Ethics Committee Opinion 701: Electronic Storage and Access of Client Files
Advisory Committee on Professional Ethics
Appointed by the Supreme Court of New Jersey
The inquirer asks whether the Rules of Professional Conduct permit him to make use of an
electronic filing system whereby all documents received in his office are scanned into a digitized
format such as Portable Data Format (“PDF”). These documents can then be sent by email, and as the
inquirer notes, “can be retrieved by me at any time from any location in the world.” The inquirer notes that certain documents that by their nature require retention of original hardcopy, such as wills and deeds, would be physically maintained in a separate file.
In Opinion 692, we set forth our interpretation of the term “property of the client” for purposes
of RPC 1.15, which then triggers the obligation of a lawyer to safeguard that property for the client.
“Original wills, trusts, deeds, executed contracts, corporate bylaws and minutes are but a few examples of documents which constitute client property.” 163 N.J.L.J. 220, 221 (January 15, 2001) and 10 N.J.L. 154 (January 22, 2001). Such documents cannot be preserved within the meaning of RPC 1.15 merely
by digitizing them in electronic form, and we do not understand the inquirer to suggest otherwise, since he acknowledges his obligation to maintain the originals of such documents in a separate file.
On the other hand, we also noted in Opinion 692 that a client file will likely contain other
documents, such as correspondence, pleadings, memoranda, and briefs, that are not “property of the
client” within the meaning of RPC 1.15, but that a lawyer is nevertheless required to maintain at least
for some period of time in order to discharge the duties contained in RPC 1.1 (Competence) and RPC
1.4 (Communication), among others. While traditionally a client file has been maintained through
paper records, there is nothing in the RPCs that mandates a particular medium of archiving such
documents. The paramount consideration is the ability to represent the client competently, and given
the advances of technology, a lawyer’s ability to discharge those duties may very well be enhanced by
having client documents available in an electronic form that can be transmitted to him instantaneously through the Internet. We also note the recent phenomenon of making client documents available to the client through a secure website. This also has the potential of enhancing communications between
lawyer and client, and promotes the values embraced in RPC 1.4.
With the exception of “property of the client” within the meaning of RPC 1.15, therefore, and
with the important caveat we express below regarding confidentiality, we believe that nothing in the
RPCs prevents a lawyer from archiving a client’s file through use of an electronic medium such as
PDF files or similar formats. The polestar is the obligation of the lawyer to engage in the
representation competently, and to communicate adequately with the client and others. To the extent
that new technology now enhances the ability to fulfill those obligations, it is a welcome development.
This inquiry, however, raises another ethical issue that we must address. As the inquirer notes,
the benefit of digitizing documents in electronic form is that they “can be retrieved by me at any time
from any location in the world.” This raises the possibility, however, that they could also be retrieved
by other persons as well, and the problems of unauthorized access to electronic platforms and media
(i.e. the problems posed by “hackers”) are matters of common knowledge. The availability of sensitive
client documents in an electronic medium that could be accessed or intercepted by unauthorized users
therefore raises issues of confidentiality under RPC 1.6.
The obligation to preserve client confidences extends beyond merely prohibiting an attorney
from himself making disclosure of confidential information without client consent (except under such
circumstances described in RPC 1.6). It also requires that the attorney take reasonable affirmative
steps to guard against the risk of inadvertent disclosure. Thus, in Opinion 692, we stated that even
when a closed client file is destroyed (as permitted after seven years), “[s]imply placing the files in the
trash would not suffice. Appropriate steps must be taken to ensure that confidential and privileged
information remains protected and not available to third parties.” 163 N.J.L.J. 220, 221 (January 15,
2001) and 10 N.J.L. 154 (January 22, 2001). Similarly, in ACPE Opinion 694 and CAA Opinion 28
(joint opinion), we joined with the Committee on Attorney Advertising in finding that two separate
firms could not maintain shared facilities where “the pervasive sharing of facilities by the two separate
firms as described in the Agreement gives rise to a serious risk of a breach of confidentiality that their
respective clients are entitled to.” 174 N.J.L.J. 460 and 12 N.J.L. 2134 (November 3, 2003).
And in Opinion 515, we permitted two firms to share word processing and computer facilities
without becoming “office associates” within the meaning of R. 1:15-5(b), but only after noting that
“the material relating to individual cases of each attorney is maintained on separate ‘data’ disks used
only by their respective secretaries and stored (while not in use) in each of their separate offices.” 111
N.J.L.J. 392 (April 14, 1983).
We stress that whenever attorneys enter into an arrangement as outlined herein, the
attorneys must exercise reasonable care to prevent the attorney’s employees and
associates, as well as others whose services are utilized by the attorney, from disclosing
or using confidences or secrets of a client.
The attorneys should be particularly sensitive to this requirement and establish office
procedures that will assure that confidences or secrets are maintained.
Id.
The critical requirement under RPC 1.6, therefore, is that the attorney “exercise reasonable
care” against the possibility of unauthorized access to client information. A lawyer is required to
exercise sound professional judgment on the steps necessary to secure client confidences against
foreseeable attempts at unauthorized access. “Reasonable care,” however, does not mean that the
lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all
unauthorized access. Such a guarantee is impossible, and a lawyer can no more guarantee against
unauthorized access to electronic information than he can guarantee that a burglar will not break into
his file room, or that someone will not illegally intercept his mail or steal a fax.
What the term “reasonable care” means in a particular context is not capable of sweeping
characterizations or broad pronouncements. But it certainly may be informed by the technology
reasonably available at the time to secure data against unintentional disclosure. Obviously, in this area,
changes in technology occur at a rapid pace. In 1983, for instance, when Opinion 515 was published,
the personal computer was still somewhat of a novelty, and the individual floppy disk was the
prevailing data storage device. The “state of the art” in maintaining electronic security was not very
developed, but the ability to prevent unauthorized access by physically securing the floppy disk itself
satisfied us that confidentiality could be maintained. By implication, at the time we were less
accepting of data stored on a shared hard drive, even one that was partitioned to provide for individual
private space for use by different firms, because of the risk of breach of confidentiality under
prevailing technology.
We are of course aware that floppy disks have now become obsolete, and that it is exceedingly
unlikely in this day and age that different law firms would attempt to share hard drive space on a
conventional desktop computer, given the small cost of such computers in today’s market. New
scenarios have arisen, however. It is very possible that a firm might seek to store client sensitive data
on a larger file server or a web server provided by an outside Internet Service Provider (and shared
with other clients of the ISP) in order to make such information available to clients, where access to
that server may not be exclusively controlled by the firm’s own personnel. And in the context
originally raised by the inquirer, it is almost always the case that a law firm will not have its own
exclusive email network that reaches beyond its offices, and thus a document sent by email will very
likely pass through an email provider that is not under the control of the attorney.
We are reluctant to render a specific interpretation of RPC 1.6 or impose a requirement that is
tied to a specific understanding of technology that may very well be obsolete tomorrow. Thus, for
instance, we do not read RPC 1.6 or Opinion 515 as imposing a per se requirement that, where data is
available on a secure web server, the server must be subject to the exclusive command and control of
the firm through its own employees, a rule that would categorically forbid use of an outside ISP. The
very nature of the Internet makes the location of the physical equipment somewhat irrelevant, since it
can be accessed remotely from any other Internet address. Such a requirement would work to the
disadvantage of smaller firms for which such a dedicated IT staff is not practical, and deprive them and
their clients of the potential advantages in enhanced communication as a result.
Moreover, it is not necessarily the case that safeguards against unauthorized disclosure are
inherently stronger when a law firm uses its own staff to maintain a server. Providing security on the
Internet against hacking and other forms of unauthorized use has become a specialized and complex
facet of the industry, and it is certainly possible that an independent ISP may more efficiently and
effectively implement such security precautions.
We do think, however, that when client confidential information is entrusted in unprotected
form, even temporarily, to someone outside the firm, it must be under a circumstance in which the
outside party is aware of the lawyer’s obligation of confidentiality, and is itself obligated, whether by
contract, professional standards, or otherwise, to assist in preserving it. Lawyers typically use
messengers, delivery services, document warehouses, or other outside vendors, in which physical
custody of client sensitive documents is entrusted to them even though they are not employed by the
firm. The touchstone in using “reasonable care” against unauthorized disclosure is that: (1) the lawyer
has entrusted such documents to an outside provider under circumstances in which there is an
enforceable obligation to preserve confidentiality and security, and (2) use is made of available
technology to guard against reasonably foreseeable attempts to infiltrate the data. If the lawyer has
come to the prudent professional judgment he has satisfied both these criteria, then “reasonable care”
will have been exercised. [1]
[1] In the specific context presented by the inquirer, where a document is transmitted to him by email
over the Internet, the lawyer should password-protect a confidential document (as is now possible in all
common electronic formats, including PDF), since it is not possible to secure the Internet itself against
third party access.