|Oregon State Bar Bulletin JULY 2010|
Safeguarding Client Information in a Digital World
By Helen Hierschbiel
Everyone knows the old adage, “an elephant never forgets.” It turns out, neither does your copy machine. In a CBS Evening News report on April 19, 2010, Armen Keteyian revealed an apparently little known fact: nearly every digital copier built since 2002 contains a hard drive that stores an image of every document that has been stored, scanned, copied, e-mailed or faxed on it. In other words, the copiers that many lawyers have in their offices are filled with confidential client information. Thus, as with computers, and personal digital assistants (PDAs), lawyers’ copiers should be scrubbed before they are scrapped.
This story is a chilling reminder that lawyers must devote time and effort to understand the technologies that they use to represent their clients. Failure to do so may result in the inadvertent disclosure of client confidential information.
Oregon RPC 1.6(a) prohibits lawyers from revealing information relating to the representation of a client1 unless the client gives informed consent, or the disclosure is otherwise specifically authorized under the rule. This duty of confidentiality requires lawyers to do more than merely refrain from speaking about a client or turning over client files to others when not permitted by the rule. Lawyers must also take steps to ensure that their business practices do not compromise the confidentiality of client information. Comment  to the ABA Model Rules states:
A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.2
Advances in technology and interest in sustainable business practices have made electronic communication and document storage popular tools for law firms. While a lawyer’s obligation to safeguard client confidences has not changed over time, changing technology has impacted what will constitute reasonable and competent practices to protect confidential information. Thus, while lawyers generally are free to use modern methods of communication and document storage, it is incumbent on them to understand the risks inherent in use of these technologies and to guard against compromising client confidences.
The first ethics opinions that addressed the use of electronic communications prohibited lawyers from using cell phones and unencrypted e-mail. This was in part because of the newness of the technology, but also because of uncertainty about the level of privacy one could expect from the use of such communication methods. More recently, ethics authorities condone the practice, recognizing that the expectation of privacy in these modern methods of communication is comparable to and as reasonable as that of older methods of communication. For example, ABA Formal Ethics Op 99-413 (1999) states:
E-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy… The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of [the law].
Although use of electronic communications is not a per se violation of the duty of confidentiality, special precautions may be necessary in particular circumstances. For example, if information is particularly sensitive or subject to a confidentiality agreement, a lawyer may need to implement special security measures. Also, if a client requests it, a lawyer may be required to avoid, or be allowed to use, a particular type of electronic communication notwithstanding expectations of privacy in the communication method. See ABA Model Rules Comment .
A more common danger of e-mail communication lies not in the unauthorized interception of e-mails, but in the inadvertent disclosure of information not intended for the recipient.3 E-mail allows the transmission of large amounts of data quickly and easily, but it also includes hidden information, known commonly as “metadata,” that lawyers may not want or intend to share. Metadata is information embedded in electronic documents that describes the principal document, such as how, when and by whom it was created or edited.
Some metadata is fairly obvious and may be easily retrieved with the click of a mouse, even by novice users. Other information, however, may only be accessed by computer forensic analysis. In either case, competent representation requires that lawyers understand what information may be hidden in documents that they plan to send by e-mail so that appropriate steps can be taken to protect against inadvertent disclosure of what could be confidential or sensitive information. See, e.g., Arizona Ethics Op 07-03(2007) (lawyer must take “reasonable precautions” to prevent communication of metadata containing client information) and ABA Formal Op 06-442.4
Document Storage and Destruction
Traditionally, client documents were stored in their paper form in hard files that went into the law firm storage room when closed. When the firm ran out of storage space, files were stored in facilities owned and managed by third parties. Protecting against disclosure of confidential information meant ensuring the third-party storage facility was reputable, adequately secured and that unauthorized persons did not have access.
These days, lawyers are more apt to store their client files electronically. Some maintain data on a computer hard drive, disks or server on site, at the place of business. The trend recently is toward “cloud computing,” which is storing data remotely on the Internet through the use of third party vendors that maintain and update the software and hardware necessary to store the data.
Electronic storage of client files, like electronic communication, is generally acceptable, as long as lawyers take reasonable precautions to protect client information from further disclosure. Because one of the primary risks of electronic storage is the necessity of giving a third party access, lawyers should ensure that the third party promises to maintain the confidentiality of the information and to implement security measures that meet industry standards. See, e.g., Maine Ethics Op 194 (2007) (firm may store client files electronically but must “take steps to ensure that the company providing… confidential data storage has a legally enforceable obligation to maintain the confidentiality”); Missouri Informal Ethics Op 2006-0092 (lawyer may use third party to store electronic backup of firm’s files, but must receive assurances from third party that information will be kept secure “at a level that meets industry standards”).
Similarly, lawyers may contract with third parties to dispose of client files as long as they make reasonable efforts to ensure that the third party takes steps to protect confidential information. See OSB Formal Ethics Op 2005-141(law firm may contract with recycling service to dispose of documents that may contain information relating to the representation of a client.)
Finally, as discussed above, even when the files themselves are not scanned into an electronic format, documents created on and transmitted by computers and copy machines, store images of those documents on their hard drives. Lawyers should guard their laptops and PDAs against theft and take care to scrub the hard drives of these devices before they resell or recycle.
Competently safeguarding client information does not require lawyers to become computer or technology whizzes. Instead, it requires that lawyers be able to identify the potential problem, and consult an expert when they are in over their heads. This may mean hiring an information technology person to help set up and maintain an electronic communication and storage system. For lawyers who are interested in and able to navigate the ever-changing world of information technology, the Professional Liability Fund practice management advisers and the American Bar Association can be helpful resources.
1. “Information relating to the representation of a client” is defined in RPC 1.0(f) to include both information subject to the attorney-client privilege and other information gained during the course of representation that the client has asked the lawyer to keep secret or that would be embarrassing or detrimental to the client if disclosed.
2. Former DR 4-101(D) contained similar language: “A lawyer shall exercise reasonable care to prevent the lawyer’s employees, associates, and others whose services are utilized by the lawyer in connection with the performance of legal services from disclosing or using confidences or secrets of a client, except that a lawyer may reveal the information allowed by DR 4-101(C) through an employee.”
3. For a more comprehensive discussion of the dangers of e-mail communications, see DuBoff, “E-Mail Traps & Troubles,” OSB Bulletin (July 2009).
4. For information on lawyers’ obligations upon receipt of documents containing metadata, see Stevens, “Metadata, Guarding against the Disclosure of Embedded Information,” OSB Bulletin (April 2007).
ABOUT THE AUTHOR
Helen Hierschbiel is deputy general counsel for the Oregon State Bar. She can be reached at (503) 620-0222, or toll-free in Oregon at (800) 452-8260, ext. 361, or by e-mail at firstname.lastname@example.org
© 2010 Helen Hierschbiel