Lawyers providing an online file storage and retrieval system for client access of documents must take reasonable precautions to protect the security and confidentiality of client documents and information. Lawyers should be aware of limitations in their competence regarding online security measures and take appropriate actions to ensure that a competent review of the proposed security measures is conducted. As technology advances over time, a periodic review of the reasonability of security precautions may be necessary.
The inquiring lawyer wants to offer a service to clients that would allow clients online access to view and retrieve client files. The lawyer designed a multi-level security system in an effort to maintain the confidentiality and security of the files. First, the client files would be accessible only through a Secure Socket Layer (SSL) server, which encodes documents, making it difficult for third parties to intercept or read them. Second, the lawyer would assign unique randomly generated alpha-numeric names and passwords to each online client folder. The folder names contain no information that could identify the client to which it belongs. The password would not be the same as the client folder name. Third, all online client files would be converted to Adobe PDF (Portable Document Format) files and protected with another randomly generated unique alpha-numeric password.
May the inquiring lawyer maintain an encrypted online file storage and retrieval system for clients in which all documents are converted to password-protected PDF format and stored in online folders with unique, randomly-generated alpha-numeric names and passwords?
APPLICABLE ARIZONA RULES OF PROFESSIONAL CONDUCT (“ER __”)
ER 1.1 Competence
A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
ER 1.6 Confidentiality of Information
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted or required by paragraphs (b), (c) or (d) or ER 3.3(a)(3).
. . . .
RELEVANT ARIZONA ETHICS OPINIONS
Ariz. Ethics Ops. 05-04, 07-02
This Committee has already determined that electronic storage of client files is permissible as long as lawyers and law firms “take competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence.” Ethics Op. 05-04. In that opinion, the Committee analyzed the ethical implications of storing client information electronically on systems accessible through the Internet. Then, as today, the primarily applicable rule is ER 1.6. Comment 19 to ER 1.6 states:
A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.
Thus, it is clear “that a lawyer must act in a competent and reasonable manner to assure that the information in the firm’s computer system is not disclosed through inadvertence or unauthorized action.” Ethics Op. 05-04. After analyzing the precautions required by courts to safeguard lawyer-client privileged information, we concluded that similar precautions were required for compliance with ER 1.6. Id.
The “panoply of electronic and other measures … available to assist an attorney in maintaining client confidences” remains similar to those discussed in Ethics Op. 05-04. In satisfying the duty to take reasonable security precautions, lawyers should consider firewalls, password protection schemes, encryption, anti-virus measures, etc. Id. Indeed, these considerations have become more relevant as more law offices and departments convert to “paperless” file storage. See, e.g., Ethics Op. 07-02.
Other bar associations have recognized that the duty to take reasonable precautions does not require a guarantee that the system will be invulnerable to unauthorized access. See, e.g., N.J. Ethics Op. 701 (Apr. 10, 2006). Instead, the lawyer “is required to exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access.” Id. See also 2008 N.C. Formal Ethics Op. 5 (“law firm must enact appropriate measures to ensure that each client only has access to his or her own file [and] that third parties cannot gain access [to] any client file”).
It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field. The competence requirements of ER 1.1 apply not only to a lawyer’s legal skills, but also generally to “those matters reasonably necessary for the representation.” Therefore, as a necessary prerequisite to making a determination regarding the reasonableness of online file security precautions, the lawyer must have, or consult someone with, competence in the field of online computer security.
Based on the facts supplied by the inquiring lawyer, the proposed online client file system appears to meet the requirements set forth by ER 1.6 and interpreted in Ethics Op. 05-04.  The lawyer has taken the preliminary step of having the files protected by a Secure Socket Layer (SSL) server, which encrypts the files, and also applied several layers of password protection. The fact that the system also utilizes unique and randomly generated folder names and passwords appears to satisfy the requirement of taking reasonable measures to protect client confidentiality and prevent unauthorized access. The further measure of converting each document to PDF format and requiring another unique alpha-numeric password to review its contents enhances the security of the proposed system.
However, the Committee also recognizes that technology advances may make certain protective measures obsolete over time. Therefore, the Committee does not suggest that the protective measures at issue in Ethics Op. 05-04 or in this opinion necessarily satisfy ER 1.6’s requirements indefinitely. Instead, whether a particular system provides reasonable protective measures must be “informed by the technology reasonably available at the time to secure data against unintentional disclosure.” N.J. Ethics Op. 701. As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information.
The inquiring lawyer appears to have satisfied the obligation to take reasonable precautions to protect the security and confidentiality of client documents and information. The proposed system uses encryption and three layers of unique randomly generated alpha-numeric folder names and passwords. Although the proposed system appears to constitute a reasonable precaution at this time, competent personnel should conduct periodic reviews to ensure that security precautions in place remain reasonable as technology progresses.
Formal opinions of the Committee on the Rules of Professional Conduct are advisory in nature only and are not binding in any disciplinary or other legal proceedings. This opinion is based on the Ethical Rules in effect on the date the opinion was published. If the rule changes, a different conclusion may be appropriate. © State Bar of Arizona 2009
 In so concluding, the Committee does not intend to suggest that all of the measures employed by the inquiring lawyer are necessary to comply with ER 1.6.