March 2003  Volume 29, Issue 2
COVER STORY
Confidentiality: Dragons In The Digital Age
by David Hricik
Offsite data storage, viruses that send hard drive files randomly, handheld heists, misdirected or intercepted e-mails to clients. Be they virtual or physical risks, know the ethics issues when client information is kept or sent electronically.

The digital age has brought lawyers many benefits, including increased ways in which to store and transmit ever-greater quantities of information. But think about how much of that information relates to client confidences. Now, consider how a breach of the duty of confidentiality can have far greater consequences than ever before. In the analog age, a lawyer might worry about losing a briefcase containing sensitive documents, or about discussing a client matter too loudly while in a courthouse hallway. Today, you can inadvertently e-mail privileged documents to opposing counsel with the push of a button, or let a room's worth of files fall into malicious hands with a stolen laptop. These days, the potential for breaching confidentiality is downright frightening.

There is little formal ethics guidance for lawyers exploring the reaches of the information superhighway. Bar associations, whose opinions are often merely advisory, have issued only a few opinions dealing with digital ethics issues. And the analogies to preexisting fact patterns may not always hold true.

It's hard to know if, and where, dangers really lie. In that respect, the digital age looks more like the Middle Ages, when dragons, real or imagined, seemed to lurk around every unknown corner. The best recourse is to be prepared, lest you wander off the map and the ethics dragons rear their ugly heads. To help you stay on the straight and narrow path, here is an overview of the ethics issues that arise from digitally storing and transmitting client confidences, with pointers on how to protect yourself, and your clients, from harm.

The Broad Duty of Confidentiality Meets the Digital Age
Most states have ethics rules that require lawyers to protect confidential client information. Although the scope of "confidential" varies by state, most state rules define it to include not just privileged information but all information relating to a representation received by a lawyer as a result of the representation.

That definition is extraordinarily broad. The information need not be truly "secret" for it to be confidential under many state rules, and it need not be of a nature such that disclosure would be "embarrassing" or "detrimental." The broad scope of protected information can even include otherwise "public" information learned by a lawyer.
Generally, while the precise contours of the duty vary by jurisdiction, lawyers must take reasonable steps to ensure that confidential client information is neither disclosed to unauthorized third parties nor misused by the lawyer or the lawyer's staff. Breach of the duty, of course, carries consequences: It may lead to money damages, fee forfeiture or disciplinary action.

How do these factors apply in the digital age? The duty with respect to confidential information does not change when the information is stored on computers. Technology, however, compounds the duty in various ways. Lawyers now need to be concerned with the physical security of the data as well as the virtual security of information when it is stored on a computer connected to the Internet.

Authorizing Third-Party Access to Your Systems
In the course of computer system maintenance and upgrades, law firms regularly allow third parties (software consultants, hardware specialists and the like) to have physical or virtual access to systems on which client confidences are stored. Those third parties are strangers to the privilege who likely do not owe a duty of confidentiality to firm clients.

In the analog arena, it is vital to obtain the agreement of third parties that they will respect the privilege and protect confidential information. Bar opinions hold that a lawyer who stores client files outside of the firm with offsite storage facilities must ensure that the storage company has a confidentiality obligation and takes reasonable security measures. Permitting third parties access is not an ethics violation, according to these opinions, as long as the obligation of confidentiality is maintained.

In its only opinion addressing virtual access, the ABA Committee on Ethics and Professional Responsibility reached the same conclusion (Formal Opinion 95-398 (1995)). It advised:

A lawyer who gives a computer maintenance company access to information in client files must make reasonable efforts to ensure that the company has in place, or will establish, reasonable procedures to protect the confidentiality of client information. Should a significant breach of confidentiality occur, the lawyer may be obligated to disclose it to the client.

The opinion further advised lawyers to obtain "a written statement of the service provider's assurance of confidentiality."

Precisely the same issue arises when the information is physically stored with a third party, such as with an application service provider (ASP) that provides data storage over the Internet. Accordingly, if your firm has given permission to computer consultants or vendors to access stored client confidences, whether virtually or physically, you should determine whether to make their confidentiality obligations compatible with your own. (For more on the issues related to ASPs, read "Hidden Dangers: ASPs and Ethics," by David Hricik and Peter Krakaur, in LPM's March 2002 issue.)

Preventing Unauthorized Access with Passwords
What about the possibility of a third party accessing information on your systems without your permission? Meeting the duty here requires additional precautions, with passwords chief among them.
The courts addressing e-mail and Web site security have pointed to the presence of password protection as a key fact in finding stored data to be confidential. Even information stored "in public," such as on the Web or with an Internet service provider, is still deemed confidential as long as log-on and password protection exists. It may sound odd, but passwords have Constitutional import.

Every computer that stores or provides access to client confidences should have password protection in place. Integral to that protection is requiring users to select appropriate, secure, nonobvious passwords, meaning, for one thing, that the password is not the user's name. Ideally, passwords are at least six to eight keystrokes long and contain letters plus numbers or other, nonalphanumeric characters (such as @ or #). In addition, users should be instructed to never, ever leave their passwords written down in clear view of their computers.

Firms also need to monitor their employees' password usage, that is, who uses what passwords. Suppose, for example, that a lawyer keeps key case information on a laptop protected by a password. Should the lawyer quit the firm under less-than-friendly circumstances, the firm may be unable to access the information and the lawyer who possesses the password may have improper, but significant, leverage.

Safeguarding Against Physical Theft: Do You Know Where Your Laptop Is?
Once it would have taken a truck and an army of burglars to steal an important but voluminous case file. Today it could be accomplished with much simpler logistics, by, say, heisting a litigator's laptop. Given their portability, light weight and file-storage capacity, laptops and other devices such as PDAs and handheld computers present a special risk in terms of physical theft.

Employees who use laptops and handhelds need to be advised on how to secure the information stored on those devices. A written firmwide policy may be in order. The firm may also want to take additional security measures, such as putting in place a means to locate stolen laptops. For example, one available program, once it is installed on a laptop, will periodically and surreptitiously phone a monitoring center and report the laptop's serial number and location. Other, more old-fashioned services provide tags to be placed on portables, specifying that if someone reports finding the device, that person will receive a reward and Federal Express will pick up the device at no charge.

No one knows whether bar associations or courts could hold that lawyers who carry client information on laptops must use these types of systems. In that regard, it's best to keep in mind Learned Hand's formula: Look to whether the cost of the untaken precaution exceeds the expected risk of loss times the amount of loss.

Inoculating Against Viruses and Hackers
Computer viruses, as well as hackers, can destroy client files outright. In addition, there are certain viruses that allow unauthorized third parties to examine stored files, or that attach files from the infected computer and randomly e-mail them to third parties. The possibilities are alarming. For example, a lawyer's computer could be infected with a virus that would randomly choose a sensitive document from the hard drive and then e-mail that file to a randomly chosen recipient-perhaps to opposing counsel or another adverse party in the lawyer's e-mail address book.

Firms must establish policies to reduce the risks to client confidences created by viruses and hackers. The following are essential steps:

  • Install, and run, the most up-to-date virus detection software.
  • Put a secure firewall between your firm computers and the Internet.
  • Do not open e-mail attachments from unknown senders.
  • Think about routing all e-mail attachments to the IT department for scanning.

No ethics opinions or cases currently hold that lawyers must use firewalls or like procedures to protect client confidences. However, a disciplinary board, as well as a client whose information is compromised, will likely rely on the classic test for negligence in determining whether a lawyer took reasonable steps to protect sensitive information.

Turncoat access. Firms should also be concerned about internal risks to computer systems. One recent survey concluded that, while 70 percent of all attacks came from outside of an organization, 75 percent of dollar losses were incurred as a result of internal security issues. When you are firing an employee, your firm needs to take extreme care regarding that person's access to your computers. Consider that thousands of pages of key documents can be destroyed, or at least made temporarily inaccessible, if a disgruntled person pushes just a few buttons.

Securing Confidences Transmitted by E-Mail
E-mail sent over the Internet is routed through a network of computers that are owned by third parties-parties that do not have a contractual agreement to maintain the confidentiality of a lawyer's information as it passes through their systems. Hackers and others, likewise, can review e-mail while it is in transit. Consequently, transmitting e-mail containing privileged or confidential information over the Internet raises the question of whether doing so violates the duty of confidentiality or waives the attorney-client privilege.

Bar associations generally hold that it is ethical for lawyers to use e-mail without encrypting it unless the information is particularly sensitive. When an interception occurs, however, the client may well contend that the information was particularly sensitive and, so, should have been encrypted. A lawyer should advise a client, either in an e-mail or an engagement letter, that the Internet is not completely secure and, therefore, if the client does not wish to use e-mail to communicate, the lawyer will not do so.

Another concern is that e-mail can be misdirected. In fact, anecdotal evidence suggests that misdirection, not interception, is more likely to cause disclosure of confidential information. Consequently, lawyers should take reasonable precautions to prevent inadvertent transmission of confidential information to third parties, and especially to opposing counsel.

Encrypting an e-mail message can, of course, prevent harm if an e-mail is misdirected. Encryption is a best practice. Note, however, that thus far there have been no reported malpractice or disciplinary cases based on e-mail interception or third-party review. (For more on e-mail issues, read Wendy Leibowitz's "As I Was Saying" column on page 6 of this issue.)

Stopping short of encryption. Encryption, unfortunately, is not yet "push of the button" simple, and many clients, not to mention lawyers, do not want to deal with it. But there are ways short of using full-blown encryption programs to decrease the risks of both intentional interception and misdirection. Foremost among these is "password-protecting" a document in its native application before sending it as an e-mail attachment. The major word processing programs, for example, allow you to assign a password to a document under the Save As feature options. Then, only users to whom you've given the password are able to open and read the document. Anyone else will find the document format an unreadable mess. Though not providing the same degree of protection that true encryption programs do, this method can eliminate the risks of third parties intercepting and reviewing attachments as a result of misdirection.

Another option is for lawyers to use so-called "disclaimers," or "legends," on e-mails. These are the notorious blurbs that appear at the bottom of many e-mail messages, stating something like, "This information is privileged; if you read it and you are not supposed to, you will self-combust." It remains to be seen whether a court will find that the presence of disclaimers affects the privilege. However, their indiscriminate use (putting "Highly Confidential" on every e-mail) may lead a court to doubt their efficacy. In addition, a lawyer who sends e-mails stating that the information is privileged may, in some instances, create an expectation in the recipient that the lawyer represents the recipient, which may not be the case.

Watching for Metadata: Did You Send More Than Words Were Meant To Say?
Word processing programs have built-in tools that provide tremendous power but that also pose problems. You can, for example, track the changes made to a document, including who made them and when. The user has the option of having the changes appear on screen, having them print with the document or keeping them from view. In addition, you can store hidden "comments" in a document, which do not print but are visible when the document is on screen. These tracked changes and comments, visible or not, accompany the digital file.
Likewise, some word processors have a feature that allows for multiple "undos" of preceding keystrokes. In order for the program to know how to "undo" the user's last 10 steps, it has to save the undos as data. When you share a document, that data accompanies it.

Lawyers need to be alert to how and when they use these features, especially whether they are allowing comments or tracked changes to accompany a file that is being transmitted. Otherwise, they may compromise information when the electronic version of a document is shared with third parties. For example, if you've created a document using Microsoft Word's Track Changes feature, the recipient may be able to discern the fact that you changed your opening offer from $75,000 to $50,000.

There are precautions you can take with these features. For example, before sending a revised document in electronic form, double-check to ensure that you, or another party, haven't unknowingly been tracking sensitive changes even though they do not appear on screen. Another solution is to turn off the feature before you create a new document. In addition, specialized utility programs can "strip" the metadata from a document before you transmit or otherwise share the file.
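As an added illustration of the check described above (this is example code, not part of the article or any product it mentions), the following Python script inspects a document for the tracked changes and comments that travel with the file, shows that the on-screen text hides them, and produces a copy with the changes accepted and the comment anchors stripped. It assumes the modern zipped-XML .docx format rather than the binary .doc of 2003, and the sample document is constructed inline.

```python
import io, zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
ET.register_namespace("w", W_NS)

def W(tag):  # fully qualified WordprocessingML tag name
    return f"{{{W_NS}}}{tag}"

def _body(docx_bytes):  # a .docx is a zip; the text lives in word/document.xml
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return ET.fromstring(zf.read("word/document.xml"))

def find_hidden_revisions(docx_bytes: bytes) -> dict:
    """Count the revision markers a recipient could read out of the file."""
    tags = [e.tag for e in _body(docx_bytes).iter()]
    return {"insertions": tags.count(W("ins")), "deletions": tags.count(W("del")),
            "comments": tags.count(W("commentRangeStart"))}

def visible_text(docx_bytes: bytes) -> str:
    """Text as shown on screen; deleted text sits in <w:delText>, not <w:t>."""
    return "".join(t.text or "" for t in _body(docx_bytes).iter(W("t")))

def accept_all_changes(docx_bytes: bytes) -> bytes:
    """Copy with insertions accepted, deletions and comment anchors removed."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:  # drop the comments part too
        parts = {n: zf.read(n) for n in zf.namelist() if n != "word/comments.xml"}
    root = ET.fromstring(parts["word/document.xml"])
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == W("del") or child.tag.startswith(W("comment")):
                parent.remove(child)
            elif child.tag == W("ins"):  # keep the inserted runs, drop the wrapper
                at = list(parent).index(child)
                parent[at:at + 1] = list(child)
    parts["word/document.xml"] = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return out.getvalue()

def build_sample_docx() -> bytes:
    """Constructed sample, not a real document: the article's $75,000 -> $50,000
    change left in Track Changes, plus one reviewer comment anchor."""
    body = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
            '<w:commentRangeStart w:id="0"/><w:r><w:t>Opening offer: </w:t></w:r>'
            '<w:del w:id="1" w:author="partner"><w:r><w:delText>$75,000</w:delText></w:r></w:del>'
            '<w:ins w:id="2" w:author="partner"><w:r><w:t>$50,000</w:t></w:r></w:ins>'
            '<w:commentRangeEnd w:id="0"/><w:r><w:commentReference w:id="0"/></w:r></w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
    return buf.getvalue()
```

Running `find_hidden_revisions` on the sample reports the insertion, the deletion and the comment even though `visible_text` shows only the final offer; after `accept_all_changes` the counts are all zero and the old figure is gone from the file.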

Take Reasonable Steps Toward an Unclear Future
Who can predict how these and other ethics questions will fall out in the digital age? Bar associations have already issued opinions in which they did not fully understand the technical issues involved. Will they, in the future, issue opinions that condone risky behavior or prohibit behavior that would be deemed proper and commonplace outside the digital context?
We cannot know for sure. But we do know that lawyers have an obligation to protect client confidences. When storing and transmitting documents, take reasonable steps to ensure that sensitive client information is protected. And, as technology continues to advance, be on the alert for new dragons rearing their heads.

David Hricik (hricik_d@mercer.edu) is an Assistant Professor of Law with the Mercer University School of Law in Macon, GA, where his courses include patents and ethics. He was previously Of Counsel with Yetter & Warden, L.L.P., a litigation firm in Houston.