Make note of the American Bar Association's Formal Opinion 477, published this past May. The summary states that:
A lawyer generally may transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct where the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access. However, a lawyer may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security.
The opinion does not recommend specific technical cyber security measures that should be taken, but requires attorneys to take reasonable steps specific to different factual circumstances. A lawyers should follow these guidelines:
1. Understand if a particular case presents a high threat for cyber intrusion. "[H]ighly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft."
2. Understand how data is transferred and stored. "Each access point, and each device, should be evaluated for security compliance."
3. Take Reasonable Security Measures. Such as, "using secure internet access methods to communicate, access and store client information (such as through secure Wi-Fi, the use of a Virtual Private Network, or another secure internet portal), using unique complex passwords, changed periodically, implementing firewalls and anti-Malware/AntiSpyware/Antivirus software on all devices upon which client confidential information is transmitted or stored, and applying all necessary security patches and updates to operational and communications software." An attorney is specifically charged with understanding that deleted files can be recovered.
4. Protect Electronic Communications - "If client information is of sufficient sensitivity, a lawyer should encrypt the transmission and determine how to do so to sufficiently protect it, and consider the use of password protection for any attachments."
5. Label electronic media as confidential.
6. Lawyers and their nonlawyer assistants should receive formal cyber security training.
7. Do due diligence on vendors hired to assist with electronic communications including checking their security policies and protocols.