Ethics Committee Opinion 701 Advisory Committee on Professional Ethics Electronic Storage and Access of Client Files

Ethics Committee Opinion 701 Advisory Committee on Professional Ethics Electronic Storage And Access of Client Files Advisory Committee on Professional Ethics Appointed by the Supreme Court of New Jersey The inquirer asks whether the Rules of Professional Conduct permit him to make use of an electronic filing system whereby all documents received in his office are scanned into a digitized format such as Portable Data Format (“PDF”). These documents can then be sent by email, and as the inquirer notes, “can be retrieved by me at any time from any location in the world.” The inquirer notes that certain documents that by their nature require retention of original hardcopy, such as wills, and deeds, would be physically maintained in a separate file. In Opinion 692, we set forth our interpretation of the term “property of the client” for purposes of RPC 1.15, which then triggers the obligation of a lawyer to safeguard that property for the client. “Original wills, trusts, deeds, executed contracts, corporate bylaws and minutes are but a few examples of documents which constitute client property.” 163 N.J.L.J. 220, 221 (January 15, 2001) and 10 N.J.L. 154 (January 22, 2001). Such documents cannot be preserved within the meaning ofRPC 1.15 merely by digitizing them in electronic form, and we do not understand the inquirer to suggest otherwise, since he acknowledges his obligation to maintain the originals of such documents in a separate file. On the other hand, we also noted in Opinion 692 that a client file will likely contain other documents, such as correspondence, pleadings, memoranda, and briefs, that are not “property of the client” within the meaning of RPC 1.15, but that a lawyer is nevertheless required to maintain at least for some period of time in order to discharge the duties contained in RPC 1.1 (Competence) and RPC 1.4 (Communication), among others. While traditionally a client file has been maintained through paper records, there is nothing in the RPCs that mandates a particular medium of archiving such documents. The paramount consideration is the ability to represent the client competently, and given the advances of technology, a lawyer’s ability to discharge those duties may very well be enhanced by having client documents available in an electronic form that can be transmitted to him instantaneously through the Internet. We also note the recent phenomenon of making client documents available to the client through a secure website. This also has the potential of enhancing communications between lawyer and client, and promotes the values embraced in RPC 1.4. With the exception of “property of the client” within the meaning of RPC 1.15, therefore, and with the important caveat we express below regarding confidentiality, we believe that nothing in the RPCs prevents a lawyer from archiving a client’s file through use of an electronic medium such as PDF files or similar formats. The polestar is the obligation of the lawyer to engage in the representation competently, and to communicate adequately with the client and others. To the extent that new technology now enhances the ability to fulfill those obligations, it is a welcome development. This inquiry, however, raises another ethical issue that we must address. As the inquirer notes, the benefit of digitizing documents in electronic form is that they “can be retrieved by me at any time from any location in the world.” This raises the possibility, however, that they could also be retrieved by other persons as well, and the problems of unauthorized access to electronic platforms and media (i.e. the problems posed by “hackers”) are matters of common knowledge. The availability of sensitive client documents in an electronic medium that could be accessed or intercepted by unauthorized users therefore raises issues of confidentiality under RPC 1.6. The obligation to preserve client confidences extends beyond merely prohibiting an attorney from himself making disclosure of confidential information without client consent (except under such circumstances described in RPC 1.6). It also requires that the attorney take reasonable affirmative steps to guard against the risk of inadvertent disclosure. Thus, in Opinion 692, we stated that even when a closed client file is destroyed (as permitted after seven years), “[s]imply placing the files in the trash would not suffice. Appropriate steps must be taken to ensure that confidential and privileged information remains protected and not available to third parties.” 163 N.J.L.J. 220, 221 (January 15, 2001) and 10 N.J.L 154 (January 22, 2001). Similarly, in ACPE Opinion 694 and CAA Opinion 28 (joint opinion), we joined with the Committee on Attorney Advertising in finding that two separate firms could not maintain shared facilities where “the pervasive sharing of facilities by the two separate firms as described in the Agreement gives rise to a serious risk of a breach of confidentiality that their respective clients are entitled to.” 174 N.J.L.J. 460 and 12 N.J.L. 2134 (November 3, 2003). And in Opinion 515, we permitted two firms to share word processing and computer facilities without becoming “office associates” within the meaning of R. 1:15-5(b), but only after noting that “the material relating to individual cases of each attorney is maintained on separate ‘data’ disks used only by their respective secretaries and stored (while not in use) in each of their separate offices.” 111 N.J.L.J. 392 (April 14, 1983). We stress that whenever attorneys enter into arrangement as outlined herein, the attorneys must exercise reasonable care to prevent the attorneys employees and associates, as well as others whose services are utilized by the attorney, from disclosing or using confidences or secrets of a client. The attorneys should be particularly sensitive to this requirement and establish office procedures that will assure that confidences or secrets are maintained. Id. The critical requirement under RPC 1.6, therefore, is that the attorney “exercise reasonable care” against the possibility of unauthorized access to client information. A lawyer is required to exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access. “Reasonable care,” however, does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible, and a lawyer can no more guarantee against unauthorized access to electronic information than he can guarantee that a burglar will not break into his file room, or that someone will not illegally intercept his mail or steal a fax. What the term “reasonable care” means in a particular context is not capable of sweeping characterizations or broad pronouncements. But it certainly may be informed by the technology reasonably available at the time to secure data against unintentional disclosure. Obviously, in this area, changes in technology occur at a rapid pace. In 1983, for instance, when Opinion 515 was published, the personal computer was still somewhat of a novelty, and the individual floppy disk was the prevailing data storage device. The “state of the art” in maintaining electronic security was not very developed, but the ability to prevent unauthorized access by physically securing the floppy disk itself satisfied us that confidentiality could be maintained. By implication, at the time we were less accepting of data stored on a shared hard drive, even one that was partitioned to provide for individual private space for use by different firms, because of the risk of breach of confidentiality under prevailing technology. We are of course aware that floppy disks have now become obsolete, and that it is exceedingly unlikely in this day and age that different law firms would attempt to share hard drive space on a conventional desktop computer, given the small cost of such computers in today’s market. New scenarios have arisen, however. It is very possible that a firm might seek to store client sensitive data on a larger file server or a web server provided by an outside Internet Service Provider (and shared with other clients of the ISP) in order to make such information available to clients, where access to that server may not be exclusively controlled by the firm’s own personnel. And in the context originally raised by the inquirer, it is almost always the case that a law firm will not have its own exclusive email network that reaches beyond its offices, and thus a document sent by email will very likely pass through an email provider that is not under the control of the attorney. We are reluctant to render an specific interpretation of RPC 1.6 or impose a requirement that is tied to a specific understanding of technology that may very well be obsolete tomorrow. Thus, for instance, we do not read RPC 1.6 or Opinion 515 as imposing a per se requirement that, where data is available on a secure web server, the server must be subject to the exclusive command and control of the firm through its own employees, a rule that would categorically forbid use of an outside ISP. The very nature of the Internet makes the location of the physical equipment somewhat irrelevant, since it can be accessed remotely from any other Internet address. Such a requirement would work to the disadvantage of smaller firms for which such a dedicated IT staff is not practical, and deprive them and their clients of the potential advantages in enhanced communication as a result. Moreover, it is not necessarily the case that safeguards against unauthorized disclosure are inherently stronger when a law firm uses its own staff to maintain a server. Providing security on the Internet against hacking and other forms of unauthorized use has become a specialized and complex facet of the industry, and it is certainly possible that an independent ISP may more efficiently and effectively implement such security precautions. We do think, however, that when client confidential information is entrusted in unprotected form, even temporarily, to someone outside the firm, it must be under a circumstance in which the outside party is aware of the lawyer’s obligation of confidentiality, and is itself obligated, whether by contract, professional standards, or otherwise, to assist in preserving it. Lawyers typically use messengers, delivery services, document warehouses, or other outside vendors, in which physical custody of client sensitive documents is entrusted to them even though they are not employed by the firm. The touchstone in using “reasonable care” against unauthorized disclosure is that: (1) the lawyer has entrusted such documents to an outside provider under circumstances in which there is an enforceable obligation to preserve confidentiality and security, and (2) use is made of available technology to guard against reasonably foreseeable attempts to infiltrate the data. If the lawyer has come to the prudent professional judgment he has satisfied both these criteria, then “reasonable care” will have been exercised.1 1 In the specific context presented by the inquirer, where a document is transmitted to him by email over the Internet, the lawyer should password a confidential document (as is now possible in all common electronic formats, including PDF), since it is not possible to secure the Internet itself against third party access.