Attorneys may also retain vendors to manage documents, including electronically stored information (ESI), to assist with investigations or litigation. For a particular investigation or action, attorneys may retain a vendor to assist with one or more technical tasks, such as:
- Preserving potentially relevant documents (including implementing litigation holds).
- Collecting documents.
- Processing documents.
- Hosting documents in a document review platform.
- Producing documents.
- Presenting documents at a deposition, hearing, or trial.
In addition to technical tasks, vendors sometimes help review documents for relevance, responsiveness, or privilege.
This Note discusses ethical issues in the context of the American Bar Association’s (ABA) Model Rules of Professional Conduct (Model Rules), which many states adopt either verbatim or in substance. For details on how closely state ethics rules mirror the ABA Model Rules, see the ABA’s Jurisdictional Rules Comparison Charts.
Ethical Considerations
Before retaining a vendor, attorneys should consider their obligation to comply with the applicable ethics rules regarding:
- Providing competent representation (see Duty to Provide Competent Representation).
- Maintaining client confidences (see Duty to Maintain Client Confidences).
- Supervising other attorneys and support staff (see Duty to Supervise).
- The prohibition on the unauthorized practice of law (see Duty to Avoid the Unauthorized Practice of Law).
- Communicating with the client (see Duty to Communicate).
Duty to Provide Competent Representation
Attorneys must competently represent their clients (see ABA Model Rule 1.1). An attorney’s duty of competence is relevant to vendor retention because an attorney:
- May be unable to provide competent representation without retaining a vendor to provide select services (for example, an attorney may require an e-discovery vendor’s services to defensibly collect and process relevant ESI) (see ABA Model Rule 1.1 cmt. 8 (recognizing an attorney’s obligation to remain informed of the benefits and risks of relevant technologies)).
- Must competently evaluate potential vendors. For example, an attorney must diligently assess whether a prospective vendor is:
- capable of safeguarding the client’s information; and
- qualified and competent to perform the related task.
Duty to Maintain Client Confidences
Unless the client consents to disclosure, an attorney generally must make reasonable efforts to avoid revealing information related to the representation to anyone outside of the attorney-client relationship (ABA Model Rule 1.6; see also ABA Formal Op. 21-498 (Mar. 10, 2021) and ABA Formal Op. 17-477 (May 22, 2017)). Because vendors are rarely considered to be within the attorney-client relationship, an attorney must consider the duty to maintain client confidences when retaining and working with vendors.
An attorney’s duty to maintain client confidences is relevant to vendor retention and use regardless of whether the client consents to sharing confidential information with a vendor. Specifically, if a client:
- Consents to sharing confidential information with a vendor (such as by signing an engagement letter that addresses the client’s consent to share information with vendors), an attorney must still ensure that the vendor is taking reasonable steps to safeguard the client’s information from others (see Duty to Supervise Attorneys and Nonattorneys; see also ABA Formal Op. 21-498 (Mar. 10, 2021) (addressing an attorney’s obligation to ensure that vendor and the services they provide are capable of providing adequate protections)).
- Does not consent to sharing confidential information with a vendor, the attorney must take reasonable steps to prevent the vendor from accessing the client’s protected information.
When considering whether an attorney’s or vendor’s efforts to protect the client’s information are reasonable, attorneys should consider:
- How sensitive the information is.
- Whether third parties are likely to access the information if the attorney or vendor does not implement additional protections.
- The cost of implementing additional protections.
- How difficult it may be to implement additional protections.
- Whether additional protections are likely to hinder the attorney’s ability to represent the client.
(ABA Formal Op. 21-498 (Mar. 10, 2021) (citing ABA Model Rule 1.6 cmt. 18).)
Duty to Supervise Attorneys and Nonattorneys
An attorney must make reasonable efforts to ensure that subordinate attorneys and employed or retained nonattorneys comply with the Model Rules, including those relating to confidentiality and competence (ABA Model Rules 5.1 and 5.3). Specifically, law firm partners and other managing or supervising attorneys must make reasonable efforts to ensure that:
- The firm or organization implements policies that ensure that all of its attorneys and nonattorneys comply with the Model Rules (ABA Model Rule 5.1(a) and 5.3(a)).
- The attorneys and nonattorneys they supervise comply with the Model Rules (ABA Model Rule 5.1(b) and 5.3(b)).
An attorney is responsible for another attorney’s and nonattorney’s misconduct (that is, conduct that violates the ethics rules that apply to the attorney) if the attorney:
- Orders the other attorney or nonattorney to perform the misconduct.
- Knows of and ratifies the other attorney’s or nonattorney’s misconduct.
- Has managerial or direct supervisory authority over the other attorney or nonattorney and is aware of the misconduct, yet fails to take reasonable, available action to avoid or minimize the negative consequences.
(ABA Model Rule 5.1(c) and 5.3(c).)
An attorney’s duty to supervise is relevant in the vendor context whether the vendor is serving in:
- A technical role, in which case the vendor personnel are nonattorneys the attorney must supervise (see ABA Formal Op. 21-498 (Mar. 10, 2021) (recognizing an attorney’s need to rely on technology vendors and the related obligation to ensure that the vendors comply with the attorney’s ethical obligations)).
- A legal role, such as when the vendor provides contract attorneys to assist with a document review project, in which case the primary attorney must supervise the vendor-provided attorneys.
Duty to Avoid the Unauthorized Practice of Law
Attorneys may not practice law in a manner that violates the rules governing the legal profession in the forum jurisdiction, nor assist another individual in doing so (ABA Model Rule 5.5(a)). The Model Rules generally require that legal work be performed by attorneys admitted to practice in the forum jurisdiction.
In light of this restriction, an attorney retaining a vendor must ensure that the vendor’s:
- Nonattorney personnel do not perform legal work.
- Attorney personnel:
- are admitted to practice in the forum jurisdiction; or
- meet the criteria established for nonadmitted attorneys to practice in the forum jurisdiction (ABA Model Rule 5.5(c)).
Duty to Communicate
An attorney must provide a client with the information the client needs to make an informed decision (ABA Model Rule 1.4(b)). This obligation is relevant:
- To vendor selection and retention, if an attorney seeks the client’s consent to retain a vendor and share the client’s confidential information.
- When a retained vendor suffers a data breach that affects the client’s data, as knowledge of the breach is likely significant to a client’s decision to ongoing consent to sharing its information with the vendor.
(See ABA Formal Op. 18-483 (Oct. 17, 2018).)
Complying with Ethical Obligations
To ensure their compliance with the applicable ethics rules while retaining and working with vendors, attorneys should:
- Candidly assess their ability to provide all facets of representation. For example, when anticipating e-discovery, attorneys should consider whether they:
- have access to litigation technologists within their firm or employed by the client; or
- must retain a vendor possessing the requisite expertise and resources.
- Diligently evaluate potential vendors, including their processes for safeguarding client data and other information about the client (see, for example, ABA Formal Op. 95-398 (Oct. 27, 1995)).
- Obtain the client’s written, informed consent before providing a vendor with access to the client’s data or other information about the representation.
- Execute a written confidentiality agreement with a vendor that details:
- the attorney’s and the vendor’s respective obligations to safeguard the client’s data and any other information about the representation;
- any specific steps the vendor must make to safeguard client data and other information about the representation;
- any confidentiality order or agreement executed in the related matter or proceeding, including the vendor’s obligation to abide by its terms (see ABA Formal Op. 21-498 (Mar. 10, 2021)); and
- the vendor’s obligation to inform the attorney if the client’s data or other information about the representation is compromised and take steps to mitigate any resulting harm.
(See ABA Formal Op. 08-451 (Aug. 5, 2008) (recognizing permissibility of outsourcing nonlegal services and advising attorneys to execute a confidentiality agreement with vendors) and ABA Formal Op. 21-498 (Mar. 10, 2021) (recommending that attorneys consider entering into a confidentiality agreement with vendors).)
- Develop and implement policies at the attorney’s firm (or in-house legal department) to ensure that:
- other attorneys are aware of and comply with their ethical obligations; and
- nonattorneys are aware of and comply with the supervising attorney’s ethical obligations.
- Take prompt, reasonable action to mitigate the negative consequences of any vendor misconduct.
- Avoid retaining a vendor to provide legal assistance unless the relevant personnel are authorized to practice law in the forum jurisdiction.
- Promptly inform the client if the client’s data or other information about the representation is compromised.
Attorneys should document all of their efforts so that they have an accurate record of the diligence in complying with the applicable ethics rules.