Cybersecurity and AI - Association of Corporate Counsel

Cybersecurity and AI:
Evolving Legal and Ethical Issues
4th Annual Technology Summit
ACC | Washington State Chapter
June 8, 2017
dwt.com
Cybersecurity
Strengthening the Cybersecurity
of Federal Networks and Critical
Infrastructure
Executive Order 13800
May 11, 2017
NIST issues proposed
updates to Cybersecurity
Framework in Jan. 2017
Workshops to discuss
comments are underway.
Federal Trade Commission
issues Start with Security
guide
FTC data security guidance
based on +50 data security
enforcement actions.
AI / IoT
Artificial Intelligence
The theory and development
of computer systems able to
perform tasks that normally
require human intelligence,
such as visual perception,
speech recognition, decision-making, and translation
between languages.
Internet of Things
The interconnection via the
Internet of computing
devices embedded in
everyday objects, enabling
them to send and receive
data.
Legal Bots
Source: www.donotpay.co.uk
Personal Assistant
Smart Appliances
Source: Microsoft
AI / IoT Legal Considerations
Privacy
+ Traditional privacy issues: notice, choice, access, data security, user
redress
+ Context matters
+ Watch out for collection/use of sensitive data – children, biometric,
medical, financial, etc.
+ Prepare for requests from law enforcement and third parties
Data Security
+ Have you incorporated security by design into your products?
+ Can you leverage existing security frameworks:
- Online Trust Alliance
- OWASP
- NIST SP 800-160
+ Will your product/service be used as a threat vector in a cyber attack?
+ FTC has already been active, see
- TRENDnet (2014)
- ASUSTek (2016)
- Vizio (2016)
- D-Link (2017)
Liability / Public Safety
+ Interacting with other services
+ Liability for criminal acts and torts
+ Defamation
FTC Internet of Things: Privacy & Security in a Connected World
Data Minimization
+ Impose reasonable limits on the collection and retention of consumer data
+ Delete data after it has served its purpose
+ Use data consistent with consumers’ expectations
+ For data maintained in a de-identified form: (1) take reasonable steps to
de-identify, (2) publicly commit not to re-identify, and (3) have enforceable
contracts in place with third parties, requiring them not to re-identify
Reasonable Security
+ Security by design – build in security at the outset
+ Conduct risk assessment
+ Incorporate smart defaults
+ Test security measures before launching
+ Use of SSL/encryption for sensitive data
+ Promote good security – address appropriate level of responsibility, train
employees, service providers must be capable of maintaining reasonable
security, and provide oversight of service providers
+ Defense-in-depth for systems with significant risk (layers of security),
reasonably secure data in transit and in storage
+ Reasonable access controls – limit unauthorized access to device, data, and
consumer’s network
+ Continue to monitor products throughout life cycle, patch known
vulnerabilities
+ Be forthright in representations about security updates and software patches
Notice and Choice
+ Notice is especially important for sensitive data
+ Not every collection requires choice, must be consistent with context
+ Notice: explore different choice options - at point of sale, tutorials, QR
codes, choices during setup, portal, icons, out of band messages, general
privacy menus ….
+ Must be clear, prominent, and not buried within lengthy documents
+ No choice for de-identified data
AI / IoT Legal Considerations
Intellectual Property
+ Who is responsible for the
infringing use of copyrighted
content?
+ Who owns products created by AI,
if anyone?
+ Can AI enter into contracts?
Probably yes.
Policy Considerations
+ Even if we can, should we and at
what cost?
+ Data issues – bias and outcomes
that disproportionately affect
certain populations
+ Are conversations overheard by
your digital assistant protected
from disclosure?
How and when should lawyers
become engaged?
+ From the beginning …
+ In-house attorneys are especially
well qualified to help their
organizations identify, quantify,
shift, mitigate or assume the new
risks presented by advancements in
technology
(more details in supplement)
Transactional Safeguards
Demand Side Safeguards
• At the end of the day your company is responsible for the acts
and omissions of your service providers/vendors
• Security due diligence
  + Comprehensive security review upfront
  + Security bona fides (ISO cert, SOC Type II)
  + Any additional security controls should be incorporated into agreement
  + Security must be a continual process – do you have audit rights, can you
  conduct your own security assessments, how do you address changes
  over time
• Data security is not a template practice
Demand Side Safeguards (continued)
• Law “applicable” to the data, not the vendor
• Service providers must be factored into your incident
response plan
  + When do they have to give you notice of a suspected breach
  + Can you participate in the investigation and have access to the findings
  + Who is responsible for the costs of giving notice – only if required by
  law or discretionary notice
  + Who controls communications with your end users
• Data ownership and data use restrictions
Supply Side Safeguards
• Know your security tolerances up front
  + Have a process in place to evaluate security requests and
  questionnaires
  + Consider whether to have your own proactive set of security standards
  + Consider the value of a third-party attestation of your security practices
• Can you limit the types of data maintained in your systems or
your access to said data
• Do you need insurance to manage your risk and will it cover
third-party expenses
Supply Side Safeguards (continued)
• Be on the watch for
  + Unlimited liability or exclusion from cap on liability
  + Too rigid timeframe for providing notice of suspected breach
  + Breach notice obligation that is not limited to when required by
  applicable law
  + Indemnification that is not tied solely to third-party claims
  + SLAs that don’t exclude events of force majeure, including telco and
  service provider failures
  + Unlimited audit rights – can audits be replaced with third-party
  attestations
Ethical Considerations
Ethical Sources and Considerations
Rules of Professional Conduct
Common Law
WSBA and ABA Ethics Opinions
Duty of confidentiality
Duty to safeguard
Duty to maintain competence
Duty to maintain communication
Duty of Confidentiality – Rule 1.6(a)
“[t]his obligation … is no less
applicable to electronically stored
information than to information
contained in paper documents or not
reduced to any written or stored
form.”
ABA Cybersecurity Handbook
Duty to Safeguard – Rule 1.15A
Duty to safeguard clients’ private
data and property against
unintentional disclosure or harm
Duty to Safeguard
+ Overlaps with the duty of
confidentiality
+ Requires implementation of
administrative, physical and
technical safeguards
+ WSBA Advisory Opinions – 2215
(Cloud computing), 2216
(metadata), 2217 (Email security),
and 201061 (vendor security)
Duty to Maintain Competence – Rule 1.1
“…a lawyer should keep abreast of
changes in the law and its practice,
including the benefits and risks
associated with relevant
technology…”
Comment to Rule 1.1 of ABA Model Rules and
Washington Rules of Professional Conduct
Duty to Maintain Communications – Rule 1.4
Duty to maintain communications with clients “about the means by
which the client's objectives are to be accomplished,” including
the use of technology.
Rule 1.4 requires:
• Keeping the client informed and, depending on the circumstances,
may require obtaining “informed consent.”
• Notice to a client of a compromise of confidential information
relating to the client.
Christopher Avery
DWT, Counsel
212.603.6464
Trisha Kozu
Microsoft, Sr. Attorney
425.703.8229
Evan Shapiro
DWT, Partner
206.757.8142
Supplement
Cybersecurity
Privacy Versus Security
Privacy
The choices a consumer exercises regarding who can collect, store,
access and use their information
Security
Controls limiting access to information. Without security, there can
be no privacy
Overview of US Data Security Requirements
1. Sectoral (GLBA, HIPAA, Comm. Act, etc.)
2. FTCA
3. State UDAP
4. Data Breach Notification Statutes
5. State Disposal Statutes
6. State Safeguards Statutes
7. PCI DSS
Primary US Data Security Requirements
1. Federal Sectoral Data Security Laws
+ Health Insurance Portability and Accountability Act
+ Genetic Information Nondiscrimination Act
+ Fair Credit Reporting Act
+ Fair and Accurate Credit Transactions Act
+ Gramm-Leach-Bliley Act
+ Family Educational Rights and Privacy Act
+ Telecommunications Act, Cable Television Privacy Act and Video Privacy
Protection Act
+ Children’s Online Privacy Protection Act
Primary US Data Security Requirements (continued)
2. The Federal Trade Commission Act, 15 U.S.C. 41, et seq.
+ Prohibits “unfair or deceptive acts or practices”
– “Deception”: incorrect statements a company has made about its security.
– “Unfairness”: accepting consumer information if appropriate security is not
applied.
+ FTC enforces, particularly in negotiated consent orders.
– Arguably creates a type of jurisprudence through a road-map of required
security practices.
3. State Consumer Protection Acts (UDAP)
Mimics the data security jurisprudence of the FTC. Since the FTC
establishes precedent under “deception” and “unfairness” theories, similar
cases may be brought under many state statutes.
Primary US Data Security Requirements (continued)
4. Data Breach Notification Statutes
+ Federal sectoral statutes – HIPAA, GLBA, CPNI.
+ State data breach notification statutes enacted by 48 states, the District
of Columbia, and various US territories.
+ Generally requires a company to notify affected state residents (and in
some instances state regulators) if certain sensitive personal
information about consumers in the state is acquired and/or is accessed
by an unauthorized third party.
5. Data Disposal Statutes
Generally requires a company that collects certain types of information
(e.g., social security numbers) to properly dispose / delete that information
when the information is no longer necessary.
Primary US Data Security Requirements (continued)
6. State Data Safeguards Statutes
More than a dozen states, most notably Massachusetts, have statutes that
require a company to take steps to protect sensitive personal information.
+ Massachusetts data security law, 201 CMR 17.00, is very detailed and
prescriptive.
+ State security statutes more generic than the Massachusetts law simply
require a business that collects PI to use “reasonable” security.
– Increasing debate on what is and what is not “reasonable”
– California Attorney General “recommended” that, in addition to utilizing
encryption, multi-factor authentication, etc., the Center for Internet
Security’s Critical Security Controls define a “minimum level of information
security that all organizations that collect or maintain personal information
should meet.”
Primary US Data Security Requirements (continued)
7. Payment Card Industry Data Security Standard (PCI DSS)
+ Payment Card Industry Security Standards Council (PCI SSC) founded by
major payment brands (e.g., AMEX, MasterCard, Visa, Discover, JCB) in
2006.
– Created data security standard (PCI DSS) for payment card processors
– Certifies Qualified Security Assessors (QSAs) to audit PCI DSS compliance
– Certifies third party forensic investigators (PFIs) to investigate data breaches
+ Each of the major payment brands agreed to incorporate PCI DSS into its
own merchant regulations.
+ Each payment brand is responsible for its own enforcement of compliance
with the PCI DSS and its own determination of non-compliance penalties.
Primary US Data Security Requirements (continued)
7. PCI DSS (continued)
+ Applies to merchants through a series of contractual relationships
+ Penalties (i.e., fines, assessments, chargebacks, recoveries, etc.) also
imposed on merchants through the same series of contractual
relationships
Issuing Bank (bank that issues credit card)
Credit Card Networks (Visa, MC, Discover, AmEx)
Merchant Bank / Payment Processor
Consumer
Retailer
New Cybersecurity Executive Order (EO)
+ EO 13800, signed May 11, 2017
+ Contains three substantive sections:
(1) Cybersecurity for Executive Branch’s own operations
(2) Cybersecurity and critical infrastructure
(3) Cybersecurity for the Internet at large
Cybersecurity EO (continued)
Executive Branch Operations and Cybersecurity EO
+ Directs each executive agency to generate a “risk management report”
within 90 days based on the NIST framework to include an action plan
to implement the framework.
+ Declares the policy of the Executive Branch to “build and maintain a
modern, secure, and more resilient” IT architecture which includes
reliance on “shared” email, cloud, and cybersecurity services.
• Risks associated with information sharing across agencies
Cybersecurity EO (continued)
Critical Infrastructure
+ Directs law enforcement and intelligence agencies to identify what they
can do to support cybersecurity efforts of providers of critical
infrastructure and to provide a report within 180 days on findings and
recommendations for future action.
+ Requires numerous agencies to provide reports and assessments
• Ex: Secretary of Homeland Security to report on promotion of
appropriate marketplace transparency regarding cybersecurity risk
management by providers of critical infrastructure, in particular the ones
that are publicly traded.
• Potential impact of reports on owners of critical infrastructure and their
suppliers/vendors.
Cybersecurity EO (continued)
Cybersecurity for the Internet at large
+ Directs a wide variety of agency heads to jointly submit a report within 90
days on “Nation’s strategic options for deterring adversaries” and protecting
American people from cyber threats.
+ Directs a variety of agencies to submit reports within 45 days to identify
their international cybersecurity priorities.
– Secretary of State to submit a report regarding engagement strategy for
international cooperation in cybersecurity within 90 days following submission
by other agencies.
+ Directs Secretaries of Commerce and Homeland Security, in consultation
with others, to tackle workforce issues in order to ensure that United States
maintains a “long-term cybersecurity advantage” within 120 days of the
issuance of the EO.
16 Critical Infrastructure Sectors
Systems and assets, whether physical or virtual, so vital to the United States
that the incapacity or destruction of such systems and assets would have a
debilitating impact on security, national economic security, national public
health or safety, or any combination of those matters. 42 USC § 5195c(e)
1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials and Waste
15. Transportation
16. Water and Wastewater Systems
Source: https://www.dhs.gov/critical-infrastructure-sectors
FTC “Start with Security” Guide
1. Start with security.
2. Control access to data sensibly.
3. Require secure passwords and
authentications.
4. Store sensitive personal information
securely and protect it during
transmission.
5. Segment your network and monitor
who’s trying to get in and out.
6. Secure remote access to your
network.
7. Apply sound security practices
when developing new products.
8. Make sure your service providers
implement reasonable security
measures.
9. Put procedures in place to keep
your security current and address
vulnerabilities that may arise.
10. Secure paper, physical media, and
devices.
Source: https://www.ftc.gov/system/files/documents/plain-language/pdf0205-startwithsecurity.pdf
Other Regulatory Developments
• NIST issues updates on cybersecurity framework in January
2017. Workshops to discuss comments on the new proposed
framework will be held mid-May 2017.
• Other Regulatory Developments: DOD, DOE, DOJ, FCC, FDA,
FDIC, FINRA, OMB, SEC are all stepping into cybersecurity
– Commissioner Kara Stein stated that the SEC should “play a much more
active role” in cybersecurity (Jopson. “Kara Stein Urges SEC to Act Over
Cyber Attacks.” Financial Times. September 2015.)
– Overall the federal guidance on cybersecurity suggests implementing
cybersecurity best practices
Other Regulatory Developments
• New York Department of Financial Services - effective March 1, 2017
• California Attorney General
– Encourages organizations to implement 20 controls in the Center For
Internet Security’s Critical Security Controls (a/k/a, SANS Top 20) as a
“minimum level of information security”
• State Data Breach Notification Laws
– New Mexico becomes the 48th state to enact a security breach
notification statute on April 6, 2017.
• U.S. Department of Transportation's National Highway Traffic Safety
Administration issues guidance for improving vehicle cybersecurity
in 2016
Litigation Developments – New Requirements
• New Theories of Litigation
– Allegations of ignoring cybersecurity risk management obligations
– Allegations of failing to prevent, investigate, disclose or remediate the
breach
– Allegations of “desperately out of date systems” and complacency about
known vulnerabilities
– Focus on pre and post breach conduct
– Breach of Fiduciary Duty, Waste of Corporate Assets, Failing of Oversight
• Recent Incidents
– Global ransomware outbreak
– Premera BlueCross Security Breach
AI / IoT
AI - Applying privacy principles in a new context
+ Principles of Notice and Consent – apply principles from
cases involving online terms and ensure you obtain
affirmative assent to terms within the experience
– Nguyen v. Barnes; Nicosia v. Amazon; Salameno v. Gogo
+ Consider the context and ensure you factor in specific
statutes
– your child’s playmate; factor in Children’s Online Privacy Protection
Act (“COPPA”)
– you’re collecting biometric data; Illinois’s Biometric Information
Privacy Act (“BIPA”); In re Facebook Biometric Information Privacy
Litigation, No. 15-cv-03747 (N.D. Cal. May 5, 2016).
AI – Protecting against third party access
+ What’s at Stake
– Riley v. California, 134 S. Ct. 2473 (2014), “Privacies of Life”
– State v James Bates (Arkansas Amazon Echo)
+ Issues to consider –
– cyber-security and rogue actors – have you adequately secured the
data? FTC’s expectations from Wyndham and beyond.
– state actors – consider recent litigation from Apple and Microsoft in
considering the balance between effective law enforcement and access
to private data
AI - Liability
+ Interacting with Other Services
+ Liability for Criminal Acts
+ Defamation
+ Security
+ Special Rules for Regulated Industries
AI - Copyright
“Current IP law does not support a finding of infringement
that is independent of human involvement.”
Jason D. Lohr, Managing Patent Rights in the Age of Artificial Intelligence, Law.Com (Aug. 18, 2016)
+ Which humans could be liable? The creator, the hoster, the users?
+ Today, there are inconsistent protections when AI uses copyrighted
content for machine learning
– US & Canada: protect fair uses
– Japan, Israel, Singapore: protect all uses
– UK: protect non-commercial uses
– EU: protect non-commercial users
AI - Authorship
+ AI generated works increasingly look like traditional
human authorship
– Original music, short stories, poetry
+ “Our intellectual property system is designed with only
human inventors and authors in mind.” John Weaver,
Robots Are People Too (2014).
+ Issues related to AI generated works
– Does Section 102 protect automated/mechanical creativity?
– Does Section 201 contemplate machines as authors?
AI - Patents
“The coming wave of computer-generated material is on a
collision course with our patent laws.”
B. Hattenbach & J. Glucoft, Patents in an Era of Infinite Monkeys & Artificial Intelligence, 19
Stan. Tech. L. Rev. 32 (2015)
Who owns products created by AI, if anyone?
– Can AI be an inventor?
– Is the invention non-obvious?
AI – IP Licensing and Ownership
Can a license be drafted broadly enough to cover unforeseen
discovery and uses made by AI?
Licensing Agreement
5. Ownership. As between Company and Customer and subject to the grants
under this Agreement, Company owns all right, title and interest in and to:
(a) the Product (including, but not limited to, any modifications thereto or
derivative works thereof); (b) all ideas, inventions, discoveries,
improvements, information, creative works and any other works
discovered, prepared or developed by Company in the course of or resulting
from the provision of any services under this Agreement; and (c) any and all
Intellectual Property Rights embodied in the foregoing.
AI – Can AI enter into contracts?
+ AI already enters into contracts “on behalf” of a principal
(corporation or person) in a number of circumstances such as
when people purchase items online
+ The Uniform Electronic Transactions Act validates contracts
formed by electronic agents authorized by their principals
+ AI and other technologies challenge the notion of contract as a
consensus-based agreement between individuals
+ As AI becomes more sophisticated, regulations may be passed
to limit how they can bind their principals or they may permit AI
to enter into contracts by and for themselves
AI – Legal counseling in an evolving landscape
Company To Dos
+ Catalogue AI in use or under development
+ Analyze how intellectual property laws could apply
+ Ensure agreements protect AI rights and reduce liability from AI
+ Keep abreast of IP laws governing AI and update policies,
programs and agreement terms accordingly
AI – Policy considerations
+ Even if we can, should we?
+ When is the right thing to do to stand down on pushing the
technological boundaries?
+ What does "free speech" mean in this context?
+ Are our digital assistants "free" or should we moderate how they
learn and how they speak?
+ Data issues - bias, non-interpretability, and outcomes that
disproportionately affect certain populations
IoT – Legal considerations
+ Privacy Issues: Designing products and platforms with the appropriate
privacy protections where the products and platforms are often collecting
new and different information (and more detailed and/or more personal
information); and do we know what’s “appropriate?”
+ Data Ownership and Access: Defining who owns what data and under
what circumstances a party has access to the data and how can the data
be used? Is the business model for the device manufacturer or service
provider consistent with privacy laws? How will data be split among
providers and between providers and users?
+ Cybersecurity, Physical Security and Security: Everything is hackable.
How will security be designed into the devices and into the system? How
does one not only prevent intrusion, but also mitigate the damage? Also,
designs must not just be for cybersecurity, but also physical security.
IoT – Legal considerations
+ Getting a Binding Contract: Can consumers understand the contract and
how does one display a contract through IoT that will be binding? Can
machines, AI, and smart devices enter into a contract?
+ Who’s Liable?: Allocating liability among providers and between providers
and customers. Will platforms be liable for third party products? Will the
customer be responsible for integrating all of the products on a network
or platform?
+ Disclaiming Liability: What liability can be disclaimed? Will UCC Article 2
apply? Will IoT be treated as “software” or as “products?” What about
property damage and consequential damages of device failures?
+ Regulation: How are IoT devices regulated? Who are the regulators? Will
there be both state and Federal regulation? What about international
regulation? What are the regulations going to be? What existing
regulations apply? What sort of failures will capture the regulators’
attention?
IoT – Legal considerations
+ Consumer Protection: Vaporware, MVP (minimum viable product), and
overpromising and under delivering are often hallmarks of early stage
innovation. Will consumers and regulators be patient with IoT?
What burdens, obligations, and expectations will regulators place on
consumers to be informed about the operation of these devices? How will
consumers process the enormous information flow when all devices are
smart, i.e. what constitutes “informed” consent?
+ Law Enforcement/Surveillance: What limits will be placed on law
enforcement’s collection and use of data generated by these devices? Will
there be “backdoors” built into the devices for law enforcement to use?
+ Compatibility: What will be the evolving standards? What will the laws
and norms be about ensuring compatibility among devices?
IoT – Legal considerations
+ IP Ownership Issues: Not only will there be the standard issues regarding
intellectual property as there are with any innovative technology, but
since the devices will be highly networked and will integrate machine
learning, there will be more IP that will be “co-created” (e.g. algorithms). Also,
combination patents and other combination liability may be more
important.
+ The Loss of the “It’s Not Possible” Defense: If all devices are “smart” and
we are collecting data on every act and interaction, organizations may not
be able to claim they did not have “actual knowledge” or that “it’s not
possible” for them to find out certain information.
Ethical Considerations
Duty of Confidentiality
+ Duty to protect the confidentiality of client confidences
+ Rule 1.6(a) of Model Rules and WA Rules of Professional
Conduct
• “[a] lawyer shall not reveal information relating to the
representation of a client unless the client gives informed
consent.”
+ ABA Cybersecurity Handbook
• “[t]his obligation … is no less applicable to electronically
stored information than to information contained in paper
documents or not reduced to any written or stored form.”
• ABA Formal Opinion 477R: Securing Communication of
Protected Client Information
Duty to Safeguard
+ Duty to safeguard clients’ private data and property against
unintentional disclosure or harm; overlaps with the duty of
confidentiality
+ Requires implementation of administrative, physical and
technical safeguards
+ WSBA Advisory Opinion 2215
May use online data file storage system so long as “the lawyer takes
reasonable care to ensure that the information will remain
confidential and that the information is secure against risk of loss.”
+ WSBA Advisory Opinion 2216
Discusses three different scenarios and ethical obligations with
respect to metadata.
+ ABA Formal Ethics Opinion 477
Must take reasonable efforts to ensure communications with clients
are secure
Duty to Maintain Competence
+ Duty to maintain competence by staying updated with
developing technology in the field
+ Rule 1.1(c)
“A lawyer shall make reasonable efforts to prevent the
inadvertent or unauthorized disclosure of, or unauthorized
access to, information relating to the representation of a
client.”
+ Comments to Rule 1.1 of Model Rules and WA Rules of
Professional Conduct
“…a lawyer should keep abreast of changes in the law and its
practice, including the benefits and risks associated with
relevant technology…”
Duty to Maintain Communication
+ Duty to maintain communications with clients “about the
means by which the client's objectives are to be
accomplished,” including the use of technology. Rule 1.4 of
the Model Rules and WA Rules of Professional Conduct
require:
• Keeping the client informed and, depending on the
circumstances, may require obtaining “informed consent.”
• Notice to a client of a compromise of confidential
information relating to the client.
• WSBA Advisory Opinion 2217:
A lawyer has an obligation to advise the client that confidentiality
may be jeopardized if the lawyer believes there is a significant
risk that a third party will access the communications.