BYOD and Threats to Confidentiality
Lawyers are increasingly reliant upon personally owned and/or managed mobile devices, such as smart phones and tablets, to perform their work as well as maintain their personal relationships. Enter “Bring Your Own Device” (BYOD). BYOD is an approach to mobile technology that permits access to a law firm’s computer network and email system through employee-owned mobile devices. These mobile devices typically have some mechanism for installing software applications (“apps”) that run on the device. Examples of commonly downloaded apps include Pandora Radio, Facebook, Instagram, and LinkedIn.
In basic terms, mobile apps are software programs that are downloaded to and installed upon a mobile device. These programs communicate with a remote server when in use, and often access information on users’ mobile devices to operate properly. Some apps request the device user to allow access to information on the device such as location, photographs, or even the contacts in your address book.
For example, when you launch the camera app on a smart phone, it will generally ask you if it can use your location. If you agree, your acquiescence will allow pictures taken with the camera to be “geotagged.” A photo’s geotag will identify when and where the picture was taken. If you then allow another app (like Facebook or Instagram) to use the camera, those apps may gain access to the time and location data as well.
When you download a social networking app you may see a pop-up message such as “Facebook Would Like to Access Your Contacts,” to which you can reply “Allow” or “Don’t Allow.” When you share access to your contacts, you are granting the app access to other people’s personal information.
Depending on the type of client information that is stored on the employee’s device, allowing apps to access information on the device may have ethical implications. A lawyer could take a photo of a draft document to email to opposing counsel and potentially reveal where the photo was taken. This scenario would be problematic if the location was, say, a warehouse that a client was trying to convert for a new, secret product. A photo of a client’s bruised face taken at a battered women’s safe house could inadvertently reveal the location of the safe house. If a lawyer uses his phone’s camera to take a photo of a confidential document in a case, and the lawyer then opens Instagram to upload a picture of his child playing soccer, technically the lawyer has disclosed client information because Instagram has access to the lawyer’s photos.
Apps will generally only ask for access the FIRST time that you run the app. Thus, if you allow Instagram to access your child’s soccer photos in 2012, the program may remember that setting after you start using a new photo-to-PDF conversion program in 2016 (maybe even after moving to a new phone because some settings automatically transfer to new phones).
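One concrete way a firm could check a photo for the geotag described above before it is emailed or uploaded, given here as an added example rather than anything from the article: the code reads the Exif block of a JPEG, reports whether a GPS sub-IFD (the geotag) is present, and strips the Exif segment entirely so that location, timestamp and device details leave with it. The sample JPEG is constructed inside the block, and the function names are my own.

```python
import struct
APP1 = 0xE1               # JPEG marker that carries the Exif metadata block
GPS_IFD_POINTER = 0x8825  # Exif tag pointing at the GPS sub-IFD: present => photo is geotagged
EXIF_ID = b"Exif\x00\x00"

def iter_segments(jpeg: bytes):
    """Yield (marker, payload, start, end) for each header segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:  # stop at SOS
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]  # counts its own 2 bytes
        yield jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length

def has_geotag(jpeg: bytes) -> bool:
    """True if Exif IFD0 carries a GPS IFD pointer, i.e. location data is embedded."""
    for marker, payload, _, _ in iter_segments(jpeg):
        if marker == APP1 and payload.startswith(EXIF_ID):
            tiff = payload[6:]                    # TIFF header: byte order, 42, IFD0 offset
            e = ">" if tiff[:2] == b"MM" else "<"
            ifd0 = struct.unpack(e + "I", tiff[4:8])[0]
            count = struct.unpack(e + "H", tiff[ifd0:ifd0 + 2])[0]
            for i in range(count):                # 12-byte entries, 2-byte tag first
                off = ifd0 + 2 + 12 * i
                if struct.unpack(e + "H", tiff[off:off + 2])[0] == GPS_IFD_POINTER:
                    return True
    return False

def strip_exif(jpeg: bytes) -> bytes:
    """Copy of the JPEG with every Exif APP1 segment removed (geotag, timestamp, device)."""
    out, pos = bytearray(jpeg[:2]), 2
    for marker, payload, start, end in iter_segments(jpeg):
        if not (marker == APP1 and payload.startswith(EXIF_ID)):
            out += jpeg[start:end]                # keep non-Exif segments (DQT, SOF, ...)
        pos = end
    return bytes(out + jpeg[pos:])                # SOS and pixel data follow unchanged

def build_sample(with_gps: bool) -> bytes:
    """Constructed minimal JPEG: SOI, Exif APP1 (Orientation, optional GPS sub-IFD), fake scan."""
    n = 2 if with_gps else 1
    entries = [struct.pack(">HHIHH", 0x0112, 3, 1, 1, 0)]          # Orientation = 1 (SHORT)
    if with_gps:                                                    # GPS IFD follows IFD0
        entries.append(struct.pack(">HHII", GPS_IFD_POINTER, 4, 1, 8 + 2 + 12 * n + 4))
    tiff = b"MM" + struct.pack(">HIH", 42, 8, n) + b"".join(entries) + struct.pack(">I", 0)
    if with_gps:                                                    # GPSVersionID = 2.3.0.0
        tiff += struct.pack(">HHHI", 1, 0x0000, 1, 4) + b"\x02\x03\x00\x00" + struct.pack(">I", 0)
    app1 = b"\xff\xe1" + struct.pack(">H", len(EXIF_ID + tiff) + 2) + EXIF_ID + tiff
    scan = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9"
    return b"\xff\xd8" + app1 + scan
```

Stripping the whole Exif block is the conservative choice: it removes the geotag along with everything else a camera records, so nothing the lawyer did not intend to share survives in the file.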
Demand for Increased Security
Firm clients are strongly communicating how important security is to them. Clients rightfully expect their information to be secure and are increasingly asking more specific security-related questions. It has become an important component of their decision process when awarding or maintaining business. Some clients even require security-specific audits for their professional services firms and business partners.
Duty of Competence Includes Technology
At a conference on October 2, 2014, the North Carolina Supreme Court approved several amendments to the North Carolina Rules of Professional Conduct. Many of these amendments were the result of revisions suggested by the North Carolina State Bar Study Committee on the ABA Ethics 20/20 Commission. The committee reviewed amendments to the Model Rules of Professional Conduct adopted by the ABA upon the recommendation of the Ethics 20/20 Commission. The task of the ABA commission was to amend the ABA Model Rules of Professional Conduct to respond to changes in the practice of law due to technology and globalization. The State Bar’s committee reviewed the Ethics 20/20 amendments to the Model Rules of Professional Conduct and made recommendations as to similar amendments to the North Carolina Rules.
An amendment to the comments to Rule 1.1 (Competence) was approved by the Court. Comment  to Rule 1.1 now provides:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with the technology relevant to the lawyer’s practice, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject (emphasis added to show changes).
The ABA commission commented in their report that, “[b]ecause of the sometimes bewildering pace of technological change, the commission believes that it is important to make explicit that a lawyer’s duty of competence, which requires the lawyer to stay abreast of changes in the law and its practice, includes understanding relevant technology’s benefits and risks.”
A lawyer or law firm utilizing BYOD telecommunication needs to understand the risks of such technology. The primary concern is a lawyer’s obligation to safeguard client information under Rule 1.6. Rule 1.6(c) provides that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comments  and  to Rule 1.6 further discuss a lawyer’s duty to safeguard confidential client information. Comment  provides that:
The unauthorized access to, or the inadvertent or unauthorized disclosure of, information acquired during the professional relationship with a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
Comment  provides that:
When transmitting a communication that includes information acquired during the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy.
Pursuant to the above comments, a lawyer may use any technology if the lawyer has determined that the technology affords reasonable protection against disclosure of confidential information and the lawyer takes reasonable precautions in the use of the technology.
Although a lawyer has a professional obligation to protect confidential information from unauthorized disclosure, the Ethics Committee has held that this duty does not compel any particular mode of handling confidential information, nor does it prohibit the employment of vendors whose services may involve the handling of documents or data containing client information. See RPC 133. Moreover, while the duty of confidentiality applies to lawyers who choose to use technology to communicate, “this obligation does not require that a lawyer use only infallibly secure methods of communication.” RPC 215. Rather, the lawyer must use reasonable care to select a mode of communication that, in light of the circumstances, will best protect confidential client information, and the lawyer must advise affected parties if there is reason to believe that the chosen communications technology presents an unreasonable risk to confidentiality. Id.
For example, in 2008 FEO 5, the committee held that the use of a web-based document management system that allows both the law firm and the client access to the client’s file is permissible, provided the lawyer can fulfill his obligation to protect the confidential information of all clients.
In 2011 FEO 6, involving the use of “cloud” data storage, the Ethics Committee concluded that a lawyer may contract with a vendor of software as a service provided the lawyer uses reasonable care to safeguard confidential client information. 2011 FEO 7, which discusses the use of online banking to manage a law firm’s trust account, provides that a law firm may use online banking “provided the lawyers use reasonable care to minimize the risk of loss or theft of client property specifically including the regular education of the firm’s managing lawyers on the ever-changing security risks of online banking and the active maintenance of end-user security.” The ethical duty to obtain frequent and regular education is also emphasized in 2011 FEO 6. The opinion provides that “[g]iven the rapidity with which computer technology changes, law firms are encouraged to consult periodically with professionals competent in the area of online security.”
Therefore, prior to permitting BYOD telecommunication, which may include downloading apps, a law firm must determine that the technology and devices it will use afford reasonable protection against disclosure of confidential client information. The law firm must also take reasonable precautions to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, client information.
Measures You Can Take
What measures should a lawyer and law firm consider or take to reduce the risk of exposing client information when making decisions about the use of particular mobile apps?
In general, a law firm that permits BYOD telecommunication and a lawyer who elects to make use of such technology must both carefully consider and address the risks associated with BYOD technology. Because many of the same security risks are present in personally managed devices that are not necessarily mobile (home computers), a firm allowing employees to use any personally managed device should consider and address the associated risks.
BYOD affects a law firm’s ability to control the use of employee owned/managed devices in the same manner it controls the use of computers and equipment owned and managed by the firm. In relation to apps, a law firm may lose control over the apps that are downloaded on the device, or the access the owner grants while downloading the apps on the device.
One reasonable measure to consider is the establishment of a BYOD policy that defines the law firm’s security policies. A law firm might address the following issues in its BYOD policy: (1) permitted devices; (2) acceptable use; (3) lock screen password requirements; (4) prohibition on subverting security controls—devices should not be “rooted” or “jailbroken” from their original, vendor supported state; (5) support limitations; (6) loss or theft procedure; (7) employee discharge strategy; (8) training; and (9) acceptable apps/privacy settings that must be adhered to for applications that are allowed.
When determining which apps are permissible on personally managed devices, law firms should take into consideration: (1) what type of client information is stored on the device; (2) the trustworthiness of the app and app vendor; (3) whether a particular app requires access to information on the device; and (4) if access to information on the device is required, what specific information is accessed and for what purpose.
Even in the absence of a firm-wide BYOD policy, lawyers should take the following common-sense steps when downloading apps on a mobile device: (1) pay attention to the pop-ups that appear when you download an app; (2) think carefully before clicking “Allow” in response to any app request; (3) periodically review the access requirements of the apps you have downloaded; and (4) learn how to access and manipulate the privacy settings on your mobile devices.
These lists are not exhaustive. To emphasize what has been previously stated, given the complexity of the subject matter, and the rapidity with which technology changes, lawyers and law firms are encouraged to consult periodically with professionals competent in BYOD information security.
Suzanne Lever is assistant ethics counsel for the North Carolina State Bar.