Data Security and Attorney Ethics

July 23, 2015

data securityWith data (in)security showing up more frequently in the headlines, with occasionally costly results, attorneys have to be concerned with their duty to protect client data from intrusion. Given that the comments to the Model Rules require lawyers to protect against even ‘inadvertent’ disclosure, what steps are attorneys required to take to protect client confidences?

Given the news about hacked e-mail accounts (not to mention the occasional unannounced warrantless search by government agencies), you might wonder whether consumer e-mail is secure enough for professional use.  Some practitioners in Texas didn’t just wonder, they went ahead and asked the state ethics board whether e-mail could be used for confidential communication.  The answer they got was reassuring: in general, e-mail is a suitable medium for confidential communication, as there is a certain amount of disclosure risk in any medium, and email is specifically protected from interception by federal law. However, the Texas Professional Ethics Committee was careful to note that if an attorney has reason to believe that e-mail won’t be a secure mode of communication (if, for example, the client shares an e-mail account with another person), the attorney must make sure the client understands the risks of electronic communication, and may need to find another channel to reach their client.

As cloud storage and cloud computing become more prominent in the digital toolbag, attorneys have to be worried about the propriety of literally handing a client’s information over to a third party for storage.  The Florida State Bar’s Ethics Committee addressed cloud computing in a recent opinion.  The bar gave cloud storage its blessing, but added some familiar warnings: an attorney will be under the usual ongoing duty to keep abreast of technological change, as well as a duty to investigate the cloud provider.  While some providers take extensive security measures and have confidentiality policies in place, not all do, and the duty to know the difference lies with the attorney.

Practitioners wishing to take advantage of a Virtual Law Office setting must face yet further ethical questions.  The California State Bar addressed this issue with a practitioner who wished to have a law office fully online, with client communication being run substantially (and possibly exclusively, with no face-to-face or telephone contact) through a password protected digital portal.  The State Bar said that, much as with cloud computing, an attorney must carefully scrutinize a vendor’s security practices, and revisit them regularly.  Additionally, an attorney must be sure that any representation is possible using only the internet, taking special care to be sure that the client is who he/she says he/she is.

This is just a sampling of a few ethical issues that have been addressed in a few large states, but a theme emerges that attorneys must be mindful of the security risks in digital communication and digital storage of private client information.  We don’t know what digital tools will become available to practitioners in the years to come, but they would be mindful to pay attention to these ethical concerns.