonable client expectations for information consistent with the duty to act in the client's best interest and the client's overall requirements as to the character of representation. In certain circumstances, such as when a lawyer asks a client to consent to a representation affected by a conflict of interest, the client must give informed consent, as defined in Rule 1.0(j).

[6] Ordinarily, the information to be provided is that appropriate for a client who is a comprehending and responsible adult. However, fully informing the client according to this standard may be impracticable, for example, where the client is a child or suffers from diminished capacity. See Rule When the client is an organization or group, it is often impossible or inappropriate to inform every one of its members about its legal affairs; ordinarily, the lawyer should address communications to those who the lawyer reasonably believes to be appropriate persons within the organization. See Rule Where many routine matters are involved, a system of limited or occasional reporting may be arranged with the client.

Withholding Information

[7] In some circumstances, a lawyer may be justified in delaying transmission of information when the client would be likely to react imprudently to an immediate communication. Thus, a lawyer might withhold a psychiatric diagnosis of a client when the examining psychiatrist indicates that disclosure would harm the client. A lawyer may not withhold information to serve the lawyer's own interest or convenience or the interests or convenience of another person. Rules or court orders governing litigation may provide that information supplied to a lawyer may not be disclosed to the client. Rule 3.4(c) directs compliance with such rules or orders.

RULE 1.5: FEES AND DIVISION OF FEES

(a) A lawyer shall not make an agreement for, charge, or collect an excessive or illegal fee or expense. A fee is excessive when, after a review of the facts, a reasonable lawyer would be left with a definite and firm conviction that the fee is excessive. The factors to be considered in determining whether a fee is excessive may include the following:

(1) the time and labor required, the novelty and difficulty of the questions involved, and the skill requisite to perform the legal service properly;

(2) the likelihood, if apparent or made known to the client, that the acceptance of the particular employment will preclude other employment by the lawyer;

(3) the fee customarily charged in the locality for similar legal services;

(4) the amount involved and the results obtained;

(5) the time limitations imposed by the client or by circumstances;

(6) the nature and length of the professional relationship with the client;

(7) the experience, reputation and ability of the lawyer or lawyers performing the services; and

(8) whether the fee is fixed or contingent.

(b) A lawyer shall communicate to a client the scope of the representation and the basis or rate of the fee and expenses for which the client will be responsible. This information shall be communicated to the client before or within a reasonable time after commencement of the representation and shall be in writing where required by statute or court rule. This provision shall not apply when the lawyer will charge a regularly represented client on the same basis or rate and perform services that are of the same general kind as previously rendered to and paid for by the client. Any changes in the scope of the representation or the basis or rate of the fee or expenses shall also be communicated to the client.

(c) A fee may be contingent on the outcome of the matter for which the service is rendered, except in a matter in which a contingent fee is prohibited by paragraph (d) or other law. Promptly after a lawyer has been employed in a contingent fee matter, the lawyer shall provide the client with a writing stating the method by which the fee is to be determined, including the percentage or percentages that shall accrue to the lawyer in the event of settlement, trial or appeal; litigation and other expenses to be deducted from the recovery; and whether such expenses are to be deducted before or, if not prohibited by statute or court rule, after the contingent fee is calculated. The writing must clearly notify the client of any expenses for which the client will be liable regardless of whether the client is the prevailing party. Upon conclusion of a contingent fee matter, the lawyer shall provide the client with a writing stating the outcome of the matter and, if there is a recovery, showing the remittance to the client and the method of its determination.

(d) A lawyer shall not enter into an arrangement for, charge or collect:

(1) a contingent fee for representing a defendant in a criminal matter;

(2) a fee prohibited by law or rule of court;

(3) a fee based on fraudulent billing;

(4) a nonrefundable retainer fee; provided that a lawyer may enter into a retainer agreement with a client containing a reasonable minimum fee clause if it defines in plain language and sets forth the circumstances under which such fee may be incurred and how it will be calculated; or

(5) any fee in a domestic relations matter if:

(i) the payment or amount of the fee is contingent upon the securing of a divorce or of obtaining child custody or visitation or is in any way determined by reference to the amount of maintenance, support, equitable distribution, or property settlement;

(ii) a written retainer agreement has not been signed by the lawyer and client setting forth in plain language the nature of the relationship and the details of the fee arrangement; or

(iii) the written retainer agreement includes a security interest, confession of judgment or other lien without prior notice being provided to the client in a signed retainer agreement and approval from a tribunal after notice to the adversary. A lawyer shall not foreclose on a mortgage placed on the marital residence while the spouse who consents to the mortgage remains the titleholder and the residence remains the spouse's primary residence.

(e) In domestic relations matters, a lawyer shall provide a prospective client with a Statement of Client's Rights and Responsibilities at the initial conference and prior to the signing of a written retainer agreement.

(f) Where applicable, a lawyer shall resolve fee disputes by arbitration at the election of the client pursuant to a fee arbitration program established by the Chief Administrator of the Courts and approved by the Administrative Board of the Courts.

(g) A lawyer shall not divide a fee for legal services with another lawyer who is not associated in the same law firm unless:

(1) the division is in proportion to the services performed by each lawyer or, by a writing given to the client, each lawyer assumes joint responsibility for the representation;

(2) the client agrees to employment of the other lawyer after a full disclosure that a division of fees will be made, including the share each lawyer will receive, and the client's agreement is confirmed in writing; and

(3) the total fee is not excessive.

(h) Rule 1.5(g) does not prohibit payment to a lawyer formerly associated in a law firm pursuant to a separation or retirement agreement.

Comment

[1] Paragraph (a) requires that lawyers not charge fees that are excessive or illegal under the circumstances. The factors specified in paragraphs (a)(1) through (a)(8) are not exclusive, nor will each factor be relevant in each instance. The time and labor required for a matter may be affected by the actions of the lawyer's own client or by those of the opposing party and counsel. Paragraph (a) also requires that expenses for which the client will be charged must not be excessive or illegal. A lawyer may seek payment for services performed in-house, such as copying, or for other expenses incurred in-house, such as telephone charges, either by charging an amount to which the client has agreed in advance or by charging an amount that reflects the cost incurred by the lawyer, provided in either case that the amount charged is not excessive.

[1A] A billing is fraudulent if it is knowingly and intentionally based on false or inaccurate information. Thus, under an hourly billing arrangement, it would be fraudulent to knowingly and intentionally charge a client for more than the actual number of hours spent by the lawyer on the client's matter; similarly, where the client has agreed to pay the lawyer's cost of in-house services, such as for photocopying or telephone calls, it would be fraudulent knowingly and intentionally to charge a client more than the actual costs incurred. Fraudulent billing requires an element of scienter and does not include inaccurate billing due to an innocent mistake.

[1B] A supervising lawyer who submits a fraudulent bill for fees or expenses to a client based on submissions by a subordinate lawyer has not automatically violated this Rule. In this situation, whether the lawyer is responsible for a violation must be determined by reference to Rules 5.1, 5.2 and 5.3. As noted in Comment [8] to Rule 5.1, nothing in that Rule alters the personal duty of each lawyer in a firm to abide by these Rules and in some situations, other Rules may impose upon a supervising lawyer a duty to ensure that the books and records of a firm are accurate. See Rule 1.15(j).

Basis or Rate of Fee

[2] When the lawyer has regularly represented a client, they ordinarily will have evolved an understanding concerning the basis or rate of the fee and the expenses for which the client will be responsible. In a new client-lawyer relationship, however, an understanding as to fees and expenses must be promptly established. Court rules regarding engagement letters require that such an understanding be memorialized in writing in certain cases. See 22 N.Y.C.R.R. Part Even where not required, it is desirable to furnish the client with at least a simple memorandum or copy of the lawyer's customary fee arrangements that states the general nature of the legal services to be provided, the basis, rate or total amount of the fee, and whether and to what extent the client will be responsible for any costs, expenses or disbursements in the course of the representation. A written statement concerning the terms of the engagement reduces the possibility of misunderstanding.

[3] Contingent fees, like any other fees, are subject to the excessiveness standard of paragraph (a). In determining whether a particular contingent fee is excessive, or whether it is excessive to charge any form of contingent fee, a lawyer must consider the factors that are relevant under the circumstances. Applicable law may impose limitations on contingent fees, such as a ceiling on the percentage allowable, or may regulate the type or amount of the fee that may be charged.

Terms of Payment

[4] A lawyer may require advance payment of a fee, but is obliged to return any unearned portion. See Rule 1.16(e). A lawyer may charge a minimum fee, if that fee is not excessive, and if the wording of the minimum fee clause of the retainer agreement meets the requirements of paragraph (d)(4). A lawyer may accept property in payment for services, such as an ownership interest in an enterprise, providing this does not involve acquisition of a proprietary interest in the cause of action or subject matter of the litigation contrary to Rule 1.8(i). A fee paid in property instead of money may, however, be subject to the requirements of Rule 1.8(a), because such fees often have the essential qualities of a business transaction with the client.

[5] An agreement may not be made if its terms might induce the lawyer improperly to curtail services for the client or perform them in a way contrary to the client's interest. For example, a lawyer should not enter into an agreement whereby services are to be provided only up to a stated amount when it is foreseeable that more extensive services probably will be required, unless the situation is adequately explained to the client. Otherwise, the client might have to bargain for further assistance in the midst of a proceeding or transaction. In matters in litigation, the court's approval for the lawyer's withdrawal may be required. See Rule 1.16(d). It is proper, however, to define the extent of services in light of the client's ability to pay. A lawyer should not exploit a fee arrangement based primarily on hourly charges by using wasteful procedures.

[5A] The New York Court Rules require every lawyer with an office located in New York to post in that office, in a manner visible to clients of the lawyer, a Statement of Client's Rights. See 22 N.Y.C.R.R Paragraph (e) requires a lawyer in a domestic relations matter, as defined in Rule 1.0(g), to provide a prospective client with the Statement of Client's Rights and Responsibilities, as further set forth in 22 N.Y.C.R.R , at the initial conference and, in any event, prior to the signing of a written retainer agreement.

Prohibited Contingent Fees

[6] Paragraph (d) prohibits a lawyer from charging a contingent fee in a domestic relations matter when payment is contingent upon the securing of a divorce or upon the amount of alimony or support or property settlement to be obtained or upon obtaining child custody or visitation. This provision also precludes a contract for a contingent fee for legal representation in connection with the recovery of post-judgment balances due under support, alimony or other financial orders. See Rule 1.0(g) (defining domestic relations matter to include an action to enforce such a judgment).

Division of Fee

[7] A division of fee is a single billing to a client covering the fee of two or more lawyers who are not affiliated in the same firm. A division of fee facilitates association of more than one lawyer in a matter in which neither alone could serve the client as well. Paragraph (g) permits the lawyers to divide a fee either on the basis of the proportion of services they render or if each lawyer assumes responsibility for the representation as a whole in a writing given to the client. In addition, the client must agree to the arrangement, including the share that each lawyer is to receive, and the client's agreement must be confirmed in writing. Contingent fee arrangements must comply with paragraph (c). Joint responsibility for the representation entails financial and ethical responsibility for the representation as if the lawyers were associated in a partnership. See Rule 5.1. A lawyer should refer a matter only to a lawyer who the referring lawyer reasonably believes is competent to handle the matter. See Rule 1.1.

[8] Paragraph (g) does not prohibit or regulate division of fees to be received in the future for work done when lawyers were previously associated in a law firm. Paragraph (h) recognizes that this Rule does not prohibit payment to a previously associated lawyer pursuant to a separation or retirement agreement.

Disputes over Fees

[9] A lawyer should seek to avoid controversies over fees with clients and should attempt to resolve amicably any differences on the subject. The New York courts have established a procedure for resolution of fee disputes through arbitration and the lawyer must comply with the procedure when it is mandatory. Even when it is voluntary, the lawyer should conscientiously consider submitting to it.

16 14 RULE 1.6: CONFIDENTIALITY OF INFORMATION (a) A lawyer shall not knowingly reveal confidential information, as defined in this Rule, or use such information to the disadvantage of a client or for the advantage of the lawyer or a third person, unless: (1) the client gives informed consent, as defined in Rule 1.0(j); (2) the disclosure is impliedly authorized to advance the best interests of the client and is either reasonable under the circumstances or customary in the professional community; or (3) the disclosure is permitted by paragraph (b). Confidential information consists of information gained during or relating to the representation of a client, whatever its source, that is (a) protected by the attorney-client privilege, (b) likely to be embarrassing or detrimental to the client if disclosed, or (c) information that the client has requested be kept confidential. Confidential information does not ordinarily include (i) a lawyer s legal knowledge or legal research or (ii) information that is generally known in the local community or in the trade, field or profession to which the information relates. 
(b) A lawyer may reveal or use confidential information to the extent that the lawyer reasonably believes necessary: (1) to prevent reasonably certain death or substantial bodily harm; (2) to prevent the client from committing a crime; (3) to withdraw a written or oral opinion or representation previously given by the lawyer and reasonably believed by the lawyer still to be relied upon by a third person, where the lawyer has discovered that the opinion or representation was based on materially inaccurate information or is being used to further a crime or fraud; (4) to secure legal advice about compliance with these Rules or other law by the lawyer, another lawyer associated with the lawyer s firm or the law firm; (5) (i) to defend the lawyer or the lawyer s employees and associates against an accusation of wrongful conduct; or (ii) to establish or collect a fee; or (6) when permitted or required under these Rules or to comply with other law or court order. 29

(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to, information protected by Rules 1.6, 1.9(c), or 1.18(b).

Comment

Scope of the Professional Duty of Confidentiality

[1] This Rule governs the disclosure of information protected by the professional duty of confidentiality. Such information is described in these Rules as "confidential information" as defined in this Rule. Other rules also deal with confidential information. See Rules 1.8(b) and 1.9(c)(1) for the lawyer's duties with respect to the use of such information to the disadvantage of clients and former clients; Rule 1.9(c)(2) for the lawyer's duty not to reveal information relating to the lawyer's prior representation of a former client; Rule 1.14(c) for information relating to representation of a client with diminished capacity; Rule 1.18(b) for the lawyer's duties with respect to information provided to the lawyer by a prospective client; Rule 3.3 for the lawyer's duty of candor to a tribunal; and Rule 8.3(c) for information gained by a lawyer or judge while participating in an approved lawyer assistance program.

[2] A fundamental principle in the client-lawyer relationship is that, in the absence of the client's informed consent, or except as permitted or required by these Rules, the lawyer must not knowingly reveal information gained during and related to the representation, whatever its source. See Rule 1.0(j) for the definition of informed consent. The lawyer's duty of confidentiality contributes to the trust that is the hallmark of the client-lawyer relationship. The client is thereby encouraged to seek legal assistance and to communicate fully and frankly with the lawyer, even as to embarrassing or legally damaging subject matter. The lawyer needs this information to represent the client effectively and, if necessary, to advise the client to refrain from wrongful conduct. Typically, clients come to lawyers to determine their rights and what is, in the complex of laws and regulations, deemed to be legal and correct. Based upon experience, lawyers know that almost all clients follow the advice given, and the law is thereby upheld.

[3] The principle of client-lawyer confidentiality is given effect in three related bodies of law: the attorney-client privilege of evidence law, the work-product doctrine of civil procedure and the professional duty of confidentiality established in legal ethics codes. The attorney-client privilege and the work-product doctrine apply when compulsory process by a judicial or other governmental body seeks to compel a lawyer to testify or produce information or evidence concerning a client. The professional duty of client-lawyer confidentiality, in contrast, applies to a lawyer in all settings and at all times, prohibiting the lawyer from disclosing confidential information unless permitted or required by these Rules or to comply with other law or court order. The confidentiality duty applies not only to matters communicated in confidence by the client, which are protected by the attorney-client privilege, but also to all information gained during and relating to the representation, whatever its source. The confidentiality duty, for example, prohibits a lawyer from volunteering confidential information to a friend or to any other person except in compliance with the provisions of this Rule, including the Rule's reference to other law that may compel disclosure. See Comments [12]-[13]; see also Scope.

[4] Paragraph (a) prohibits a lawyer from knowingly revealing confidential information as defined by this Rule. This prohibition also applies to disclosures by a lawyer that do not in themselves reveal confidential information but could reasonably lead to the discovery of such information by a third person. A lawyer's use of a hypothetical to discuss issues relating to the representation with persons not connected to the representation is permissible so long as there is no reasonable likelihood that the listener will be able to ascertain the identity of the client.

[4A] Paragraph (a) protects all factual information gained during or relating to the representation of a client. Information relates to the representation if it has any possible relevance to the representation or is received because of the representation. The accumulation of legal knowledge or legal research that a lawyer acquires through practice ordinarily is not client information protected by this Rule. However, in some circumstances, including where the client and the lawyer have so agreed, a client may have a proprietary interest in a particular product of the lawyer's research. Information that is generally known in the local community or in the trade, field or profession to which the information relates is also not protected, unless the client and the lawyer have otherwise agreed. Information is not "generally known" simply because it is in the public domain or available in a public file.

Use of Information Related to Representation

[4B] The duty of confidentiality also prohibits a lawyer from using confidential information to the advantage of the lawyer or a third person or to the disadvantage of a client or former client unless the client or former client has given informed consent. See Rule 1.0(j) for the definition of informed consent. This part of paragraph (a) applies when information is used to benefit either the lawyer or a third person, such as another client, a former client or a business associate of the lawyer. For example, if a lawyer learns that a client intends to purchase and develop several parcels of land, the lawyer may not (absent the client's informed consent) use that information to buy a nearby parcel that is expected to appreciate in value due to the client's purchase, or to recommend that another client buy the nearby land, even if the lawyer does not reveal any confidential information. The duty also prohibits disadvantageous use of confidential information unless the client gives informed consent, except as permitted or required by these Rules. For example, a lawyer assisting a client in purchasing a parcel of land may not make a competing bid on the same land. However, the fact that a lawyer has once served a client does not preclude the lawyer from using generally known information about that client, even to the disadvantage of the former client, after the client-lawyer relationship has terminated. See Rule 1.9(c)(1).

Authorized Disclosure

[5] Except to the extent that the client's instructions or special circumstances limit that authority, a lawyer may make disclosures of confidential information that are impliedly authorized by a client if the disclosures (i) advance the best interests of the client and (ii) are either reasonable under the circumstances or customary in the professional community. In some situations, for example, a lawyer may be impliedly authorized to admit a fact that cannot properly be disputed or to make a disclosure that facilitates a satisfactory conclusion to a matter. In addition, lawyers in a firm may, in the course of the firm's practice, disclose to each other information relating to a client of the firm, unless the client has instructed that particular information be confined to specified lawyers. Lawyers are also impliedly authorized to reveal information about a client with diminished capacity when necessary to take protective action to safeguard the client's interests. See Rules 1.14(b) and (c).

Disclosure Adverse to Client

[6] Although the public interest is usually best served by a strict rule requiring lawyers to preserve the confidentiality of information relating to the representation of their clients, the confidentiality rule is subject to limited exceptions that prevent substantial harm to important interests, deter wrongdoing by clients, prevent violations of the law, and maintain the impartiality and integrity of judicial proceedings. Paragraph (b) permits, but does not require, a lawyer to disclose information relating to the representation to accomplish these specified purposes.

[6A] The lawyer's exercise of discretion conferred by paragraphs (b)(1) through (b)(3) requires consideration of a wide range of factors and should therefore be given great weight. In exercising such discretion under these paragraphs, the lawyer should consider such factors as: (i) the seriousness of the potential injury to others if the prospective harm or crime occurs, (ii) the likelihood that it will occur and its imminence, (iii) the apparent absence of any other feasible way to prevent the potential injury, (iv) the extent to which the client may be using the lawyer's services in bringing about the harm or crime, (v) the circumstances under which the lawyer acquired the information of the client's intent or prospective course of action, and (vi) any other aggravating or extenuating circumstances. In any case, disclosure adverse to the client's interest should be no greater than the lawyer reasonably believes necessary to prevent the threatened harm or crime.
When a lawyer learns that a client intends to pursue or is pursuing a course of conduct that would permit disclosure under paragraphs (b)(1), (b)(2) or (b)(3), the lawyer's initial duty, where practicable, is to remonstrate with the client. In the rare situation in which the client is reluctant to accept the lawyer's advice, the lawyer's threat of disclosure is a measure of last resort that may persuade the client. When the lawyer reasonably believes that the client will carry out the threatened harm or crime, the lawyer may disclose confidential information when permitted by paragraphs (b)(1), (b)(2) or (b)(3). A lawyer's permissible disclosure under paragraph (b) does not waive the client's attorney-client privilege; neither the lawyer nor the client may be forced to testify about communications protected by the privilege, unless a tribunal or body with authority to compel testimony makes a determination that the crime-fraud exception to the privilege, or some other exception, has been satisfied by a party to the proceeding. For a lawyer's duties when representing an organizational client engaged in wrongdoing, see Rule 1.13(b).

[6B] Paragraph (b)(1) recognizes the overriding value of life and physical integrity and permits disclosure reasonably necessary to prevent reasonably certain death or substantial bodily harm. Such harm is reasonably certain to occur if it will be suffered imminently or if there is a present and substantial risk that a person will suffer such harm at a later date if the lawyer fails to take action necessary to eliminate the threat. Thus, a lawyer who knows that a client has accidentally discharged toxic waste into a town's water supply may reveal this information to the authorities if there is a present and substantial risk that a person who drinks the water will contract a life-threatening or debilitating disease and the lawyer's disclosure is necessary to eliminate the threat or reduce the number of victims. Wrongful execution of a person is a life-threatening and imminent harm under paragraph (b)(1) once the person has been convicted and sentenced to death. On the other hand, an event that will cause property damage but is unlikely to cause substantial bodily harm is not a present and substantial risk under paragraph (b)(1); similarly, a remote possibility or small statistical likelihood that any particular unit of a mass-distributed product will cause death or substantial bodily harm to unspecified persons over a period of years does not satisfy the element of reasonably certain death or substantial bodily harm under the exception to the duty of confidentiality in paragraph (b)(1).

[6C] Paragraph (b)(2) recognizes that society has important interests in preventing a client's crime. Disclosure of the client's intention is permitted to the extent reasonably necessary to prevent the crime. In exercising discretion under this paragraph, the lawyer should consider such factors as those stated in Comment [6A].

[6D] Some crimes, such as criminal fraud, may be ongoing in the sense that the client's past material false representations are still deceiving new victims. The law treats such crimes as continuing crimes in which new violations are constantly occurring. The lawyer whose services were involved in the criminal acts that constitute a continuing crime may reveal the client's refusal to bring an end to a continuing crime, even though that disclosure may also reveal the client's past wrongful acts, because refusal to end a continuing crime is equivalent to an intention to commit a new crime. Disclosure is not permitted under paragraph (b)(2), however, when a person who may have committed a crime employs a new lawyer for investigation or defense. Such a lawyer does not have discretion under paragraph (b)(2) to use or disclose the client's past acts that may have continuing criminal consequences.
Disclosure is permitted, however, if the client uses the new lawyer's services to commit a further crime, such as obstruction of justice or perjury.

[6E] Paragraph (b)(3) permits a lawyer to withdraw a legal opinion or to disaffirm a prior representation made to third parties when the lawyer reasonably believes that third persons are still relying on the lawyer's work and the work was based on materially inaccurate information or is being used to further a crime or fraud. See Rule 1.16(b)(1), requiring the lawyer to withdraw when the lawyer knows or reasonably should know that the representation will result in a violation of law. Paragraph (b)(3) permits the lawyer to give only the limited notice that is implicit in withdrawing an opinion or representation, which may have the collateral effect of inferentially revealing confidential information. The lawyer's withdrawal of the tainted opinion or representation allows the lawyer to prevent further harm to third persons and to protect the lawyer's own interest when the client has abused the professional relationship, but paragraph (b)(3) does not permit explicit disclosure of the client's past acts unless such disclosure is permitted under paragraph (b)(2).

[7] [Reserved.]

[8] [Reserved.]

[9] A lawyer's confidentiality obligations do not preclude a lawyer from securing confidential legal advice about compliance with these Rules and other law by the lawyer, another lawyer in the lawyer's firm, or the law firm. In many situations, disclosing information to secure such advice will be impliedly authorized for the lawyer to carry out the representation. Even when the disclosure is not impliedly authorized, paragraph (b)(4) permits such disclosure because of the importance of a lawyer's compliance with these Rules, court orders and other law.

[10] Where a claim or charge alleges misconduct of the lawyer related to the representation of a current or former client, the lawyer may respond to the extent the lawyer reasonably believes necessary to establish a defense. Such a claim can arise in a civil, criminal, disciplinary or other proceeding and can be based on a wrong allegedly committed by the lawyer against the client or on a wrong alleged by a third person, such as a person claiming to have been defrauded by the lawyer and client acting together or by the lawyer acting alone. The lawyer may respond directly to the person who has made an accusation that permits disclosure, provided that the lawyer's response complies with Rule 4.2 and Rule 4.3, and other Rules or applicable law. A lawyer may make the disclosures authorized by paragraph (b)(5) through counsel. The right to respond also applies to accusations of wrongful conduct concerning the lawyer's law firm, employees or associates.

[11] A lawyer entitled to a fee is permitted by paragraph (b)(5) to prove the services rendered in an action to collect it. This aspect of the rule expresses the principle that the beneficiary of a fiduciary relationship may not exploit it to the detriment of the fiduciary.

[12] Paragraph (b) does not mandate any disclosures. However, other law may require that a lawyer disclose confidential information. Whether such a law supersedes Rule 1.6 is a question of law beyond the scope of these Rules. When disclosure of confidential information appears to be required by other law, the lawyer must consult with the client to the extent required by Rule 1.4 before making the disclosure, unless such consultation would be prohibited by other law.
If the lawyer concludes that other law supersedes this Rule and requires disclosure, paragraph (b)(6) permits the lawyer to make such disclosures as are necessary to comply with the law.

[13] A tribunal or governmental entity claiming authority pursuant to other law to compel disclosure may order a lawyer to reveal confidential information. Absent informed consent of the client to comply with the order, the lawyer should assert on behalf of the client nonfrivolous arguments that the order is not authorized by law, the information sought is protected against disclosure by an applicable privilege or other law, or the order is invalid or defective for some other reason. In the event of an adverse ruling, the lawyer must consult with the client to the extent required by Rule 1.4 about the possibility of an appeal or further challenge, unless such consultation would be prohibited by other law. If such review is not sought or is unsuccessful, paragraph (b)(6) permits the lawyer to comply with the order.

[14] Paragraph (b) permits disclosure only to the extent the lawyer reasonably believes the disclosure is necessary to accomplish one of the purposes specified in paragraphs (b)(1) through (b)(6). Before making a disclosure, the lawyer should, where practicable, first seek to persuade the client to take suitable action to obviate the need for disclosure. In any case, a disclosure adverse to the client's interest should be no greater than the lawyer reasonably believes necessary to accomplish the purpose, particularly when accusations of wrongdoing in the representation of a client have been made by a third party rather than by the client. If the disclosure will be made in connection with an adjudicative proceeding, the disclosure should be made in a manner that limits access to the information to the tribunal or other persons having a need to know the information, and appropriate protective orders or other arrangements should be sought by the lawyer to the fullest extent practicable.

[15] Paragraph (b) permits but does not require the disclosure of information relating to a client's representation to accomplish the purposes specified in paragraphs (b)(1) through (b)(6). A lawyer's decision not to disclose as permitted by paragraph (b) does not violate this Rule. Disclosure may, however, be required by other Rules or by other law. See Comments [12]-[13]. Some Rules require disclosure only if such disclosure would be permitted by paragraph (b). E.g., Rule 8.3(c)(1). Rule 3.3(c), on the other hand, requires disclosure in some circumstances whether or not disclosure is permitted or prohibited by this Rule.

Withdrawal

[15A] If the lawyer's services will be used by the client in materially furthering a course of criminal or fraudulent conduct, the lawyer must withdraw pursuant to Rule 1.16(b)(1). Withdrawal may also be required or permitted for other reasons under Rule After withdrawal, the lawyer is required to refrain from disclosing or using information protected by Rule 1.6, except as this Rule permits such disclosure. Neither this Rule, nor Rule 1.9(c), nor Rule 1.16(e) prevents the lawyer from giving notice of the fact of withdrawal. For withdrawal or disaffirmance of an opinion or representation, see paragraph (b)(3) and Comment [6E]. Where the client is an organization, the lawyer may be in doubt whether the organization will actually carry out the contemplated conduct. Where necessary to guide conduct in connection with this Rule, the lawyer may, and sometimes must, make inquiry within the organization. See Rules 1.13(b) and (c).

Duty to Preserve Confidentiality

[16] Paragraph (c) imposes three related obligations. It requires a lawyer to make reasonable efforts to safeguard confidential information against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are otherwise subject to the lawyer's supervision. See Rules 1.1, 5.1 and 5.3. Confidential information includes not only information protected by Rule 1.6(a) with respect to current clients but also information protected by Rule 1.9(c) with respect to former clients and information protected by Rule 1.18(b) with respect to prospective clients. Unauthorized access to, or the inadvertent or unauthorized disclosure of, information protected by Rules 1.6, 1.9, or 1.18, does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the unauthorized access or disclosure. Factors to be considered in determining the reasonableness of the lawyer's efforts include, but are not limited to: (i) the sensitivity of the information; (ii) the likelihood of disclosure if additional safeguards are not employed; (iii) the cost of employing additional safeguards; (iv) the difficulty of implementing the safeguards; and (v) the extent to which the safeguards adversely affect the lawyer's ability to represent clients (e.g., by making a device or software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule, or may give informed consent to forgo security measures that would otherwise be required by this Rule. For a lawyer's duties when sharing information with nonlawyers inside or outside the lawyer's own firm, see Rule 5.3, Comment [2].

[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. Paragraph (c) does not ordinarily require that the lawyer use special security measures if the method of communication affords a reasonable expectation of confidentiality. However, a lawyer may be required to take specific steps to safeguard a client's information to comply with a court order (such as a protective order) or to comply with other law (such as state and federal laws or court rules that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information). For example, a protective order may extend a high level of protection to documents marked "Confidential" or "Confidential Attorneys' Eyes Only"; the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") may require a lawyer to take specific precautions with respect to a client's or adversary's medical records; and court rules may require a lawyer to block out a client's Social Security number or a minor's name when electronically filing papers with the court. The specific requirements of court orders, court rules, and other laws are beyond the scope of these Rules.

Lateral Moves, Law Firm Mergers, and Confidentiality

[18A] When lawyers or law firms (including in-house legal departments) contemplate a new association with other lawyers or law firms through lateral hiring or merger, disclosure of limited information may be necessary to resolve conflicts of interest pursuant to Rule 1.10 and to address financial, staffing, operational, and other practical issues. However, Rule 1.6(a) requires lawyers and law firms to protect their clients' confidential information, so lawyers and law firms may not disclose such information for their own advantage or for the advantage of third parties absent a client's informed consent or some other exception to Rule 1.6.

[18B] Disclosure without client consent in the context of a possible lateral move or law firm merger is ordinarily permitted regarding basic information such as: (i) the identities of clients or other parties involved in a matter; (ii) a brief summary of the status and nature of a particular matter, including the general issues involved; (iii) information that is publicly available; (iv) the lawyer's total book of business; (v) the financial terms of each lawyer-client relationship; and (vi) information about aggregate current and historical payment of fees (such as realization rates, average receivables, and aggregate timeliness of payments). Such information is generally not confidential information within the meaning of Rule 1.6.

[18C] Disclosure without client consent in the context of a possible lateral move or law firm merger is ordinarily not permitted, however, if information is protected by Rule 1.6(a), 1.9(c), or Rule 1.18(b). This includes information that a lawyer knows or reasonably believes is protected by the attorney-client privilege, or is likely to be detrimental or embarrassing to the client, or is information that the client has requested be kept confidential. For example, many clients would not want their lawyers to disclose their tardiness in paying bills; the amounts they spend on legal fees in particular matters; forecasts about their financial prospects; or information relating to sensitive client matters (e.g., an unannounced corporate takeover, an undisclosed possible divorce, or a criminal investigation into the client's conduct).

[18D] When lawyers are exploring a new association, whether by lateral move or by merger, all lawyers involved must individually consider fiduciary obligations to their existing firms that may bear on the timing and scope of disclosures to clients relating to conflicts and financial concerns, and should consider whether to ask clients for a waiver of confidentiality if consistent with these fiduciary duties. See Rule 1.10(e) (requiring law firms to check for conflicts of interest). Questions of fiduciary duty are legal issues beyond the scope of the Rules.

[18E] For the unique confidentiality and notice provisions that apply to a lawyer or law firm seeking to sell all or part of its practice, see Rule 1.17 and Comment [7] to that Rule.

[18F] Before disclosing information regarding a possible lateral move or law firm merger, law firms and lawyers moving between firms, both those providing information and those receiving information, should use reasonable measures to minimize the risk of any improper, unauthorized or inadvertent disclosures, whether or not the information is protected by Rule 1.6(a), 1.9(c), or 1.18(b). These steps might include such measures as: (1) disclosing client information in stages; initially identifying only certain clients and providing only limited information, and providing a complete list of clients and more detailed financial information only at subsequent stages; (2) limiting disclosure to those at the firm, or even a single person at the firm, directly involved in clearing conflicts and making the business decision whether to move forward to the next stage regarding the lateral hire or law firm merger; and/or (3) agreeing not to disclose financial or conflict information outside the firm(s) during and after the lateral hiring negotiations or merger process.

SUMMARY OF AMERICAN BAR ASSOCIATION STANDING COMMITTEE ON ETHICS AND PROFESSIONAL RESPONSIBILITY FORMAL OPINION 477R

In its advisory Formal Ethics Opinion 477 (May 11, 2017; revised May 22, 2017), the American Bar Association's Standing Committee on Ethics and Professional Responsibility addressed the question of what security precautions a lawyer must take when transmitting information relating to the representation of a client over the internet. Opinion 477 noted that the ABA had previously addressed this issue in its advisory Formal Ethics Opinion , but that the role and risks of technology in the practice of law have evolved since 1999 prompting the need to update Opinion

Opinion 477 expressed the view that:

A lawyer generally may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.

Opinion 477 noted that, at the time when the ABA had issued Opinion , lawyers had a reasonable expectation of privacy in communications made by all then-existing forms of e-mail. Accordingly, Opinion had expressed the view that the use of e-mail to transmit client confidential information was consistent with the duty under Rule 1.6 to use reasonable means to maintain the confidentiality of information relating to a client's representation.

Opinion 477 observed that there had been major changes in the technological and ethical context in the eighteen years since Opinion had been issued.
In particular, today [as opposed to 1999], many lawyers primarily use electronic means to communicate and exchange documents with clients, other lawyers, and even with other persons who are assisting a lawyer in delivering legal services to clients. In addition, lawyers (and others) now regularly use a variety of devices to create, transmit and store confidential communications, including desktop, laptop and notebook computers, tablet devices, smartphones, and cloud resource and storage locations. And, most significantly, "[e]ach device and each storage location offer an opportunity for the inadvertent or unauthorized disclosure of information relating to the representation, and thus implicate a lawyer's ethical duties" (emphasis added). In addition, as the Opinion observed, the term "cyber security" has come into general usage, reflecting the broad range of issues relating to preserving individual privacy from intrusion by nefarious actors throughout the Internet.

Opinion 477 then noted that, from an ethical standpoint, the ABA had adopted, in 2012, certain technology amendments to the Model Rules. Those amendments included providing more detail with respect to lawyer technological competency under Model Rule 1.1, and the addition of a new subsection and a new Comment to Model Rule 1.6 that address a lawyer's obligation to take reasonable measures to prevent inadvertent or unauthorized disclosure of information relating to a representation. According to Opinion 477, "[t]he Model Rules do not impose greater or different duties of confidentiality based upon the method by which a lawyer communicates with a client. But how a lawyer should comply with the core duty of confidentiality in an ever-changing technological world requires some reflection."

With respect to lawyers' obligation to maintain technological competence, the Opinion expressed the view that lawyers must stay abreast of the benefits and risks associated with relevant technology. And with respect to protecting the confidentiality of client confidential information, the Opinion noted that, pursuant to the new Comment to Model Rule 1.6, a lawyer must act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. This requires a lawyer to make reasonable efforts to prevent inadvertent access to or disclosure of client confidential information when using technology in communicating about client matters.

COPYRIGHT 2017 BY MICHAEL S. ROSS, ESQ. ALL RIGHTS RESERVED. REPRINTED WITH PERMISSION.
Opinion 477 adopted the position that what constitutes reasonable efforts is a case-by-case, fact-specific inquiry and that there is no hard and fast rule as to what is or is not a reasonable effort. Rather, the Opinion adopted the view of reasonable efforts that was adopted in the ABA Cybersecurity Handbook, i.e., that the reasonable efforts standard:

... rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a process to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.

(Quoting Jill D. Rhodes & Vincent I. Polley, The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms, and Business Professionals 7 (2013), at )

Opinion 477 expressed the view that, assuming that the lawyer has implemented reasonably accessible and common electronic security measures,[1] the use of unencrypted routine email generally remains an acceptable method of lawyer-client communication. However, according to the Opinion, due to the rise in cyber-threats and the proliferation of electronic communications devices, it may not always be reasonable to rely on the use of unencrypted email, such as when communicating through certain mobile applications or via unsecured networks. Although Opinion 477 stated that it could not specify the reasonable steps that lawyers should take under any given set of facts, it did provide the following considerations as general guidance:

(1) A lawyer must understand the nature of the cyber threats presented in particular circumstances;
(2) A lawyer must understand how client confidential information is transmitted and stored;
(3) A lawyer must understand the use of reasonable electronic security measures;
(4) A lawyer must consider how particular electronic communications should be protected;
(5) Client information must be labeled as privileged and confidential;
(6) A lawyer must ensure that lawyers under his or her supervision and non-lawyer assistants receive training in technology and cyber security; and
(7) A lawyer must conduct due diligence on vendors who provide technology services.

Opinion 477, in particular, observed that different communications require different levels of protection.
The Opinion then provided some (admittedly very general) guidance:

In situations where the communication (and any attachments) are sensitive or warrant extra security, additional electronic protection may be required. For example, if client information is of sufficient sensitivity, a lawyer should encrypt the transmission and determine how to do so to sufficiently protect it,[] and consider the use of password protection for any attachments. Alternatively, lawyers can consider the use of a well vetted and secure third-party cloud based file storage system to exchange documents normally attached to emails. Thus, routine communications sent electronically are those communications that do not contain information warranting additional security measures beyond basic methods. However, in some circumstances, a client's lack of technological sophistication or the limitations of technology available to the client may require alternative non-electronic forms of communication altogether.

(Emphasis added) (footnote omitted).

[1] According to Opinion 477, examples of such reasonably accessible electronic security measures include using secure internet access methods to communicate, access and store client information (such as through secure Wi-Fi, the use of a Virtual Private Network, or another secure internet portal), using unique complex passwords, changed periodically, implementing firewalls and anti-malware/antispyware/antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software.

Security Breach Notification Laws

4/12/2017

Forty-eight states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches of information involving identifiable information. Security breach laws typically have provisions regarding who must comply with the law (e.g., businesses, information brokers, government entities, etc); definitions of personal information (e.g., name combined with drivers license or state ID, account numbers, etc.); what constitutes a breach (e.g., unauthorized acquisition); requirements for notice (e.g., timing or method of notice, who must be notified); and exemptions (e.g., for encrypted information).

PLEASE NOTE: NCSL serves state legislators and their staff. This site provides general comparative information only and should not be relied upon or construed

State | Citation
Alaska | Alaska Stat et seq.
Arizona | Ariz. Rev. Stat
Arkansas | Ark. Code et seq.
California | Cal. Civ. Code ,
Colorado | Colo. Rev. Stat
Connecticut | Conn. Gen Stat. 36a-701b, 4e-70
Delaware | Del. Code tit. 6, 12B-101 et seq.
Florida | Fla. Stat , , (2)(i)
Georgia | Ga. Code , -911, -912;
Hawaii | Haw. Rev. Stat. 487N-1 et seq.
Idaho | Idaho Stat to -107
Illinois | 815 ILCS 530/1 to 530/25
Indiana | Ind. Code et seq., et seq.
Iowa | Iowa Code 715C.1, 715C.2
Kansas | Kan. Stat. 50-7a01 et seq.
Kentucky | KRS , KRS to
Louisiana | La. Rev. Stat. 51:3071 et seq.
Maine | Me. Rev. Stat. tit et seq.
Maryland | Md. Code Com. Law et seq., Md. State Govt. Code 10-
Massachusetts | Mass. Gen. Laws 93H-1 et seq.
Michigan | Mich. Comp. Laws ,
Minnesota | Minn. Stat. 325E.61, 325E.64
Mississippi | Miss. Code
Missouri | Mo. Rev. Stat
Montana | Mont. Code to -1503, et seq.,
Nebraska | Neb. Rev. Stat et seq.
Nevada | Nev. Rev. Stat. 603A.010 et seq.,
New Hampshire | N.H. Rev. Stat. 359-C:19 et seq.
New Jersey | N.J. Stat. 56:8-161 et seq.
New Mexico | 2017 H.B. 15, Chap. 36 (effective 6/16/2017)
New York | N.Y. Gen. Bus. Law 899-AA, N.Y. State Tech. Law 208
North Carolina | N.C. Gen. Stat 75-61,
North Dakota | N.D. Cent. Code et seq.
Ohio | Ohio Rev. Code , , ,
Oklahoma | Okla. Stat , to
Oregon | Oregon Rev. Stat. 646A.600 to.628
Pennsylvania | 73 Pa. Stat et seq.
Rhode Island | R.I. Gen. Laws et seq.
South Carolina | S.C. Code
Tennessee | Tenn. Code ;
Texas | Tex. Bus. & Com. Code ,
Utah | Utah Code et seq.
Vermont | Vt. Stat. tit , 2435
Virginia | Va. Code , :05
Washington | Wash. Rev. Code ,
West Virginia | W.V. Code 46A-2A-101 et seq.
Wisconsin | Wis. Stat
Wyoming | Wyo. Stat et seq.
District of Columbia | D.C. Code et seq.
Guam | 9 GCA et seq.
Puerto Rico | 10 Laws of Puerto Rico 4051 et seq.
Virgin Islands | V.I. Code tit. 14, 2208, 2209

States with no security breach law: Alabama and South Dakota.

This chart does not include state statutes notification of breaches of student data.


As of 12/01/ :10AM, the Laws database is current through 2017 Chapters

State Technology

Notification; person without valid authorization has acquired private information.

1. As used in this section, the following terms shall have the following meanings:

(a) "Private information" shall mean personal information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired: (1) social security number; (2) driver's license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account. "Private information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

(b) "Breach of the security of the system" shall mean unauthorized acquisition or acquisition without valid authorization of computerized data which compromises the security, confidentiality, or integrity of personal information maintained by a state entity. Good faith acquisition of personal information by an employee or agent of a state entity for the purposes of the agency is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure. In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such state entity may consider the following factors, among others: (1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or (2) indications that the information has been downloaded or copied; or (3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

(c) "State entity" shall mean any state board, bureau, division, committee, commission, council, department, public authority, public benefit corporation, office or other governmental entity performing a governmental or proprietary function for the state of New York, except: (1) the judiciary; and (2) all cities, counties, municipalities, villages, towns, and other local agencies.

(d) "Consumer reporting agency" shall mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. A list of consumer reporting agencies shall be compiled by the state attorney general and furnished upon request to state entities required to make a notification under subdivision two of this section.

2. Any state entity that owns or licenses computerized data that includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision four of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. The state entity shall consult with the state office of information technology services to determine the scope of the breach and restoration measures.

3. Any state entity that maintains computerized data that includes private information which such agency does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.

4. The notification required by this section may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation. The notification required by this section shall be made after such law enforcement agency determines that such notification does not compromise such investigation.

5. The notice required by this section shall be directly provided to the affected persons by one of the following methods: (a) written notice; (b) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the state entity who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction; (c) telephone notification provided that a log of each such notification is kept by the state entity who notifies affected persons; or (d) Substitute notice, if a state entity demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such agency does not have sufficient contact information. Substitute notice shall consist of all of the following: (1) notice when such state entity has an address for the subject persons; (2) conspicuous posting of the notice on such state entity's web site page, if such agency maintains one; and (3) notification to major statewide media.

6. Regardless of the method by which notice is provided, such notice shall include contact information for the state entity making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.

7. (a) In the event that any New York residents are to be notified, the state entity shall notify the state attorney general, the department of state and the state office of information technology services as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents. (b) In the event that more than five thousand New York residents are to be notified at one time, the state entity shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.

8. Any entity listed in subparagraph two of paragraph (c) of subdivision one of this section shall adopt a notification policy no more than one hundred twenty days after the effective date of this section. Such entity may develop a notification policy which is consistent with this section or alternatively shall adopt a local law which is consistent with this section.

As of 12/01/ :10AM, the Laws database is current through 2017 Chapters

General Business aa.

Notification; person without valid authorization has acquired private information.

1. As used in this section, the following terms shall have the following meanings:

(a) "Personal information" shall mean any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person;

(b) "Private information" shall mean personal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired: (1) social security number; (2) driver's license number or non-driver identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account; "Private information" does not include publicly available information which is lawfully made available to the general public from federal, state, or local government records.

(c) "Breach of the security of the system" shall mean unauthorized acquisition or acquisition without valid authorization of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business. Good faith acquisition of personal information by an employee or agent of the business for the purposes of the business is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure. In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, such business may consider the following factors, among others: (1) indications that the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information; or (2) indications that the information has been downloaded or copied; or (3) indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported.

(d) "Consumer reporting agency" shall mean any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. A list of consumer reporting agencies shall be compiled by the state attorney general and furnished upon request to any person or business required to make a notification under subdivision two of this section.

2. Any person or business which conducts business in New York state, and which owns or licenses computerized data which includes private information shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision four of this section, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system.

3. Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.

4. The notification required by this section may be delayed if a law enforcement agency determines that such notification impedes a criminal investigation. The notification required by this section shall be made after such law enforcement agency determines that such notification does not compromise such investigation.

5. The notice required by this section shall be directly provided to the affected persons by one of the following methods: (a) written notice; (b) electronic notice, provided that the person to whom notice is required has expressly consented to receiving said notice in electronic form and a log of each such notification is kept by the person or business who notifies affected persons in such form; provided further, however, that in no case shall any person or business require a person to consent to accepting said notice in said form as a condition of establishing any business relationship or engaging in any transaction. (c) telephone notification provided that a log of each such notification is kept by the person or business who notifies affected persons; or (d) Substitute notice, if a business demonstrates to the state attorney general that the cost of providing notice would exceed two hundred fifty thousand dollars, or that the affected class of subject persons to be notified exceeds five hundred thousand, or such business does not have sufficient contact information. Substitute notice shall consist of all of the following: (1) notice when such business has an address for the subject persons; (2) conspicuous posting of the notice on such business's web site page, if such business maintains one; and (3) notification to major statewide media.

6. (a) whenever the attorney general shall believe from evidence satisfactory to him that there is a violation of this article he may bring an action in the name and on behalf of the people of the state of New York, in a court of justice having jurisdiction to issue an injunction, to enjoin and restrain the continuation of such violation. In such action, preliminary relief may be granted under article sixty-three of the civil practice law and rules. In such action the court may award damages for actual costs or losses incurred by a person entitled to notice pursuant to this article, if notification was not provided to such person pursuant to this article, including consequential financial losses. Whenever the court shall determine in such action that a person or business violated this article knowingly or recklessly, the court may impose a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars. (b) the remedies provided by this section shall be in addition to any other lawful remedy available. (c) no action may be brought under the provisions of this section unless such action is commenced within two years immediately after the date of the act complained of or the date of discovery of such act.

7. Regardless of the method by which notice is provided, such notice shall include contact information for the person or business making the notification and a description of the categories of information that were, or are reasonably believed to have been, acquired by a person without valid authorization, including specification of which of the elements of personal information and private information were, or are reasonably believed to have been, so acquired.

8. (a) In the event that any New York residents are to be notified, the person or business shall notify the state attorney general, the department of state and the division of state police as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents. (b) In the event that more than five thousand New York residents are to be notified at one time, the person or business shall also notify consumer reporting agencies as to the timing, content and distribution of the notices and approximate number of affected persons. Such notice shall be made without delaying notice to affected New York residents.

9. The provisions of this section shall be exclusive and shall preempt any provisions of local law, ordinance or code, and no locality shall impose requirements that are inconsistent with or more restrictive than those set forth in this section.

NEW YORK STATE DEPARTMENT OF FINANCIAL SERVICES

23 NYCRR 500

CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES

I, Maria T. Vullo, Superintendent of Financial Services, pursuant to the authority granted by sections 102, 201, 202, 301, 302 and 408 of the Financial Services Law, do hereby promulgate Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, to take effect March 1, 2017, to read as follows:

(ALL MATTER IS NEW)

Section Introduction.

The New York State Department of Financial Services ("DFS") has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. DFS appreciates that many firms have proactively increased their cybersecurity programs with great success.

Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization's cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity's cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.

Section Definitions.

For purposes of this Part only, the following definitions shall apply:

(a) Affiliate means any Person that controls, is controlled by or is under common control with another Person. For purposes of this subsection, control means the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a Person, whether through the ownership of stock of such Person or otherwise.

(b) Authorized User means any employee, contractor, agent or other Person that participates in the business operations of a Covered Entity and is authorized to access and use any Information Systems and data of the Covered Entity.

(c) Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

(d) Cybersecurity Event means any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.

(e) Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.

(f) Multi-Factor Authentication means authentication through verification of at least two of the following types of authentication factors: (1) Knowledge factors, such as a password; or (2) Possession factors, such as a token or text message on a mobile phone; or (3) Inherence factors, such as a biometric characteristic.

(g) Nonpublic Information shall mean all electronic information that is not Publicly Available Information and is: (1) Business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity; (2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual's financial account, or (v) biometric records; (3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.

41 39 (h) Penetration Testing means a test methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting penetration of databases or controls from outside or inside the Covered Entity s Information Systems. (i) Person means any individual or any non-governmental entity, including but not limited to any nongovernmental partnership, corporation, branch, agency or association. (j) Publicly Available Information means any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law. (1) For the purposes of this subsection, a Covered Entity has a reasonable basis to believe that information is lawfully made available to the general public if the Covered Entity has taken steps to determine: (i) That the information is of the type that is available to the general public; and (ii) Whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so. (k) Risk Assessment means the risk assessment that each Covered Entity is required to conduct under section of this Part. (l) Risk-Based Authentication means any risk-based system of authentication that detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person s identity when such deviations or changes are detected, such as through the use of challenge questions. (m) Senior Officer(s) means the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity, including a branch or agency of a foreign banking organization subject to this Part. 
(n) Third Party Service Provider(s) means a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity.

Section Cybersecurity Program.

(a) Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity's Information Systems.

(b) The cybersecurity program shall be based on the Covered Entity's Risk Assessment and designed to perform the following core cybersecurity functions: (1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity's Information Systems;

(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity's Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts; (3) detect Cybersecurity Events; (4) respond to identified or detected Cybersecurity Events to mitigate any negative effects; (5) recover from Cybersecurity Events and restore normal operations and services; and (6) fulfill applicable regulatory reporting obligations.

(c) A Covered Entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an Affiliate, provided that such provisions satisfy the requirements of this Part, as applicable to the Covered Entity.

(d) All documentation and information relevant to the Covered Entity's cybersecurity program shall be made available to the superintendent upon request.

Section Cybersecurity Policy.

Cybersecurity Policy. Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity's board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity's policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall be based on the Covered Entity's Risk Assessment and address the following areas to the extent applicable to the Covered Entity's operations: (a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance;

(j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.

Section Chief Information Security Officer.

(a) Chief Information Security Officer. Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, "Chief Information Security Officer" or "CISO"). The CISO may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider. To the extent this requirement is met using a Third Party Service Provider or an Affiliate, the Covered Entity shall: (1) retain responsibility for compliance with this Part; (2) designate a senior member of the Covered Entity's personnel responsible for direction and oversight of the Third Party Service Provider; and (3) require the Third Party Service Provider to maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part.

(b) Report. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity's board of directors or equivalent governing body. If no such board of directors or equivalent governing body exists, such report shall be timely presented to a Senior Officer of the Covered Entity responsible for the Covered Entity's cybersecurity program. The CISO shall report on the Covered Entity's cybersecurity program and material cybersecurity risks. The CISO shall consider to the extent applicable: (1) the confidentiality of Nonpublic Information and the integrity and security of the Covered Entity's Information Systems; (2) the Covered Entity's cybersecurity policies and procedures; (3) material cybersecurity risks to the Covered Entity; (4) overall effectiveness of the Covered Entity's cybersecurity program; and (5) material Cybersecurity Events involving the Covered Entity during the time period addressed by the report.

Section Penetration Testing and Vulnerability Assessments.

The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity's Risk Assessment, designed to assess the effectiveness of the Covered Entity's cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic Penetration Testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct: (a) annual Penetration Testing of the Covered Entity's Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and (b) bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity's Information Systems based on the Risk Assessment.

Section Audit Trail.

(a) Each Covered Entity shall securely maintain systems that, to the extent applicable and based on its Risk Assessment: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity; and (2) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

(b) Each Covered Entity shall maintain records required by section (a)(1) of this Part for not fewer than five years and shall maintain records required by section (a)(2) of this Part for not fewer than three years.

Section Access Privileges.
As part of its cybersecurity program, based on the Covered Entity's Risk Assessment each Covered Entity shall limit user access privileges to Information Systems that provide access to Nonpublic Information and shall periodically review such access privileges.

Section Application Security.

(a) Each Covered Entity's cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity's technology environment.

(b) All such procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.

Section Risk Assessment.

(a) Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity's Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity's Information Systems, Nonpublic Information or business operations. The Covered Entity's Risk Assessment shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the Covered Entity's business operations related to cybersecurity, Nonpublic Information collected or stored, Information Systems utilized and the availability and effectiveness of controls to protect Nonpublic Information and Information Systems.

(b) The Risk Assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include: (1) criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity; (2) criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity's Information Systems and Nonpublic Information, including the adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.

Section Cybersecurity Personnel and Intelligence.

(a) Cybersecurity Personnel and Intelligence.
In addition to the requirements set forth in section (a) of this Part, each Covered Entity shall: (1) utilize qualified cybersecurity personnel of the Covered Entity, an Affiliate or a Third Party Service Provider sufficient to manage the Covered Entity's cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section (b)(1)-(6) of this Part; (2) provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and (3) verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.

(b) A Covered Entity may choose to utilize an Affiliate or qualified Third Party Service Provider to assist in complying with the requirements set forth in this Part, subject to the requirements set forth in section of this Part.

Section Third Party Service Provider Security Policy.

(a) Third Party Service Provider Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible

to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable: (1) the identification and risk assessment of Third Party Service Providers; (2) minimum cybersecurity practices required to be met by such Third Party Service Providers in order for them to do business with the Covered Entity; (3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third Party Service Providers; and (4) periodic assessment of such Third Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.

(b) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers including to the extent applicable guidelines addressing: (1) the Third Party Service Provider's policies and procedures for access controls, including its use of Multi-Factor Authentication as required by section of this Part, to limit access to relevant Information Systems and Nonpublic Information; (2) the Third Party Service Provider's policies and procedures for use of encryption as required by section of this Part to protect Nonpublic Information in transit and at rest; (3) notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity's Information Systems or the Covered Entity's Nonpublic Information being held by the Third Party Service Provider; and (4) representations and warranties addressing the Third Party Service Provider's cybersecurity policies and procedures that relate to the security of the Covered Entity's Information Systems or Nonpublic Information.

(c) Limited Exception.
An agent, employee, representative or designee of a Covered Entity who is itself a Covered Entity need not develop its own Third Party Information Security Policy pursuant to this section if the agent, employee, representative or designee follows the policy of the Covered Entity that is required to comply with this Part.

Section Multi-Factor Authentication.

(a) Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.

(b) Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity's internal networks from an external network, unless the Covered Entity's CISO has approved in writing the use of reasonably equivalent or more secure access controls.

Section Limitations on Data Retention.

As part of its cybersecurity program, each Covered Entity shall include policies and procedures for the secure disposal on a periodic basis of any Nonpublic Information identified in section (g)(2)-(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.

Section Training and Monitoring.

As part of its cybersecurity program, each Covered Entity shall: (a) implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and (b) provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.

Section Encryption of Nonpublic Information.

(a) As part of its cybersecurity program, based on its Risk Assessment, each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest. (1) To the extent a Covered Entity determines that encryption of Nonpublic Information in transit over external networks is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity's CISO. (2) To the extent a Covered Entity determines that encryption of Nonpublic Information at rest is infeasible, the Covered Entity may instead secure such Nonpublic Information using effective alternative compensating controls reviewed and approved by the Covered Entity's CISO.
(b) To the extent that a Covered Entity is utilizing compensating controls under (a) above, the feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.

Section Incident Response Plan.

(a) As part of its cybersecurity program, each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity's Information Systems or the continuing functionality of any aspect of the Covered Entity's business or operations.

(b) Such incident response plan shall address the following areas: (1) the internal processes for responding to a Cybersecurity Event;

(2) the goals of the incident response plan; (3) the definition of clear roles, responsibilities and levels of decision-making authority; (4) external and internal communications and information sharing; (5) identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls; and (6) documentation and reporting regarding Cybersecurity Events and related incident response activities; (7) the evaluation and revision as necessary of the incident response plan following a Cybersecurity Event.

Section Notices to Superintendent.

(a) Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following: (1) Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

(b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by February 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.
Section Confidentiality.

Information provided by a Covered Entity pursuant to this Part is subject to exemptions from disclosure under the Banking Law, Insurance Law, Financial Services Law, Public Officers Law or any other applicable state or federal law.

Section Exemptions.

(a) Limited Exemption. Each Covered Entity with:

(1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates, shall be exempt from the requirements of sections , , , , , , , , and of this Part.

(b) An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity.

(c) A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from the requirements of sections , , , , , , , , , , , and of this Part.

(d) A Covered Entity under Article 70 of the Insurance Law that does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) shall be exempt from the requirements of sections , , , , , , , , , , , and of this Part.

(e) A Covered Entity that qualifies for any of the above exemptions pursuant to this section shall file a Notice of Exemption in the form set forth as Appendix B within 30 days of the determination that the Covered Entity is exempt.
(f) The following Persons are exempt from the requirements of this Part, provided such Persons do not otherwise qualify as a Covered Entity for purposes of this Part: Persons subject to Insurance Law section 1110; Persons subject to Insurance Law section 5904; and any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125.

(g) In the event that a Covered Entity, as of its most recent fiscal year end, ceases to qualify for an exemption, such Covered Entity shall have 180 days from such fiscal year end to comply with all applicable requirements of this Part.

Section Enforcement.

This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent's authority under any applicable laws.

Section Effective Date.

This Part will be effective March 1, Covered Entities will be required to annually prepare and submit to the superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations under section (b) of this Part commencing February 15,

Section Transitional Periods.

(a) Transitional Period. Covered Entities shall have 180 days from the effective date of this Part to comply with the requirements set forth in this Part, except as otherwise specified.

(b) The following provisions shall include additional transitional periods. Covered Entities shall have: (1) One year from the effective date of this Part to comply with the requirements of sections (b), , , , and (b) of this Part. (2) Eighteen months from the effective date of this Part to comply with the requirements of sections , , , (a) and of this Part. (3) Two years from the effective date of this Part to comply with the requirements of section of this Part.

Section Severability.

If any provision of this Part or the application thereof to any Person or circumstance is adjudged invalid by a court of competent jurisdiction, such judgment shall not affect or impair the validity of the other provisions of this Part or the application thereof to other Persons or circumstances.

APPENDIX A (Part 500)

(Covered Entity Name)

February 15, 20

Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations

The Board of Directors or a Senior Officer(s) of the Covered Entity certifies:

(1) The Board of Directors (or name of Senior Officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary;

(2) To the best of the (Board of Directors) or (name of Senior Officer(s)) knowledge, the Cybersecurity Program of (name of Covered Entity) as of (date of the Board Resolution or Senior Officer(s) Compliance Finding) for the year ended (year for which Board Resolution or Compliance Finding is provided) complies with Part.

Signed by the Chairperson of the Board of Directors or Senior Officer(s)

(Name) Date:

[DFS Portal Filing Instructions]

APPENDIX B (Part 500)

(Covered Entity Name)

(Date)

Notice of Exemption

In accordance with 23 NYCRR (e), (Covered Entity Name) hereby provides notice that (Covered Entity Name) qualifies for the following Exemption(s) under 23 NYCRR (check all that apply):

Section (a)(1)
Section (a)(2)
Section (a)(3)
Section (b)
Section (c)
Section (d)

If you have any question or concerns regarding this notice, please contact: (Insert name, title, and full contact information)

(Name) (Title) (Covered Entity Name) Date:

[DFS Portal Filing Instructions]

FREQUENTLY ASKED QUESTIONS REGARDING 23 NYCRR PART 500

Effective March 1, 2017, the Superintendent of Financial Services promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. The following provides answers to frequently asked questions concerning 23 NYCRR Part 500. Terms used below have the meanings assigned to them in 23 NYCRR Please note that the Department may revise or update the below information from time to time, as appropriate.

1. Is a Covered Entity entitled to an exemption under Section (b) if that Covered Entity is an employee, agent, representative or designee of more than one other Covered Entity?

Section (b) states that a Covered Entity who is an "employee, agent, representative or designee of a Covered Entity... is exempt from" 23 NYCRR Part 500 and "need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity" (emphasis added). This exemption requires an entire employee, agent, representative or designee to be fully covered by the program of another Covered Entity. Therefore, a Covered Entity who is an employee, agent, representative or designee of more than one other Covered Entity will only qualify for a Section (b) exemption where the cybersecurity program of at least one of its parent Covered Entities fully covers all aspects of the employee's, agent's, representative's or designee's business.

2. Does a Covered Entity that qualifies for an exemption under 23 NYCRR Section (b) need to file a notice of exemption?

Yes. 23 NYCRR subsections (a) through (d) set forth certain limited exemptions from different requirements of Part 500.
Pursuant to 23 NYCRR Section (e): "[a] Covered Entity that qualifies for any of the above exemptions pursuant to this section shall file a Notice of Exemption" (emphasis added).

3. Under Section (b), can the requirement that the CISO report in writing at least annually "to the Covered Entity's board of directors" (the "board") be met by reporting to an authorized subcommittee of the board?

No. The Department emphasizes that a well-informed board is a crucial part of an effective cybersecurity program and the CISO's reporting to the full board is important to enable the board to assess the Covered Entity's governance, funding, structure and effectiveness as well as compliance with 23 NYCRR Part 500 or other applicable laws or regulations.

4. Can a Covered Entity file a notice of exemption on behalf of its employees or agents?

By permission, the Department will approve certain Covered Entities to file notices of exemption on behalf of their employees or captive agents who are also Covered Entities. This option will only be available for filings of 50 or more employees or captive agents and only if all employees or captive agents qualify for the same exemptions. Covered Entities with over 50 employees or agents on whose behalf they have authority to file should contact the Department at CyberRegComments@dfs.ny.gov from the to which your Cybersecurity portal account is associated with the following instructions. The Department will coordinate with the Covered Entity to submit a one-time filing form to effectuate an exemption filing for multiple covered entities. On the spreadsheet, the submitter will need to provide the first and last name, DFS identification number, type of license, and for every employee or captive agent. After approval, the Department will send more detailed instructions and the exemption spreadsheet. In the event that there is a need for additional names or captive agents after the initial submission, the submitter will be able to submit a supplemental form through the portal.
The Department emphasizes that the employee or captive agent, for whom the Covered Entity is filing, continues to be ultimately responsible in ensuring compliance with 23 NYCRR Part 500. It remains the responsibility of the employee or captive agent to notify the Department of any changes in their status.

5. When is an unsuccessful attack a Cybersecurity Event that has or had a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity under the reporting requirements of 23 NYCRR Section (a)(2)?

The Department recognizes that Covered Entities are regularly subject to many attempts to gain unauthorized access to, disrupt or misuse Information Systems and the information stored on them, and that many of these attempts are thwarted by the Covered Entities' cybersecurity programs. The Department anticipates that most unsuccessful attacks will not be reportable, but seeks the reporting of those unsuccessful attacks that, in the considered judgment of the Covered Entity, are sufficiently serious to raise a concern. For example, notice to the Department under 23 NYCRR Section (a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature.

The Department believes that analysis of unsuccessful threats is critically important to the ongoing development and improvement of cybersecurity programs, and Covered Entities are encouraged to continually develop their threat assessment programs. Notice of the especially serious unsuccessful attacks may be useful to the Department in carrying out its broader supervisory responsibilities, and the knowledge shared through such notice can be used to timely improve cybersecurity generally across the industries regulated by the Department. Accordingly, Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity's understanding of the risks it faces. For example, in making a judgment as to whether a particular unsuccessful attack should be reported, a Covered Entity might consider whether handling the attack required measures or resources well beyond those ordinarily used by the Covered Entity, like exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps.

The Department recognizes that Covered Entities' focus should be on preventing cybersecurity attacks and improving systems to protect the institution and its customers. The Department's notice requirement is intended to facilitate information sharing about serious events that threaten an institution's integrity and that may be relevant to the Department's overall supervision of the financial services industries. The Department trusts that Covered Entities will exercise appropriate judgment as to which unsuccessful attacks must be reported and does not intend to penalize Covered Entities for the exercise of honest, good faith judgment.

6. Are the New York branches of out-of-state domestic banks required to comply with 23 NYCRR Part 500?
New York is a signatory to the Nationwide Cooperative Agreement, Revised as of December 9, 1997 (the "Agreement"), an agreement among state banking regulators that addresses supervision in an interstate branching environment. Pursuant to the Agreement, the home state of a state-chartered bank with a branch or branches in New York under Article V-C of the New York Banking Law is primarily responsible for supervising such state-chartered bank, including its New York branches. In keeping with the Agreement's goals of interstate coordination and cooperation with respect to the supervision and examination of bank branches, including compliance with applicable laws, DFS will defer to the home state supervisor for supervision and examination of the New York branches, with the understanding that DFS is available to coordinate and work with the home state in such supervision and examination. DFS notes that New York branches are required to comply with New York state law, and DFS maintains the right to examine branches located in New York. With respect to DFS's cybersecurity regulation, given the ever-increasing cybersecurity risks that financial institutions face, DFS strongly encourages all financial institutions, including New York branches of out-of-state domestic banks, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part

How must a Covered Entity address cybersecurity issues with respect to its subsidiaries and other affiliates?

When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity's Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity's Risk Assessment, cybersecurity program and cybersecurity policies (see 23 NYCRR Sections , and , respectively). Other regulatory requirements may also apply, depending on the individual facts and circumstances.

8.
If a Covered En ty qualifies for a limited exemp on, does it need to comply with 23 NYCRR Part 500? The exemp ons listed in 23 NYCRR Part are limited in scope. These exemp ons have been tailored to address par cular circumstances and include requirements that the Department believes are necessary for these exempted en es. As such, Covered En es that qualify for those exemp ons are only exempt from complying with certain provisions as set forth in the regula on, but must comply with the sec ons listed in the exemp on that applies to that Covered En ty. 9. Under 23 NYCRR (a), is a Covered En ty required to give no ce to the Department when a Cybersecurity Event involves harm to consumers? Yes. 23 NYCRR (a) must be read in combina on with other laws and regula ons that apply to consumer privacy. Under 23 NYCRR (a)(1), a Covered En ty must give no ce to the Department of any Cybersecurity Event of which no ce is required to be provided to any government body, self-regulatory agency or any other supervisory body, which includes many Cybersecurity Events that involve consumer harm, whether actual or poten al. To offer just one example, New York s informa on security breach and no fica on law requires no ces to affected consumers and to certain government bodies following a data breach. Under 23 NYCRR (a)(1), when such a data breach cons tutes a Cybersecurity Event, it must also be reported to the Department. In addi on, under 23 NYCRR (a)(2), Cybersecurity Events must be reported to the Department if they have a reasonable likelihood of materially harming any material part of the normal opera on(s) of the Covered En ty. To the extent a Cybersecurity Event involves material consumer harm, it is covered by this provision. 10. Is a Covered En ty required to give no ce to consumers affected by a Cybersecurity Event? 
New York's information security breach and notification law (General Business Law Section 899-aa), requires notice to consumers who have been affected by cybersecurity incidents. Further, under 23 NYCRR Part 500, a Covered Entity's cybersecurity program and policy must address, to the extent applicable, consumer data privacy and other consumer protection issues. Additionally, Part 500 requires that Covered Entities address as part of their incident response plans external communications in the aftermath of a breach, which includes communication with affected customers. Thus, a Covered Entity's cybersecurity program and policies will need to address notice to consumers in order to be consistent with the risk-based requirements of 23 NYCRR Part

May a Covered Entity adopt portions of an Affiliate's cybersecurity program without adopting all of it?

A Covered Entity may adopt an Affiliate's cybersecurity program in whole or in part, as long as the Covered Entity's overall cybersecurity program meets all requirements of 23 NYCRR Part 500. The Covered Entity remains responsible for full compliance with the requirements of 23 NYCRR Part 500. To the extent a Covered Entity relies on an Affiliate's cybersecurity program in whole or in part, that program must be made available for examination by the Department.

12. May the certification requirement of 23 NYCRR (b) be met by an Affiliate?

No. Each Covered Entity is required to annually certify its compliance with Part 500 as required by 23 NYCRR (b).

13. To the extent a Covered Entity uses an employee of an Affiliate as its Chief Information Security Officer ("CISO"), is the Covered Entity required to satisfy the requirements of 23 NYCRR (a)(2)-(3)?

To the extent a Covered Entity utilizes an employee of an Affiliate to serve as the Covered Entity's CISO for purposes of 23 NYCRR (a), the Affiliate is not considered a Third Party Service Provider for purposes of 23 NYCRR (a)(2)-(3). However, the Covered Entity retains full responsibility for compliance with the requirements of 23 NYCRR Part 500 at all times, including ensuring that the CISO responsible for the Covered Entity is performing the duties consistent with this Part.

14. Are the DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks required to comply with 23 NYCRR Part 500?

Yes. It is further noted that, in such cases, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office are subject to the applicable requirements of 23 NYCRR Part 500, whether through the branch's, agency's or representative office's development and implementation of its own cybersecurity program or through the adoption of an Affiliate's cybersecurity program.

15. Where interrelated requirements under 23 NYCRR Part 500 are subject to different transitional periods, when and to what extent are Covered Entities required to comply with currently applicable requirements that are impacted by separate requirements for which the applicable transitional period has not yet ended?

Covered Entities have 180 days from the March 1, 2017, effective date to come into compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified in 23 NYCRR While complying with currently applicable requirements under the final rule, Covered Entities are generally not required to comply with, or incorporate into their cybersecurity programs, provisions of the regulation for which the applicable transitional period has not yet ended. For example, while Covered Entities will be required to have a cybersecurity program as well as policies and procedures in place by August 28, 2017, the Department recognizes that in some cases there may be updates and revisions thereafter that incorporate the results of a Risk Assessment later conducted, or other elements of Part 500 that are subject to longer transitional periods.

16. Is a Covered Entity required to certify compliance with all the requirements of 23 NYCRR 500 on February 15, 2018?

Covered Entities are required to submit the first certification under 23 NYCRR (b) by February 15, This initial certification applies to and includes all requirements of 23 NYCRR Part 500 for which the applicable transitional period under 23 NYCRR has terminated prior to February 15, Accordingly, Covered Entities will not be required to submit certification of compliance with the requirements of 23 NYCRR (b), , , , , , , and until February 15, 2019, and certification of compliance with 23 NYCRR until February 15,

May a Covered Entity submit a certification under 23 NYCRR (b) if it is not yet in compliance with all applicable requirements of Part 500?

The Department expects full compliance with this regulation.
A Covered Entity may not submit a certification under 23 NYCRR (b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 at the time of certification. To the extent a particular requirement of Part 500 is subject to an ongoing transitional period under 23 NYCRR at the time of certification, that requirement would not be considered applicable for purposes of a certification under 23 NYCRR (b).

18. What constitutes "continuous monitoring" for purposes of 23 NYCRR ?

Effective continuous monitoring could be attained through a variety of technical and procedural tools, controls and systems. There is no specific technology that is required to be used in order to have an effective continuous monitoring program. Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity's Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. In contrast, non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute "effective continuous monitoring" for purposes of 23 NYCRR

When is a Covered Entity required to report a Cybersecurity Event under 23 NYCRR (a)?

23 NYCRR (a) requires Covered Entities to notify the superintendent of certain Cybersecurity Events as promptly as possible but in no event later than 72 hours from a determination that a reportable Cybersecurity Event has occurred. A Cybersecurity Event is reportable if it falls into at least one of the following categories: the Cybersecurity Event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or the Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity. An attack on a Covered Entity may constitute a reportable Cybersecurity Event even if the attack is not successful.

How should a Covered Entity submit Notices of Exemption, Certifications of Compliance and Notices of Cybersecurity Events?

Cybersecurity Notices of Exemption, Certifications of Compliance, and Notices of Cybersecurity Events should be filed electronically via the DFS Web Portal http:// You will first be prompted to create an account and log in to the DFS Web Portal, then directed to the filing interface. Filings made through the DFS Web Portal are preferred to alternative filing mechanisms because the DFS Web Portal provides a secure reporting tool to facilitate compliance with the filing requirements of 23 NYCRR Part

Can an entity be both a Covered Entity and a Third Party Service Provider under 23 NYCRR Part 500?

Yes. If an entity is both a Covered Entity and a Third Party Service Provider, the entity is responsible for meeting the requirements of 23 NYCRR Part 500 as a Covered Entity.

22. Are all Third Party Service Providers required to implement Multi-Factor Authentication and encryption when dealing with a Covered Entity?

23 NYCRR , among other things, generally requires a Covered Entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity's Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. 23 NYCRR (b) requires a Covered Entity to include in those policies and procedures guidelines, as applicable, addressing certain enumerated issues. Accordingly, 23 NYCRR (b) requires Covered Entities to make a risk assessment regarding the appropriate controls for Third Party Service Providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution.

Updated 09/06/2017

New York County Lawyers Association Professional Ethics Committee
Formal Opinion 749
February 21, 2017

TOPIC: A lawyer's ethical duty of technological competence with respect to the duty to protect a client's confidential information from cybersecurity risk and handling e-discovery when representing clients in a litigation or government investigation.

DIGEST: A lawyer's ethical duty of competence extends to the manner in which he provides legal services to the client as well as the lawyer's substantive knowledge of the pertinent areas of law. The duty of competence expands as technological developments become integrated into the practice of law. Lawyers should be aware of the disclosure risks associated with the transmission of client confidential information by electronic means, and should possess the technological knowledge necessary to exercise reasonable care with respect to maintaining client confidentiality and fulfilling e-discovery demands. Further, a lawyer's duty of competence in a litigation or investigation requires that the lawyer have a sufficient understanding of issues relating to securing, transmitting, and producing electronically stored information ("ESI"). The duty of technological competence required in a specific engagement will vary depending on the nature of the ESI at issue and the level of technological knowledge required. A lawyer fulfills his or her duty of technological competence if the lawyer possesses the requisite knowledge personally, acquires the requisite knowledge before performance is required, or associates with one or more persons who possess the requisite technological knowledge.

RULES OF PROFESSIONAL CONDUCT: 1.1, 1.6, 5.1, 5.3

OPINION

A lawyer has a duty to provide competent representation to a client, which requires that the lawyer demonstrate the legal knowledge, skill, thoroughness and preparation necessary for the representation. New York Rules of Professional Conduct ("RPCs"), RPC 1.1. A comment to the rule notes that "[t]o maintain the requisite knowledge and skill, a lawyer should ... (ii) keep abreast of the benefits and risks associated with technology the lawyer uses to provide services to clients or to store or transmit confidential information." RPC 1.1, Cmt. [8]. RPC 1.6 provides that a lawyer shall not knowingly reveal confidential information, as defined in this RPC, or use such information to the disadvantage of a client or for the advantage of the lawyer or a third person. RPC 1.6(c) further requires a lawyer to exercise reasonable care to prevent disclosure of information related to the representation by employees, associates and others whose services are utilized in connection with the representation.

Duty of Competence and Protection of Electronically Transmitted Client Information

Compliance with RPC 1.6 requires that lawyers who use technology to store or transmit a client's confidential information, or to communicate with clients, use reasonable care with respect to those uses. The lawyer must assess the risks associated with the use of that technology to determine if the use is appropriate under the circumstances. See, e.g., N.Y. State 709 (1998) ("an attorney must use reasonable care to protect confidences and secrets"); N.Y. City (lawyer must take reasonable steps to secure client confidences and secrets). Lawyers should be aware that the storage and transmission of a client's confidential information electronically carries a risk of disclosure if the stored or transmitted data is hacked, or if human, software or hardware error results in an inadvertent disclosure. Attacks on computer systems by those trying to gain confidential, proprietary, or other sensitive information for personal or political gain (including so-called "hacktivists") are reported with alarming frequency. Corporate clients have become proactive in attempting to ensure that their outside vendors, including lawyers, who have access to sensitive corporate information sufficiently protect that information from disclosure through inadvertence or cyber-attack. Individual clients are increasingly sensitive to the potential harm from widely reported data breaches, and similarly expect their lawyers to use appropriate measures to avoid unauthorized disclosure of personal data. In response to these concerns, at least 25 states have adopted rules regarding maintaining technological competence, including most recently Florida's rule, which mandates continuing legal education on the subject.
See, e.g., Florida Rules of Professional Conduct, Rule (b) (effective January 1, 2017, a Florida lawyer's CLE requirements will include 3 credit hours in approved technology programs); California Standing Committee on Professional Responsibility and Conduct Formal Op (concluding that an attorney lacking the required e-discovery competence must either acquire the requisite skill before performance is required, associate with technical consultants or competent counsel, or decline the representation). An overwhelming majority of lawyers recently surveyed who work in firms ranging from solo practitioners to over 500 attorneys believed training in the firm's technology is important. [1] Additionally, lawyers who represent clients who are located outside of New York may, in certain instances, be subject to laws in those other states that require a heightened level of protection of electronic communications. See, e.g., Mass. Gen. L. Ch. 93H, 201 C.M.R. 17 (requiring, where technically feasible, the encryption of personal information stored on portable devices and personal information transmitted across public networks or wirelessly); Nevada Senate Bill 227 (amending Nev. Rev. Stat and requiring that data collectors who conduct business in the state encrypt data storage devices including computers, cell phones and thumb drives that contain personal information that are moved outside the secured physical and logical boundaries of the data collecting entity).

[1] Legal Technology Survey Report, American Bar Association (2016).

Lawyers must have a sufficient understanding of the technology, either directly or through associating with persons possessing such knowledge, to determine how to satisfy the lawyer's duty of reasonable care. Reasonable care will vary depending on the circumstances, including the subject matter, the sensitivity of the information, the likelihood that the information is sought by others, and the potential harm from disclosure. See NYCLA Op. 738 (2008) (lawyer may not ethically search metadata made available through an adversary's inadvertent disclosure of client confidential information through metadata); N.Y. State 782 (2004) (addressing the exercise of reasonable care to prevent the disclosure of client confidential information through metadata).

Duty of Competence and Electronically Stored Information

Lawyers who represent clients in litigations, or in government or regulatory investigations, are well aware that often a significant aspect of the representation of the client is the collection, preservation and production of ESI. The ethical duty of competence requires an attorney to assess at the outset the e-discovery issues that may arise in the course of the representation, including the likelihood that e-discovery will or should be sought by either side, identification of likely electronic document custodians, and preservation and collection of potentially relevant ESI in an appropriate database that will permit the lawyer to search for responsive ESI during e-discovery. A lawyer's obligations with respect to ESI will be governed by applicable state or federal law. See, e.g., Fed. R. Civ. P. Rules 16, 26 and 37 (outlining a federal court litigant's obligations with respect to the presentation and production of ESI); Rules (b) and (g) of New York's Uniform Trial Court Rules (requiring all attorneys be sufficiently versed in matters relating to their client's technological systems to be competent to discuss all issues relating to electronic discovery at preliminary conferences). In addition, a lawyer's ethical duty of competence requires the lawyer to assess his or her own e-discovery skills and resources in order to meet these ESI demands. E-discovery needs in a particular matter may include (i) assessing e-discovery needs and ESI preservation procedures; (ii) identifying custodians of potentially relevant ESI; (iii) understanding the client's ESI system and storage; (iv) determining and advising the client on alternatives for the collection and preservation of ESI and associated costs; and (v) ensuring that the collection procedures, software and/or databases created will permit the lawyer to provide responsive ESI in an appropriate manner. If a lawyer lacks the requisite skills and/or resources, the attorney must try to acquire sufficient learning and skill, or associate with another attorney or expert who possesses these skills. RPC 1.1 (b) & Cmt., 1,Cmt. 8. Where a lawyer satisfies his or her duty of technological competence by associating with another lawyer or expert, the lawyer remains responsible for fulfilling the duty of competence, and must satisfy himself or herself that the work of the associated lawyer or expert is being done properly. The lawyer must understand the pertinent legal issues and the e-discovery obligations imposed by law or court order and the relevant risks associated with the e-discovery tasks at hand, and satisfy himself or herself that everyone involved in the e-discovery process on behalf of the client is conducting themselves accordingly. See RPCs 5.1, 5.3.

CONCLUSION

A lawyer's ethical duty of competence extends to the manner in which he or she provides legal services to the client as well as the lawyer's substantive knowledge of the relevant areas of law. Lawyers must be responsive to technological developments as they become integrated into the practice of law. A lawyer cannot knowingly reveal client confidential information, and must exercise reasonable care to ensure that the lawyer's employees, associates and others whose services are utilized by the lawyer not disclose or use client confidential information. The risks associated with transmission of client confidential information electronically include disclosure through hacking or technological inadvertence. A lawyer's duty of technological competence may include having the requisite technological knowledge to reduce the risk of disclosure of client information through hacking or errors in technology where the practice requires the use of technology to competently represent the client. A lawyer's competence with respect to litigation requires that the lawyer possesses a sufficient understanding of issues relating to securing, transmitting, and producing ESI. The duty of competence in a specific engagement will vary depending on the nature of the ESI at issue and the level of technological knowledge required. A lawyer fulfills his or her duty of competence with respect to technology if the lawyer possesses the requisite knowledge personally, acquires the requisite knowledge in a timely manner and before performance is required, or associates with one or more persons who possess the requisite technological knowledge. If a lawyer is unable to satisfy the duty of technological competence associated with a matter, the lawyer should decline the representation.

THE PROFESSIONAL ETHICS COMMITTEE FOR THE STATE BAR OF TEXAS
Opinion No. 648
April 2015

QUESTION PRESENTED

Under the Texas Disciplinary Rules of Professional Conduct, may a lawyer communicate confidential information by email?

STATEMENT OF FACTS

Lawyers in a Texas law firm represent clients in family law, employment law, personal injury, and criminal law matters. When they started practicing law, the lawyers typically delivered written communication by facsimile or the U.S. Postal Service. Now, most of their written communication is delivered by web-based email, such as unencrypted Gmail. Having read reports about accounts being hacked and the National Security Agency obtaining communications without a search warrant, the lawyers are concerned about whether it is proper for them to continue using email to communicate confidential information.

DISCUSSION

The Texas Disciplinary Rules of Professional Conduct do not specifically address the use of email in the practice of law, but they do provide for the protection of confidential information, defined broadly by Rule 1.05(a) to include both privileged and unprivileged client information, which might be transmitted by email. Rule 1.05(b) provides that, except as permitted by paragraphs (c) and (d) of the Rule:

a lawyer shall not knowingly:
(1) Reveal confidential information of a client or former client to:
(i) a person that the client has instructed is not to receive the information; or
(ii) anyone else, other than the client, the client's representatives, or the members, associates, or employees of the lawyer's law firm.

A lawyer violates Rule 1.05 if the lawyer knowingly reveals confidential information to any person other than those persons who are permitted or required to receive the information under paragraphs (b), (c), (d), (e), or (f) of the Rule. The Terminology section of the Rules states that "'[k]nowingly' ... denotes actual knowledge of the fact in question" and that a person's knowledge may be inferred from circumstances. A determination of whether a lawyer violates the Disciplinary Rules, as opposed to fiduciary obligations, the law, or best practices, by sending an email containing confidential information, requires a case-by-case evaluation of whether that lawyer knowingly revealed confidential information to a person who was not permitted to receive that information under Rule

The concern about sending confidential information by email is the risk that an unauthorized person will gain access to the confidential information. While this Committee has not addressed the propriety of communicating confidential information by email, many other ethics committees have, concluding that, in general, and except in special circumstances, the use of email, including unencrypted email, is a proper method of communicating confidential information. See, e.g., ABA Comm. on Ethics and Prof'l Responsibility, Formal Op (1999); ABA Comm. on Ethics and Prof'l Responsibility, Formal Op (2011); State Bar of Cal. Standing Comm. on Prof'l Responsibility and Conduct, Formal Op (2010); Prof'l Ethics Comm. of the Maine Bd. of Overseers of the Bar, Op. No. 195 (2008); N.Y. State Bar Ass'n Comm. on Prof'l Ethics, Op. 820 (2008); Alaska Bar Ass'n Ethics Comm., Op (1998); D.C. Bar Legal Ethics Comm., Op. 281 (1998); Ill. State Bar Ass'n Advisory Opinion on Prof'l Conduct, Op (1997); State Bar Ass'n of N.D. Ethics Comm., Op. No (1997); S.C. Bar Ethics Advisory Comm., Ethics Advisory Op (1997); Vt. Bar Ass'n, Advisory Ethics Op. No (1997).

Those ethics opinions often make two points in support of the conclusion that communication is proper. First, the risk an unauthorized person will gain access to confidential information is inherent in the delivery of any written communication including delivery by the U.S. Postal Service, a private mail service, a courier, or facsimile. Second, persons who use email have a reasonable expectation of privacy based, in part, upon statutes that make it a crime to intercept emails. See, e.g., Alaska Bar Ass'n Ethics Comm. Op (1998); D.C. Bar Legal Ethics Comm., Op. 281 (1998). The statute cited in those opinions is the Electronic Communication Privacy Act (ECPA), which makes it a crime to intercept electronic communication, to use the contents of the intercepted email, or to disclose the contents of intercepted email. U.S.C et seq. Importantly, the statute provides that "[n]o otherwise privileged ... electronic communication intercepted in accordance with, or in violation of, the provisions of this chapter shall lose its privileged character." 18 U.S.C. 2517(4).

The ethics opinions from other jurisdictions are instructive, as is Texas Professional Ethics Committee Opinion 572 (June 2006). The issue in Opinion 572 was whether a lawyer may, without the client's express consent, deliver the client's privileged information to a copy service hired by the lawyer to perform services in connection with the client's representation. Opinion 572 concluded that a lawyer may disclose privileged information to an independent contractor if the lawyer reasonably expects that the independent contractor will not disclose or use such items or their contents except as directed by the lawyer and will otherwise respect the confidential character of the information.

In general, considering the present state of technology and usage, a lawyer may communicate confidential information by email. In some circumstances, however, a lawyer should consider whether the confidentiality of the information will be protected if communicated by email and whether it is prudent to use encrypted email or another form of communication. Examples of such circumstances are:

1. communicating highly sensitive or confidential information via email or unencrypted connections;
2. sending an email to or from an account that the sender or recipient shares with others;
3. sending an email to a client when it is possible that a third person (such as a spouse in a divorce case) knows the password to the account, or to an individual client at that client's work account, especially if the email relates to a client's employment dispute with his employer (see ABA Comm. on Ethics and Prof'l Responsibility, Formal Op (2011));
4. sending an email from a public computer or a borrowed computer or where the lawyer knows that the emails the lawyer sends are being read on a public or borrowed computer or on an unsecure network;
5. sending an email if the lawyer knows that the recipient is accessing the email on devices that are potentially accessible to third persons or are not protected by a password; or
6. sending an email if the lawyer is concerned that the NSA or other law enforcement agency may read the lawyer's communication, with or without a warrant.

In the event circumstances such as those identified above are present, to prevent the unauthorized or inadvertent disclosure of confidential information, it may be appropriate for a lawyer to advise and caution a client as to the dangers inherent in sending or accessing emails from computers accessible to persons other than the client. A lawyer should also consider whether circumstances are present that would make it advisable to obtain the client's informed consent to the use of email communication, including the use of unencrypted email. See Texas Rule 1.03(b) and ABA Comm. on Ethics and Prof'l Responsibility, Formal Op (2011). Additionally, a lawyer's evaluation of the lawyer's technology and practices should be ongoing as there may be changes in the risk of interception of communication over time that would indicate that certain or perhaps all communications should be sent by other means.

Under Rule 1.05, the issue in each case is whether a lawyer who sent an email containing confidential information knowingly revealed confidential information to a person who was not authorized to receive the information. The answer to that question depends on the facts of each case. Since a knowing disclosure can be based on actual knowledge or can be inferred, each lawyer must decide whether he or she has a reasonable expectation that the confidential character of the information will be maintained if the lawyer transmits the information by email.

This opinion discusses a lawyer's obligations under the Texas Disciplinary Rules of Professional Conduct, but it does not address other issues such as a lawyer's fiduciary obligations or best practices with respect to communications. Furthermore, it does not address a lawyer's obligations under various statutes, such as the Health Insurance Portability and Accountability Act (HIPAA), which may impose other duties.

CONCLUSION

Under the Texas Disciplinary Rules of Professional Conduct, and considering the present state of technology and usage, a lawyer may generally communicate confidential information by email. Some circumstances may, however, cause a lawyer to have a duty to advise a client regarding risks incident to the sending or receiving of emails arising from those circumstances and to consider whether it is prudent to use encrypted email or another form of communication.

ETHICS OPINION 1019

New York State Bar Association Committee on Professional Ethics

Opinion 1019 (8/6/2014)

Topic: Confidentiality; Remote Access to Firm's Electronic Files

Digest: A law firm may give its lawyers remote access to client files, so that lawyers may work from home, as long as the firm determines that the particular technology used provides reasonable protection to client confidential information, or, in the absence of such reasonable protection, if the law firm obtains informed consent from the client, after informing the client of the risks.

Rules: 1.0(j), 1.5(a), 1.6, 1.6(a), 1.6(b), 1.6(c), 1.15(d).

QUESTION

1. May a law firm provide its lawyers with remote access to its electronic files, so that they may work from home?

OPINION

2. Our committee has often been asked about the application of New York's ethical rules -- now the Rules of Professional Conduct -- to the use of modern technology. While some of our technology opinions involve the application of the advertising rules to advertising using electronic means, many involve other ethical issues. See, e.g.:

N.Y. State 680 (1996). Retaining records by electronic imaging during the period required by DR 9-102(D) [now Rule 1.15(d)].
N.Y. State 709 (1998). Operating a trademark law practice over the internet and using e-mail.
N.Y. State 782 (2004). Use of electronic documents that may contain "metadata".
N.Y. State 820 (2008). Use of an e-mail service provider that conducts computer scans of e-mails to generate computer advertising.
N.Y. State 833 (2009). Whether a lawyer must respond to unsolicited e-mails requesting representation.
N.Y. State 842 (2010). Use of a "cloud" data storage system to store and back up client confidential information.
N.Y. State 940 (2012). Storage of confidential information on off-site backup tapes.
N.Y. State 950 (2012). Storage of e-mails in electronic rather than paper form.

3. Much of our advice in these opinions turns on whether the use of technology would violate the lawyer's duty to preserve the confidential information of the client. Rule 1.6(a) sets forth a simple prohibition against disclosure of such information, i.e. "A lawyer shall not knowingly reveal confidential information, as defined in this Rule... unless... the client gives informed consent, as defined in Rule 1.0(j)." In addition, Rule 1.6(c) provides that a lawyer must "exercise reasonable care to prevent... others whose services are utilized by the lawyer from disclosing or using confidential information of a client" except as provided in Rule 1.6(b).

4. Comment 17 to Rule 1.6 provides some additional guidance that reflects the advent of the information age:

[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. The duty does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to use a means of communication or security measures not required by this Rule, or may give informed consent (as in an engagement letter or similar document) to the use of means or measures that would otherwise be prohibited by this Rule.

5. As is clear from Comment 17, the key to whether a lawyer may use any particular technology is whether the lawyer has determined that the technology affords reasonable protection against disclosure and that the lawyer has taken reasonable precautions in the use of the technology.

6. In some of our early opinions, despite language indicating that the inquiring lawyer must make the reasonableness determination, this Committee had reached general conclusions. In N.Y. State 709, we concluded that there is a reasonable expectation that e-mails will be as private as other forms of telecommunication, such as telephone or fax machine, and that a lawyer ordinarily may utilize unencrypted e-mail to transmit confidential information, unless there is a heightened risk of interception. We also noted, however, that "when the confidential information is of such an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer's control, the lawyer must select a more secure means of communication than unencrypted internet e-mail." Moreover, we said the lawyer was obligated to stay abreast of evolving technology to assess changes in the likelihood of interception, as well as the availability of improved technologies that might reduce the risks at a reasonable cost.

7. In N.Y. State 820, we approved the use of an internet service provider that scanned e-mails to assist in providing user-targeted advertising, in part based on the published privacy policies of the provider.

8. Our more recent opinions, however, put the determination of reasonableness squarely on the inquiring lawyer. See, e.g. N.Y. State 842, 940, 950. For example, in N.Y. State 842, involving the use of "cloud" data storage, we were told that the storage system was password protected and that data stored in the system was encrypted. We concluded that the lawyer could use such a system, but only if the lawyer took reasonable care to ensure that the system was secure and that client confidentiality would be maintained. We said that "reasonable care" to protect a client's confidential information against unauthorized disclosure may include consideration of the following steps:

(1) Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
(2) Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
(3) Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or
(4) Investigating the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.

Moreover, in view of rapid changes in technology and the security of stored data, we suggested that the lawyer should periodically reconfirm that the provider's security measures remained effective in light of advances in technology. We also warned that, if the lawyer learned information suggesting that the security measures used by the online data storage provider were insufficient to adequately protect the confidentiality of client information, or if the lawyer learned of any breaches of confidentiality by the provider, then the lawyer must discontinue use of the service unless the lawyer received assurances that security issues had been sufficiently remediated.

9. Cyber-security issues have continued to be a major concern for lawyers, as cyber-criminals have begun to target lawyers to access client information, including trade secrets, business plans and personal data. Lawyers can no longer assume that their document systems are of no interest to cybercrooks. That is particularly true where there is outside access to the internal system by third parties, including law firm employees working at other firm offices, at home or when traveling, or clients who have been given access to the firm's document system. See, e.g. Matthew Goldstein, "Law Firms Are Pressed on Security For Data," N.Y. Times (Mar. 22, 2014) at B1 (corporate clients are demanding that their law firms take more steps to guard against online intrusions that could compromise sensitive information as global concerns about hacker threats mount; companies are asking law firms to stop putting files on portable thumb drives, e-mailing them to non-secure iPads or working on computers linked to a shared network in countries like China or Russia where hacking is prevalent); Joe Dysart, "Moving Targets: New Hacker Technology Threatens Lawyers' Mobile Devices," ABA Journal 25 (September 2012); Rachel M. Zahorsky, "Being Insecure: Firms are at Risk Inside and Out," ABA Journal 32 (June 2013); Sharon D. Nelson, John W. Simek & David G. Ries, Locked Down: Information Security for Lawyers (ABA Section of Law Practice Management, 2012).

10. In light of these developments, it is even more important for a law firm to determine that the technology it will use to provide remote access (as well as the devices that firm lawyers will use to effect remote access), provides reasonable assurance that confidential client information will be protected. Because of the fact-specific and evolving nature of both technology and cyber risks, we cannot recommend particular steps that would constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients, including the degree of password protection to ensure that persons who access the system are authorized, the degree of security of the devices that firm lawyers use to gain access, whether encryption is required, and the security measures the firm must use to determine whether there has been any unauthorized access to client confidential information. However, assuming that the law firm determines that its precautions are reasonable, we believe it may provide such remote access. When the law firm is able to make a determination of reasonableness, we do not believe that client consent is necessary.

11. Where a law firm cannot conclude that its precautions would provide reasonable protection to client confidential information, Rule 1.6(a) allows the law firm to request the client's informed consent. See also Comment 17 to Rule 1.6, which provides that a client may give informed consent (as in an engagement letter or similar document) to the use of means that would otherwise be prohibited by the rule. In N.Y. State 842, however, we stated that the obligation to preserve client confidential information extends beyond merely prohibiting an attorney from revealing confidential information without client consent. A lawyer must take reasonable care to affirmatively protect a client's confidential information. Consequently, we believe that before requesting client consent to a technology system used by the law firm, the firm must disclose the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is "informed" within the meaning of Rule 1.0(j), i.e. that the client has information adequate to make an informed decision.

CONCLUSION

12. A law firm may use a system that allows its lawyers to access the firm's document system remotely, as long as it takes reasonable steps to ensure that confidentiality of information is maintained. Because of the fact-specific and evolving nature of both technology and cyber risks, this Committee cannot recommend particular steps that constitute reasonable precautions to prevent confidential information from coming into the hands of unintended recipients. If the firm cannot conclude that its security precautions are reasonable, then it may request the informed consent of the client to its security precautions, as long as the firm discloses the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is "informed" within the meaning of Rule 1.0(j).

ISBA Advisory Opinion on Professional Conduct

ISBA Advisory Opinions on Professional Conduct are prepared as an educational service to members of the ISBA. While the Opinions express the ISBA interpretation of the Illinois Rules of Professional Conduct and other relevant materials in response to a specific hypothesized fact situation, they do not have the weight of law and should not be relied upon as a substitute for individual legal advice.

This Opinion was AFFIRMED by the Board of Governors in January This opinion was affirmed based on its general consistency with the 2010 Rules, although the specific standards referenced in it may be different from the 2010 Rules. Readers are encouraged to review and consider other applicable Rules and Comments, as well as any applicable case law or disciplinary decisions.

Opinion No
July 2009

Topic: Law firm's maintenance of confidential information while working with third-party technology vendor

Digest: A law firm's utilization of an off-site network administrator to assist in the operation of its law practice will not violate the Illinois Rules of Professional Conduct regarding the confidentiality of client information if the law firm makes reasonable efforts to ensure the protection of confidential client information

Ref.:
Illinois Rules of Professional Conduct Rules 1.6(a), 5.3, 1.4(b)
ISBA Advisory Opinion No (May 2004)
ISBA Advisory Opinion No (May 1997)
ABA Formal Opinion Nos (Oct. 27, 1995), (Aug. 5, 2008); (March 10, 1999).
In re Estate of Divine, 263 Ill. App. 3d 799, 635 N.E.2d 581 (1st Dist. 1994)
Massachusetts Bar Association Ethics Opinion No
Restatement (Third) of the Law Governing Lawyers § 60 (2000)
Electronic Communications Privacy Act, 18 U.S.C

FACTS

A law firm would like to have its computer network managed by an off-site third party vendor for the purpose of monitoring the server and responding to any problems which may develop on the firm's network. In order to respond to such problems, the vendor would need to have access to the firm's network in which electronic client files are stored. The sole purpose of the vendor's access to the network would be for administration of the computer system. Moreover, the law firm and vendor would enter into a written agreement whereby the vendor would agree to respect and maintain the confidentiality of the information within the network, and to not utilize or disclose it.

QUESTIONS

1. What ethical issues should be considered if a law firm utilizes an off-site network administrator to assist in the operation of the law practice if the firm's server were located at the firm and the vendor had remote access, or alternatively, if the server were physically located at the vendor?

2. Would either arrangement violate the Illinois Rules of Professional Conduct regarding the confidentiality of client information?

OPINION

The ethical issues that should be considered if a law firm utilizes an off-site network administrator to assist in the operation of its law practice principally involve two of the Illinois Rules of Professional Conduct ("RPC"): RPC 1.6(a) and 5.3.

RPC 1.6(a), entitled, "Confidentiality of Information," provides: "Except when required under Rule 1.6(b) or permitted under Rule 1.6(c), a lawyer shall not, during or after termination of the professional relationship with the client, use or reveal a confidence or secret of the client known to the lawyer unless the client consents after disclosure." The RPCs define "confidence" as "information protected by the lawyer-client privilege under applicable law."
RPC 5.3, entitled, "Responsibilities Regarding Nonlawyer Assistants," provides:

With respect to a nonlawyer employed or retained by or associated with a lawyer:

(a) The lawyer, and, in a law firm, each partner, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the nonlawyer's conduct is compatible with the professional obligations of the lawyer and the firm;

(b) each lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the nonlawyer's conduct is compatible with the professional obligations of the lawyer; and

(c) a lawyer shall be responsible for a nonlawyer's conduct that would be a violation of these Rules if engaged in by a lawyer if:

(1) the lawyer orders or, with knowledge of the specific conduct, ratifies the conduct involved; or

(2) the lawyer is a partner in the law firm, or has direct supervisory authority over the nonlawyer, and knows of the nonlawyer's conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.

Here, because the offsite third-party computer vendor ("Vendor"), a nonlawyer, would have access to client files when monitoring and administering the law firm's network, the contents of these files must be protected from disclosure under RPCs 1.6(a) and 5.3. Thus, the law firm giving access to the Vendor to information in client files must make reasonable efforts to ensure that the Vendor either has in place or will institute reasonable procedures to safeguard the confidentiality of the client information.

This same scenario was addressed by the American Bar Association ("ABA") in Formal Op , wherein the ABA acknowledged that in this age of rapidly developing technology, it is now commonplace to retain nonlawyers to perform numerous functions, including accounting, data processing and storage, printing, photocopying, computer servicing and paper disposal. Because the use of such outside service providers inevitably requires giving them access to client files, lawyers must make reasonable efforts to ensure that the service provider will not make unauthorized disclosures of client information. ABA Op To that end, the law firm should obtain from the Vendor a written statement of the Vendor's assurance of confidentiality with respect to the electronic client files stored on the network. ABA Op

The ABA subsequently issued Formal Op (Aug. 5, 2008), in which it remarked that there is nothing unethical about a lawyer outsourcing nonlegal services, including the use of a third-party vendor to maintain a law firm's computer system, but warned that the lawyer must minimize the risk that the outside service provider may inadvertently reveal confidential client information. The ABA reiterated its opinion that written confidentiality agreements are strongly advisable in outsourcing relationships. ABA Op See also ISBA Formal Op (May 2004) (opining that the responsibilities of lawyers regarding nonlawyer assistants extend to interpreters who are retained by the lawyer to communicate with hearing impaired clients, including the protection of client confidences).

In addition, the ABA observed that in the event the Vendor breaches the confidentiality of the firm's client files, a lawyer may be obligated to disclose this breach to its client if it is likely to affect the position of the client or the outcome of the client's case. Such disclosure may be required under RPC 1.4(b), pursuant to which a lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation. ABA Op See also In re Estate of Divine, 263 Ill. App. 3d 799, 808 (1st Dist. 1994) (observing that RPC 5.3 places the responsibility for unethical acts by nonlawyer employees on the employing attorney). Other laws may also require disclosure to the client, such as notification about a data security breach.

The ABA Formal Opinions cited herein are consistent with other authorities which have addressed the issue of the lawyer's duty to safeguard client confidentiality when dealing with outside service providers. For example, Massachusetts Bar Association Ethics Opinion ("MBA") involved a situation in which a vendor periodically accessed a law firm's computer system, including its server and document database, in order to support the firm's computer software application. The MBA concluded that this practice was reasonable and did not violate any ethical rules:

We believe that it is well known among the general population that computer systems are an integral and essential tool of the modern-day legal profession, and that those computer systems, and the software that they operate, must be made available to technicians and other trained support personnel more often than we desire for the purpose of keeping them running. It would be impractical and unrealistic to expect a lawyer to delete or scrub all confidential client information from his or her computer before allowing it to be serviced. Indeed, in circumstances where the system has failed unexpectedly and completely, it may be physically impossible for the lawyer to do so. MBA

However, the MBA opined that the lawyer must take reasonable steps to protect its clients' confidential information, examples of which include: notifying the vendor of the confidential nature of the information stored on the firm's servers and in its document database; examining the vendor's existing policies and procedures with respect to the handling of confidential information; obtaining written assurance from the vendor that access is only for technical support purposes and that the system will only be accessed on an as needed basis; and obtaining written assurance that the vendor will preserve and protect all client information. MBA

Likewise, Restatement (Third) of Law Governing Lawyers § 60 (Comment d) (2000) ("Comment d") provides that a lawyer who acquires confidential client information has a duty to take reasonable steps to secure the information against misuse or inappropriate disclosure by the lawyer's agents. This requires that client confidential information be acquired, stored, retrieved, and transmitted under systems and controls that are reasonably designed and managed to maintain confidentiality. Comment d. Further, Restatement Comment g provides that a lawyer may disclose confidential client information for the purpose of facilitating the lawyer's law practice, including to computer technicians, provided that the lawyer takes appropriate safeguards against impermissible use or disclosure.

Finally, whether the Vendor has physical or remote access to the law firm's server is irrelevant so long as other adequate safeguards are taken. The ABA has opined that the communication of confidential client information over the internet, even by unencrypted e-mail, does not violate Rule 1.6. ABA Formal Op (1999). Moreover, internet users, including lawyers, have a reasonable expectation that communications will remain private. See Electronic Communications Privacy Act, 18 U.S.C. § 2510; ISBA Ethics Advisory Opinion Consequently, it makes no difference whether the Vendor in the fact scenario presented has remote or on-site access to the law firm's network.

CONCLUSION

Under RPCs 1.6 and 5.3, a law firm may retain or work with a private vendor to monitor the firm's computer server and network, either on-site or remotely, and may allow the vendor to access it as needed for maintenance, updating, troubleshooting and similar purposes. Before doing so, however, the law firm must take reasonable steps to ensure that the vendor protects the confidentiality of the clients' information on the server.

The Colorado Bar Association Ethics Committee (Reprinted with permission.)

Formal Opinions

Opinion 113

ETHICAL DUTY OF ATTORNEY TO DISCLOSE ERRORS TO CLIENT

Adopted November 19, Modified July 18, 2015 solely to reflect January 1, 2008 changes in the Rules of Professional Conduct.

Syllabus

As part of the general ethical duty to keep a client reasonably informed about the status of a matter, a lawyer should fully and promptly inform the client of significant developments, including those developments resulting from the lawyer's own errors. Colo. RPC 1.4. As part of this broad duty to report, a lawyer has an ethical duty to make prompt and specific disclosure to a client of the lawyer's error if the error is material. A material error is one that will likely result in prejudice to a client's right or claim. In these circumstances, the lawyer should inform the client that it may be advisable for the client to consult with independent counsel regarding the error, which may include advice regarding the statute of limitations on a claim for legal malpractice. Colo. RPC 1.4(b). The lawyer need not and should not inform the client that a legal malpractice claim against the lawyer actually exists or has merit, or of the desirability of terminating the lawyer's representation. A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation.

A lawyer may continue to represent the client in these circumstances only in compliance with Colo. RPC 1.7(a) and (b). In many, if not most, circumstances, the interest of the attorney in avoiding liability will be consistent with the interest of the client in a successful representation. Continued representation may not be permissible if the lawyer might be influenced to pursue a strategy that would avoid liability for the lawyer at the expense of the success of the representation, or if there is a significant risk that the representation of the client will be materially limited by the lawyer's personal interest. Finally, the lawyer may not obtain a release of liability except in compliance with Colo. RPC 1.8(h).

This opinion addresses the lawyer's ethical duty to advise the client of relevant developments resulting from the lawyer's own errors. This opinion does not address whether the failure to disclose an error itself gives rise to a cause of action against the lawyer. See Colo. RPC, Scope, ("Violation of a Rule should not in and of itself give rise to a cause of action nor should it create a presumption that a legal duty has been breached.").

The lawyer should also consider the impact of disclosure of the error to the client on the lawyer's malpractice insurance coverage. The lawyer should review and consider any applicable malpractice insurance contract provisions, including notice to the insurer of potential claims, disclosure on applications for insurance, and cooperation clauses in the lawyer's policy.

Analysis

Basis for the Duty in the Rules of Professional Conduct

Lawyers must keep clients reasonably informed about the status of a matter. Colo. RPC 1.4(a)(2). The lawyer's explanation must be to the extent reasonably necessary to permit the client to make informed decisions regarding the representation. Colo. RPC 1.4(b). The ethical duty to inform the client extends to keeping the client reasonably informed about the status of the matter, such as significant developments affecting the timing or the substance of the representation. Comment, Colo. RPC 1.4. Additionally, "[a] lawyer may not withhold information to serve the lawyer's own interests." Comment, Colo. RPC 1.4. Significant developments include matters adverse to the client's interests and those resulting from the lawyer's own actions, if the lawyer's actions are likely to result in prejudice to a client's rights or claim.

In addition, failing to disclose an error to a client may rise to the level of conduct involving dishonesty, fraud, deceit or misrepresentation under Colo. RPC 8.4(c). Colo. RPC 8.4(c) may apply if the lawyer actively and intentionally conceals the facts and circumstances of the error from the client, 1 or misrepresents facts about the error, and the client loses a valuable right, such as a right of appeal, 2 or releases a claim against the lawyer for legal malpractice. 3

In the context of this opinion, a breach of a duty of care that will likely result in prejudice to a client's right or claim will be referred to as an error, and disclosing an error to a client will mean drawing a client's attention to an error and not simply relying on the flow of paperwork sent to the client in the ordinary course of a representation. When, by act or omission, a lawyer has made an error, and that error is likely to result in prejudice to a client's right or claim, the lawyer must promptly disclose the error to the client. Error, as used in this opinion, is not meant to include an act or omission that a reasonable lawyer would conclude would not likely result in prejudice to a client's right or claim.

Various jurisdictions that have considered the issue have reached similar conclusions. 4 Some legal authorities rely on the lawyer's obligation under the equivalent of Colo. RPC 1.4(b) to explain a matter to the extent reasonably necessary to permit the client to make informed decisions regarding the representation. Colo. RPC 1.4(b). 5 Other authorities cite the lawyer's obligation under the conflict of interest rules to obtain the client's informed consent to continued representation, on the basis that the lawyer's own interest in avoiding liability may materially limit the lawyer's representation of the client. 6 The conflict of interest rules would not apply, obviously, if the representation does not continue following the error.

Nature of Conduct that Triggers the Duty to Disclose

The more difficult determination is whether a particular error triggers an ethical duty to disclose it to the client. This determination is important because an overbroad interpretation of the ethical duty to disclose may needlessly undermine the trust and confidence essential to a healthy attorney-client relationship. 7 Also, the ethical duty to disclose should remain primarily a basis for a lawyer's self-assessment, not another arrow in the quiver of tactics employed in legal malpractice cases. 8 Whether a particular error gives rise to an ethical duty to disclose depends on whether a disinterested lawyer would conclude that the error will likely result in prejudice to the client's right or claim and that the lawyer, therefore, has an ethical responsibility to disclose the error. The failure to disclose an error does not (and should not), in and of itself, give rise to a cause of action against the lawyer, nor does it (or should it) create a presumption that a legal duty has been breached.

Professional errors exist along a spectrum. At one end are errors that, as stated above, will likely prejudice a client's right or claim. Examples of these kinds of errors are the loss of a claim for failure to file it within a statutory limitations period or a failure to serve a notice of claim within a statutory time period. The lawyer must promptly inform the client of an error of this kind, if a disinterested lawyer would conclude there was an ethical duty to do so, because the client must decide whether to appeal the dismissal of the claim or pursue a legal malpractice action. 9 Another example is the loss of a right of appeal for failure to file a timely notice of appeal. However, as discussed more fully below, the lawyer should be given an opportunity to remedy the error before disclosing it to the client.

At the other end of the spectrum are errors and possible errors that may never cause harm to the client, either because any resulting harm is not reasonably foreseeable, there is no prejudice to a client's right or claim, or the lawyer takes corrective measures that are reasonably likely to avoid any such prejudice. For example, missing a nonjurisdictional deadline, a potentially fruitful area of discovery, or a theory of liability or defense may, upon discovery, prompt regretful frustration, but not an ethical duty to disclose to the client. As one commentator remarked regarding similar circumstances, "Unless there are steps that can be taken now to avoid the possibility of future harm, there is probably no immediate duty to disclose the mere possibility of lawyer error or omission." 10 Lawyers should be given the opportunity to remedy any error before disclosing the error to the client. The later assertion of a legal malpractice claim does not mean that the allegedly negligent lawyer breached a duty to disclose the error to the client. Nor should the failure to disclose the error be construed as an independent claim against the lawyer. 11 Whether a lawyer has an ethical duty to disclose depends on the facts and circumstances known to the lawyer once he or she has realized the error, not those that appear only through the prism of hindsight.

In between these two ends of the spectrum are innumerable errors that do not fall neatly into either end of the spectrum and must be analyzed on an individual basis. For example, it is ordinarily not necessary to disclose questions of professional judgment where the law was unsettled on an issue or the attorney made a tactical decision from among equally viable alternatives. 12 Under the doctrine of judgmental immunity, these types of decisions are not, as a matter of law, considered errors, below the applicable standard of care, or negligent conduct. When reasonable lawyers may disagree about whether the state of the law was unsettled or the available alternatives were equally viable, however, the lawyer should err on the side of discussing the available alternatives with the client before pursuing a course of action. 13 The lawyer's choice between equally viable alternatives should not be considered an error as defined in this opinion.
Examples of potential errors that may give rise to an ethical duty to disclose include the failure to request a jury in a pleading (or pay the jury fee), the failure to include an acceleration provision in a promissory note, and the failure to give timely notice under a contract or statute. The Committee agrees with the New York State Bar Association that whether an attorney has an obligation to disclose a mistake to a client will depend on the nature of the lawyer s possible error or omission, whether it is possible to correct it in the pending proceeding, the extent of the harm resulting from the possible error or 3

omission, and the likelihood that the lawyer's conduct would be deemed unreasonable and therefore give rise to a colorable malpractice claim. 14

The Colorado Bar Association Ethics Committee (Reprinted with permission.)

What to Tell the Client

Although it can be difficult to determine whether a lawyer must call a client's attention to an error, it is relatively easy to describe what to say to the client when the lawyer has made the decision to disclose. Candor is a given. The result may be a surprisingly appreciative and understanding client. The lawyer need not advise the client about whether a valid claim for malpractice exists, and indeed the lawyer's conflicting interest in avoiding liability makes it improper for the lawyer to do so. 15 The lawyer need not, and should not, make an admission of liability. What must be disclosed are the facts that surround the error, and the lawyer should inform the client that it may be advisable to consult with an independent lawyer with respect to the potential impact of the error on the client's rights or claims. It may be advisable, however, to inform the client that it may be prudent to consult with independent counsel regarding the statute of limitations on a claim for legal malpractice, especially if, notwithstanding the disclosure, the attorney-client relationship continues in the matter giving rise to the potential claim. The lawyer need not, however, advise the client of the viability of a legal malpractice claim, but simply inform the client that it may be appropriate to seek independent advice from a disinterested lawyer.

The Rules of Professional Conduct do not require the disclosure to be in writing, but failing to make a written record of it is imprudent and potentially defeating of one of the purposes of the disclosure: protection of the lawyer. The letter informing the client of the error should also recommend that the client consult independent counsel to discuss the consequences of the error.
This notice may itself trigger the accrual of a legal malpractice claim and, hence, the relevant statute of limitations. 16 Even if the lawyer genuinely believes that it is in the client's best interests to continue the representation despite the error, the lawyer's own interests prohibit him or her from advising the client on this issue. 17 The lawyer should also consider the impact of disclosure of the error to the client on the lawyer's malpractice insurance coverage. The lawyer should review and consider any applicable malpractice insurance contract provisions, including notice to the insurer of potential claims, disclosure on applications for insurance, and cooperation clauses in the lawyer's policy.

Conflicts of Interest in Continuing the Representation

Continuing the representation is not an option if (a) the client terminates it, (b) the error effectively concludes it, or (c) the lawyer withdraws because the error creates a nonwaivable conflict of interest. If both lawyer and client desire to continue the representation, Colo. RPC 1.7(a)(2) requires the lawyer to consider whether the lawyer's own interests in avoiding liability may materially limit the representation. If the lawyer concludes that the lawyer's own interests may materially limit the representation, continued representation is permissible only if the lawyer reasonably believes the lawyer will be able to provide competent and diligent representation to each affected client. Colo. RPC 1.7(b)(1). 18 Additionally, in order for representation to continue, each affected client must give informed consent, confirmed in writing. Colo. RPC 1.7(b)(4). Whether or not continued representation is permissible, either because there is no potential conflict or the potential conflict is waivable, depends on the nature of the error. In many, if not most, circumstances the

interest of the attorney in avoiding liability will be consistent with the interest of the client in a successful representation. 19 Withdrawal is typically not required if the error likely can be corrected during the course of the representation; the error is not likely to result in harm to the client's cause; the error does not prejudice the client's right or claim, or the error does not necessarily constitute an error at all. 20 As one court stated:

Many errors by a lawyer may involve a low risk of harm to the client or low risk of ultimate liability for the lawyer, thereby vitiating the danger that the lawyer's own interests will endanger his or her exercise of professional judgment on behalf of the client. Even if the risk of some harm to the client is high, the actual effect of that harm may be minimal, or, if an error does occur, it may be remedied with little or no harm to the client. In those circumstances, it is possible for a lawyer to continue to exercise his or her professional judgment on behalf of the client without placing the quality of representation at risk. 21

In any event, a lawyer may not procure a release of liability from the client except in compliance with Colo. RPC 1.8(h). That rule prohibits a lawyer from making an agreement prospectively limiting the lawyer's liability to a client for malpractice unless the client is independently represented in making the agreement; or settle a claim or potential claim for such liability with an unrepresented client or former client unless that person is advised in writing of the desirability of seeking and is given a reasonable opportunity to seek the advice of independent legal counsel in association therewith. 22 Colo. RPC 1.8(h)(1) and (2). Colo. RPC 1.8(h) would be applicable, for example, if a lawyer agreed to handle the client's appeal free of charge in exchange for a release of liability.
23 In other situations, a client cannot give informed consent, confirmed in writing, within the meaning of Colo. RPC 1.7(b)(4), because the lawyer's own interest in avoiding liability may materially limit the lawyer's representation of the client, within the meaning of Colo. RPC 1.7(a)(2), by influencing the lawyer's strategy. For example, in a personal injury case arising from an automobile accident involving a Regional Transportation District bus, the plaintiff's lawyer fails to give RTD timely notice of a potential claim against it as required by the Colorado Governmental Immunity Act. The plaintiff's lawyer files an action against another driver, who is uninsured. The uninsured driver files a notice of nonparty at fault, identifying RTD. At trial, the plaintiff's lawyer emphasizes the evidence against the uninsured driver and downplays the evidence against RTD. The jury returns a verdict assigning 75% fault against the uninsured driver and 25% against RTD. The judgment against the uninsured driver is uncollectible, and the plaintiff's lawyer's liability to his client is limited to 25% of the total damages. Another lawyer representing the plaintiff might have emphasized the evidence against RTD or proceeded directly to an action against the plaintiff's lawyer for malpractice.

The plaintiff's lawyer thus violated Colo. RPC 1.7(a)(2). His interest in limiting his liability to the client in a future legal malpractice claim caused him to adopt a litigation strategy that emphasized evidence that increased the fault attributable to the uninsured driver, thereby reducing the lawyer's liability exposure to the client and increasing the uncollectible portion of the judgment. Another lawyer representing the plaintiff would have emphasized evidence that decreased the fault attributable to the uninsured driver,

thereby increasing the lawyer's liability exposure to the client and decreasing the uncollectible portion of the judgment. Under the circumstances, the plaintiff's consent to the conflict was not validly obtained.

It is seldom so clear that a lawyer's independent judgment is materially limited by his or her interest in avoiding or reducing liability to a client. Indeed, the opposite problem may be more likely. To avoid the appearance of self-interest, a lawyer may be hesitant to adopt strategies that could leave that impression, including strategies that the lawyer genuinely believes to be in the client's best interests. A lawyer should consider this complication in deciding whether or not he or she wishes to continue the representation. If the representation continues, the lawyer may be able to avoid the appearance of self-interest by conferring with another lawyer about strategies that may, in the hindsight of a legal malpractice action, be labeled self-serving. The lawyer may also suggest the retention of co-counsel.

Notes

1 CBA Formal Ethics Opinion 85, Release and Settlement of Legal Malpractice Claims (May 19, 1995).
2 E.g., Kentucky Bar Ass'n v. Cowden, 727 S.W.2d 403, (Ken. 1987).
3 CBA Formal Ethics Opinion 85, Release and Settlement of Legal Malpractice Claims (May 19, 1995). Accord In re Tallon, 447 N.Y.S.2d 50, 51 (App. Div. 1982); see also People v. Good, 576 P.2d 1020, 1022 (Colo. 1978) (finding violation of former Code equivalent of Colo. RPC 1.8(h) where lawyer refunded retainer with check containing restrictive endorsement releasing claims against lawyer).
4 See Circle Chevrolet Co. v. Giordano, Halleran & Ciesla, 662 A.2d 509, 514 (N.J. 1995), relevant holding confirmed but decision abrogated on other grounds, Olds v. Donnelly, 696 A.2d 633, 642 (N.J. 1997); In re Tallon, 447 N.Y.S.2d 50 (App. Div.
1982); New Jersey Supreme Court Advisory Committee on Professional Ethics 684 (March 9, 1998); N.Y. State Bar Association Opinion 734 (Nov. 1, 2000); Association of the Bar of the City of New York Formal Opinion (Feb. 22, 1995).
5 See Circle Chevrolet, supra (New Jersey Rule 1.4); N.Y. State Bar Association Opinion 734 (Nov. 1, 2000) (New York equivalent of Colo. RPC 1.4); Pennsylvania Bar Association Informal Opinion (June 6, 1997) (Pennsylvania equivalent of Colo. RPC 1.4). Accord Restatement (Third) of the Law Governing Lawyers 20, Comment c; American Bar Association Informal Opinion 1010 (Nov. 18, 1967).
6 E.g., Circle Chevrolet, supra, 662 A.2d at See N. Moore, Implications of Circle Chevrolet for Attorney Malpractice and Attorney Ethics, 28 Rutgers L.J. 57, 75 n. 85 (Autumn 1996) (suggesting that clients of lawyer, like patients of physician, do not want to know every time the physician has doubts or second thoughts about any aspect of some ongoing treatment) (hereinafter "Moore").
8 See Preamble, Scope and Terminology, Colo. RPC (purpose of Rules of Professional Conduct can be subverted when they are invoked by opposing parties as procedural weapons; nothing in the Rules should be deemed to augment any substantive legal duty of lawyers or the extra-disciplinary consequences of violating such a duty); Colo. RPC 4.5(a) (lawyer shall not threaten or present, or participate in presenting, disciplinary charges to gain advantage in a civil matter); see also Weiss v. Manfredi, 639 N.E.2d 1122, 1124, 616 N.Y.S.2d 325, 327 (N.Y. 1994) (attorney's failure to disclose malpractice does not give rise to fraud claim separate from customary malpractice action).

9 Moore, supra n. 7, at 73. See Cowden, supra, 727 S.W.2d at (lawyer's failure to advise client of dismissal of action for failure to file prior to expiration of statute of limitations was particularly important because dismissal may have been erroneous).
10 Moore, supra n. 7, at E.g., In re Knappenberger, 90 P.3d 614 (Ore. 2004) (attorney had no immediate duty to alert client regarding potential malpractice claim arising from opposing party's filing of motion to dismiss appeal as untimely where lawyer reasonably believed motion had little chance of success).
12 Merchant v. Kelly, Haglund, Garnsey & Kahn, 874 F. Supp. 300, 304 (D. Colo. 1995); Myers v. Beem, 712 P.2d 1092, 1094 (Colo. App. 1985).
13 See Cmt., Withholding Information, Colo. RPC 1.4 (lawyer may not withhold information to serve the lawyer's own interest or convenience).
14 N.Y. State Bar Association Opinion 734 (Nov. 1, 2000).
15 New York City Opinion (Feb. 22, 1995); S. O'Neal, If You Make a Mistake, When and What Should You Tell Your Client?, 2000-FEB W. Va. Law. 24, 25 (Feb. 2000) (hereinafter, "O'Neal").
16 O'Neal, supra n. 15, at 25; see New York State Opinion 275 (1972) (upon withdrawing from representation, lawyer should recommend that client obtain other counsel) (cited with approval in New York State Opinion 734 (Nov. 1, 2000)).
17 O'Neal, supra n. 15, at See In re Lawrence, 31 P.3d 1078, 1084 (Or. 2001) (lawyer violated conflict of interest rule by failing to inform client in writing of potential conflict of interest caused by continuing representation of client in domestic relations matter following entry of default against client due to attorney's neglect).
19 See D.
Karpman, A Twilight Zone of Inharmonic Convergence, California Bar Journal 20 (February 2004) ("it is doubtful that any other lawyer in the entire world would be as motivated to make sure the client is successful than the one who commits malpractice and continues the representation"); Pennsylvania Informal Opinion No (June 6, 1997) (law firm's interest and motivation in trying to win appeal from dismissal of case based on law firm's negligence are same as client's interest and motivation in trying to win appeal).
20 N.Y. State Bar Association Opinion 734 (Nov. 1, 2000).
21 In re Knappenberger, 90 P.3d 614, 622 (Or. 2004).
22 Colo. RPC 1.8(h).
23 Formal Ethics Opinion 85, Release and Settlement of Legal Malpractice Claims (May 19, 1995).

Advisory Ethics Opinion of the Vermont Bar Association Committee on Professional Responsibility (Reprinted with permission.)

ADVISORY ETHICS OPINION

SYNOPSIS:

A lawyer may engage an outside contractor as a computer consultant to recover a lost data-base file, which contains confidential client information so long as: The lawyer clearly communicates the confidentiality rules to the outside contractor; the contractor fully understands the confidentiality rules and embraces the obligation to maintain the confidentiality of any information obtained in the course of assisting the lawyer; and the lawyer determines that the contractor has instituted adequate safeguards to preserve and protect confidential information. If a significant breach of confidentiality should occur by the outside contractor, the law firm would be obligated to disclose such a breach to the client.

QUESTION:

1. Is the use of outside technical experts to retrieve computer files permissible and not a violation of a lawyer's duty of confidentiality to the client?
2. What precautions with the outside contractor are expected to be utilized and what measures are to be taken should a breach occur by the contractor?

FACTS:

The requesting lawyer wishes to engage the services of technical support personnel outside the firm to assist the lawyer with a computer-related issue which allows access to confidential information on the client.

ANALYSIS:

The Vermont Rules of Professional Conduct define confidentiality of information in RPC 1.6, which reads as follows:

Rule 1.6 CONFIDENTIALITY OF INFORMATION

(a) A lawyer shall not reveal information relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation, and except as stated in paragraphs (b) and (c). (Emphasis added.)
Client electronic files usually contain most of the significant information relating to representation and therefore are covered by the confidentiality rules contained in Rules of Professional Conduct 1.6. The rule goes on to state that disclosures that are impliedly authorized

in order to carry out the representation are not covered by the prohibition. This inquiry is distinguished from Opinion and Opinion which prohibited disclosure in cases where the disclosure was not for the purposes of carrying out representation. It should also be noted that the Rule 1.6 has the clause explicitly allowing disclosure for purposes of serving the client and that exception was not in the previous section of the Code. Nonetheless, another section of the rules provides further elaboration on how such disclosures should be handled. Rules of Professional Conduct 5.3 reads in part:

Rule 5.3. RESPONSIBILITIES REGARDING NONLAWYER ASSISTANTS

With respect to a nonlawyer employed or retained by or associated with a lawyer:
(a) a partner in a law firm shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer; and
(b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer; and

The comments to our Rules do not specifically address this area of the use of outside service providers to deal with technological concerns, but generally RPC 5.3 requires that the lawyer has in effect measures giving reasonable assurance that client confidentiality will be protected.
In ABA Formal Opinion , the American Bar Association concluded that it is not a violation of the confidentiality rules to allow nonlawyers to come into contact with client file information, but that the lawyer must ensure that the service provider has in place, or will establish reasonable procedures to protect the confidentiality of information to which it gains access, and moreover, that it fully understands its obligations in this regard. See also Michigan Op. RI-328 (1/25/2002) in which a law department of a governmental unit could ethically utilize the services of the technical support department with the recommendation that the law department secure a written acknowledgment from the technical support personnel that they have been advised of the confidentiality requirements.

For purposes of the Vermont Rules and in response to the pending inquiry, we believe that the requesting lawyer should follow a three-step process:

1. The lawyer must clearly explain the confidentiality rules to the contractor;
2. The contractor must fully understand the confidentiality rules and embrace the obligation to maintain the confidentiality of all information obtained in the course of assisting the lawyer.

3. The lawyer must determine that the contractor has instituted adequate safeguards to preserve and protect confidential information.

How a lawyer is to assure that a nonlawyer understands the obligation of confidentiality is not specifically spelled out in the Vermont Rules. Nonetheless, we believe that a lawyer would satisfy the reasonableness requirements of Rule 5.3 if the lawyer obtained a written acknowledgment from an outside contractor that the contractor understands the confidential nature of the material and understands his or her duty not to keep any information gained in strictest confidence. If a breach of confidentiality were to occur, RPC 1.4 requires a lawyer to explain a matter reasonably necessary to permit the client to make informed decisions regarding representation. Thus, if the breach would affect the outcome of the client's legal matter in any fashion, the lawyer would be obligated to tell the client of the breach by the nonlawyer.

CONCLUSION:

It is appropriate for a lawyer to use outside technological support in managing case files when it is done in furtherance of carrying out the representation of the client. It is the expectation of the Rules that the lawyer will actively manage the nonlawyer to protect the confidentiality of the client's information and should a significant breach occur, the lawyer would need to disclose such a breach to the client.

OPINION 734

NEW YORK STATE BAR ASSOCIATION
Committee on Professional Ethics

Opinion #734 (11/01/2000)

Topic: Attorney's obligation to report to a client a significant error or omission that may give rise to a possible malpractice claim.

Digest: A legal services organization is subject to the same ethical standards as other law offices, and therefore must report to the client a significant error or omission that may give rise to a possible malpractice claim, and depending on the circumstances, it may be required to withdraw its representation of the client.

Code: DR 5-101(A); DR 6-102; DR 2-110(A)(2); EC 2-6; EC 2-8; EC 2-32; EC 5-1; EC 5-11; EC 7-7; and EC 7-8.

QUESTIONS

1. Is a Legal Aid Society ("Society"), which provides legal services to low-income clients, bound by the ethical standards which require attorneys to disclose significant errors and omissions to their clients?
2. If so, may the Society continue as counsel if, after having made full disclosure of such an error, a client still wants the organization to continue its representation?

OPINION

As a general rule, whether an attorney has an obligation to disclose a mistake to a client will depend on the nature of the lawyer's possible error or omission, whether it is possible to correct it in the pending proceeding, the extent of the harm resulting from the possible error or omission, and the likelihood that the lawyer's conduct would be deemed unreasonable and therefore give rise to a colorable malpractice claim. Ordinarily, since lawyers have an obligation to keep their clients reasonably informed about the matter and to provide information that their clients need to make decisions relating to the representation, the Society's lawyer would have an obligation to disclose to the client the possibility that they have made a significant error or omission. See N.Y. State Op. 396 (1975); EC 7-7, EC 7-8.
DR 5-101(A) governs the question of whether the Society and its lawyers have a conflict of interest arising out of their personal interest in avoiding civil liability and, if so, whether the lawyers may nevertheless continue the representation with "the client's consent to the representation after full disclosure of the implications of the lawyer's interest." In general, under DR 5-101(A), the lawyers

would have a conflict of interest if "the exercise of professional judgment on behalf of the client will be or reasonably may be affected by the lawyer's own" interest, and, in that event, the Society could continue the representation with the client's informed consent only if "a disinterested lawyer would believe that the representation of the client will not be adversely affected thereby."

This Committee's prior opinions provide guidance about how these principles generally apply when a lawyer has made a significant error or omission in the course of the representation, although their application will obviously vary depending on the facts of the particular case. For example, in N.Y. State 275 (1972), we addressed the situation of a lawyer who failed to file a claim within the statute of limitations period. We held that a lawyer had a professional duty to notify the client promptly that the lawyer had committed a serious and irremediable error, and of the possible claim the client may have against the lawyer for damages. Because the error could not be remedied and the representation was all but concluded, we further held that the lawyer should withdraw from the matter after having made the necessary full disclosure. In such a situation, not only was there an inherent conflict between the interest of the client and the lawyer's own interest, but, from an objective perspective, one could not be confident that the quality of the lawyer's work would be unaffected if the representation continued. We advised that, upon withdrawing, the lawyer should recommend that the client retain other counsel. See also DR 5-101(A); DR 6-102; EC 5-1; EC 2-6; and EC 5-11; N.Y. State 295 (1973) (reaffirming N.Y. State 275); N.Y. City 1995-2 (1995) (a lawyer failed to settle a judgment within time period prescribed by procedural rules).

Of course, not every possible error creates a possible claim for malpractice. Some errors can be corrected during the course of the representation.
Others are not particularly harmful to the client's cause. In some cases, it may be questionable whether the lawyer acted erroneously at all. Therefore, when a lawyer makes a mistake in the representation of a client, the likelihood that the lawyer's representation will be affected adversely because of the lawyer's interest in avoiding civil liability will depend upon all the relevant facts.

Earlier opinions also make clear that the Society is subject to the same general standard as other law offices, even though its clients, who have limited financial resources, may find it more difficult to retain other counsel. See N.Y. City 1995-2 (1995) (holding that a legal services organization that may have committed malpractice should withdraw its representation and advise an indigent client to obtain legal advice from an attorney not employed by the organization); DR 5-101(A); EC 5-1; and EC 5-11. If the Society is required to withdraw from the representation because of the possibility that its lawyers' representation will be adversely affected by their own or the Society's interest, another legal services organization may be willing to undertake representation of the client or the client may be able to retain a private attorney on a contingency fee or on a pro bono basis. Unfortunately, it is also possible that the client may go unrepresented if another attorney is unavailable or unwilling to assume the matter. In any case, the Society cannot withdraw its representation until it "has taken steps to the extent reasonably practical to avoid foreseeable prejudice to the rights of the client," the specifics of which would depend on the circumstances of a particular case. See DR 2-110(A)(2); DR 6-102; EC 2-6; EC 2-8; and EC 2-32. However, if the matter is in litigation, the Society must seek permission from the Court before withdrawing. DR 2-110(A)(1).

CONCLUSION

The Society is bound by the same ethical standards as other law offices, and therefore has an obligation to report to the client that it has made a significant error or omission that may give rise to a possible malpractice claim. In such a situation, the Society will be required to withdraw as counsel if its continued representation would be adversely affected by its interest in avoiding civil liability. (5-00)

OPINION 709

NEW YORK STATE BAR ASSOCIATION
Committee on Professional Ethics

Opinion #709-09/16/1998 (55-97)

TOPIC: Use of Internet to advertise and to conduct law practice focusing on trademarks; use of Internet e-mail; use of trade names

DIGEST: Attorney may operate and advertise a trademark practice over the Internet, as long as attorney complies with (a) the Code's obligations to check client conflicts; (b) court rules requiring the posting of a statement of Client's Rights and Responsibilities; (c) the obligation to preserve client confidences by assuring that use of e-mail is reasonable; and (d) the Code's advertising rules and perhaps those of other jurisdictions. The attorney may not engage in or advertise a more limited form of trademark business under a trade name if the business constitutes the practice of law.

CODE: DR 1-102(A), DR 2-101, DR 2-101(B), DR 2-102, DR 2-102(B), DR 2-102(D), DR 2-101(F), DR 2-103(A), DR 2-106, DR 3-101(B), DR 4-101(A), DR 4-101(B), Canon 6, EC 2-10, EC 2-13, EC 3-5, EC 3-9, EC 4-1, EC 8-3

QUESTIONS

An attorney plans to create an Internet web site in connection with a business that will conduct trademark searches, render legal opinions on availability of trademarks, and file and prosecute applications to register trademarks. The web site will have the capability to take orders from clients from all over the country on the Internet, and charge their credit cards a pre-determined fee for each applicable service. The attorney will speak to clients by telephone when they request a legal opinion, but will otherwise rely on unencrypted Internet e-mail to communicate with clients. We address the following questions in connection with this proposed conduct:

1. May an attorney make his or her services available through the Internet, including taking orders for conducting trademark searches, communicating with clients using Internet e-mail, conducting trademark searches, rendering legal opinions on trademark availability, filing trademark applications, and charging clients by credit card?

2. May an attorney advertise on the Internet utilizing a web site accessible throughout the United States where the attorney is licensed to practice law only in New York?

3. May an attorney licensed to practice only in New York render legal opinions to nonresidents of New York, and if not, may the attorney limit his or her services to performing trademark searches and filing trademark applications on behalf of clients who reside outside of New York, since such services may be performed by non-lawyers?

4. May the attorney operate his or her practice under a trade name as well as his or her own name (e.g., advertising and operating under the trade name "The Trademark Store") and also state that The Trademark Store is operated by the "Law Offices of ")? If the attorney only performs the trademark searching and filing services that may be performed by non-lawyers, and does not render legal opinions, may the attorney operate the business under a trade name without using his or her own name?

1. Legal Practice on the Internet

There is no express provision in the Lawyer's Code of Professional Responsibility (the "Code") that addresses practicing law over the Internet. The Committee believes that using the Internet to take orders for trademark searches, conduct trademark searches, render legal opinions and file trademark applications is analogous to conducting a law practice by telephone or facsimile machine and is likewise permissible, subject to the same restrictions applicable to communication by those means. Some issues peculiar to practice on the Internet warrant additional comment, however.

A.
Statement of Client's Rights and Responsibilities

New York's court rules require the posting of a Statement of Client's Rights and Responsibilities in a lawyer's office, and apply by their terms to any attorney who has an office in the state. 22 N.Y.C.R.R As a result, such rules may apply even where the attorney-client relationship is conducted exclusively through the Internet and the lawyer does not typically meet clients in the lawyer's office. In such circumstances it would be prudent for the attorney to achieve substantial compliance with the terms of the rule (requiring posting of the Statement in the office "in a manner visible to clients") by including the full text of the Statement on the attorney's web site.

B. Conflicts Checks

Next, DR 5-105(E) provides that New York lawyers must maintain a system of keeping records of prior engagements and checking them before undertaking a new matter to assure that the attorney will not violate DR 5-105's and DR 5-108's prohibitions on conflicting engagements. Practicing law for clients by means of the Internet does not give rise to any exemption from this fundamental obligation to avoid conflicts and not to undertake a new representation without checking to assure that it does not create an impermissible conflict. See generally N.Y. State 664 (1994) (requiring conflicts check by lawyer providing specific legal advice to clients by means of "900" telephone service). We recognize,

89 however, that a conflicts check is not required where the attorney's interaction is limited to providing 87 general information of an educational nature, no confidential information is obtained from a client and no specific advice tailored to a client's particular circumstances is rendered. Id.; cf.n.y. 625 (1992); N.Y. State 636 (1992). In such circumstances, the recipient of such general advice need not be included in the lawyer's records of past engagements. C. Reliability of Internet Information To the extent that the attorney in performing legal research for clients relies on information obtained from searching of Internet sites, the attorney's duty under Canon 6 to represent the client competently requires that the attorney take care to assure that the information obtained is reliable. D. Use of Internet As to the attorney's use of Internet to communicate with clients, we note that the fiduciary relationship between an attorney and client requires the preservation of confidences and secrets, EC 4-1, and an attorney is prohibited from "knowingly" revealing a client confidence or secret. DR 4-101(B). Significantly, the Code expressly requires attorneys to "exercise reasonable care" to prevent others at his or her firm from disclosing a client's confidences or secrets, DR 4-101(D), and EC 4-4 provides that a "lawyer should endeavor to act in a manner which preserves the evidentiary privilege; for example, the lawyer should avoid professional discussions in the presence of persons to whom the privilege does not extend." It is fair to state that an attorney has a duty to use reasonable care to protect client confidences and secrets; whether the use of Internet is consistent with that duty depends upon the likelihood of interception. Other ethics committees that have considered this or analogous issues have reached inconsistent conclusions. CompareAz. 
Op ( may pose a risk to confidentiality); Iowa Op (attorneys must obtain waiver from clients as to security risk); N.Y. City (advising that an attorney should use caution and consider security measures when speaking to a client via cordless or cellular telephone because of the risk that the client's confidences or secrets may be overheard); withd.c. Op. 281 (1998) (no per serule barring use of unencrypted internet to transmit client confidences); South Carolina Op (examining the privacy of Internet communications in view of current technology and laws prohibiting interception or monitoring of communications, and concluding that Internet users may have a reasonable expectation of confidentiality); Vt. Op ( may pose no risk to confidentiality). The Electronic Communications Privacy Act ("ECPA"), 18 U.S.C et seq., criminalizes the interception of transmissions and also appears to mitigate the risk of loss of the evidentiary privilege. 18 U.S.C. 2517(4) ("[n]o otherwise privileged wire, oral, or electronic communication intercepted in accordance with, or in violation of, the provisions of [the ECPA] shall lose its privileged character"). Similarly, in 1998 New York enacted comparable protection for the evidentiary privilege in an amendment to the CPLR.[1] Although the federal and New York statutes may resolve the question of whether use of Internet waives the evidentiary privilege (a question of law outside the scope of this Committee's jurisdiction), at least to the extent the privilege at issue is governed by federal or New York law, the statutes do not directly resolve the lawyer's independent ethical duty to avoid disclosure of a client's confidences and secrets. The lawyer's ethical duty is broader than the obligation to preserve the privilege, as the Code extends the duty of non-disclosure to client "secrets,"

90 which are explicitly defined by the Code to encompass certain client-related information that is not 88 protected by the evidentiary attorney-client privilege. DR 4-101(A), (B). Consequently, the recent additions in federal and state law providing that use of does not by itself jeopardize the applicability of the attorney-client privilege cannot dispose of the ethical issue. In considering the ethical issue, we believe that the criminalization of unauthorized interception of certainly enhances the reasonableness of an expectation that s will be as private as other forms of telecommunication. That prohibition, together with the developing experience from the increasingly widespread use of Internet , persuades us that concerns over lack of privacy in the use of Internet are not currently well founded. So far as we are aware, there is little evidence that the use of unencrypted Internet s has resulted in a greater risk of unauthorized disclosure than is posed by other forms of communication that are commonly used without compromising ethical obligations, such as telephones and facsimile machines. We therefore conclude that lawyers may in ordinary circumstances utilize unencrypted Internet to transmit confidential information without breaching their duties of confidentiality under Canon 4 to their clients, as the technology is in use today. Despite this general conclusion, lawyers must always act reasonably in choosing to use for confidential communications, as with any other means of communication. Thus, in circumstances in which a lawyer is on notice for a specific reason that a particular transmission is at heightened risk of interception, or where the confidential information at issue is of such an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer's control, the lawyer must select a more secure means of communication than unencrypted Internet . 
A lawyer who uses Internet must also stay abreast of this evolving technology to assess any changes in the likelihood of interception as well as the availability of improved technologies that may reduce such risks at reasonable cost.[2] It is also sensible for lawyers to discuss with clients the risks inherent in the use of Internet , and lawyers should abide by the clients' wishes as to its use. E. Payment By Credit Card There is nothing in the Code prohibiting an attorney from accepting payment by credit card as long as the fee charged is not excessive and the fee arrangement does not otherwise violate any Code provision. N.Y. State 399 (1975); N.Y. State 362 (1974); seedr The lawyer's duty to safeguard client interests and property also requires the lawyer who accepts payment by credit card via the Internet to assure that the privacy of the client's credit card information will be preserved. 2. Advertising on the Internet The Code's advertising rules are intended to protect the public from false and misleading advertisements. There is no ethical distinction to be drawn among different forms of advertising directed to a general population. See, e.g., Shapero v. Kentucky Bar Assoc., 486 U.S. 466, 473 (1988) ("lawyer advertising cases have never distinguished among various modes of written advertising to the general public"); In re Koffler, 432 N.Y.S.2d 872, 875 (Ct. App. 1980) (direct mail solicitation by attorneys of potential clients is constitutionally protected commercial speech), cert. denied, 450 U.S (1981); cfaba Model Rule 7.2(a) (permitting advertising in "public media," including " a telephone directory, legal directory, newspaper or other periodical, outdoor advertising, radio or television, or through written or recorded communication"). Accordingly, we believe that advertising via the Internet - an

91 electronic form of public media - is permissible as long as the advertising is not false, deceptive or 89 misleading, and otherwise adheres to the requirements set forth in the Code. DR 2-101, DR 2-102, EC In addition to the other guidelines for lawyer advertising set forth in DR 2-101, we note that DR 2-101(F) requires retention and in some circumstances filing of advertisements with a departmental disciplinary committee, depending upon the medium used to distribute the advertisement. Thus, broadcasts must be tape recorded and preserved by the lawyer for one year; a copy of mailed advertisements must be filed as noted, and the address list retained by the attorney for a year. We conclude that an Internet web site advertisement is more analogous to a radio or TV broadcast, in which the attorney has no means of identifying the audience, than it is to a mass mailing in which the address list is within the attorney's control. Therefore, the attorney must keep a copy of any Internet advertisement for a period of not less than one year following its last use, but need not file a copy with a departmental disciplinary committee. The copy may be maintained by the attorney in electronic form. There is no ethical prohibition in the Code against advertising to solicit clients who reside outside the state of New York with respect to matters as to which the lawyer may competently and lawfully practice. However, any Internet advertisement should inform a potential client of the jurisdiction in which the attorney is licensed, and should not mislead the potential client into believing that the attorney is licensed in a jurisdiction where the attorney is not licensed. 
See DR 2-102(D); ABA/BNA Lawyers Manual on Professional Conduct 81:551 at 57 ("lawyer's Web page should clearly identify those states in which he is licensed to practice"); South Carolina Op (1995) (any advertisement by a lawyer on the Internet that may reach potential clients in jurisdictions where lawyer is not admitted to practice must clearly identify the geographic limitations of lawyer's practice or risk being deemed misleading); see also Florida Bar v. Kaiser, 397 So.2d 1132, 1133 (Fl. Sup. Ct. 1981) (lawyer engaged in unauthorized practice where his law firm's advertisements gave the impression that he was authorized to practice in Florida).[3]

3. Services to Clients Outside New York

DR 3-101(B) provides that a lawyer "shall not practice law in a jurisdiction where to do so would be in violation of regulations of the profession in that jurisdiction." Thus, whether a lawyer licensed only in New York may render legal opinions over the Internet to clients who reside outside of New York depends on whether the attorney's conduct constitutes the unauthorized practice of law in the other jurisdiction. That question is beyond the scope of this Committee's jurisdiction, though we note that lawyers licensed in one state may appropriately render legal services to clients resident elsewhere in many circumstances. N.Y. State 375 (1975). But see Birbrower, Montalbano, Condon & Frank v. Superior Court of Santa Clara County, 70 Cal. Rptr. 2d 304, 306 (Cal. Sup. Ct. 1998) (New York firm that performed legal services in California engaged in the unauthorized practice of law in violation of California statute). We are similarly unable to opine on whether the limitation of the practice to federal trademark issues affects the applicability of state laws regarding unauthorized practice. See Charles W. Wolfram, "Sneaking Around in the Legal Profession: Interjurisdictional Unauthorized Practice by Transactional Lawyers," 36 S. Tex. L.J. 665 (1995).

Finally, if an attorney licensed only in New York limits his or her services to trademark searches and filing trademark applications as non-lawyers are typically permitted to do, whether or not the attorney may provide such limited services to clients who reside outside of New York in matters arising in a non-New York jurisdiction is governed by the laws and rules of the other jurisdiction, and therefore is also beyond the scope of this Committee.

4. Use of a Trade Name for a Law Practice

Operating the proposed law practice under a trade name is prohibited by the Code. DR 2-102(B) provides that "[a] lawyer in private practice shall not practice under a trade name." See In re von Wiegen, 481 N.Y.S. 2d 40 (Ct. App. 1984) (use of phrase "The Country Lawyer" immediately below lawyer's name is acceptable); In re Shephard, 459 N.Y.S.2d 632, 633 (3rd Dep't 1983) (finding "The People's Law Firm" was a prohibited trade name); In re Shapiro, 455 N.Y.S. 2d 604, 605 (1st Dep't 1982) (finding "People's Legal Clinic, Inc." was a prohibited trade name). Operating the proposed law practice under a trade name, while simultaneously indicating in advertising materials that the company is operated by the attorney's law office, is likely to be confusing and misleading to the public as to whether the company and law office are separate entities.

Given the prohibition against attorneys practicing under a trade name in DR 2-102(B), whether an attorney may operate under a trade name a business limited to providing services that can permissibly be offered by non-lawyers depends on whether the attorney's conduct constitutes the practice of law. Although certain activities may be performed by lawyers and non-lawyers alike, this Committee has previously opined that certain activities that may be performed by non-lawyers constitute the practice of law when done by attorneys. See, e.g., N.Y. State 705 (1998) (handling real estate tax reduction proceedings); N.Y. State 678 (1996) (providing divorce mediation services); N.Y. State 557 (1984) (providing accountant services).

On the other hand, this Committee also has opined that an attorney may maintain a separate business that does not involve the practice of law, and operate that business under a trade name, provided that the attorney does not use the separate business as a means of soliciting legal work in violation of any statute or court rule, does not recommend that clients of the law practice purchase a product of the separate business, does not hold himself or herself out as an attorney in connection with the separate business, and does not otherwise violate any ethical or legal rules. N.Y. State 636 (1992) (finding no per se ethical proscription to law firm establishing separate business selling will forms operating under the trade name "The Will Store" provided that the phrase was not used in conjunction with the names of the attorney principals, the business did not constitute the practice of law, and the separate business is not used to solicit legal practice); cf. N.Y. State 662 (1994) (refraining from holding oneself out as a lawyer may satisfy the literal language of N.Y. State 557, but would constitute deception in violation of DR 1-102(A)(4) where lawyer refrains in order to avoid an ethical prohibition and solicit legal work); EC 2-13 ("to avoid the possibility of misleading persons with whom a lawyer deals, a lawyer should be scrupulous in the representation of professional status").

The lawyer must closely scrutinize the services provided to make certain that the services do not involve the exercise of an attorney's professional judgment, which would constitute the practice of law. We provided the following guidance in N.Y. State 636:

[T]o the extent that the wills are individualized and offered as a specific solution to individual problems or other services requiring the professional judgment of a lawyer are rendered, the business becomes the practice of law. EC 3-5. Furthermore, if in selling such forms to individual members of the public, an employee provides assistance or advice in selecting the appropriate form or forms or in adapting their language to particular circumstances, the business becomes the practice of law.

Therefore, even though trademark searches and application filings may be performed by non-lawyers, to the extent that the attorney invokes his or her professional legal judgment in conducting searches or filing applications, the business becomes the practice of law and practicing under a trade name is prohibited.

CONCLUSION

The questions are answered in accordance with this Opinion.

[1] New CPLR 4547 provides: No communication privileged under this article shall lose its privileged character for the sole reason that it is communicated by electronic means or because persons necessary for the delivery or facilitation of such electronic communication may have access to the content of the communication.

[2] We note that recent press reports concerning a lack of security arising from the use of Internet e-mail have not reflected interceptions of the content of e-mails, but instead the possible effect of the use of programs on the security of the contents of the files stored in a computer that is connected to the Internet. See, e.g., Denise Caruso, "Technology: As long as software code is kept secret, Internet security is at risk," N.Y. Times, Aug. 17, 1998, at D3. The security risk at issue is wholly separate from the use of e-mail to transmit confidential communications, as the content of e-mails is not itself intercepted, and the possible interception of the contents of stored computer files potentially occurs when a person receives an e-mail from the would-be interceptor. Should it become clear that a lawyer's use of Internet e-mail exposes the contents of the lawyer's computer files to a meaningful risk of unauthorized interception, lawyers will, of course, be unable to use Internet e-mail without taking steps to eliminate such risk.

[3] We express no view as to whether Internet advertising may also be subject to the rules regulating lawyer advertising of other jurisdictions in which the advertising appears and from which potential clients are solicited. Other states have opined that lawyers may advertise over the Internet as long as they comply with that state's ethics and rules on advertising but have not necessarily asserted that such state's rules apply to lawyers licensed and practicing outside that state. Utah Op (attorney may advertise service on web page provided that attorney complies with the state's advertising rules); Iowa Op (Iowa lawyers advertising on the Web page must comply with state's ethics rules including publication of mandatory disclosures), Penn. Op (law firm web site is permitted subject to state's advertising ethics rules, including disclosures of the geographic location of the law office and recordkeeping requirements); Tenn. Op. 95-A-57 (Tennessee lawyer posting firm brochure on World Wide Web must comply with ethical rules regarding publicity); Tex. Disc. Rules of Prof. Conduct, Part 7, Comment 17 (lawyers' Web sites are public media advertisement subject to state advertising rules); see also David Bell, Internet Use Raises Ethics Questions, Cal. St. B. J. at 36-37 (April 1996) (California rule and statute on attorney advertising applies to attorneys advertising on Internet); Ethics Update, Florida Bar News, Jan. 1, 1996 (lawyers' computer ads and industry web site on home pages are subject to Florida ethics rules on advertisements disseminated in electronic media). In addition, at least one state opinion suggests that lawyers should publish separate, unconnected web sites for in-state and out-of-state offices of the same law firm. Iowa Op

New York State Bar Association, One Elk Street, Albany, NY

ETHICS OPINION 1020

New York State Bar Association Committee on Professional Ethics

Opinion 1020 (9/12/2014)

Topic: Confidentiality; use of cloud storage for purposes of a transaction

Digest: Whether a lawyer to a party in a transaction may post and share documents using a cloud data storage tool depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks.

Rules: 1.1, 1.6

FACTS

1. The inquirer is engaged in a real estate practice and is looking into the viability of using an electronic project management tool to help with closings. The technology would allow sellers' attorneys, buyers' attorneys, real estate brokers and mortgage brokers to post and view documents, such as drafts, signed contracts and building financials, all in one central place.

QUESTION

2. May a lawyer representing a party to a transaction use a cloud-based technology so as to post documents and share them with others involved in the transaction?

OPINION

3. The materials that the inquirer seeks to post, such as drafts, contracts and building financials, may well include confidential information of the inquirer's clients, and for purposes of this opinion we assume that they do.[1] Thus the answer to this inquiry hinges on whether use of the contemplated technology would violate the inquirer's ethical duty to preserve a client's confidential information.

4. Rule 1.6(a) contains a straightforward prohibition against the knowing disclosure of confidential information, subject to certain exceptions including a client's informed consent, and Rule 1.6(c) contains the accompanying general requirement that a lawyer exercise reasonable care to prevent [persons] whose services are utilized by the lawyer from disclosing or using confidential information of a client.

5. Comment [17] to Rule 1.6 addresses issues raised by a lawyer's use of technology:

When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. The duty does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to use a means of communication or security measures not required by this Rule, or may give informed consent (as in an engagement letter or similar document) to the use of means or measures that would otherwise be prohibited by this Rule.

6. In the recent past, our Committee has repeatedly been asked to provide guidance on the interplay of technology and confidentiality. N.Y. State 1019 (2014) catalogues the Committee's opinions on technology. In that opinion, we considered whether a law firm could provide its lawyers with remote access to its electronic files. We concluded that a law firm could use remote access as long as it takes reasonable steps to ensure that confidential information is maintained. Id Similarly, in N.Y. State 842 (2010), which considered the use of cloud data storage, we concluded that a lawyer could use this technology to store client records provided that the lawyer takes reasonable care to protect the client's confidential information. We also reached a similar conclusion in N.Y. State 939 (2012) as to the issue of lawyers from different firms sharing a computer system.

8. The concerns presented by the current inquiry were also present in N.Y. State 1019, N.Y. State 939 and N.Y. State 842, and those opinions govern the outcome here. That is, the inquirer may use the proposed technology provided that the lawyer takes reasonable steps to ensure that confidential information is not breached.[2] The inquirer must, for example, try to ensure that only authorized parties have access to the system on which the information is shared. Because of the fact-specific and evolving nature of technology, we do not purport to specify in detail the steps that will constitute reasonable care in any given set of circumstances. See N.Y. State We note, however, that use of electronically stored information may not only require reasonable care to protect that information under Rule 1.6, but may also, under Rule 1.1, require the competence to determine and follow a set of steps that will constitute such reasonable care Finally, we note that Rule 1.6 provides an exception to confidentiality rules based on a client's informed consent. Thus, as quoted in paragraph 5 above, a client may agree to the use of a technology that would otherwise be prohibited by the Rule. But as we have previously pointed out, before requesting client consent to a technology system used by the law firm, the firm must disclose the risks that the system does not provide reasonable assurance of confidentiality, so that the consent is informed within the meaning of Rule 1.0(j), i.e. that the client has information adequate to make an informed decision. N.Y. State

CONCLUSION

10. Whether a lawyer for a party in a transaction may post and share documents using a cloud data storage tool depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks.

(17-14)

[1] Rule 1.6(a) defines confidential information generally to include information gained during or relating to the representation of a client, whatever its source, that is (a) protected by the attorney-client privilege, (b) likely to be embarrassing or detrimental to the client if disclosed, or (c) information that the client has requested be kept confidential.

[2] This result is consistent with results in other jurisdictions that have considered lawyers' use of off-site, third-party cloud services for storing and sharing documents. See, e.g., ABA ; Arizona Opinion 05-04; California Opinion ; Connecticut Inf. Opinion ; Florida Opinion 12-3 (2013); Illinois Opinion (2009); Iowa Opinion 11-01; Maine Opinion 207 (2013); Massachusetts Opinion 12-03; Massachusetts Opinion 05-04; Missouri Inf. Opinion ; Nebraska Opinion 06-05; New Hampshire Opinion /4 (2013); New Jersey Opinion 701 (2006); North Carolina Opinion (2012); North Dakota Opinion (1999); Ohio Opinion ; Oregon Opinion ; Pennsylvania Opinion ; Pennsylvania Opinion ; Vermont Opinion (2012); Washington Inf. Opinion 2215 (2012).

[3] It has been said for example that the duty of competence may require litigators, depending on circumstances, to possess a basic or even a more refined understanding of electronically stored information. See, e.g., Zachary Wang, Ethics and Electronic Discovery: New Medium, Same Problems, 75 Defense Counsel Journal 328, at 7 (October 2008) ("disclosure of privileged information as a result of a lack of knowledge of a client's IT system would subject an attorney to discipline under Rules 1.1 and 1.6"). The California State Bar Standing Committee on Professional Responsibility and Conduct has tentatively approved an interim opinion interpreting California ethical rules as follows: Attorney competence related to litigation generally requires, at a minimum, a basic understanding of, and facility with, issues relating to e-discovery, i.e., the discovery of electronically stored information ("ESI"). On a case-by-case basis, the duty of competence may require a higher level of technical knowledge and ability, depending on the e-discovery issues involved in a given matter and the nature of the ESI involved. An attorney lacking the required competence for the e-discovery issues in the case at issue has three options: (1) acquire sufficient learning and skill before performance is required; (2) associate with or consult technical consultants or competent counsel; or (3) decline the client representation. COPRAC Proposed Formal Opinion (2014).


ETHICS OPINION 842

COMMITTEE ON PROFESSIONAL ETHICS

Opinion 842 (9/10/10)

Topic: Using an outside online storage provider to store client confidential information.

Digest: A lawyer may use an online data storage system to store and back up client confidential information provided that the lawyer takes reasonable care to ensure that confidentiality will be maintained in a manner consistent with the lawyer's obligations under Rule 1.6. In addition, the lawyer should stay abreast of technological advances to ensure that the storage system remains sufficiently advanced to protect the client's information, and should monitor the changing law of privilege to ensure that storing the information online will not cause loss or waiver of any privilege.

Rules: 1.4, 1.6(a), 1.6(c)

QUESTION

1. May a lawyer use an online system to store a client's confidential information without violating the duty of confidentiality or any other duty? If so, what steps should the lawyer take to ensure that the information is sufficiently secure?

OPINION

2. Various companies offer online computer data storage systems that are maintained on an array of Internet servers located around the world. (The array of Internet servers that store the data is often called the "cloud.") A solo practitioner would like to use one of these online "cloud" computer data storage systems to store client confidential information. The lawyer's aim is to ensure that his clients' information will not be lost if something happens to the lawyer's own computers. The online data storage system is password-protected and the data stored in the online system is encrypted.

3. A discussion of confidential information implicates Rule 1.6 of the New York Rules of Professional Conduct (the "Rules"), the general rule governing confidentiality. Rule 1.6(a) provides as follows:

A lawyer shall not knowingly reveal confidential information or use such information to the disadvantage of a client or for the advantage of a lawyer or a third person, unless: (1) the client gives informed consent, as defined in Rule 1.0(j); (2) the disclosure is impliedly authorized to advance the best interests of the client and is either reasonable under the circumstances or customary in the professional community; or (3) the disclosure is permitted by paragraph (b).

4. The obligation to preserve client confidential information extends beyond merely prohibiting an attorney from revealing confidential information without client consent. A lawyer must also take reasonable care to affirmatively protect a client's confidential information. See N.Y. County 733 (2004) (an attorney "must diligently preserve the client's confidences, whether reduced to digital format, paper, or otherwise"). As a New Jersey ethics committee observed, even when a lawyer wants a closed client file to be destroyed, "[s]imply placing the files in the trash would not suffice. Appropriate steps must be taken to ensure that confidential and privileged information remains protected and not available to third parties." New Jersey Opinion (2006), quoting New Jersey Opinion 692 (2002).

5. In addition, Rule 1.6(c) provides that an attorney must "exercise reasonable care to prevent... others whose services are utilized by the lawyer from disclosing or using confidential information of a client" except to the extent disclosure is permitted by Rule 1.6(b). Accordingly, a lawyer must take reasonable affirmative steps to guard against the risk of inadvertent disclosure by others who are working under the attorney's supervision or who have been retained by the attorney to assist in providing services to the client. We note, however, that exercising "reasonable care" under Rule 1.6 does not mean that the lawyer guarantees that the information is secure from any unauthorized access.

6. To date, no New York ethics opinion has addressed the ethics of storing confidential information online. However, in N.Y. State 709 (1998) this Committee addressed the duty to preserve a client's confidential information when transmitting such information electronically. Opinion 709 concluded that lawyers may transmit confidential information by e-mail, but cautioned that "lawyers must always act reasonably in choosing to use e-mail for confidential communications." The Committee also warned that the exercise of reasonable care may differ from one case to the next. Accordingly, when a lawyer is on notice that the confidential information being transmitted is "of such an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer's control, the lawyer must select a more secure means of communication than unencrypted Internet e-mail." See also Rule 1.6, cmt. 17 (a lawyer "must take reasonable precautions" to prevent information coming into the hands of unintended recipients when transmitting information relating to the representation, but is not required to use special security measures if the means of communicating provides a reasonable expectation of privacy).

7. Ethics advisory opinions in several other states have approved the use of electronic storage of client files provided that sufficient precautions are in place. See, e.g., New Jersey Opinion 701 (2006) (lawyer may use electronic filing system whereby all documents are scanned into a digitized format and entrusted to someone outside the firm provided that the lawyer exercises "reasonable care," which includes entrusting documents to a third party with an enforceable obligation to preserve confidentiality and security, and employing available technology to guard against reasonably foreseeable attempts to infiltrate data); Arizona Opinion (2005) (electronic storage of client files is permissible provided lawyers and law firms "take competent and reasonable steps to assure that the client's confidences are not disclosed to third parties through theft or inadvertence"); see also Arizona Opinion (2009) (lawyer may provide clients with an online file storage and retrieval system that clients may access, provided lawyer takes reasonable precautions to protect security and confidentiality and lawyer periodically reviews security measures as technology advances over time to ensure that the confidentiality of client information remains reasonably protected).

8. Because the inquiring lawyer will use the online data storage system for the purpose of preserving client information - a purpose both related to the retention and necessary to providing legal services to the client - using the online system is consistent with conduct that this Committee has deemed ethically permissible. See N.Y. State 473 (1977) (absent client's objection, lawyer may provide confidential information to outside service agency for legitimate purposes relating to the representation provided that the lawyer exercises care in the selection of the agency and cautions the agency to keep the information confidential); cf. NY CPLR 4548 (privileged communication does not lose its privileged character solely because it is communicated by electronic means or because "persons necessary for the delivery or facilitation of such electronic communication may have access to" its contents).

9. We conclude that a lawyer may use an online "cloud" computer data backup system to store client files provided that the lawyer takes reasonable care to ensure that the system is secure and that client confidentiality will be maintained. "Reasonable care" to protect a client's confidential information against unauthorized disclosure may include consideration of the following steps:

(1) ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;

(2) investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;

(3) employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or

(4) investigating the storage provider's ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.

10. TECHNOLOGY AND THE SECURITY OF STORED DATA ARE CHANGING RAPIDLY. EVEN AFTER TAKING SOME OR ALL OF THESE STEPS (OR SIMILAR STEPS), THEREFORE, THE LAWYER SHOULD PERIODICALLY RECONFIRM THAT THE PROVIDER'S SECURITY MEASURES REMAIN EFFECTIVE IN LIGHT OF ADVANCES IN TECHNOLOGY. IF THE LAWYER LEARNS INFORMATION SUGGESTING THAT THE SECURITY MEASURES USED BY THE ONLINE DATA STORAGE PROVIDER ARE INSUFFICIENT TO ADEQUATELY PROTECT THE CONFIDENTIALITY OF CLIENT INFORMATION, OR IF THE LAWYER LEARNS OF ANY BREACH OF CONFIDENTIALITY BY THE ONLINE STORAGE PROVIDER, THEN THE LAWYER MUST INVESTIGATE WHETHER THERE HAS BEEN ANY BREACH OF HIS OR HER OWN CLIENTS' CONFIDENTIAL INFORMATION, NOTIFY ANY AFFECTED CLIENTS, AND DISCONTINUE USE OF THE SERVICE UNLESS THE LAWYER RECEIVES ASSURANCES THAT ANY SECURITY ISSUES HAVE BEEN SUFFICIENTLY REMEDIATED. SEE RULE 1.4 (MANDATING COMMUNICATION WITH CLIENTS); SEE ALSO N.Y. STATE 820 (2008) (ADDRESSING WEB-BASED SERVICES).

11. NOT ONLY TECHNOLOGY ITSELF BUT ALSO THE LAW RELATING TO TECHNOLOGY AND THE PROTECTION OF CONFIDENTIAL COMMUNICATIONS IS CHANGING RAPIDLY. LAWYERS USING ONLINE STORAGE SYSTEMS (AND ELECTRONIC MEANS OF COMMUNICATION GENERALLY) SHOULD MONITOR THESE LEGAL DEVELOPMENTS, ESPECIALLY REGARDING INSTANCES WHEN USING TECHNOLOGY MAY WAIVE AN OTHERWISE APPLICABLE PRIVILEGE. SEE, E.G., CITY OF ONTARIO, CALIF. V. QUON, 130 S. CT. 2619, 177 L.ED.2D 216 (2010) (HOLDING THAT CITY DID NOT VIOLATE FOURTH AMENDMENT WHEN IT REVIEWED TRANSCRIPTS OF MESSAGES SENT AND RECEIVED BY POLICE OFFICERS ON POLICE DEPARTMENT PAGERS); SCOTT V. BETH ISRAEL MEDICAL CENTER, 17 MISC. 3D 934, 847 N.Y.S.2D 436 (N.Y. SUP. 2007) (E-MAILS BETWEEN HOSPITAL EMPLOYEE AND HIS PERSONAL ATTORNEYS WERE NOT PRIVILEGED BECAUSE EMPLOYER'S POLICY REGARDING COMPUTER USE AND E-MAIL MONITORING STATED THAT EMPLOYEES HAD NO REASONABLE EXPECTATION OF PRIVACY IN E-MAILS SENT OVER THE EMPLOYER'S SERVER). BUT SEE STENGART V. LOVING CARE AGENCY, INC., 201 N.J. 300, 990 A.2D 650 (2010) (DESPITE EMPLOYER'S POLICY STATING THAT COMPANY HAD RIGHT TO REVIEW AND DISCLOSE ALL INFORMATION ON "THE COMPANY'S MEDIA SYSTEMS AND SERVICES" AND THAT E-MAILS WERE "NOT TO BE CONSIDERED PRIVATE OR PERSONAL" TO ANY EMPLOYEES, COMPANY VIOLATED EMPLOYEE'S ATTORNEY-CLIENT PRIVILEGE BY REVIEWING E-MAILS SENT TO EMPLOYEE'S PERSONAL ATTORNEY ON EMPLOYER'S LAPTOP THROUGH EMPLOYEE'S PERSONAL, PASSWORD-PROTECTED ACCOUNT).

12. THIS COMMITTEE'S PRIOR OPINIONS HAVE ADDRESSED THE DISCLOSURE OF CONFIDENTIAL INFORMATION IN METADATA AND THE PERILS OF PRACTICING LAW OVER THE INTERNET. WE HAVE NOTED IN THOSE OPINIONS THAT THE DUTY TO "EXERCISE REASONABLE CARE" TO PREVENT DISCLOSURE OF CONFIDENTIAL INFORMATION "MAY, IN SOME CIRCUMSTANCES, CALL FOR THE LAWYER TO STAY ABREAST OF TECHNOLOGICAL ADVANCES AND THE POTENTIAL RISKS" IN TRANSMITTING INFORMATION ELECTRONICALLY. N.Y. STATE 782 (2004), CITING N.Y. STATE 709 (1998) (WHEN CONDUCTING TRADEMARK PRACTICE OVER THE INTERNET, LAWYER HAD DUTY TO "STAY ABREAST OF THIS EVOLVING TECHNOLOGY TO ASSESS ANY CHANGES IN THE LIKELIHOOD OF INTERCEPTION AS WELL AS THE AVAILABILITY OF IMPROVED TECHNOLOGIES THAT MAY REDUCE SUCH RISKS AT REASONABLE COST"); SEE ALSO N.Y. STATE 820 (2008) (SAME IN CONTEXT OF USING E-MAIL SERVICE PROVIDER THAT SCANS E-MAILS TO GENERATE COMPUTER ADVERTISING). THE SAME DUTY TO STAY CURRENT WITH THE TECHNOLOGICAL ADVANCES APPLIES TO A LAWYER'S CONTEMPLATED USE OF AN ONLINE DATA STORAGE SYSTEM.

CONCLUSION

13. A LAWYER MAY USE AN ONLINE DATA STORAGE SYSTEM TO STORE AND BACK UP CLIENT CONFIDENTIAL INFORMATION PROVIDED THAT THE LAWYER TAKES REASONABLE CARE TO ENSURE THAT CONFIDENTIALITY IS MAINTAINED IN A MANNER CONSISTENT WITH THE LAWYER'S OBLIGATIONS UNDER RULE 1.6. A LAWYER USING AN ONLINE STORAGE PROVIDER SHOULD TAKE REASONABLE CARE TO PROTECT CONFIDENTIAL INFORMATION, AND SHOULD EXERCISE REASONABLE CARE TO PREVENT OTHERS WHOSE SERVICES ARE UTILIZED BY THE LAWYER FROM DISCLOSING OR USING CONFIDENTIAL INFORMATION OF A CLIENT. IN ADDITION, THE LAWYER SHOULD STAY ABREAST OF TECHNOLOGICAL ADVANCES TO ENSURE THAT THE STORAGE SYSTEM REMAINS SUFFICIENTLY ADVANCED TO PROTECT THE CLIENT'S INFORMATION, AND THE LAWYER SHOULD MONITOR THE CHANGING LAW OF PRIVILEGE TO ENSURE THAT STORING INFORMATION IN THE "CLOUD" WILL NOT WAIVE OR JEOPARDIZE ANY PRIVILEGE PROTECTING THE INFORMATION.

(75-09)

New York State Bar Association, One Elk Street, Albany, NY

SUMMARY OF AMERICAN BAR ASSOCIATION STANDING COMMITTEE ON ETHICS AND PROFESSIONAL RESPONSIBILITY FORMAL OPINION

In its advisory Formal Ethics Opinion (1995), the American Bar Association's Standing Committee on Ethics and Professional Responsibility considered the ethical implications of an arrangement between a law firm and a computer maintenance company pursuant to which the maintenance company would have access to the firm's clients' files. The Opinion expressed the view that the firm must, in order to comply with Model Rule 1.6 (confidentiality) and Model Rule 5.3 (responsibilities regarding nonlawyer assistants) of the Model Rules of Professional Conduct, make reasonable efforts to ensure that the maintenance company has in place or will establish reasonable procedures to protect the confidentiality of the information of the firm's clients. The Opinion expressed the view that the firm would be well-advised to obtain a separate written statement from the maintenance company setting forth that company's assurance of confidentiality. The Opinion also expressed the view that if a significant breach of confidentiality occurs while the client files are in the possession of the maintenance company, the firm may be required by Model Rule 1.4 (communication) to disclose the breach to affected clients. According to the Opinion, if the breach could reasonably be viewed as a significant factor in the representation of the client, e.g., the breach is likely to affect the client's position or the outcome of the matter, the firm would be required by Model Rule 1.4 to disclose the breach to the client.

COPYRIGHT 2017 BY MICHAEL S. ROSS, ESQ. ALL RIGHTS RESERVED. REPRINTED WITH PERMISSION.


CYBER LIABILITY; COVERAGE, UNDERWRITING AND CLAIMS
USI 2017 Cyber Presentation
12/6/2017

Greg Cooke, Vice President, Sales and Client Management, USI Affinity

CONFIDENTIAL AND PROPRIETARY: This presentation and the information contained herein is confidential and proprietary information of USI Insurance Services, LLC ("USI"). Recipient agrees not to copy, reproduce or distribute this document, in whole or in part, without the prior written consent of USI. Estimates are illustrative given data limitation, may not be cumulative and are subject to change based on carrier underwriting. USI Insurance Services. All rights reserved.

2017 USI Affinity. All rights reserved.

What Will We Be Covering?
- Why Law Firms?
- Why Are Small and Midsize Firms Targeted?
- Data Security Gaps
- What Does Cyber Insurance Cover?
- What is NOT COVERED by Cyber Insurance?
- Insurance Coverage Gaps
- Claims Statistics
- Cyber Insurance Market Today
- How Do Insurers Underwrite Cyber Risk?
- Coverage Through USI Affinity

Why Law Firms?

Why are law firms at risk?
- Rich collection of confidential information
- Security vulnerabilities
- Social Engineering
- Frequency of law firm data breaches
- Lack of reporting requirements
- Failure to detect a breach / breaches are reported

Why Law Firms?
- 2009: FBI issues advisory that hackers are targeting law firms
- 2011: FBI meets with managing partners of top law firms on cyber risks
- 2013: Mary Galligan of FBI warns, "We have hundreds of law firms that we see increasingly being targeted by hackers"
- Citigroup Cyber Intelligence Center Report: law firms at high risk for cyber intrusions
- Cisco Systems Inc.'s Annual Security Report: law firms are the seventh most vulnerable industry

Why Are Small and Midsize Businesses Targeted?
- Small and midsize businesses (SMBs) are the principal target of cybercrime. Based on one study, 60 percent of all targeted cyberattacks last year struck SMBs.
- SMBs are easier targets than larger organizations. Many SMBs lack sufficient resources and in-house expertise to address cyberattacks.
- It has been estimated that half of the small businesses that suffer a cyberattack go out of business within six months as a result.

Source: U.S. Securities and Exchange Commission, The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses

Data Security Gaps
- Lost or stolen devices
- Wireless access
- Vendor management
- Staff training
- Insider threats
- Cloud computing
- Encryption

What Does Cyber Insurance Cover?

Cyber/Privacy Liability

First Party: Breach Notice Costs
- Forensic investigation
- Crisis management/PR
- Notification costs
- Credit monitoring

First Party: Other Business Costs
- Business interruption
- Data repair/replacement
- Cyber-extortion
- Social Engineering

Third Party: Civil Lawsuits
- Consumer class action
- Corporate or financial institution suits
- Credit card brands PCI fines, penalties, and assessments

Third Party: Regulatory Actions
- State AG investigations
- FTC investigations
- Health & Human Services OCR (enforcement arm)
- Foreign Privacy Entities

What is NOT COVERED by Cyber Insurance?
- Theft of Corporate Intellectual Property or Trade Secrets
- Brand Damage
- Loss of Future Revenue (as in the case of Target, for example, if sales were down due to customers staying away after data breach)
- Negligence/Induced Incidents
- Nation State Attacks (excluded)
- Improved IT Security Measures (post breach remediation)
- Physical Damage

Insurance Coverage Gaps

[Table: coverage by policy type. Legend: Coverage Provided; Limited Coverage; No Coverage.]

Policy types compared: Property; General Liability; Crime/Bond; K&R; E&O; Cyber / Privacy

1st Party Privacy / Network Risks
- Physical Damage to Data
- Virus/Hacker Damage to Data
- Denial of Service attack
- B.I. Loss from Security Event
- Extortion or Threat
- Employee Sabotage

3rd Party Privacy/Network Risks
- Theft/Disclosure of private Info
- Confidential Corporate Breach
- Technology E&O
- Media Liability (electronic content)
- Privacy Breach Expense
- Damage to 3rd Party's Data
- Regulatory Privacy Defense/Fines
- Virus/Malicious Code Transmission

Traditional Insurance Gaps, to name a few:
- Theft or disclosure of Third Party Information (GL)
- Security & Privacy intentional act exclusion (GL)
- Data is not tangible Property (GL, Prop. and Crime)
- BI/PD Triggers (GL)
- Value of Data if corrupted, destroyed or disclosed (Prop & GL)
- Contingent Risks from external hosting, etc.
- Commercial Crime policies require intent and only cover money securities and other Tangible Property
- Territorial Restrictions
- Sublimits or long waiting periods applicable to any virus coverage available (Prop)

Claims Statistics: Claims by Cause of Loss
[Chart] Source: NetDiligence 2016 Cyber Claims Study

Claims Statistics: Types of Costs
[Chart] Source: NetDiligence 2016 Cyber Claims Study

Cyber Insurance Market Today
- Current marketplace is disjointed and coverage splintered
- Cyber insurance premiums have grown to over $3.25 billion in 2016
- Coverage continues to expand in breadth and limit availability
- Pricing continues to trend upwards
- Certain classes of business are considered riskier than others
- Stronger data is being gathered as more breaches are reported

How Do Insurers Underwrite Cyber Risk?
- Cyber Application
- Cyber Security Risk Assessment
- Conference Calls/Meetings
- Stakeholders Involvement
- Terms and Conditions
- Managing Capacity
- Pricing the Risk

Coverage Through USI Affinity
- USI Affinity proprietary program PrivaSafe underwritten through NAS Insurance
- Includes First and Third Party Coverage
- Unauthorized access to or use of client/employee/trading partner data
- Disclosure of confidential data
- Loss of data or digital assets (malicious, i.e. rogue employee, or accidental)
- Cyber extortion or terrorism threats
- Crisis management and public relations expenses
- Business interruption expenses (data/software restoration)

Questions?

Greg Cooke, Vice President, Sales and Client Management, USI Affinity


More information

Paralegal Rules of Conduct

Paralegal Rules of Conduct Paralegal Rules of Conduct As of October 1, 2014, this version of the Paralegal Rules of Conduct is no longer in effect. Amendments to the Rules resulting from the implementation of the Federation of Law

More information

CHAPTER 02 - RULES OF PROFESSIONAL CONDUCT OF THE NORTH CAROLINA STATE BAR

CHAPTER 02 - RULES OF PROFESSIONAL CONDUCT OF THE NORTH CAROLINA STATE BAR CHAPTER 02 - RULES OF PROFESSIONAL CONDUCT OF THE NORTH CAROLINA STATE BAR 27 NCAC 02 RULE 0.1 PREAMBLE: A LAWYER'S PROFESSIONAL RESPONSIBILITIES (a) A lawyer, as a member of the legal profession, is a

More information

Association of Women Attorneys of Lake County

Association of Women Attorneys of Lake County Association of Women Attorneys of Lake County Seminar, January 12, 2018-10:30-11:30 a.m. Responsibilities to the Profession and Client Raymond J. McKoski Presentation Materials ABA MODEL RULE OF PROFESSIONAL

More information

ARBITRATION RULES OF THE SINGAPORE INTERNATIONAL ARBITRATION CENTRE SIAC RULES (5 TH EDITION, 1 APRIL 2013)

ARBITRATION RULES OF THE SINGAPORE INTERNATIONAL ARBITRATION CENTRE SIAC RULES (5 TH EDITION, 1 APRIL 2013) ARBITRATION RULES OF THE SINGAPORE INTERNATIONAL ARBITRATION CENTRE SIAC RULES (5 TH EDITION, 1 APRIL 2013) 1. Scope of Application and Interpretation 1.1 Where parties have agreed to refer their disputes

More information

MODEL CODE OF ETHICS AND PROFESSIONAL RESPONSIBILITY AND GUIDELINES FOR ENFORCEMENT

MODEL CODE OF ETHICS AND PROFESSIONAL RESPONSIBILITY AND GUIDELINES FOR ENFORCEMENT NATIONAL FEDERATION OF PARALEGAL ASSOCIATIONS, INC. MODEL CODE OF ETHICS AND PROFESSIONAL RESPONSIBILITY AND GUIDELINES FOR ENFORCEMENT PREAMBLE The National Federation of Paralegal Associations, Inc.

More information

Index of Subjects. Created by: Neil Savage, JD Legal Publications Editor/Indexer th Ave NE Seattle, WA

Index of Subjects. Created by: Neil Savage, JD Legal Publications Editor/Indexer th Ave NE Seattle, WA Created by: Neil Savage, JD Legal Publications Editor/Indexer 17812 28th Ave NE Seattle, WA 98155-4006 206-367-9312 Index of Subjects Advertising and solicitation Chat room advertising, 8.13(a) Generally,

More information

Rule 1.2 (a): replaces settle with make or accept an offer of settlement Rule 1.3 Identical

Rule 1.2 (a): replaces settle with make or accept an offer of settlement Rule 1.3 Identical Comparison of Newly Adopted South Carolina Rules of Professional Conduct with ABA Model Rules SOUTH CAROLINA Rules as adopted by South Carolina Supreme Court to be effective 10/1/05. variations from the

More information

ARBITRATION RULES. Arbitration Rules Archive. 1. Agreement of Parties

ARBITRATION RULES. Arbitration Rules Archive. 1. Agreement of Parties ARBITRATION RULES 1. Agreement of Parties The parties shall be deemed to have made these rules a part of their arbitration agreement whenever they have provided for arbitration by ADR Services, Inc. (hereinafter

More information

MSBA Rules of Professional Conduct Committee May 19, 2014

MSBA Rules of Professional Conduct Committee May 19, 2014 No report, recommendation, or other action of any section or committee shall be considered as the policy of the MSBA unless and until it has been approved by the Assembly. Reports, comments, and supporting

More information

ETHICAL ISSUES IN PRESENTING PLEA NEGOTIATIONS TO CLIENTS

ETHICAL ISSUES IN PRESENTING PLEA NEGOTIATIONS TO CLIENTS ETHICAL ISSUES IN PRESENTING PLEA NEGOTIATIONS TO CLIENTS Kathleen Stilling, Calvin Malone and Mike McChrystal Wisconsin Supreme Court Rules of Professional Conduct SCR 20:1.1 Competence A lawyer shall

More information

Emerging Ethical Issues in Renewable Energy Hosted by the Professional Responsibility and Environmental Law and Energy Committees

Emerging Ethical Issues in Renewable Energy Hosted by the Professional Responsibility and Environmental Law and Energy Committees Chapter Twenty 0250LT Emerging Ethical Issues in Renewable Energy Hosted by the Professional Responsibility and Environmental Law and Energy Committees Course Summary In this one hour CLE, we will cover

More information

MARYLAND RULES OF PROCEDURE TITLE 17 ALTERNATIVE DISPUTE RESOLUTION TABLE OF CONTENTS

MARYLAND RULES OF PROCEDURE TITLE 17 ALTERNATIVE DISPUTE RESOLUTION TABLE OF CONTENTS MARYLAND RULES OF PROCEDURE TITLE 17 ALTERNATIVE DISPUTE RESOLUTION TABLE OF CONTENTS CHAPTER 100 GENERAL PROVISIONS CHAPTER 200 - PROCEEDINGS IN CIRCUIT COURT CHAPTER 300 - PROCEEDINGS IN THE DISTRICT

More information

RULES OF PROFESSIONAL CONDUCT

RULES OF PROFESSIONAL CONDUCT RULES OF PROFESSIONAL CONDUCT HTTPS://WWW.LSUC.ON.CA/LAWYER-CONDUCT-RULES/ JANUARY 29, 2016 7 CHAPTERS Chapter 1: Citation and Interpretation Chapter 2: Integrity Chapter 3: Relationship to Clients Chapter

More information

We are pleased to greet you as a prospective client of this firm. We thank you sincerely for selecting this law firm for your legal needs.

We are pleased to greet you as a prospective client of this firm. We thank you sincerely for selecting this law firm for your legal needs. Attorneys: William H. Kain Michael P. Burke Stephanie R. Holguin Andrew Smith RE: Attached fee agreement Dear Prospective Client: We are pleased to greet you as a prospective client of this firm. We thank

More information

IN THE SUPREME COURT OF NORTH CAROLINA. Order Adopting Amendments to the North Carolina Code of Judicial Conduct

IN THE SUPREME COURT OF NORTH CAROLINA. Order Adopting Amendments to the North Carolina Code of Judicial Conduct IN THE SUPREME COURT OF NORTH CAROLINA Order Adopting Amendments to the North Carolina Code of Judicial Conduct The North Carolina Code of Judicial Conduct is hereby amended to read as follows: Preamble

More information

ABA Commission on Ethics 20/20 Revised Proposal - Outsourcing September 19, Resolution

ABA Commission on Ethics 20/20 Revised Proposal - Outsourcing September 19, Resolution 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 ABA Commission on Ethics 20/20 Revised Proposal - Outsourcing The views expressed

More information

FLORIDA BAR ETHICS OPINION OPINION 02-4 April 2, Advisory ethics opinions are not binding.

FLORIDA BAR ETHICS OPINION OPINION 02-4 April 2, Advisory ethics opinions are not binding. FLORIDA BAR ETHICS OPINION OPINION 02-4 April 2, 2004 Advisory ethics opinions are not binding. When the lawyer in a personal injury case is in possession of settlement funds against which third persons

More information

O.C.G.A. TITLE 23 Chapter 3 Article 6. GEORGIA CODE Copyright 2015 by The State of Georgia All rights reserved.

O.C.G.A. TITLE 23 Chapter 3 Article 6. GEORGIA CODE Copyright 2015 by The State of Georgia All rights reserved. O.C.G.A. TITLE 23 Chapter 3 Article 6 GEORGIA CODE Copyright 2015 by The State of Georgia All rights reserved. *** Current Through the 2015 Regular Session *** TITLE 23. EQUITY CHAPTER 3. EQUITABLE REMEDIES

More information

IMPUTATION OF CONFLICT OF INTEREST

IMPUTATION OF CONFLICT OF INTEREST CLIENT-LAWYER RELATIONSHIP: IMPUTATION OF CONFLICT OF INTEREST MRPC 1.10 1 RULE 1.10 IMPUTATION OF CONFLICT OF INTEREST: GENERAL RULE (a) While lawyers are associated in a firm, none of them shall knowingly

More information

In the Circuit Court, Sixth Judicial Circuit In and for Pasco and Pinellas Counties, Florida

In the Circuit Court, Sixth Judicial Circuit In and for Pasco and Pinellas Counties, Florida In the Circuit Court, Sixth Judicial Circuit In and for Pasco and Pinellas Counties, Florida Administrative Order No. PA/PI-CIR-99-46 Standards of Professional Courtesy and Professionalism Implementation

More information

Comparison of Newly Adopted Illinois Rules of Professional Conduct with ABA Model Rules

Comparison of Newly Adopted Illinois Rules of Professional Conduct with ABA Model Rules Comparison of Newly Adopted Illinois Rules of Professional Conduct with ABA Model Rules ILLINOIS New rules as adopted by Illinois Supreme Court to be effective 1/1/2010. Variations from the Model Rules

More information

Technology and the Threat to the Attorney- Client Privilege Suzanne Valdez

Technology and the Threat to the Attorney- Client Privilege Suzanne Valdez Technology and the Threat to the Attorney- Client Privilege Suzanne Valdez May 17-18, 2018 University of Kansas School of Law Technology and the Threat to the Attorney-Client Privilege Recent Developments

More information

REPRESENTATION AGREEMENT

REPRESENTATION AGREEMENT REPRESENTATION AGREEMENT This Contingent Fee Agreement for the performance of legal services and payment of attorneys' fees (hereinafter referred to as the "Agreement") is between (hereinafter "Client")

More information

NACC Standards for Child Welfare Law Attorney Specialty Certification California Specific

NACC Standards for Child Welfare Law Attorney Specialty Certification California Specific NACC Standards for Child Welfare Law Attorney Specialty Certification California Specific Section 1 General Principles Section 2 Standards for Certification Part 5 Examination Part 6 Writing Sample Part

More information

ADR CODE OF PROCEDURE

ADR CODE OF PROCEDURE Last Revised 12/1/2006 ADR CODE OF PROCEDURE Rules & Procedures for Arbitration RULE 1: SCOPE OF RULES A. The arbitration Rules and Procedures ( Rules ) govern binding arbitration of disputes or claims

More information

Nova Scotia Barristers Society CODE OF PROFESSIONAL CONDUCT

Nova Scotia Barristers Society CODE OF PROFESSIONAL CONDUCT Nova Scotia Barristers Society CODE OF PROFESSIONAL CONDUCT APPROVED BY COUNCIL SEPTEMBER 23, 2011 EFFECTIVE JANUARY 1, 2012 AS AMENDED JANUARY 20, 2012; JULY 20, 2012; FEBRUARY 22, 2013; SEPTEMBER 19,

More information

Streamlined Arbitration Rules and Procedures

Streamlined Arbitration Rules and Procedures RESOLUTIONS, LLC s GUIDE TO DISPUTE RESOLUTION Streamlined Arbitration Rules and Procedures 1. Scope of Rules The RESOLUTIONS, LLC Streamlined Arbitration Rules and Procedures ("Rules") govern binding

More information

NFA Arbitration: Resolving Customer Disputes

NFA Arbitration: Resolving Customer Disputes NFA Arbitration: Resolving Customer Disputes Contents Why arbitration? 2 What does it cost to arbitrate? 4 What is NFA Arbitration? 6 Glossary of terms 17 National Futures Association (NFA) is a self-regulatory

More information

Commercial Arbitration Rules and Mediation Procedures (Including Procedures for Large, Complex Commercial Disputes)

Commercial Arbitration Rules and Mediation Procedures (Including Procedures for Large, Complex Commercial Disputes) Commercial Arbitration Rules and Mediation Procedures (Including Procedures for Large, Complex Commercial Disputes) Rules Amended and Effective October 1, 2013 Fee Schedule Amended and Effective June 1,

More information

Resolution. Client-Lawyer Relationship Rule 1.1 Competence

Resolution. Client-Lawyer Relationship Rule 1.1 Competence 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 ABA COMMISSON ON ETHICS 20/20: REVISED DRAFT RESOLUTION FOR COMMENT--OUTSOURCING

More information

DISTRICT OF COLUMBIA BAR RULES OF PROFESSIONAL CONDUCT REVIEW COMMITTEE

DISTRICT OF COLUMBIA BAR RULES OF PROFESSIONAL CONDUCT REVIEW COMMITTEE DISTRICT OF COLUMBIA BAR RULES OF PROFESSIONAL CONDUCT REVIEW COMMITTEE PROPOSED AMENDMENTS TO D.C. RULE OF PROFESSIONAL CONDUCT 1.2 The views expressed herein are those of the Committee and not those

More information

Proper Business Practices and Ethics Policy

Proper Business Practices and Ethics Policy Proper Business Practices and Ethics Policy Synopsis 1. Crown Castle International Corp. ( Crown Castle ) and its affiliates 1 strive to conduct their business with honesty and integrity and in accordance

More information

Saudi Center for Commercial Arbitration King Fahad Branch Rd, Al Mutamarat, Riyadh, KSA PO Box 3758, Riyadh Tel:

Saudi Center for Commercial Arbitration King Fahad Branch Rd, Al Mutamarat, Riyadh, KSA PO Box 3758, Riyadh Tel: SCCA Arbitration Rules Shaaban 1437 - May 2016 Saudi Center for Commercial Arbitration King Fahad Branch Rd, Al Mutamarat, Riyadh, KSA PO Box 3758, Riyadh 11481 Tel: 920003625 info@sadr.org www.sadr.org

More information

Disciplinary Summary

Disciplinary Summary Disciplinary Summary The following compilation of disciplinary action taken by the Board of Professional Responsibility collects cases arising since 2002, along with some earlier cases published in Pacific

More information

STREAMLINED JAMS STREAMLINED ARBITRATION RULES & PROCEDURES

STREAMLINED JAMS STREAMLINED ARBITRATION RULES & PROCEDURES JAMS STREAMLINED ARBITRATION RULES & PROCEDURES Effective JULY 15, 2009 STREAMLINED JAMS STREAMLINED ARBITRATION RULES & PROCEDURES JAMS provides arbitration and mediation services from Resolution Centers

More information

Through this preliminary report, we undertake to inform the Court, the profession, and the public-at-large of our work.

Through this preliminary report, we undertake to inform the Court, the profession, and the public-at-large of our work. P R E L I M I N A R Y R E P O R T In January of 2001, the New Jersey Supreme Court appointed this Commission to review the Rules of Professional Conduct (RPCs) in light of the report of the American Bar

More information

NASSAU COUNTY BAR ASSOCIATION COMMITTEE ON PROFESSIONAL ETHICS. Opinion No.: (Inquiry No.): 698

NASSAU COUNTY BAR ASSOCIATION COMMITTEE ON PROFESSIONAL ETHICS. Opinion No.: (Inquiry No.): 698 NASSAU COUNTY BAR ASSOCIATION COMMITTEE ON PROFESSIONAL ETHICS Opinion No.: 2003-1 (Inquiry No.): 698 Topics: Digest: Code Provisions: Facts Presented: Preservation of Confidences and Secrets; Effect of

More information

Construction Industry Arbitration Rules and Mediation Procedures (Including Procedures for Large, Complex Construction Disputes)

Construction Industry Arbitration Rules and Mediation Procedures (Including Procedures for Large, Complex Construction Disputes) Construction Industry Arbitration Rules and Mediation Procedures (Including Procedures for Large, Complex Construction Disputes) Rules Amended and Effective October 1, 2009 Fee Schedule Amended and Effective

More information

EXHIBIT A-1 GUIDELINES OF PROFESSIONAL COURTESY AND CIVILITY FOR HAWAI I LAWYERS

EXHIBIT A-1 GUIDELINES OF PROFESSIONAL COURTESY AND CIVILITY FOR HAWAI I LAWYERS EXHIBIT A-1 GUIDELINES OF PROFESSIONAL COURTESY AND CIVILITY FOR HAWAI I LAWYERS (SCRU-17-0000651) Appended by Order of August 27, 2004 The Judiciary State of Hawai i EXHIBIT A-1 GUIDELINES OF PROFESSIONAL

More information

Chapter 2: Law Office Etiquette & Legal Ethics

Chapter 2: Law Office Etiquette & Legal Ethics Chapter 2: Law Office Etiquette & Legal Ethics Chapter Outline: 2.1 Introduction 2.2 Telephone Etiquette Guide 2.3 Legal Ethics 2.4 Rules of Professional Conduct 2.5 The Top 10 Ethics Traps 2.1 INTRODUCTION

More information

LOUISIANA STATE BAR ASSOCIATION LAWYER DISPUTE RESOLUTION PROGRAM RULES (Prev. Rev. 10/06/00) Effective May 1, Preamble

LOUISIANA STATE BAR ASSOCIATION LAWYER DISPUTE RESOLUTION PROGRAM RULES (Prev. Rev. 10/06/00) Effective May 1, Preamble LOUISIANA STATE BAR ASSOCIATION LAWYER DISPUTE RESOLUTION PROGRAM RULES (Prev. Rev. 10/06/00) Effective May 1, 2010 Preamble The purpose of the Lawyer Dispute Resolution Program is to give timely, reasonable,

More information

LeGaL Lawyer Referral Network Rules for Network Membership*

LeGaL Lawyer Referral Network Rules for Network Membership* LeGaL Lawyer Referral Network Rules for Network Membership* About the LeGaL Lawyer Referral Network The Lawyer Referral Network (the Network ) is a service of The LGBT Bar of Association of Greater New

More information

Investments, Life Insurance & Superannuation Terms of Reference

Investments, Life Insurance & Superannuation Terms of Reference Investments, Life Insurance & Superannuation Terms of Reference These Terms of Reference apply to those members of the Financial Ombudsman Service Limited who have been designated as having the Investments,

More information

ALTERNATIVE DISPUTE RESOLUTION (ADR) PROCEDURES

ALTERNATIVE DISPUTE RESOLUTION (ADR) PROCEDURES KAISER ALUMINUM & CHEMICAL CORPORATION ASBESTOS PERSONAL INJURY TRUST ALTERNATIVE DISPUTE RESOLUTION (ADR) PROCEDURES 00015541-3 Page 1 of Attachment A to Asbestos TDP KAISER ALUMINUM & CHEMICAL CORPORATION

More information

ARBITRATION RULES OF THE SINGAPORE INTERNATIONAL ARBITRATION CENTRE SIAC RULES (5 TH EDITION, 1 APRIL 2013) CONTENTS

ARBITRATION RULES OF THE SINGAPORE INTERNATIONAL ARBITRATION CENTRE SIAC RULES (5 TH EDITION, 1 APRIL 2013) CONTENTS CONTENTS Rule 1 Scope of Application and Interpretation 1 Rule 2 Notice, Calculation of Periods of Time 3 Rule 3 Notice of Arbitration 4 Rule 4 Response to Notice of Arbitration 6 Rule 5 Expedited Procedure

More information

The Law Society of New South Wales Professional Conduct and Practice Rules Legal Profession Act 1987 FORMER RULES

The Law Society of New South Wales Professional Conduct and Practice Rules Legal Profession Act 1987 FORMER RULES The Law Society of New South Wales Professional Conduct and Practice Rules Legal Profession Act 1987 The Revised Professional Conduct and Practice Rules 1995 commenced on 11 December, 1995. The Revised

More information

SARBANES OXLEY ATTORNEY RESPONSIBILITY STANDARDS

SARBANES OXLEY ATTORNEY RESPONSIBILITY STANDARDS SARBANES OXLEY ATTORNEY RESPONSIBILITY STANDARDS DEBRA G. HATTER, Houston Haynes & Boone State Bar Of Texas 2 ND ANNUAL ADVANCED IN-HOUSE COUNSEL COURSE August 14-15, 2003 San Antonio, Texas CHAPTER 9

More information

ICDR/AAA EU-U.S. Privacy Shield Annex I Arbitration Rules

ICDR/AAA EU-U.S. Privacy Shield Annex I Arbitration Rules ICDR/AAA EU-U.S. Privacy Shield Annex I Arbitration Rules Effective as of September 15, 2017 THE EU-U.S. PRIVACY SHIELD ANNEX I BINDING ARBITRATION PROGRAM These Rules govern arbitrations that take place

More information

In-House Ethics: Important Questions. Dorsey & Whitney. Dorsey & Whitney LLP. All Rights Reserved.

In-House Ethics: Important Questions. Dorsey & Whitney. Dorsey & Whitney LLP. All Rights Reserved. In-House Ethics: Important Questions Ella Solomons Deloitte Kenneth L. Jorgensen David C. Singer Dorsey & Whitney Overall Responsibility A law firm... shall make reasonable efforts to ensure that all lawyers

More information

CHAPTER LOBBYING

CHAPTER LOBBYING CHAPTER 20-1200. LOBBYING 20-1201. Definitions. (1) "Administrative action." Any of the following: (a) An agency's: (i) proposal, consideration, promulgation or rescission of a regulation; (ii) development

More information