This is an updated version of an article first published in October 2021 in the Law Society of NSW Journal .

Solicitors' duties in the digital era - is there a duty of technological competence?

Background to duties of competency, confidentiality and supervision

Solicitors are under a duty, in contract and tort, to exercise reasonable care in the provision of legal services. Noting that the paramount duty of a lawyer is to the court and the administration of justice, the duty to ‘deliver legal services competently, diligently and as promptly as reasonably possible’ is described as one of the five fundamental duties of a lawyer in the Legal Profession Uniform Law Australian Solicitors Conduct Rules (Rule 4.1.3) (‘ASCR’).

Solicitors also owe a fiduciary duty not to disclose any information which is confidential to a client and acquired by the solicitor during the client’s engagement, subject to any overriding duty, with this duty also being an implied term of the retainer agreement and codified in Rule 9 of the ASCR. Maintaining confidentiality has always been fundamental to public confidence in the legal system and to the lawyer/client relationship.

Rule 37.1 of the ASCR provides that a solicitor with designated responsibility for a matter must exercise reasonable supervision over solicitors and all other employees engaged in the provision of the legal services for that matter.

Technology in legal practice today

Technology offers many opportunities for lawyers to provide legal services in new ways. For example, artificial intelligence is being used in different aspects of legal work such as compliance and e-discovery. While relatively recent technology like this is used by some law firms, the focus of this article is on the mainstream technology that is now a feature of everyday legal practice and how the courts might regard the duty of competency in this context.

In the digital era the expertise needed to work with some legal technologies is a special type of knowledge that is a hybrid of both legal and technological knowledge (see Fabian Horton, Technology Competency – the New Standard for Lawyers, Law Institute Journal, 2017). Digital literacy and technological skills are now an accepted part of modern education which impacts on the knowledge and skills that lawyers are also expected to have (Horton).

Some of the most convenient, efficient and widely accepted technologies used by lawyers are email and the use of cloud-based services.

However, both of these involve significant risks to the security of information if adequate safeguards are not in place. For example, an unauthorised person able to access an email account can potentially find a treasure trove of information about a practice and its clients that can be used to commit funds transfer frauds against the practice, clients or others, or to collect information about third parties that can then be used to launch other targeted cyberattacks. According to its Annual Cyber Threat Report the Australian Cyber Security Centre (ACSC) received 70 reports of cyber incidents impacting the legal and professional services sector between July 2019 and June 2020.

For several years professional associations and insurers have issued repeated warnings about business email compromise (‘BEC’) leading to payment redirection fraud. Business email compromise occurs when cybercriminals gain unlawful access to emails or impersonate businesses to deceive others into redirecting payments into an account connected with the fraudster.

In these cases, fraudsters have been able to insert themselves in transactions leading to financial loss for the client, law practice or legal practitioner. While the solicitors themselves have been entirely innocent of any personal involvement, they may nevertheless be exposed to an action in negligence or for breach of trust, particularly if the fraud was able to occur as a result of breaches in technology used by their practice and reasonable steps were not taken to either secure email accounts, supervise the use of email or train staff how to recognise scam emails.

On 30 August 2021 the growth in business email compromise impacting property transactions prompted the ACSC to issue an alert, warning that “Cybercriminals are targeting the property and real estate sector to conduct business email compromise scams … This trend has potential for significant financial harm. All parties involved in the buying, selling and leasing of property should be vigilant when communicating via email, particularly during settlement periods. This includes real estate agents, conveyancers and lawyers, mortgage lenders and any clients of these businesses.”

Prior to the widespread adoption of email as the preferred mode of business communication, few would have disputed that duties of competency and confidentiality would entail locking doors to protect business records and verifying signatures authorising large funds transfers, and it is difficult to see how the same expectations would not apply to adopting safeguards for risks associated with technology used by legal practices today.

This is not to suggest that every adverse incident could give rise to an allegation of breach of professional duty, but given the monetary value of legal transactions it would arguably be in the interests of both the profession and its clients for education about these risks to become mandatory.

Lawyers may face some difficulties in defending claims that could have been avoided had reasonable and available precautions been implemented to limit the chances of BEC occurring. For example, one legal professional indemnity insurer recently commented that nearly every funds transfer fraud as a result of BEC leading to a claim against its insureds could have been avoided if the practice had used multi-factor authentication for logging in to email accounts, which is easy and inexpensive to implement on business quality email services. In the case of property transactions, both PEXA and Infotrack have developed applications enabling the sharing of bank account details which remove the need for communicating this information by email.

Jurisdictions that have adopted a duty of technological competency

Rule 1 of the American Bar Association’s (‘ABA’) Model Rules of Professional Conduct states that ‘A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation’.

In 2012, the ABA added an eighth comment to this rule, to the effect that Rule 1.1 should be interpreted to mean that lawyers should also maintain technological competence:

[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Since then, bar associations in at least 39 states have adopted this requirement. According to the United States’ National Association of Attorneys General, a lawyer’s duty is to ‘keep abreast of changing technologies and to obtain and use technology in an appropriate way consistent with the needs of their practice and the norms of their legal community’, rather than an expectation that lawyers become ‘tech experts or geeks’. At least two US states now require technology training under ongoing continuing legal education requirements.

In Australia

The Law Council of Australia’s Cyber Precedent website discusses the ABA’s position without formally expressing a view as to whether a similar duty applies locally. It describes the following ‘Key messages’ under a duty of technological competence:

• ‘To be a competent lawyer, you need to understand the value of the information that you are dealing with.

• Failing to properly protect your client’s information that has been entrusted to you could cast doubt on your ability to properly manage your practice.

• As legal practices operate more in the digital realm the issues of cyber security will play a more prominent role. It is important to keep up-to-date with the current risks and the current security measures'.

 Four areas which are likely to be particularly important in everyday practice are understanding risks related to the use the of software storing confidential information ‘in the cloud’ (i.e. servers that are accessed over the internet, and the software and databases that run on those servers), securing data, data sovereignty and avoiding funds transfer frauds as a result of business email compromise.

Professional bodies have emphasised that the use of cloud-based technology should be accompanied by reasonable steps to prevent data from getting into the wrong hands. For example, the Cloud Computing Practice Note published by the Office of the Legal Services Commissioner in 2013 and revised in 2015 provides guidance on issues that should be considered, including an expectation that lawyers who use cloud software have an appropriate understanding of the technology, and appreciation for and appropriate management of risks that might arise.

The Model Rules published by the Australian Registrars' National Electronic Conveyancing Council (ARNECC), which regulates e-conveyancing transactions, now mandate that all users and administrators of an electronic lodgement network complete cyber security awareness training. While no such formal regulatory requirement may currently exist for other work undertaken by law firms, even without a formally recognised duty of technological competence this might be inferred by an Australian court having regard to reported levels of cybercrime, other professional duties and the official warnings described above.