Attorney-Client Privilege – Duty to Preserve Client Confidences – Electronic Storage of Client Information
Article courtesy of Hinshaw & Culbertson, LLP – © 2012 – Used with permission
New York State Bar Ethics Opinion 842 (Sept. 10, 2010) and District of Columbia Bar Legal Ethics Committee Opinion No. 357
Risk Management Issue: What measures do law firms need to take to manage the risks associated with storage of client files and sensitive client information in the “cloud”?
The Opinions: In recent years, lawyers have turned to emerging digital storage solutions such as “cloud” computing to store client files. These tools pose new and different risks than those used for traditional storage of physical files. They likewise raise complicated issues associated with electronic security, maintaining and protecting client confidences and work product privileges, as well as ownership and return of the client’s file upon termination of the representation. In its broadest sense, the cloud consists of all the electronic storage resources available using the internet rather than servers owned and wholly controlled by the owner of the information to be stored. The cloud is composed of domains and servers accessible through a network of internet service providers, and includes any service provided online and operated by a third party, such as online data storage, internet-based email and software as a service.
The New York State Bar Association Committee on Professional Ethics (NYSBA Committee) issued Ethics Opinion 842 to explain the ethical questions that attorneys who hire third-party providers to store electronic client files in the cloud need to address. District of Columbia Bar Legal Ethics Committee (DCB Committee) Opinion No. 357 deals with lawyers’ obligations regarding former clients’ records maintained in electronic form when the client relationship is terminated. Taken together, these two opinions provide guidance to lawyers who seek to uphold their ethical duties to clients while modernizing their practice environment.
The NYSBA Committee concluded that online storage systems are permissible so long as an attorney exercises reasonable care to ensure that confidential information will remain secure. The NYSBA Committee compared the practice with the common practice in the past and present of hiring a third party to store physical copies of client files. Under N.Y. R. Prof’l Conduct 1.6(a) “a lawyer shall not knowingly reveal confidential information” and under N.Y. R. Prof’l Conduct 1.6(c) an attorney must exercise “reasonable care” to ensure that third parties who provide services for the attorney do not divulge or use confidential information. With modern technology however, what constitutes “reasonable care” in the context of third-party storage remains somewhat unclear. Accordingly, the NYSBA Committee suggested four practices that attorneys should consider as part of exercising “reasonable care”:
(1) Ensure, and periodically reconfirm, that the storage provider has “an enforceable obligation to preserve confidentiality and security” and “will notify the lawyer if served with process requiring the production of client information.”
(2) Investigate the storage provider’s “security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances.”
(3) Utilize “available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored” and notify affected clients in the event of a breach.
(4) Review the provider’s ability to purge, wipe and transfer the data if the attorney decides to use another provider.
Bar committees in at least four other jurisdictions (Alabama, Arizona, Nevada and New Jersey) have also reviewed ethical issues associated with cloud computing and have found the practice permissible. All appear to concur that attorney obligations have not fundamentally changed in the face of these new technologies, and lawyers are advised to maintain appropriate competence to understand and keep current with technological developments and their effect on security measures in order to protect confidential information.
The DCB Committee opinion discussed lawyers’ continuing duty to protect client interests when the attorney-client relationship ends where all or part of client files are maintained electronically. Following its Opinion 357 that the entire file unequivocally belongs to the client, the DCB Committee also reaffirmed the rule that in terminating representation under D.C. Rule 1.16 a lawyer must take appropriate steps to protect client interests in surrendering papers and property to which they are entitled, regardless of the media in which they are stored.
In the related issues of when electronic files must be converted to paper, and who should bear such costs, the DCB Committee rejected a “bright-line” test. While a lawyer in most cases must comply with a reasonable request from a client to convert electronic files to paper, the client should in most cases bear the conversion cost. However, the attorney should bear the cost if neither the client nor substitute counsel can access the records “without undue cost or burden” and the former client’s need for the file in paper form outweighs the burden to the lawyer to furnish the file in that manner.
Risk Management Solution: In fulfilling their duties of confidentiality and competence to their clients, attorneys must make reasonable efforts to ensure that technology they employ does not place confidential client information at undue risk of unauthorized disclosure. Technology is continually evolving and available products may differ significantly in security features offered. As well as ensuring and regularly monitoring the security of technology being used, lawyers should also address issues of file retention, maintenance and security in their engagement letters with clients when the representation begins. Where practical, attorneys should consider client input in making technology decisions such as the use of cloud service providers. In the exercise of due diligence and reasonable care, lawyers should be competent to evaluate their use of online technologies and be prepared to interview service providers, particularly with respect to security, backup and service continuity issues.
Disclaimer: This article is written from an insurance perspective and is meant to be used for informational purposes only. It is not the intent of this article to provide legal advice, or advice for any specific fact, situation, or circumstance. Contact legal counsel for specific advice.