Opinion 05-04 (7/05) by The State Bar of Arizona's Committee on the Rules of Professional Conduct In response to the following; How do we protect the confidentiality and integrity of client information while continuing to increase reliance on internet for … storage of documents? Ethical Rule's 1.6 and 1.1 require that an attorney act competently to safeguard client information and confidences. It is not unethical to store such electronic information on computer systems whether or not those same systems are used to connect to the internet. However, to comply with these ethical rules as they relate to the client's electronic files or communications, an attorney or law firm is obligated to take competent and reasonable steps to assure that the client's confidences are not disclosed to third parties through theft or inadvertence. In addition, an attorney or law firm is obligated to take reasonable and competent steps to assure that the client's electronic information is not lost or destroyed. In order to do that, an attorney must be competent to evaluate the nature of the potential threat to client electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end. An attorney who lacks or cannot reasonably obtain that competence is ethically required to retain an expert consultant who does have such competence.
Opinion 2005-4 (3/3/05) The Massachusetts Bar Association Committee on Professional Ethics issued the ethics opinion that “A law firm may provide a third-party software vendor with access to confidential client information stored on the firm’s computer system for the purpose of allowing the vendor to support and maintain a computer software application utilized by the law firm. However, the law firm must “make reasonable efforts to ensure” that the conduct of the software vendor (or any other independent service provider that the firm utilizes) “is compatible with the professional obligations of the lawyer[s],” including the obligation to protect confidential client information reflected in Rule 1.6(a). The fact that the vendor will provide technical support and updates for its product remotely via the Internet does not alter the Committee’s opinion.”
Formal Opinion No. 33 (02/9/06) State Bar of Nevada Standing Committee on Ethics and Professional Responsibility responded to a query regarding an attorney’s use of an outside agency to store electronically formatted client information. In the situation posed, the attorney’s electronic client files, which contain confidential client information and communications, are stored on a server or other computer device which is physically located and maintained by a third party outside the attorney’s direct control and supervision. The committee responded; “The lawyer’s duty to protect client confidentiality under Supreme Court Rule 156 is not absolute. In order to comply with the rule, the lawyer must act competently and reasonably to safeguard confidential client information and communications from inadvertent and unauthorized disclosure. This may be accomplished while storing client information electronically with a third party to the same extent and subject to the same standards as with storing confidential paper files in a third party warehouse. If the lawyer acts competently and reasonably to ensure the confidentiality of the information, then he or she does not violate SCR 156 simply by contracting with a third party to store the information, even if an unauthorized or inadvertent disclosure should occur.”
Opinion 701 (4/10/06) Advisory Committee on Professional Ethics regarding the Electronic Storage and Access of Client Files opined the following
“when client confidential information is entrusted in unprotected form, even temporarily, to someone outside the firm, it must be under a circumstance in which the outside party is aware of the lawyer's obligation of confidentiality, and is itself obligated, whether by contract, professional standards, or otherwise, to assist in preserving it. Lawyers typically use messengers, delivery services, document warehouses, or other outside vendors, in which physical custody of client sensitive documents is entrusted to them even though they are not employed by the firm. The touchstone in using “reasonable care” against unauthorized disclosure is that: (1) the lawyer has entrusted such documents to an outside provider under circumstances in which there is an enforceable obligation to preserve confidentiality and security, and (2) use is made of available technology to guard against reasonably foreseeable attempts to infiltrate the data. If the lawyer has come to the prudent professional judgment he has satisfied both these criteria, then “reasonable care” will have been exercised. In the specific context presented by the inquirer, where a document is transmitted to him by email over the Internet, the lawyer should password a confidential document (as is now possible in all common electronic formats, including PDF), since it is not possible to secure the Internet itself against third party access.”
Opinion 2003-03 (undated) The Vermont Bar Association Committee on Professional Responsibility responding to the following question “Is the use of outside technical experts to retrieve computer files permissible and not a violation of a lawyer’s duty of confidentiality to the client?” concluded that “It is appropriate for a lawyer to use outside technological support in managing case files when it is done in furtherance of carrying out the representation of the client. It is the expectation of the Rules that the lawyer will actively manage the non-lawyer to protect the confidentiality of the client’s information and should a significant breach occur, the lawyer would need to disclose such a breach to the client.” Additionally, “A lawyer may engage an outside contractor as a computer consultant to recover a lost data-base file, which contains confidential client information so long as: “The lawyer clearly communicates the confidentiality rules to the outside contractor; the contractor fully understands the confidentiality rules and embraces the obligation to maintain the confidentiality of any information obtained in the course of assisting the lawyer; and the lawyer determines that the contractor has instituted adequate safeguards to preserve and protect confidential information.”