Committee on Professional Ethics

 

Formal Opinion 754-2020

 

TOPIC: Ethical Obligations when Lawyers Work Remotely

 

DIGEST: Law firms in New York State began working remotely in mid-March 2020 due to the COVID-19 pandemic and likely will continue to have a significant number of lawyers working remotely even after the pandemic ends. This opinion addresses a law firm’s ethical obligations when most of its lawyer and nonlawyer staff work remotely. Maintaining a majority remote law firm has significant implications for the way in which lawyers discharge their duties in the areas of confidentiality (New York’s Rules of Professional Conduct (the “Rules”), Rule 1.6), competence (Rule 1.1), and supervision (Rules 5.1 and 5.3). This opinion does not reiterate guidance provided in prior New York State ethics opinions regarding technological competence and confidentiality, but rather highlights distinct characteristics of practicing remotely that require additional consideration.

 

RULES OF PROFESSIONAL CONDUCT: 1.1, 1.6, 5.1, 5.3

 

OPINION

 

1. If all or most of a law firm’s legal and nonlegal staff works remotely, the firm and its lawyers must determine whether additional measures are necessary to discharge the firm’s duties of competence, confidentiality and supervision. This opinion will address how these three duties may be affected by a remote workforce.

 

2. Initially, we need to address whether the Rules prohibit a law firm from operating 100% remotely. The New York City Bar Association addressed this issue in its N.Y. City 2019-2. The Opinion observes that Rule 7.1(h) requires that firms have a “principal law office address” in New York, and Judiciary Law Section 470 requires New York-admitted lawyers who reside outside the state to maintain a New York office. In 2015, the New York Court of Appeals held that Section 470 requires nonresident New York-admitted lawyers to maintain a physical law office in New York (Schoenefeld v. New York, 25 N.Y.3d 22 (2015)), and this ruling was upheld by the United States Court of Appeals (see Schoenefeld v. New York, 821 F.3d 373 (2d Cir. 2016)). Opinion 2019-2 concluded that a New York lawyer may use the street address of a virtual law office located in New York as the lawyer’s “principal law office address,” and thereby satisfy Rule 7.1(h), provided that the law office qualifies as an office for the transaction of law business under New York’s Judiciary Law. Opinion 2019-2 does not suggest that there is any ethical impropriety if a law firm that currently maintains a physical office space in New York works 100% remotely; such firms have a New York address that can be identified as its principal law office address in compliance with Rule 7.1(h).

 

Duty of Confidentiality

 

3. Rule 1.6(a) prohibits a lawyer from “knowingly reveal[ing] confidential information, . . . [or] us[ing] such information to the disadvantage of a client or for the advantage of the lawyer or a third person” unless certain exceptions not relevant here apply. Under this rule, lawyers have a duty to ensure that each client’s confidential information remains protected from disclosure while the lawyer is working remotely.

 

4. Numerous opinions have addressed a lawyer’s duties under Rule 1.6, including the duty to mitigate the risk of a data breach or other incursion on client confidential information. If a firm is operating remotely, the law firm will need to attend to the following to fulfill its duty of confidentiality:

 

• Ensure that information is transmitted securely to each lawyer’s remote computer.

 

• Establish procedures to secure and back-up confidential information stored on electronic devices and in the cloud, and test that these protocols are functioning well with a remote workforce.

 

• Check that lawyers have designed their remote workspaces to mitigate the risk of an inadvertent disclosure of confidential information (e.g., workspaces that are physically separate from personal or other non-work papers and that otherwise minimize the likelihood of the inadvertent disclosure of client confidential information).

 

• Ensure that the security of remote forms of communication (e.g., video conferencing platforms) has been vetted and maintained to ensure that any risk of interference or breach is minimized.

 

See New York State Bar Technology and the Legal Profession Committee Cybersecurity Alert: Tips for Working Securely While Working Remotely (2020); see generally James B. Kobak, Jr., Current Ethics Issues for Intellectual Property Lawyers Coping with Clients, Courts and Practicing in Cyberspace During COVID and Beyond, at 1-12.

 

5. Cybersecurity practices that may assist lawyers to meet their ethical duties of confidentiality include:

 

• Avoiding use of unsecure WiFi systems when accessing or transmitting confidential client information.

 

• Using virtual private networks that encrypt information and shield online activity from third parties.

 

• Using two-factor or multi-factor authentication to access firm information and firm networks.

 

• Ensuring that computer systems are kept up to date, with appropriate firewalls and anti-malware software.

 

• Backing-up data stored remotely.

 

• Requiring strong passwords to protect data access and devices.

 

• Creating, or imploring the law firm to create, a written work-from-home protocol that specifies procedures to safeguard confidential information and other data.

 

• Training employees on security protocols, data privacy and confidentiality policies and stress compliance.

 

Duty of Competence

 

6. A. lawyer has a duty to provide competent representation, which requires that the lawyer have the requisite “knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” This Committee and others have determined the lawyer’s duty of competence includes an obligation to understand the risks and benefits of technology used in practice. NYCLA Formal Op. 749.

 

7. Lawyers should think carefully about what the duty of competence means in the context of maintaining a remote workforce. For example, if the lawyer must prepare a client for an interview or deposition remotely, relying on telephone calls and videoconferences to communicate with the client rather than in-person meetings, a lawyer must ask herself whether the lawyer can represent the client competently given the conditions under which the interview or deposition must go forward. Factors to consider include (i) have the lawyer and client had an opportunity to meet in person, or developed a meaningful rapport remotely, (ii) has the lawyer done an appropriate risk assessment with respect to potential civil or criminal liability that could result from giving testimony under less than ideal conditions vs. any risks associated with refusing to go forward, (iii) has the client been properly prepared for testifying remotely, (iv) has the lawyer reached agreement with the questioner on procedures to ensure the lawyer has an adequate opportunity to interpose objections and to communicate privately with the client on breaks, and (v) has the lawyer adequately considered legal grounds for objecting to consent to remote testimony, as well as the legal and employment risks attendant to refusing to agree with remote testing conditions.

 

8. A lawyer should give due consideration to whether she can adequately prepare the client while working remotely. For example, preparing a client for testimony by telephone or via video conferencing software may be effective when the lawyer and client have sufficient facility with appropriate technology, access to the relevant documents, and adequate time and attention to ensure the client’s comfort with communicating via the medium that will be used in the testimony. However, if the client is not comfortable with the technology, or has difficulty presenting himself or herself through the medium that will be used (possibly exacerbated by distractions caused by challenges with mastering the technology or inherent in working from home), the lawyer must seriously consider whether it remains in the best interests of the client to go forward with the testimony rather than pressing for a postponement until the testimony can either happen live or when the client has had sufficient opportunity to become comfortable with the medium. In short, the lawyer must recognize that representing the client remotely may present important challenges to competent representation, and should adjust the manner in which the lawyer carries out the representation accordingly.

 

Duty of Supervision

 

9. Rules 5.1 and 5.3 concern the responsibility of law firms, partners, managers and supervising lawyers to provide oversight and supervision to other lawyers and nonlawyers. For example, Rule 5.1(a) requires that law firms “make reasonable efforts to ensure that all lawyers in the firm conform to these Rules.” Rule 5.3(a) requires law firms to “ensure that the work of nonlawyers who work for the firm is adequately supervised, as appropriate.” Rules 5.1 and 5.3 require that law firms and any lawyer who individually or together with other lawyers possesses managerial authority in the firm make reasonable efforts to ensure that the firm has implemented procedures that will make certain that staff, consultants or others working with the firm who have access to confidential client information comply with the Rules when accessing client data from remote locations. To discharge this duty when an entire firm is working remotely requires the firm and its supervising lawyers to consider whether its pre-pandemic policies and procedures need to be enhanced to address unique supervision issues that may arise in a remote working environment. Some additional challenges to be addressed when the firm is working remotely include the following:

 

• Monitoring appropriate use of firm networks for work purposes.

 

• Tightening off-site work procedures to ensure that the increase in worksites does not similarly increase the entry points for a data breach.

 

• Monitoring adherence to firm cybersecurity procedures (e.g., not processing or transmitting work across insecure networks, and appropriate storage of client data and work product).

 

• Ensuring that working at home has not significantly increased the likelihood of an inadvertent disclosure through misdirection of a transmission, possibly because the lawyer or nonlawyer was distracted by a child, spouse, parent or someone working on repair or maintenance of the home.

 

• Ensuring that sufficiently frequent “live” remote sessions occur between supervising attorneys and supervised attorneys to achieve effective supervision as described in NY RPC 5.1(c).

 

CONCLUSION

 

10. It is ethical to operate a law office remotely provided that appropriate attention is given to compliance with a lawyer’s duties of confidentiality, competence and supervision, and appropriate safeguards are implemented to ensure compliance with the Rules.