Ethics: The ethical implications of technology in your law practice: Understanding the Rules of Professional Conduct can prevent potential problems

Melinda J. Bentley

Melinda J. Bentley is Legal Ethics Counsel for the Advisory Committee of the Supreme Court of Missouri.

How do you become competent in making those selections and using those technologies? What if there is a loss of a device or data? How do you train your staff? While the Rules of Professional Conduct (Rules) cannot tell you what to buy, fortunately, they do give you clear standards, and further guidance is provided through the Comments to the Rules to assist you with implementing and using technology devices and systems in your practice.² Further, by having a keen understanding of the Rules and Comments, you, as a lawyer, can be proactive in both preventing potential problems and being able to respond efficiently and ethically if a difficulty, large or small, occurs.

Key Ethics Rules: Building A Framework of Understanding

Three key ethics obligations are at the forefront of establishing a lawyer’s understanding in order to prevent potential technology problems: competence, confidentiality, and responsibilities regarding nonlawyer assistants.

Rule 4-1.1 – Competence

The first key ethics obligation underlying a lawyer’s use of technology is found in Rule 4-1.1, which states that “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Further, Comment [6] provides that “[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.” (emphasis added.)

Rule 4-1.6 – Confidentiality of Information

The second key ethics obligation underlying a lawyer’s use of technology is found in Rule 4-1.6(a), which generally prohibits a lawyer from revealing information relating to the representation of a client unless an exception is met. In 2017, the Supreme Court of Missouri adopted an additional requirement for lawyers in Rule 4-1.6(c) that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client.” Such disclosure or access to confidential client information not only applies to physical information, such as paper documents in a client file, but also to electronically stored information. Think of the large amount of confidential client information lawyers have electronically. That electronic confidential client information makes lawyers’ duty of technology competence under Rule 4-1.1 that much more critical.

Reasonable Efforts on Unauthorized Access and Inadvertent or Unauthorized Disclosure. What constitutes reasonable efforts by a lawyer to safeguard confidential client information to prevent inadvertent or unauthorized disclosure, or unauthorized access? Comment [15] provides guidance to Rule 4-1.6(c) that lawyers are required to act competently regarding safeguarding this information. First, Comment [15] specifically creates three categories of safeguarding information from: (1) unauthorized access by third parties; (2) inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client; (3) and/or inadvertent or unauthorized disclosure by those who are subject to the lawyer’s supervision. When describing these categories, Comment [15] references Rules 4-1.1 (Competence), 4-5.1 (Responsibilities of Partners, Managers, and Supervisory Lawyers), and 4-5.3 (Responsibilities Regarding Nonlawyer Assistants).

Second, Comment [15] provides factors to consider in determining the reasonableness of the lawyer’s efforts, including but not limited to:

the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).

Comment [15] notes that there is no violation of Rule 4-1.6(c) “if the lawyer has made reasonable efforts to prevent the access or disclosure.”³

Additionally, Comment [15] provides guidance that the client may require the lawyer to implement special security measures that are not required by Rule 4-1.6, but it also notes that a client may give informed consent to forgo otherwise required security measures under Rule 4-1.6. “Informed consent,” as defined in Rule 4-1.0(e), requires communication of “adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct.” Per Rule 4-1.0(e), guided by Comment [6], informed consent in this context means discussing the material advantages and disadvantages of forgoing security measures, discussing available options and alternatives, and possibly advising the client to seek other counsel on this decision. Factors as to reasonableness will depend on the experience of the client or if the client is independently represented by counsel.⁴

Further, Comment [15] references that it is beyond the scope of the Rules to determine if state or federal data privacy laws require additional safeguards over client confidential information, or notification in the event of a loss of electronic information or unauthorized access to such information.

Finally, Comment [15] advises lawyers to consult Rule 4-5.3 (Responsibilities Regarding Nonlawyer Assistants) and its Comments [3] and [4] regarding supervision of nonlawyer assistants outside the firm.

Reasonable Precautions in Transmission. Comment [16] to Rule 4-1.6 notes that a “lawyer must take reasonable precautions to prevent … information [relating to the representation of a client] from coming into the hands of unintended recipients.” In offering guidance on this responsibility, Comment [16] provides two factors to consider when determining if the lawyer can have a reasonable expectation of confidentiality: first, the “sensitivity of the information,” and second, “the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.”

Comment [16] provides that no special security measures are required “if the method of communication affords a reasonable expectation of privacy.”⁵ Just as with the considerations previously discussed in Comment [15], Comment [16] provides guidance that the client may require the lawyer to implement special security measures that are not required by Rule 4-1.6, but it also notes that a client may give informed consent to forgo otherwise required security measures under Rule 4-1.6. Further, a lawyer may be required to take additional steps to comply with other law, but that is an issue beyond the scope of the Rules.

Rule 4-5.3 – Responsibilities Regarding Nonlawyer Assistants

The third key ethics obligation underling a lawyer’s use of technology is found in Rule 4-5.3, which applies to a lawyer’s responsibilities for the conduct of nonlawyers who are “retained by or associated with a lawyer.” Rule 4-5.3(a) sets the requirements for firm-wide measures to ensure that partners or lawyers with comparable managerial authority make reasonable efforts to make sure the firm has measures in place to give reasonable assurance that the nonlawyer assistant’s conduct is compatible with the professional obligations of the lawyer. Similarly, Rule 4-5.3(b) requires a lawyer with direct supervisory responsibility to make reasonable efforts to make sure the nonlawyer assistant’s conduct is compatible with the professional obligations of the lawyer. Per Rule 4-5.3(c), lawyers are responsible for the conduct of nonlawyer assistants who they employ, retain, or associate with if the conduct of the nonlawyer assistant would be a violation of the Rules of Professional Conduct if engaged in by the lawyer and if one of two scenarios is present:

(1) the lawyer orders or, with the knowledge of the specific conduct, ratifies the conduct involved; or

(2) the lawyer is a partner, or has comparable managerial authority in the law firm in which the person is employed, or has direct supervisory authority over the person and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.

Comment [2] to Rule 4-5.3 provides guidance on supervising the conduct of nonlawyer assistants employed by a lawyer, including but not limited to administrative assistants, investigators, law student interns, and paralegals. It describes making sure such assistants receive “appropriate instruction and supervision concerning the ethical aspects of their employment,” particularly on preserving confidentiality.⁶ Ways to ensure appropriate instruction include written policies and protocols, as well as regular instruction on the Rules of Professional Conduct and relevant substantive areas of law in which the nonlawyer is providing assistance. Further, specific protocols should be implemented within the law firm to ensure appropriate supervision of the work product of the nonlawyer.

Comment [3] to Rule 4-5.3 provides guidance on using nonlawyer assistants outside the firm who assist the lawyer in rendering legal services to a client, including but not limited to retaining investigative or paraprofessional services, hiring a document management company, sending client documents to a third party for printing or scanning, and using a service based on the internet to store client information. Lawyers using these services still must make reasonable efforts to ensure that the services are provided in a manner compatible with the lawyer’s professional obligations, and the extent of those efforts will depend on the circumstances.⁷

Applying the Rules to Potential Technology Issues

The Growing Need for Technology Competence

As provided for in Rule 4-1.1 and its Comment [6], lawyers do have an ethical obligation to be competent in technology, including its risks and its benefits, in a lawyer’s practice. For example, a lawyer in Oklahoma was publicly censured in 2016 based on a reciprocal discipline from the United States Bankruptcy Court for the Western District of Oklahoma where the lawyer was suspended for failure to file documents in a manner that was compatible with applicable rules.⁸ The lawyer failed to report his discipline in the Bankruptcy Court to the Oklahoma Bar Association and also failed to timely notify his clients of his suspension.⁹ During the hearing before the trial panel of the Oklahoma Bar Association’s Professional Responsibility Tribunal, the lawyer “acknowledged his problems with the bankruptcy court were caused by his lack of expertise in computer skills and his frustration trying to meet the federal court’s expectations with electronic pleading requirements.” The trial panel reported that the lawyer’s problems were not with his knowledge of substantive bankruptcy law, but instead “technological proficiency.”¹⁰ The Supreme Court of Oklahoma, in issuing its public censure of the lawyer, encouraged him to “continue to improve his computer skills, or better, to hire an adept administrative assistant to do his pleadings.”¹¹

While hiring adept support staff is helpful in some circumstances when properly supervised per Rule 4-5.3, it is not a substitute for a lawyer’s own technology competency as required by Rule 4-1.1. What are some ways to gain technology competency skills? The answers will be different for each lawyer depending on the lawyer’s practice setting and level of technological savvy. One of the best ways to gain the requisite skill and knowledge about the risks and benefits of relevant technology for a law practice is by taking continuing legal education programs related to technology.¹² While Missouri does not require that lawyers receive specific minimum continuing legal education (MCLE) credits related to technology competence, it does offer MCLE accreditation of a number of technology programs that help lawyers gain and maintain professional competence as it relates to the practice of law, professional responsibility, or law office management.¹³

There are several resources readily available to help lawyers build their technology competence, including articles, publications, blogs, podcasts, and more. When it comes to these resources, lawyers should be sure to check that they are receiving information from reputable sources that are appropriate for their practice settings.¹⁴ Malpractice insurance providers may also have resources or standards for insureds.

Additionally, lawyers should read the terms and conditions of service carefully for each new hardware or software item they consider incorporating into their practices to ensure the item has appropriate safeguards for maintaining client confidential information.¹⁵ Further, lawyers should consider consulting an information technology (IT) professional for assistance.¹⁶

Email and Other Electronic Communications

If lawyers are using email to communicate with clients, they must take reasonable precautions to prevent the unintended interception of confidential client information and should only use email upon proper consideration of Rule 4-1.6 and Comments [15]-[16].¹⁷ While email may be appropriate in some circumstances, other circumstances where the lawyer is transmitting highly sensitive information may require special security measures to comply with Rule 4-1.6.¹⁸ Special security measures may include using email encryption software, placing password protection on attachments, or using “a well vetted and secure third-party cloud based file storage system to exchange documents.”¹⁹ Remember that Rule 4-1.6(c) requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client.” In looking to the factors discussed in Comment [15] to Rule 4-1.6 as to reasonable efforts to prevent access or disclosure, consider having a conversation with the client at the outset of the representation to determine if email is an appropriate means of communication. Some points to consider are:

• How do the lawyer and the client want to use email to communicate?
• What information will the lawyer and client be exchanging by email?
• What are the terms and conditions of the platforms that host both the lawyer’s email and the client’s email? Are the platforms ensuring privacy or are they mining emails for personal information?
• How is the client going to be accessing the email?²⁰ On a personal or work phone or computer? Who else has access to that device or the email account?

Consider these points, as well as the sensitivity of the information being transmitted, to determine if additional security measures are necessary or if email should even be used.²¹ By asking some of these questions, it should help the lawyer determine if he or she is acting reasonably in using email as a form of communication.

Other forms of electronic communication may include online client portals that have communication features or by texting. Similar questions about confidentiality and appropriateness of the medium should be asked for each of these other potential forms of electronic communication.

Also, lawyers should be mindful that if they are using one of these forms of electronic communication with clients, the correspondence needs to be retained for the client files in accordance with Rule 4-1.22 (Retaining Client Files) and Advisory Committee of the Supreme Court of Missouri Formal Opinions 115 (no withholding of property belonging to the client to enforce payment of fees or expenses) and 127 (scanning client files).²²

Data Backups, Case and Document Management Systems, and Electronic File Retention

When considering how to backup data, a lawyer should consider the nature of the information to be backed up. Most of it will likely be confidential client information, but it may include items such as trust account records, business records, and much more. Whether a lawyer is considering online (i.e., cloud)and/or on-site backups, those backups pertaining to confidential client information are governed by Rule 4-1.6 and guided by Comments [15] and [16].²³

Guidance is provided to lawyers regarding cloud backups in Missouri Informal Advisory Opinion 2018-09. It describes how lawyers need to maintain competence in using relevant technology per Rule 4-1.1, safeguard confidential client information per Rule 4-1.6(c), and supervise per Rule 4-5.3.²⁴ It also cautions lawyers to read the terms and conditions of service carefully to determine ownership and security of client information and the level of access the attorney and provider will have to that client information. It goes on to describe what constitutes reasonable efforts to safeguard confidential client information while using cloud computing, including but not limited to:

• Security measures protecting confidentiality of client information during transmission and storage;
• Prompt notification of attorney in the event of a security breach or provider’s receipt of a subpoena for client information;
• Ownership of data solely by attorney or attorney’s firm;
• No access rights by the provider to client information, except as required by law;
• Regular data backup by the provider;
• Handling of client information in the event attorney’s relationship with the provider is terminated;
• Compliance with applicable law regarding data storage and transmission;
• Reliable access to data by attorney;
• No access to data by third parties, including advertisers, except as required by law; and
• Domestic storage of data or, alternatively, storage in a jurisdiction subject to United States data protection laws or equivalent.²⁵

It also provides guidance that lawyers should review the provider policies and practices periodically, as these can change.²⁶

For on-site backups, lawyers should consider such things as the physical security of the equipment storing the confidential information, level of encryption, and redundancy (the same data being stored in multiple ways in case one system fails). Lawyers should consult with an IT professional to assist in properly setting up and maintaining this system.

Many case or document management systems are now provided by vendors as cloud-based services, though some are still provided for on-site network usage. When selecting a case or document management system, lawyers should consider similar factors as just discussed for cloud or on-site back-ups.

When backing up client information, lawyers should be mindful that they are required to securely store client files for six or 10 years after the completion or termination of the representation absent having an agreement with the client based on informed consent confirmed in writing.²⁷ The six-year client file retention applies to client files where the representation was completed or terminated on or after July 1, 2016, and the 10-year requirement applies where the representation was completed or terminated prior to July 1, 2016.²⁸ “Client files, except for items of intrinsic value, may be maintained by electronic, photographic, or other media provided that printed copies can be produced. These records shall be readily accessible to the lawyer.”²⁹ Advisory Committee of the Supreme Court of Missouri Formal Opinion 127 permits the destruction of paper files (except for items of intrinsic value) prior to the expiration of the required retention period if the files are maintained electronically for the required period in accordance with the Rules of Professional Conduct.³⁰

Keeping Client Confidential Information Secure on Phones, Laptops, Tablets, Etc.

Just as lawyers have an obligation to secure physical files of clients from unauthorized access, the same is true of electronic files lawyers maintain on portable electronic devices such as phones, laptops, tablets, and other similar devices.³¹ Whether the devices are those of the firm, or lawyers and employees are permitted to bring their own devices and use them for firm business, reasonable measures may include some of the following suggestions:

• Take reasonable steps to ensure confidentiality by, at a minimum, having strong passwords to access these devices.³²
• Passwords should be changed periodically.³³
• Consider additional safeguards such as encrypting the data on these devices, using multi-factor authentication to access firm systems.³⁴
• Avoid public Wi-Fi and only choose secure Wi-Fi, as well as consider using a virtual private network (VPN).³⁵
• For lost or stolen devices, have a way to remotely disable the devices and destroy the data contained on those devices.³⁶
• Implement firewalls, keep updated anti-malware, anti-spyware, and anti-virus protections on all devices where confidential client information is stored or transmitted.³⁷
• Apply all security patches and updates for software and devices.³⁸

These suggestions are some starting points for what constitutes reasonable measures to secure client confidential information and are not intended to be an exclusive list. As previously suggested, lawyers should be sure to consider the type of client confidential information and applicable state and federal laws. The prudent lawyer will consider consulting with an IT professional, the lawyer’s malpractice insurance carrier, and other appropriate resources for additional guidance.

Metadata

Another source of client confidential information lawyers should be mindful of securing is metadata, meaning electronically embedded data.³⁹ Informal Advisory Opinion 2014-02 asks in the litigation context if a lawyer “has an ethical obligation to make good faith efforts to prevent the inadvertent electronic transmission of embedded metadata to opposing party or counsel?” Citing Rule 4-1.6, guidance is provided that the lawyer must use reasonable care to ensure that no confidential client information related to the representation is revealed without the client’s consent, including confidential information that is contained in embedded metadata.⁴⁰ It provides that this may require scrubbing documents of metadata before transmitting them.⁴¹ However, the Informal Advisory Opinion goes on to note:

Efforts to protect confidential information must be exercised in light of Attorney’s obligation pursuant to Rule 4-3.4(a) not to unlawfully obstruct another party’s access to evidence or unlawfully alter, destroy, or conceal evidence. Removing metadata with evidentiary value before transmitting certain documents may constitute a violation of laws governing discovery and therefore violate Rule 4-3.4(a). This informal opinion does not render an opinion about the existence of discoverable evidence in particular metadata or about the effect on substantive legal privileges of the pre-transmission removal or lack of removal of metadata.⁴²

Responding to a Loss of Client Confidential Information Due to a Lost Device or File, Data Breach, or Cyberattack

Lawyers are custodians of highly sensitive information and can be prime targets for hackers.⁴³ Missouri Informal Advisory Opinion 2017-02 discusses a lawyer’s ethical duties when a nonlawyer assistant has disclosed client confidential information to third parties, but the ethics analysis as it relates to disclosing this breach to the client will be similar in the event of a lost device or file, data breach, or cyberattack. It advises that lawyers have an obligation under Rule 4-1.4 (Communication) to disclose the confidentiality breach to the affected client and explain the matter to the extent necessary for the client to make an informed decision about the representation. That disclosure also needs to occur in the event of a lost device or file where client confidential information is disclosed, whether lost by the lawyer or a nonlawyer assistant employed or retained either inside or outside the law firm, as the lawyer is responsible for that conduct under Rule 4-5.3. A similar communication is also necessary in the event of a data breach or cyberattack where confidential client information is disclosed.⁴⁴

Rule 4-1.6(c), requiring reasonable efforts to prevent inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation, also notes in Comments [15] and [16] that state and federal data privacy laws may govern or impose notification requirements upon a loss of electronic information or unauthorized access, so lawyers should be mindful of these laws both in how they choose to safeguard confidential client information and handle a loss of such information.

Working with IT Professionals and Vendors Outside the Law Firm

While lawyers may be aware of the obligations to train and supervise nonlawyer assistants within the firm, Rule 4-5.3, Comment [3] reminds lawyers that these same obligations apply regarding nonlawyer assistants employed or retained outside the firm. These include outside IT professionals lawyers may hire to help support their firms and vendors who provide services based on the internet to store client information such as data backup provides, case or document management programs, or other similarly based services used within the firm. Lawyers have the obligation to make reasonable efforts to ensure that the services are provided in a manner compatible with their professional obligations under the Rules.

Reasonable efforts will vary depending on the circumstances, “including the education, experience and reputation of the nonlawyer; the nature of the services involved; the terms of any arrangements concerning the protection of client information; and the legal and ethical environments of the jurisdictions in which the services will be performed, particularly with regard to confidentiality.”⁴⁵ Directions should be communicated to the nonlawyer in a manner appropriate under the circumstances so as to give reasonable assurance that the conduct of the nonlawyer is compatible with the professional obligations of the lawyer.⁴⁶ Missouri Informal Advisory Opinions 20070008 and 20050068 both suggest confidentiality agreements should be used when working with nonlawyer vendors and service providers outside the firm. Such agreements are also advisable when working with outside IT professionals, as well as direct training, as appropriate, on confidentiality and other applicable professional obligations of lawyers to ensure the IT professionals’ conduct is compatible with the conduct of lawyers.

Be Aware of Scams

Lawyers are frequently the targets of potential scams, as lawyers may hold trust account funds for clients as well as sensitive confidential client information. These potential scams often start as emails from those purporting to be legitimate sources, such as potential clients, known clients, financial institutions, businesses, government entities, etc., but are actually phishing attempts to gain access to funds and/or personal information of lawyers or clients. Additionally, emails containing links or attachments from known or unknown senders may contain viruses, malware, spyware, ransomware, or other mechanisms to corrupt computer systems and/or gain access to sensitive information. Lawyers must be savvy to these potential scams and train themselves and their nonlawyer assistants to prevent these breaches.

Trust account scams are some of the most common attacks against lawyers. Lawyers who believe they may have clients who have provided fraudulent checks in an effort to obtain good funds from lawyers’ trust accounts wonder how to ethically proceed. Guidance has been provided in Informal Advisory Opinion 2018-06, which addresses such a potential scam scenario in which a lawyer’s purported prospective client sent the lawyer a bogus check for deposit into the trust account. That Informal Advisory Opinion discusses whether the lawyer may report this purported prospective client to law enforcement. Whether a lawyer-client relationship exists is a question of law and fact that is outside the scope of the Rules of Professional Conduct, but if the lawyer had a prospective client relationship under Rule 4-1.18, the lawyer would not be able to use or disclose information gained in the consultation except as would be permitted under Rule 4-1.9 as though this person were a former client.⁴⁷ If no lawyer-client relationship existed, and this person was not a prospective client, the lawyer would not have a duty of confidentiality and would be free to make a report to law enforcement authorities.⁴⁸

Conclusion

As a lawyer, you should work to gain and maintain competence in technology, engage in reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of clients, and exercise appropriate professional responsibilities over the conduct of nonlawyer assistants both inside and outside the law firm. Focusing on these key ethics rules will assist you in selecting technology devices and systems in your firm, and help prevent breaches of client confidential information. If you have questions about the Rules of Professional Conduct regarding incorporating technology into your law practice, you are encouraged to contact the Legal Ethics Counsel office (www.MO-Legal-Ethics.org) to seek an informal advisory opinion about your prospective conduct.

Endnotes

1 Melinda J. Bentley is Legal Ethics Counsel for the Advisory Committee of the Supreme Court of Missouri.

2 See Rule 4, Scope [14].

3 Rule 4-1.0(h) defines “reasonable” or “reasonably” to be “conduct of a reasonably prudent and competent lawyer.”

4 See Rule 4-1.0, Comment [6].

5 See infra discussion of email.

6 See also Mo. Informal Advisory Opinions 2018-04 and 2017-02 (interpreting Rule 4-5.3 as it applies to nonlawyer assistants within a law firm). Informal Advisory Opinions are published on The Missouri Bar’s website at: https://mobar.org/site/Lawyer_Resources/Legal_Ethics_Opinions/site/content/Lawyer-Resources/Legal_Ethics_Opinions.aspx

7 See Mo. Informal Advisory Opinion 2018-09 (interpreting Rule 4-5.3 as it applies to use of a cloud computing vendor outside the firm).

8 State of Oklahoma ex rel., Oklahoma Bar Ass’n v. Oliver, 2016 OK 37, 369 P.3d 1074 (2016).

9 Id. at ¶15, 369 P.3d at 1077.

10 Id. at ¶5, 369 P.3d at 1075.

11 Id. ¶15, 369 P.3d at 1077.

12 See Mo. Informal Advisory Opinion 2018-09 (providing guidance on technology competence through continuing legal education courses).

13 See Rule 15.04(b): “A program or activity may be an accredited program or activity if it directly contributes to the professional competency of lawyers or judges and has significant intellectual or practical content related to the development or practice of law, professional responsibility, or law office management.” See also Rules Related to The Fla. Bar, Ch. 6, R. 6-10.03(b) (requiring Florida lawyers to take at least three of 33 MCLE credit hours every three years in approved technology programs), and 27 N.C.A.C. Ch. 1D – § .1518(a)(2) (requiring North Carolina lawyers to take at least one hour annually of MCLE devoted to technology training.)

14 See Mo. Informal Advisory Opinion 2018-09.

15 See Id. and Rule 4-1.6, discussion supra; see also Legal Ethics Counsel Resource Page — Electronic Comunication Resources, http://molegalethics.org/electronic-communication-resources/.

16 See Id. and Rules 4-1.6 and 4-5.3, discussion supra.

17 See Mo. Informal Advisory Opinion 2012-01 (providing guidance on use of email).

18 Id.

19 ABA Comm’n on Ethics & Prof’l Responsibility, Formal Opinion 477R (revised May 22, 2017).

20 See Mo. Informal Advisory Opinion 990007 (providing guidance on use of email, including consideration of settings of sender and receiver).

21 See Rule 4-1.6, Comment [15].

22 Mo. Sup. Ct. Advisory Committee Formal Opinions are published on the website of the Supreme Court of Missouri at: http://www.courts.mo.gov/page.jsp?id=11696.

23 See supra discussion of Rule 4-1.6.

24 See supra discussions of Rules 4-1.1, 4-1.6, and 4-5.3.

25 Mo. Informal Advisory Opinion 2018-09.

26 Id.

27 See Rule 4-1.22.

28 Id.

29 Id.

30 See also Legal Ethics Counsel Resource Page, File Retention Resources, http://molegalethics.org/file-retention-resources/.

31 See Mo. Informal Advisory Opinion 980030 (providing guidance on preventing physical client file access in an office-sharing arrangement) and Rule 4-1.6(c).

32 ABA Comm’n on Ethics & Prof’l Responsibility, Formal Opinion 477R (2017) (revised May 22, 2017).

33 Id.

34 Id.

35 Id. See also Jill D. Rhodes & Robert S. Litt, The ABA Cybersecurity Handbook 35 (2d ed. 2018) (“Wireless communication creates opportunities for hackers to intercept sensitive data such as passwords for logging in to corporate networks and online banking sites. Public Wi-Fi locations such as airports, hotels, and coffee shops — convenient places to check email — often do not have security features necessary to protect confidential client data.”).

36 ABA Formal Opinion 477R, supra note 32.

37 Id.

38 Id. See also Rhodes & Litt, supra note 35, 21-22 (2d ed. 2018), (describing cyber-attacks against law firms due to outdated software that had not been updated).

39 See Rule 4-4.4, Comment [2] (describing metadata as a form of electronically stored information).

40 Mo. Informal Advisory Opinion 2014-02.

41 Id.

42 Id.

43 See ABA Comm’n on Ethics & Prof’l Responsibility, Formal Opinion 483 (2018).

44 Id.

45 Rule 4-5.3, Comment [3].

46 Id.

47 Mo. Informal Advisory Opinion 2018-06.

48 Id.