Using Online Service Providers – Where the Duty of Confidentiality Reigns

Volume 37 Number 5


Kathryn A. Thompson (kathryn.thompson@americanbar.org) is a research counsel for ETHICSearch, a service of the American Bar Association Center for Professional Responsibility.

With law firms increasingly embracing virtual practice tools, there is a heightened reliance on online service providers to store and process client information. Using such providers offers obvious benefits, but it also raises complex confidentiality issues under various rules of professional conduct. Thus, lawyers who wish to work in the virtual realm must proceed with caution.

Hail the King and Queen: Confidentiality Rules
To begin with, ABA Model Rules 1.6 (Confidentiality of Information) and 5.3 (Responsibilities Regarding Nonlawyer Assistants) come into play because online service providers are generally nonlawyers who are being given access to confidential client information outside the lawyer’s direct control and supervision. Under these rules, lawyers must take “reasonable precautions” to ensure that nonlawyer providers have taken reasonable measures to safeguard the confidentiality of client information, and that nonlawyers are adequately apprised of the lawyer’s confidentiality obligations. Note, too, that while a lawyer isn’t required to use special security measures if the communication method “affords a reasonable expectation of privacy,” Comment 17 to Model Rule 1.6 warns that “special circumstances” may warrant “special precautions.”

When dealing with online service providers, lawyers are obligated not only to protect and preserve clients’ confidential information (Rule 1.6), but to act competently (Rule 1.1), and to adequately supervise both lawyers and nonlawyers (Rules 5.1 and 5.3). In addition, in the event of a significant breach of confidentiality, a lawyer may be obligated under Model Rule 1.4(b) to disclose the breach to the client. Add to the mix Rule 1.9(c), dealing with a lawyer’s confidentiality obligation to former clients, and Rule 1.18, setting forth duties to prospective clients, and most lawyers are left wanting for more concrete ways to adhere to the confluence of the ethics rules involved.

The following guidelines sort through the confidentiality maze for those who rely on the Internet as a platform for delivering legal services.

Select Appropriate Tools and Services
It is the individual lawyer’s obligation, when dealing with confidential electronic data, to select technology tools that both afford a “reasonable expectation of privacy” and otherwise ensure competent representation of the client. Accordingly, ethics committees are forced to apply broad principles and general standards to determine the adequacy of particular security measures on a case-by-case basis.

For example, in describing the “panoply of electronic and other measures available to assist an attorney in maintaining client confidences,” including firewalls, operating systems, security software, and the use of passwords and encryption, Arizona Ethics Opinion 05-04 (2005) concluded that the selection and use of such tools was beyond the scope and competence of the ethics committee and ultimately the responsibility of the individual attorney.

Become a Technology Expert—or Hire One
Commensurate with a lawyer’s obligation to choose technology tools appropriate for the circumstances is the need to acquire the training necessary to make an informed decision about that selection—or hire a technology consultant who can do so. Arizona Ethics Opinion 05-04 (2005) went so far as to say a lawyer may need to conduct additional research or hire an expert consultant to make a “competent” decision about technology. It follows that a lawyer must be sufficiently familiar with the security features of different types of technologies in order to take “reasonable” precautions to protect information. Illustrating the need for lawyers (or hired experts) to be able to distinguish between technologies while securing different types of Internet connections is ’s recent Ethics Opinion 2010-179 (undated). The committee there noted that a lawyer’s use of a laptop computer at home is permissible if the personal wireless system is configured with appropriate security features such as firewalls, encryption and password protection—but that use of a public wireless connection at a location like a coffee shop may require additional safeguards, such as encryption and a firewall.

Of course, the evolving nature of technology makes the lawyer’s task even more difficult, since tools that may be considered reasonable today may quickly become outdated or obsolete. For that reason, state ethics authorities typically decline to recommend specific tools or delineate between acceptable and unacceptable technology practices, instead relying on—in the words of a Maine ethics committee—“general guidance for the lawyer to consider in determining when professional obligations are satisfied” (Ethics Opinion 194 (2007)).

Carefully Select and Monitor Your Service Provider
As noted earlier, a lawyer must use care in selecting an outside service contractor to provide technology services. Pursuant to Model Rules 1.1 and 5.3, that involves adequately investigating the prospective service provider, and making “reasonable efforts” to ensure it has measures that “provide a reasonable assurance” that the conduct of nonlawyer employees is compatible with the lawyer’s ethics obligations. In turn, that includes making a determination that the contractor has adequate procedural and technical safeguards to preserve and protect client confidences. Here are some things you need to consider in that regard.

■ Know what type of information is being stored. Security measures must be adequate for the sensitivity of the stored document. For example, in North Dakota Ethics Opinion 99-03 (1999), the ethics committee determined that minimally adequate measures for using an online backup service require that a law firm limit access to authorized personnel through the use of passwords or other security measures.

■ Know who has access to the information. Lawyers should also have some general familiarity with the employees accessing the electronic information. For example, in Michigan Informal Ethics Opinion RI-328 (2002), the ethics committee ruled that a governmental law department may use the services of a technical support group in a separate department, provided the lawyers had no reason to believe that the individuals in the group had a special interest in accessing or would be likely to access the confidential client information.

■ Know where the information resides. Delegating tasks to lawyers in physically remote locations can pose additional difficulties. “Electronic communication can close the gap somewhat,” warns ABA Formal Ethics Opinion 08-451 (2008), but it “may not be sufficient to allow [lawyers] to monitor the work of the lawyers and nonlawyers working for [them] in an effective manner.” In fact, proper monitoring might even require a physical visit to the facility, according to the committee. Such a high degree of monitoring could arguably create insurmountable ethics roadblocks for lawyers hosting data in distant or unknown locations, though, as is often the case with cloud computing, where the data could conceivably be hosted by multiple providers in multiple locations.

Because state ethics authorities are just now beginning to grapple with ethics questions posed by the use of cloud computing, SaaS and other technologies that make the tracking and securing of client information more elusive, lawyers engaged in virtual practice should stay abreast of any precedent in this area. Although the has not yet issued a formal opinion on virtual law practice or cloud computing, both topics have been included on the agenda of the ’s 20/20 Ethics Commission, and the ABA/LPM eLawyering Task Force has issued several pertinent guidelines.

■ Ensure that the provider understands your duty of confidentiality. An important aspect of a lawyer’s ethical obligation when employing outside service providers under Model Rule 5.3(b) is adequately explaining the lawyer’s duty of confidentiality and ensuring that the contractor understands it. Although the rules don’t make clear how to ensure that a nonlawyer understands the lawyer’s confidentiality obligation, most ethics authorities recommend some type of written acknowledgement that the contractor understands the confidential nature of the materials and agrees to protect the information from disclosure.

While ethics authorities typically stop short of requiring a written agreement, most find that such an agreement is “strongly advisable” or “prudent.” (See ABA Formal Ethics Opinion 08-451 (2008) and Michigan Informal Ethics Opinion RI-328 (2002), respectively.) A few committees have even held that the written acknowledgement must constitute an enforceable agreement, as in, for example, New Jersey Ethics Opinion 701 (2006).

However, it is well worth noting that even the most well-appointed confidentiality or terms of service agreement may not suffice absent the actual implementation of adequate safeguards by the service provider. For example, North Carolina Ethics Opinion 5 (2008) determined that a lawyer in that state could utilize a web-based docketing system that allowed access to both lawyers and corporate clients, but only if clients were actually prevented from accessing the information of other clients. The committee noted that while an agreement from a client or a client’s counsel not to view the confidential information of another client was unacceptable, a “security code access procedure that only allows a client to access its own confidential information would be an appropriate measure to protect confidential client information.”

■ Notify the client in the event of a breach. Most ethics authorities that have addressed this issue have found that a lawyer is obligated to notify the client in the event of a significant breach of confidentiality by the service provider.

Obtain Client Consent in Advance of Using the Services
The Model Rule 1.6(a) prohibition against revealing information related to a client’s representation includes exceptions for disclosures that are “impliedly authorized” or where a lawyer has obtained a client’s informed consent to the disclosure. But lawyers with virtual law practices should be aware that ethics authorities disagree about whether lawyers are “impliedly authorized” to use outside service providers to electronically store or manage confidential client information.

Those jurisdictions concluding that such revelations are not authorized under Rule 1.6(a) require the informed consent of the client prior to utilizing the services of the provider, as mandated by the model rule, and some also find Model Rules 1.2 and 1.4 provide an additional basis for requiring advance disclosure to the client. At the other end of the spectrum are several state ethics authorities that overlook analysis of Rules 1.2 and 1.4 and conclude that lawyers are “impliedly authorized” to make confidential client information accessible to outside service providers pursuant to Rule 1.6(a).

Ultimately, though, given the discord among the states about whether the ethics rules permit the hiring of an outside online service provider without client consent, it certainly seems prudent for lawyers to obtain client consent in the initial retainer agreement as a precaution.

Stay Ahead of the Game
Now, for a final note of caution. While this article concentrates on lawyers’ confidentiality obligations in virtual practice, lawyers should also stay abreast of other ethical requirements related to virtual law practice. For help with that, contact the ABA’s ETHICSearch research service (ethicsearch@americanbar.org) for a more comprehensive list of state ethics opinions and other materials focusing on online law practice.

  • LAW PRACTICE MAGAZINE