September 04, 2018
Author: Brett M. Larson
Organization: Messerli & Kramer
Law firms and lawyers are increasingly dependent on electronic means of storing and communicating information. Electronic data storage saves law firms money, cloud storage technology offers even small law firms a large cache of data storage at a low cost, and both electronic data storage and communication make lawyers and the practice of law more efficient. Document management programs make all law firm data searchable, making both transactional and litigation practices more efficient, especially in the context of discovery in document-intensive cases. While lawyers depend significantly on this technology, this dependence cannot be indifferent to its risks. As data theft becomes more and more common and relatively easy to accomplish absent adequate electronic data security processes, lawyers have an ethical obligation to take reasonable steps to protect client information held on a cloud or in electronic data storage. Clients in the financial services and health care industries drive their law firms to have security measures in place to protect their data to ensure their own compliance with Federal and State law. The minimum that a law firm must do is established by the ethical rules at issue, most commonly Rule 1.6 (confidentiality), Rule 1.1 (competence), and Rule 5.3 (supervision of nonlawyers).
II) Minnesota Rule of Professional Responsibility 1.6 – Duty of Confidentiality
Generally, “a lawyer shall not knowingly reveal information relating to the representation of a client.” MRPC 1.6(a). “A fundamental principle in the client-lawyer relationship is that, in the absence of the client's informed consent, the lawyer must not reveal information relating to the representation.” Id. “‘Informed consent’ denotes the agreement by a person to a proposed course of conduct after the lawyer has communicated adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct.” MRPC 1.0(f). This duty is important to encourage the client to “communicate fully and frankly with the lawyer even as to embarrassing or legally damaging subject matter” so that the lawyer has sufficient information to represent the client effectively and properly advise the client.
Exceptions to this general rule define the limitations of the duty of confidentiality. “A lawyer may reveal information relating to the representation of a client if:
1) the client gives informed consent;
2) the information is not protected by the attorney-client privilege under applicable law, the client has not requested that the information be held inviolate, and the lawyer reasonably believes the disclosure would not be embarrassing or likely detrimental to the client;
3) the lawyer reasonably believes the disclosure is impliedly authorized in order to carry out the representation;
4) the lawyer reasonably believes the disclosure is necessary to prevent the commission of a fraud that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer's services or to prevent the commission of a crime;
5) the lawyer reasonably believes the disclosure is necessary to rectify the consequences of a client's criminal or fraudulent act in the furtherance of which the lawyer's services were used;
6) the lawyer reasonably believes the disclosure is necessary to prevent reasonably certain death or substantial bodily harm;
7) the lawyer reasonably believes the disclosure is necessary to secure legal advice about the lawyer's compliance with these rules;
8) the lawyer reasonably believes the disclosure is necessary to establish a claim or defense on behalf of the lawyer in an actual or potential controversy between the lawyer and the client, to establish a defense in a civil, criminal, or disciplinary proceeding against the lawyer based upon conduct in which the client was involved, or to respond in any proceeding to allegations by the client concerning the lawyer's representation of the client;
9) the lawyer reasonably believes the disclosure is necessary to comply with other law or a court order; or
10) the lawyer reasonably believes the disclosure is necessary to inform the Office of Lawyers Professional Responsibility of knowledge of another lawyer's violation of the Rules of Professional Conduct that raises a substantial question as to that lawyer's honesty, trustworthiness, or fitness as a lawyer in other respects.” MRPC 1.6(b).
III) Minnesota Rule of Professional Responsibility 1.1: Acting Competently to Preserve Confidentiality
“A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. See Rules 1.1, 5.1 and 5.3.” Comment 15 to MRPC 1.6.
The comments to the rules clarify the analysis to determine when a lawyer has done enough to protect electronic data. Lawyers do not need to take special security measures to protect electronic data communications if the method of communication “affords a reasonable expectation of privacy.” Comment 16 to MRPC 1.6.
“Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule.” Comment 16 to MRPC 1.6.
IV) Minnesota Rule of Professional Responsibility 5.3: Responsibilities of Lawyers Related to Services Provided by Non-Lawyers
Service providers who provide data security software, technical support, and in some cases, offsite data management services are generally non-lawyers who are being given access to confidential client information outside the lawyer’s direct control and supervision. Lawyers must take “reasonable precautions” to ensure that non-lawyer providers have taken reasonable measures to safeguard the confidentiality of client information, and that non-lawyers are adequately apprised of the lawyer’s confidentiality obligations. MRPC 5.3.
Shareholders, attorneys with comparable managerial authority within the law firm, and any attorneys directly overseeing the non-lawyer employees or contractors are charged with making “reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the non-lawyer’s conduct is compatible with the professional obligations of the lawyer.” MRPC 5.3(a) and (b).
That lawyer will be responsible for the conduct of the non-lawyer IT professional if: “(1) the lawyer orders or, with the knowledge of the specific conduct, ratifies the conduct involved; or (2) the lawyer is a partner or has comparable managerial authority in the law firm in which the person is employed, or has direct supervisory authority over the person, and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.” MRPC 5.3(c).
V) Ethical Implications of Electronic Data Cloud Storage and Electronic Communication of Data.
When dealing with online service providers or any IT professionals, lawyers are obligated to protect clients’ confidential information and to adequately supervise both lawyers and nonlawyers in the course of doing so. Moreover, in the event of a breach of data security, a lawyer may be obligated under Rule 1.4(b) to disclose the breach to the client.
The ABA Standing Committee on Ethics and Professional Responsibility has not yet issued a formal opinion on “cloud computing”; however, the ABA Commission on Ethics 20/20 Working Group on the Implications of New Technologies published an “Issues Paper Concerning Client Confidentiality and Lawyers’ Use of Technology” (Sept. 20, 2010) that addressed many of the ethical implications of using “the cloud.” The Working Group found that potential confidentiality problems involved with “cloud computing” include:
• Storage in countries with less legal protection for data;
• Unclear policies regarding data ownership;
• Failure to adequately back up data;
• Unclear policies for data breach notice;
• Insufficient encryption;
• Unclear data destruction policies;
• Protocol for a change of cloud providers;
• Disgruntled/dishonest insiders;
• Technical failures;
• Server crashes;
• Data corruption;
• Data destruction;
• Business interruption (e.g., weather, accident, terrorism); and,
• Absolute loss (i.e., natural or man-made disasters that destroy everything).
Issues Paper Concerning Client Confidentiality and Lawyers’ Use of Technology, ABA Commission on Ethics 20/20 (September 20, 2010).
The Issues Paper also stated, “[f]orms of technology other than ‘cloud computing’ can produce just as many confidentiality-related concerns, such as when laptops, flash drives, and smart phones are lost or stolen.” Id. The Commission is considering recommending the following precautions:
• Physical protection for devices (e.g., laptops and smart phones) or methods for remotely deleting data from lost or stolen devices;
• Strong passwords;
• Purging data from replaced devices (e.g., computers, smart phones, and copiers with scanners);
• Safeguards against malware (e.g., virus and spyware protection);
• Firewalls to prevent unauthorized access;
• Frequent backups of data;
• Updating to operating systems with the latest security protections;
• Configuring software and network settings to minimize security risks;
• Encrypting sensitive information;
• Identifying or eliminating metadata from electronic documents; and
• Avoiding public Wi-Fi when transmitting confidential information (e.g., sending an email to a client). Id.
Law firms that rely on IT professionals for electronic data security and utilize cloud or off-site electronic data storage and transfer in the course of delivering legal services should take the time to make sure they select the appropriate security mechanisms or hire people to help them do so. In the event that a law firm hires an outside IT professional, it must carefully vet the provider and ensure that the contract between the law firm and the provider clearly describes the provider’s obligations to comply with and advance the attorney’s ethical obligations.
1) Select Appropriate Security Mechanisms and Services
It is the individual lawyer’s obligation, when dealing with confidential electronic data, to select technology tools that both afford a “reasonable expectation of privacy” and otherwise ensure competent representation of the client. This standard forces ethics committees to apply broad subjective principles to determine the adequacy of particular security measures on a case-by-case basis.
If the appropriate security measures are employed, a law firm can use remote servers to store client data. “An attorney may ethically allow client confidential material to be stored in ‘the cloud’ provided the attorney takes reasonable care to assure that (1) all such materials remain confidential, and (2) reasonable safeguards are employed to ensure that the data is protected from breaches, data loss, and other risks. ... It is important that he or she is aware that some methods like ‘cloud computing’ require suitable measures to protect confidential electronic communications and information. The risk of security breaches and even the complete loss of data in cloud computing is magnified because the security of any stored data is with the service provider.” Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility, Formal Opinion 2011-200.
The New York State Bar Association Committee on Professional Ethics concluded in Opinion 842 (Sept. 10, 2010) that the reasonable care standard for confidentiality should be maintained for online data storage and a lawyer is required to stay abreast of technology advances to ensure protection. Reasonable care may include: (1) obligating the provider to preserve confidentiality and security and to notify the attorney if served with process to produce client information, (2) making sure the provider has adequate security measures, policies, and recoverability methods, and (3) guarding against “reasonably foreseeable” data infiltration by using available technology. Id.
The Alabama State Bar Office of General Counsel Disciplinary Commission issued Ethics Opinion 2010-02, concluding that an attorney must exercise reasonable care in storing client files, which includes becoming knowledgeable about a provider’s storage and security and ensuring that the provider will abide by a confidentiality agreement. Lawyers should stay on top of emerging technology to ensure security is safeguarded. Attorneys may also need to back up electronic data to protect against technical or physical impairment, and install firewalls and intrusion detection software.
Whether information is stored on a cloud, on a local server, or on another technology that makes information more susceptible to theft, ethics committees focus on what security measures were employed and, in light of the current state of technology, whether the lawyer was reasonable in believing that the information was protected. Ethics Opinion 2010-179 noted that a lawyer’s use of a wireless internet network at home or work is acceptable to the extent that it is configured with appropriate security features such as firewalls, encryption and password protection, but that use of a public wireless connection may require additional safeguards, such as encryption and a firewall.
State Bar of Arizona Ethics Opinion 09-04 (Dec. 2009) stated that an attorney should take reasonable precautions to protect the security and confidentiality of data, precautions which are satisfied when data is accessible exclusively through a Secure Sockets Layer (“SSL”) encrypted connection and at least one other password is used to protect each document on the system. Lawyers have a minimum obligation to understand the type of information that they maintain for clients and should have an agreement with a well-vetted IT service or cloud management provider that requires the provider to acknowledge the sensitivity and confidentiality of the information it is given control over and to employ state-of-the-art security measures to protect the confidentiality of this information.
2) Become a Technology Expert—or Hire One
Relatedly, attorneys have the obligation to acquire the training necessary to make an informed decision about selecting the appropriate security mechanisms and services, or to hire a technology consultant who can do so. “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” Model Rules of Professional Conduct R. 1.1 cmt. 6 (2012).
“An attorney must have at least a base-level comprehension of the technology and the implications of its use. While no attorney is required to know precisely how cutting-edge technology truly works or be a computer genius, the competence requirements of the Rules necessitate at least a cursory understanding of any technology used if for no other reason than to enable an attorney to effectively communicate to a client the pros and cons of its use in the representation.” Brand, Joshua H., Assistant Director Minnesota Office of Lawyers Professional Responsibility, Cloud Computing Services Cloud Storage (Minnesota Lawyer 2012) (citing Rules 1.1 and 1.4, Minnesota Rules of Professional Conduct; see also St. B. of Ariz. Comm. on the Rules of Prof’l Conduct, Formal Op. 09-04 (2009) (“[L]awyers [must] recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field.”)). Arizona has taken a similar approach in published ethics opinions. Arizona Ethics Opinion 05-04 (2005) said a lawyer may need to conduct additional research or hire an expert consultant to make a “competent” decision about technology and security. It logically follows that a lawyer must be sufficiently familiar with the security features of different types of technologies in order to take “reasonable” precautions to protect information. The Arizona Bar Association further stated, “[i]t is important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult experts in the field.” State Bar of Arizona Ethics Opinion 09-04 (Dec. 2009).
3) Carefully Select and Monitor Your IT Professional or Network Provider
A lawyer must use care in selecting an IT services provider. Pursuant to Rules 1.1 and 5.3, that involves adequately investigating the prospective service provider, and making “reasonable efforts” to ensure it has measures that “provide a reasonable assurance” that the conduct of nonlawyer employees satisfies the lawyer’s ethical obligations. In order to satisfy these obligations, at a minimum, the responsible lawyer(s) must have an understanding of the security safeguards in place and the steps that the provider will take to protect confidential client information. The responsible attorneys must therefore have enough of an understanding of the following information in order to have that “reasonable assurance” of compliance.
“While complete security is never achievable, a prudent attorney will employ reasonable precautions and thoroughly research a cloud storage vendor’s security measures and track record prior to utilizing the service.” Brand, Joshua H., Assistant Director Minnesota Office of Lawyers Professional Responsibility, Cloud Computing Services Cloud Storage (Minnesota Lawyer 2012). Reasonable precautions may also require an attorney to read and understand a vendor’s user and/or license agreement(s) prior to uploading client information to their servers.
A) Understand what information is being stored.
Security measures must be adequate for the sensitivity of the stored document. “Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement.” Comment 16 to MRPC 1.6. Understanding the type of information to be protected is especially important if the law firm represents clients in the financial services or health care industries, as those clients are subject to specific regulations related to information security and in most cases require that their legal service providers observe the same or equivalent security measures to those they have employed internally.
B) Know who has access to the information.
Lawyers should also have some general familiarity with the individuals accessing the electronic information. For example, in Michigan Informal Ethics Opinion RI-328 (2002), the ethics committee ruled that a governmental law department may use the services of a technical support group in a separate department providing the lawyers had no reason to believe that the individuals in the group had a special interest in accessing or would be likely to access the confidential client information. In North Dakota Ethics Opinion 99-03 (1999), the ethics committee determined that minimally adequate measures for using an online backup service require that a law firm limit access to authorized personnel through the use of passwords or other security measures.
C) Know where the information resides.
Delegating tasks to lawyers in physically remote locations can pose additional difficulties. “Electronic communication can close the gap somewhat,” warns ABA Formal Ethics Opinion 08-451 (2008), but it “may not be sufficient to allow [lawyers] to monitor the work of the lawyers and non-lawyers working for [them] in an effective manner.” Id. State ethics authorities are just beginning to grapple with ethics questions posed by the use of cloud computing, and other technologies that make the tracking and securing of client information more complicated. In Minnesota, Assistant Director Brand has suggested that if a law firm uses a cloud service, the vendor’s servers should be located in a jurisdiction that applies similar or equivalent legal protections against search and seizure to those that are applied in Minnesota (or any other jurisdiction in which the lawyers of the firm are licensed to practice). Brand, Joshua H., Assistant Director Minnesota Office of Lawyers Professional Responsibility, Cloud Computing Services Cloud Storage (Minnesota Lawyer 2012).
D) Ensure that the IT professional understands your duty of confidentiality.
Under Rule 5.3(b) a lawyer’s ethical obligation requires that the lawyer adequately explain the lawyer’s duty of confidentiality and ensure that the contractor or IT employee understands the obligation. Although not required, most ethics authorities recommend some type of written acknowledgement that the contractor understands the confidential nature of the materials and agrees to protect the information from disclosure. (See ABA Formal Ethics Opinion 08-451 (2008) and Michigan Informal Ethics Opinion RI-328 (2002).) In some jurisdictions the written acknowledgement must constitute an enforceable agreement. New Jersey Ethics Opinion 701 (2006). This acknowledgement should be included in the contract between the law firm and the IT professional or in a separate acknowledgment that is executed contemporaneously with that contract, or at least before any confidential information is made available to the employee or contractor.
E) Understand the law firm’s rights and the provider’s obligation under the vendor service agreement.
In the event a law firm hires a contractor, or for that matter an employee, to manage its electronic data, the responsible attorney must read and understand the agreement governing the vendor or employee’s services and use of that information prior to giving the service provider access to confidential client information. Brand, Joshua H., Assistant Director Minnesota Office of Lawyers Professional Responsibility, Cloud Computing Services Cloud Storage (Minnesota Lawyer 2012).
The agreement should appropriately address the following issues:
• The IT professional should have a confidentiality agreement that binds the professional and any other employees or agents of the professional who will have access to client information. The duty of confidentiality should mirror the attorney’s duty.
• The agreement should make clear that in the event that the relationship between the law firm and the IT professional terminates for any reason, or the IT professional goes out of business, then the data that it has maintained will be returned to the law firm and when receipt of this information is confirmed, the IT professional will destroy its copy.
• The agreement should not allow the IT professional, if an outside vendor, to revoke the law firm’s access to client information in the event of a breach by the law firm, including for a failure to pay. The vendor should have adequate protections to ensure the law firm’s performance; however, the lawyer’s ability to control and access client data should not be susceptible to being cut off, which could jeopardize the client’s representation.
• The vendor’s servers should be located in a jurisdiction that applies similar or equivalent legal protections against search and seizure to those that are applied in Minnesota (or any other jurisdiction in which the lawyers of the firm are licensed to practice).
• Relatedly, the agreement should require that the vendor notify the law firm as soon as possible in the event of a subpoena so that the law firm can take all appropriate measures to protect this information. Id.
4) Obtain client consent in advance of using cloud services and certain IT providers.
The Rule 1.6(a) prohibition against revealing information related to a client’s representation includes exceptions for disclosures that are “impliedly authorized” or where a lawyer has obtained a client’s informed consent to the disclosure. Ethics authorities disagree about whether lawyers are “impliedly authorized” to use outside service providers to electronically store or manage confidential client information.
The jurisdictions that follow the model rule mandate that law firms must obtain the informed consent of clients prior to utilizing the services of a cloud service provider. At the other end of the spectrum are several state ethics authorities that overlook analysis of Rules 1.2 and 1.4 and conclude that lawyers are “impliedly authorized” to make confidential client information accessible to outside service providers pursuant to Rule 1.6(a).
The Pennsylvania Bar Association indicated that an attorney’s obligation to require client consent depends upon the type of information that the law firm will maintain on a cloud server. “While it is not necessary to communicate every minute detail of a client's representation, ‘adequate information’ should be provided to the client so that the client understands the nature of the representation and ‘material risks’ inherent in an attorney's methods. So, for example, if an attorney intends to use cloud computing to manage a client's confidential information or data, it may be necessary, depending on the scope of the representation and the sensitivity of the data involved, to inform the client of the nature of the attorney's use of the cloud computing and the advantages as well as the risks endemic to online storage and transmission.” Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility, Formal Opinion 2011-200. Ultimately, though, given the discord among the states about whether the ethics rules permit the hiring of an outside online service provider without client consent, lawyers should obtain client consent in the initial retainer agreement as a precaution.
5) Notify the client in the event of a data breach.
Additional responsibilities flow from actual breaches of data. In the event of an actual breach, the attorney has an obligation to notify the client of the breach and should explain the measures in place to protect against such a data breach. In addition to the ethical obligation, law firms have a legal obligation to inform a client of a theft of their information. At least forty-five States, including Minnesota, currently have data breach notification laws. Minnesota’s notification law states:
Any person or business that maintains data that includes personal information that the person or business does not own shall notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person. Minn. Stat. § 325E.61, Subd. 1(b).
Breach of the security of the system means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good faith acquisition of personal information by an employee or agent of the person or business for the purposes of the person or business is not a breach of the security system, provided that the personal information is not used or subject to further unauthorized disclosure. Minn. Stat. § 325E.61, Subd. 1(d).
Personal information means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the data element is not secured by encryption or another method of technology that makes electronic data unreadable or unusable, or was secured and the encryption key, password, or other means necessary for reading or using the data was also acquired: (1) social security number; (2) driver's license number or Minnesota identification card number; or (3) account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. Minn. Stat. § 325E.61, Subd. 1(f).
Although the legal obligation placed on a law firm to disclose data breaches is limited to those referenced above in Section 325E, any known theft of client information should be disclosed to the client so that the attorney and the client can take all necessary steps to minimize the harm caused by the breach.
Generally, the consensus is that, while “cloud computing” is permissible, lawyers should proceed with caution because they have an ethical duty to protect sensitive client data. In order to meet the minimum ethical requirements, which will likely be well below client standards for data security, attorneys must: (1) include terms in any agreement with the provider that require the provider to preserve the confidentiality and security of the data, and (2) be knowledgeable about how providers will handle the data entrusted to them. An attorney cannot blindly trust an IT service provider with client information and must exercise some control and require that the IT provider, whether an employee or a contractor, observe certain precautions and put in place security safeguards. The client should be notified generally about any risks to data loss in the retainer and the law firm should be careful to scrutinize and demand necessary amendments to service provider agreements.