State Bar of Arizona Ethics Opinions

05-04: Electronic Storage; Confidentiality
7/2005

ER's 1.6 and 1.1 require that an attorney act competently to safeguard client information and confidences. It is not unethical to store such electronic information on computer systems whether or not those same systems are used to connect to the internet. However, to comply with these ethical rules as they relate to the client's electronic files or communications, an attorney or law firm is obligated to take competent and reasonable steps to assure that the client's confidences are not disclosed to third parties through theft or inadvertence.  In addition, an attorney or law firm is obligated to take reasonable and competent steps to assure that the client's electronic information is not lost or destroyed. In order to do that, an attorney must be competent to evaluate the nature of the potential threat to client electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end. An attorney who lacks or cannot reasonably obtain that competence is ethically required to retain an expert consultant who does have such competence.

FACTS[1]

The Inquiring Attorney has sought guidance from the Committee regarding the steps the lawyer's firm must take to safeguard electronic client information from Internet hacking and viruses.  The Inquiring Attorney's firm has, until recently, kept documents which include confidential client information in electronic form on a computer system which is accessible only from computers within the law firm itself.  Although the law firm had access to the internet, that access was through a separate computer system.  Neither the computer system on which the client information was stored nor any computer which could access that information was ever connected to the internet.

The Inquiring Attorney's firm now wishes to change that system and allow attorneys and staff to access the internet through the same computers they use to access the client information.  Though the Inquiring Attorney does not specifically state this, it is assumed that firm attorneys and other employees will be able to access the client documents remotely.  That is, an attorney or other employee may access this information from a computer outside the physical offices of the firm.  Such access would be through the internet.

QUESTION PRESENTED
 
How do we protect the confidentiality and integrity of client information while continuing to increase reliance on internet for research, filings, communication, and storage of documents?

RELEVANT ETHICAL RULES
 
ER 1.1     Competence:

A lawyer shall provide competent representation to a client.  Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.

ER 1.6(a)     Confidentiality of Information:

(a)     A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted or required by paragraphs (b), (c), or (d), or ER 3.3(a)(3).

ER 5.1(a)     Responsibilities of Partners.  Managers, and Supervisory Lawyers:

(a)     A partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.

ER 5.3(a) and (b)     Responsibilities Regarding Nonlawyer Assistants:

With respect to a nonlawyer employed or retained by or associated with a lawyer:

(a)     a partner, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer;

(b)     a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer; . . .

OPINION

It is clear that a lawyer has an ethical obligation to protect the confidences entrusted by clients.  Comment 19 to ER 1.6 makes this plain:

[19]     A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision.  See ERs 1.1, 5.1 and 5.3.

Thus, the short answer to the Inquiring Attorney's inquiry is that a lawyer must act in a competent and reasonable manner to assure that the information in the firm's computer system is not disclosed through inadvertence or unauthorized action.  Of course, this syllogism does not really answer the question.

The State Bar of Arizona's Committee on the Rules of Professional Conduct (the "Committee") has not directly addressed this issue.  However, in 1997, the Committee addressed the related question of whether an attorney may ethically communicate with clients via e-mail regarding confidential matters.  There, the Committee stated that a lawyer may communicate with clients via e-mail.   Op. 97-04 (April 7, 1997). However, the Committee warned that a lawyer may want to encrypt the e-mail or use passwords or other electronic measures to guard against inadvertent disclosure.  The Committee noted that some courts have deemed e-mail not to be a "sealed" mode of transmission and, thus, subject to unauthorized interception.  See, e.g., American Civil Liberties Union v. Reno, 929 F.Supp. 824, 834 (E.D.Pa. 1996).  The Committee also noted that this recommendation was consistent with the Committee's prior ruling in Op. 95-11 where lawyers were cautioned against discussing "sensitive information" via cellular telephone because of concerns that such discussion may be intercepted.  Importantly, the Committee noted that unauthorized interception of cellular telephone calls would be illegal - presumably violating a host of Arizona and Federal laws regarding wire-tapping.

In neither opinion did the Committee deem that the conduct in question was unethical, only that a lawyer should be cautious and take necessary precautions to safeguard client information.

The same reasoning can and should be applied to the questions posed by the Inquiring Attorney.  However, it is also important to note that both the law and the practice have changed markedly since 1997.  Obviously, the use of e-mail and cellular telephones has significantly expanded since 1997.  Moreover, the use of the internet in businesses of all kinds - including the practice of law - has exploded.  Not only do more lawyers now use computers than ever before, they use them in ways not imagined ten years ago.  It is common to do legal research through the internet - indeed many law firms are abandoning most, if not all, of their physical libraries in favor of on-line resources.  It is common for attorneys to exchange correspondence, documents and other information via e-mail and other electronic modes of communication which utilize the internet.  Electronic filing in bankruptcy court, for example, requires an internet connection.

Areas of the law relating to client confidences have also changed in recent years.  The recent evolution of the law relating to waiver of the attorney-client and work product privileges is instructive.  While a lawyer's ethical obligations to safeguard the client's confidences go beyond just protecting privileged material, the reasoning of courts addressing these provisions is most helpful in setting a minimum level of conduct.  

The Inquiring Attorney's concerns focuses on what a lawyer must do to protect electronic files from being (1) stolen, (2) inadvertently disclosed to others, and (3) lost or destroyed.  All of those scenarios have been extensively discussed by the courts in the context of waiver of the attorney-client or work product privilege.

Stolen Electronic Information - the Purloined Letter.

The Inquiring Attorney's first concern was that electronic information stored on computers which are also used to access the internet may be subject to "hackers" who wish to steal the client's information.  It does not matter whether the hacker's motive is to obtain information for sale or for the hacker's own mysteriously prurient interests. 

The courts' treatment of document theft have changed in recent years.  Until the late twentieth century, the common rule was that any document, otherwise protected from disclosure by the attorney-client or work product privilege, would lose that privilege if it was disclosed even when such disclosure was caused by theft.  This rule, sometimes referred to by commentators as the "Wigmore Rule," has been largely abandoned.

In Suburban Sew 'N Sweep, Inc. v. Swiss-Bernina, Inc., 91 F.R.D. 254 (N.D.Ill. 1981), the District Court for the Northern District of Illinois addressed the Wigmore rule and noted the modern trend away from that rule.  There, plaintiff routinely searched the trash dumpster located in the parking lot behind the defendant's offices.  In the course of these searches, plaintiff discovered drafts of letters and other information which was clearly protected by the attorney-client privilege.  Defendants sought to have such documents returned and to prohibit use of those documents at trial.

The court noted that the rule adopted by Wigmore was simple and precise. 

. . . [T]he traditional rule effectively presumed that if the parties to a communication intended it to be and remain confidential, they could protect its confidentiality.  Accordingly, even where the eavesdropper acted surreptitiously or the communication was stolen, and the parties reasonably expected that it was confidential, the privilege was considered destroyed.

91 FRD at 258 n.3.

However, the court also noted that the modern rule was less draconian and was based upon the notes of the Advisory Commission to Proposed Rule 503, Federal Rules of Evidence.   The Commission noted:

. . . Unless intent to disclose [an otherwise privileged communication] is apparent, the attorney-client communication is confidential.  Taking or failing to take precautions may be considered as bearing on intent. . . .  Substantial authority has in the past allowed the eavesdropper to testify to overheard privileged conversations and has admitted intercepted privileged letters.  Today, the evolution of more sophisticated techniques of eavesdropping and interception calls for abandonment of this position.  The [proposed] rule accordingly adopts a policy of protection against these kinds of invasion of the privilege.

91 F.R.D. at 260 n. 4.

However, this "modern rule" does not wholly relieve the attorney or his client from taking precautions against theft and disclosure.  The court held that preservation of the privilege does not "in any way reduce the client's need to take all possible precautions to insure confidentiality."  91 F.R.D. at 260 (quoting 2 Weinstein's Evidence,  503(b)(2)).

Thus, the modern rule is that precautions must be taken to prevent the theft of confidential communications to preserve the privilege.  

Inadvertent Disclosure

Instances where privileged information has been stolen are relative rare.  More common is the predicament where a lawyer has inadvertently disclosed otherwise privileged information.  The Eighth Circuit Court of Appeals has summarized the three approaches generally taken in analyzing the effect of inadvertent disclosure.  First, it notes what it refers to as the "lenient" approach. 

Under the lenient approach, attorney-client privilege must be knowingly waived.  Here the determination of inadvertence is the end of the analysis.  The attorney-client privilege exists for the benefit of the client and cannot be waived except by an intentional and knowing relinquishment.

Gray v. Bicknell, 86 F.3d 1472, 1483 (8th Cir. 1996) (citing cases from the Southern District of Florida and the Northern District of Illinois).

The Eighth Circuit rejected that rule.  A privileged document must be confidential to retain its privilege but, the court stated, "under this test, the lack of confidentiality becomes meaningless. . . ."  Id.

The court also rejected what it called the "strict" test.

. . . Under the strict test, any document produced, either intentionally or otherwise, loses its privileged status with the possible exception of situations where all precautions were taken.  Once waiver has occurred, it extends "to all other communications relating to the same subject matter."

Id. at 1483 (citing cases from the DC and First Circuits).

Noting that the strict test has "some appeal" because it makes attorneys and clients accountable for their own carelessness, the Eighth Circuit rejected it "because of its pronounced lack of flexibility and its significant intrusion on the attorney-client relationship."  Id.

Ultimately, the Eighth Circuit adopted what it called the "middle-of-the-road" test, sometimes referred to as the "Hydraflow test" after Hydraflow, Inc. v. Enidine, Inc., 145 F.R.D. 626 (WDNY 1993).  This test sets out a five-part analysis to determine whether inadvertently disclosed documents retain their privileged status.

. . . These considerations are:  (1) the reasonableness of the precautions taken to prevent inadvertent disclosure in view of the extent of document production, (2) the number of inadvertent disclosures, (3) the extent of the disclosures, (4) the promptness of measures taken to rectify the disclosure, and (5) whether the overriding interest of justice would be served by relieving the party of its error.

Id. at 1483-84.

While no Arizona State court has directly addressed these issues, the Arizona Federal District Court has.  In Resolution Trust Corporation v. Dean, 813 F.Supp. 1426 (D. Ariz. 1993), a senior attorney representing the Resolution Trust Corporation ("RTC") prepared an internal memorandum discussing the RTC's investigation of certain claims it was pursuing against J. Fife Symington relating to the Camelback Esplanade project in Phoenix, Arizona.  The memorandum (called the "ATS Memo") discussed possible claims against Symington, possible defenses to such claims, the probability of success on those claims and defenses, the cost of proceeding and the likelihood of recovery.  The ATS Memo was deemed by the court to be covered by the attorney-client privilege.

Unfortunately, all or part of the ATS Memo was "leaked" to the press.  Defendants sought production of the entire document, the RTC refused, and a motion to compel production followed.  The court's analysis followed and expressly relied upon two different cases, In re Grand Jury Proceedings Involving Berkley & Co., 466 F.Supp. 863 (D. Minn. 1979) ("Berkley") and In re Dayco Corp. Derivative Securities Litigation, 102 F.R.D. 468 (S.D. Ohio 1984) ("Dayco").   The RTC claimed that, because it had taken extensive precautions against disclosure of the ATS Memo and because it could not determine how the document was leaked to the press, such disclosure was unauthorized and amounted to a crime.  

The Arizona District Court noted that, in Berkley, the Minnesota Court held that, "to the extent the documents can be viewed as stolen, they should not lose the protection of the attorney-client privilege."  RTC v. Dean, at 1429.  It also noted that, before reaching that conclusion, the Minnesota Court conducted an in camera review of the documents to determine the privilege status and ordered Berkley to "provide information as to the manner in which it maintains its records."  Id. 

Defendants argued that, unlike the situation in Berkley, there was no evidence that the ATS Memo had been stolen.  The Arizona court found this distinction to be without merit, stating:

. . . This argument rests on a narrow reading of Berkley, for although there is no evidence of thievery in this case at bar, there is an indication that the disclosure of the documents was in itself a criminal act.

Id.

The Arizona court then turned to the Dayco case.  There, although the subject documents were also leaked to the press, the documents were not prepared by the government and, thus, such action did not amount to a crime.  The Arizona court noted with approval that the Dayco court first examined the documents and the manner in which they were kept before reaching its holding:

. . . The [Dayco] court held that, absent any indication that the defendants voluntarily gave the diary to the press, publication of excerpts of the diary should not be considered a waiver of the privilege.  Id. citing J. Weinstein & M. Berger, Weinstein's Evidence, para 503(a)(4)[01] at 503-31 (1982 ed.) ("Communications which were intended to be confidential but are intercepted despite reasonable precautions remain privileged.")

Id. (emphasis added).

In the end, the Arizona court found that the facts before it to be "roughly analogous to those in Berkley and Dayco."  The court held that, despite the disclosure of the ATS Memo to the press, the document retained its privileged status because the RTC had affirmatively demonstrated that it had taken "precautions to secure the confidentiality of the ATS memo and that the memo's leak remains inexplicable."  Id. at 1429-30.

ER 1.6 requires a lawyer to take reasonable precautions to protect client confidences.  The foregoing analysis outlines the kind of procedures the courts have followed in the similar situation of determining when an otherwise privileged communication loses its privileged status because of involuntary disclosure.

It is not difficult, in that light, to conclude that an attorney must take similar precautions with regard to electronically stored communications.  It is plain that some efforts must be undertaken.  A panoply of electronic and other measures are available to assist an attorney in maintaining client confidences.  "Firewalls" - electronic devices and programs which prevent unauthorized entry into a computer system from outside that system - are readily available.  Recent upgrades in Microsoft operating systems incorporate such software systems automatically.  A host of companies, including Microsoft, Symantec, McAfee and many others, provide security software that helps prevent both destructive intrusions (such as viruses and "worms") and the more malicious intrusions which allow outsiders access to computer files (sometimes call "adware" or "spyware").

Software systems are also readily available to protect individual electronic files.  Passwords can be added to files which prevent viewing of such files unless a password is first known and entered.  The files themselves can also be encrypted so that, even if the password protection is compromised, the file cannot be read without knowing the encryption key - something that is extremely difficult to break.

Precisely which of these software and hardware systems should be chosen - and the extent to which they must be employed - is beyond the scope and competence of the Committee.  This is the kind of thing each attorney must assess.  The expectation of the client that the client's records and communications will be held in confidence is significant.

As set forth in the Comment to ER 1.6, an attorney must not only take reasonable precautions to protect client confidences, the lawyer must "act competently" in that regard.  ER 1.1 requires, in general terms, that a lawyer act competently with regard to client representation.  ER 5.1 and 5.3 require that a lawyer manage the lawyer's firm and assistants in such a way as to be certain that the lawyer's ethical responsibilities are discharged.  Once again, it is the lawyer's individual responsibility to know when the lawyer can act competently or not.

It is not surprising that few lawyers have the training or experience required to act competently with regard to computer security.  Such competence is, however, readily available.  Much information can be obtained through the internet by an attorney with sufficient time and energy to research and understand these systems.  Alternatively, experts are readily available to assist an attorney in setting up the firm's computer systems to protect against theft of information and inadvertent disclosure of client confidences.

Malicious Destruction of Client Files
 
The Inquiring Attorney also expressed concern that allowing access to client files on computers which are also used to access the internet can lead to the malicious destruction of those files.  The threat of such destructive viruses is well known. 

As with the inadvertent disclosure analysis above, ER 1.6 and 1.1 require the lawyer to act competently in assuring that electronic information transmitted to the attorney is not lost or destroyed.  Much of the security software and hardware discussed above provides protection against such destructive intrusions.  Moreover, it is common practice to routinely back-up computer files.  In that way, even if a computer system is entirely disabled through malicious attack, nearly all data can be retrieved from back-up files.  Easy to use and inexpensive systems are available to make this kind of back-up an automatic process.

Once again, the extent to which such systems need to be employed and which systems best accomplish that goal is something which an individual attorney must determine.  Doing so competently may require additional research or the employment of an expert consultant.

CONCLUSION
 
ER's 1.6 and 1.1 require that an attorney act competently to safeguard client information and confidences.   It is not unethical to store such electronic information on computer systems whether or not those same systems are used to connect to the internet.  However, to comply with these ethical rules as they relate to the client's electronic files or communications, an attorney or law firm is obligated to take competent and reasonable steps to assure that the client's confidences are not disclosed to third parties through theft or inadvertence.  In addition, an attorney or law firm is obligated to take reasonable and competent steps to assure that the client's electronic information is not lost or destroyed.  In order to do that, an attorney must either have the competence to evaluate the nature of the potential threat to the client's electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence.

--------------------------------------------------------------------------------

[1] Formal Opinions of the Committee on the Rules of Professional Conduct are advisory in nature only and are not binding in any disciplinary or other legal proceedings.  © State Bar of Arizona 2003