The ethics rules make it clear that lawyers have a continuing duty to understand the dangers associated with technology and that we need to take reasonable steps to avoid disclosing our client’s information. Comment  to Rule 1.1 reminds us that, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”; Rule 1.6(c) states that lawyers are required to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to” our client information, and; Rule 1.3 requires that we act with reasonable diligence in representing a client. Together those rules make it clear that lawyers need to constantly stay on top of changes in technology and take reasonable steps to protect client data. And that principle has ushered in a new responsibility —the duty to update our software.
The company that sells Norton anti-virus software explained recently that software updates are critical because they patch security flaws:
“Hackers love security flaws, also known as software vulnerabilities. A software vulnerability is a security hole or weakness found in a software program or operating system. Hackers can take advantage of the weakness by writing code to target the vulnerability. The code is packaged into malware — short for malicious software.
An exploit sometimes can infect your computer with no action on your part other than viewing a rogue website, opening a compromised message, or playing infected media.
What happens next? The malware can steal data saved on your device or allow the attacker to gain control over your computer and encrypt your files. Software updates often include software patches. They cover the security holes to keep hackers out.”
It should be pretty clear how this ties into a lawyer’s ethical duty. If we have a continuing duty to understand the dangers in technology and we need to take reasonable steps to avoid disclosing client information, then we must take steps that ensure that the computer systems and software programs we use remain secure. Our duties of competence, confidentiality, and diligence require us to promptly install updates that are designed to repair vulnerabilities in the software we use in the practice.
It’s this type of proactive effort that is so important to avoiding grievances in today’s dangerous technological age. Listen, chances are good that you’re going to get hacked. Chances are good that we are all going to get hacked. The bad guys and gals are simply trying too hard — the odds are against us. Many lawyers therefore wonder, If I’m going to get hacked, doesn’t that mean that I will get into ethical trouble? Not necessarily. You can save your ethical hide if you are proactive in taking steps to avoid the hack.
The disciplinary authorities aren’t likely to make a decision about someone’s ethical liability based solely on the consequences. They are likely to make a decision based on your actions. Remember that when it comes to attorney ethics, it’s all about your behavior. It’s all about whether you behaved reasonably. It’s all about whether you took reasonable steps to avoid the calamity. You will likely be judged not on whether you were hacked, rather whether you took reasonable steps to avoid that hack. If you took every reasonable step possible to protect your client data and avoid the disclosure, then it’s likely that you won’t be disciplined even if something terrible happens.
If you know the bad guys are trying to exploit vulnerabilities in our systems, and you know that software updates are specifically designed to fix those vulnerabilities, then it’s not reasonable to ignore those updates. It’s not reasonable to wait months before you install them. The reasonable effort is to diligently install those updates when they are released. Your duty to protect your client data means that you need to maintain the integrity of your computer systems, and that includes installing security updates promptly.
On the other hand, you might need to do the exact opposite when it comes to massive program upgrades
The duty to update that I discussed above applies to periodic updates that software manufacturers release to existing systems. But every once in a while those same programmers completely overhaul a system and release a major update that ushers in a new generation of their software. In those instances it’s probably reasonable for a lawyer to wait and delay installing that update. Though that seems to contradict everything I discussed above, the rationale is actually quite consistent.
New generations of software very often contain vulnerabilities that were not anticipated by the original programmers. Often hackers exploit those bugs right after the new software is released, thus exposing the problems. The manufacturers then rush to develop and issue updates that close the holes in their code. In those situations, then, prudent approach is probably for lawyers to delay installing updates that constitute massive overhauls or new generations of a software system. Wait until the bugs appear to be worked out, then update to the new generation of software.
Norton article can be found at: https://us.norton.com/internetsecurity-how-to-the-importance-of-general-software-updates-and-patches.html, last checked by the author on March 26, 2019.