Recently, the California Bar Association (“CBA”) published Formal Opinion No. 2020-203[1] concerning a lawyer’s ethical obligations with respect to unauthorized access to electronically stored client information. The onset of the COVID-19 pandemic greatly accelerated the growing trend of storing and maintaining data and information online so that employees and clients can access the data from anywhere in the world at any time. Now, in today’s working world, the reality is nearly all information and data is stored and shared digitally online for ease of access, use, and dissemination.

Unfortunately, a major draw-back of this switch to a cyber paradigm is serious exposure to data breaches as a result of hacking, inadvertence, or theft. Formal Opinion No. 2020-203 outlines how a lawyer is to handle access to client confidential information and anticipation of potential security issues. This article will briefly cover the key aspects addressed in Formal Opinion No. 2020-203.

What is the duty owed by a lawyer to his or her client regarding the use of technology?

At the outset, the CBA reminds lawyers of the ongoing duty of competence (Rule 1.1) and the duty to safeguard clients’ confidences and secrets (Rule 1.6; Cal. Bus. & Prof. Code, § 6068(e)) which impose the requirement that a lawyer must have a basic understanding of the risks posed when using a given technology and (if necessary) obtain help from appropriate experts to assess those risks and take reasonable steps to prevent data breaches.