Advisory
Committee on Professional Ethics
Appointed
by the Supreme Court of New Jersey
The
inquirer asks whether the Rules of Professional Conduct permit him to make use
of an
electronic
filing system whereby all documents received in his office are scanned into a
digitized
format
such as Portable Data Format (“PDF”). These documents can then be sent by
email, and as the
inquirer
notes, “can be retrieved by me at any time from any location in the world.” The
inquirer notes
that
certain documents that by their nature require retention of original hardcopy,
such as wills, and
deeds,
would be physically maintained in a separate file.
In
Opinion 692, we set forth our interpretation of the term “property of the
client” for purposes
of RPC 1.15, which then
triggers the obligation of a lawyer to safeguard that property for the client.
“Original
wills, trusts, deeds, executed contracts, corporate bylaws and minutes are but
a few examples
of
documents which constitute client property.” 163 N.J.L.J. 220, 221 (January 15,
2001) and 10 N.J.L.
154
(January 22, 2001). Such documents cannot be preserved within the meaning ofRPC 1.15 merely
by
digitizing them in electronic form, and we do not understand the inquirer to
suggest otherwise, since
he
acknowledges his obligation to maintain the originals of such documents in a
separate file.
On
the other hand, we also noted in Opinion 692 that a client file will likely
contain other
documents,
such as correspondence, pleadings, memoranda, and briefs, that are not
“property of the
client”
within the meaning of RPC 1.15, but that a lawyer is nevertheless required
to maintain at least
for
some period of time in order to discharge the duties contained in RPC 1.1 (Competence)
and RPC
1.4
(Communication), among others. While traditionally a client file has been
maintained through
paper
records, there is nothing in the RPCs that mandates a particular medium of
archiving such
documents.
The paramount consideration is the ability to represent the client competently,
and given
the
advances of technology, a lawyer’s ability to discharge those duties may very
well be enhanced by
having
client documents available in an electronic form that can be transmitted to him
instantaneously
through
the Internet. We also note the recent phenomenon of making client documents
available to the
client
through a secure website. This also has the potential of enhancing
communications between
lawyer
and client, and promotes the values embraced in RPC 1.4.
With
the exception of “property of the client” within the meaning of RPC 1.15, therefore, and
with
the important caveat we express below regarding confidentiality, we believe
that nothing in the
RPCs
prevents a lawyer from archiving a client’s file through use of an electronic
medium such as
PDF
files or similar formats. The polestar is the obligation of the lawyer to
engage in the
representation
competently, and to communicate adequately with the client and others. To the
extent
that
new technology now enhances the ability to fulfill those obligations, it is a
welcome development.
This
inquiry, however, raises another ethical issue that we must address. As the
inquirer notes,
the
benefit of digitizing documents in electronic form is that they “can be
retrieved by me at any time
from
any location in the world.” This raises the possibility, however, that they
could also be retrieved
by
other persons as well, and the problems of unauthorized access to electronic
platforms and media
(i.e.
the problems posed by “hackers”) are matters of common knowledge. The
availability of sensitive
client
documents in an electronic medium that could be accessed or intercepted by
unauthorized users
therefore
raises issues of confidentiality under RPC 1.6.
The
obligation to preserve client confidences extends beyond merely prohibiting an
attorney
from
himself making disclosure of confidential information without client consent
(except under such
circumstances
described in RPC 1.6). It also requires that the attorney take reasonable
affirmative
steps
to guard against the risk of inadvertent disclosure. Thus, in Opinion 692, we
stated that even
when
a closed client file is destroyed (as permitted after seven years), “[s]imply
placing the files in the
trash
would not suffice. Appropriate steps must be taken to ensure that confidential
and privileged
information
remains protected and not available to third parties.” 163 N.J.L.J. 220, 221 (January 15,
2001)
and 10 N.J.L 154
(January 22, 2001). Similarly, in ACPE Opinion 694 and CAA Opinion 28
(joint
opinion), we joined with the Committee on Attorney Advertising in finding that
two separate
firms
could not maintain shared facilities where “the pervasive sharing of facilities
by the two separate
firms
as described in the Agreement gives rise to a serious risk of a breach of
confidentiality that their
respective
clients are entitled to.” 174 N.J.L.J. 460 and 12 N.J.L. 2134 (November 3, 2003).
And
in Opinion 515, we permitted two firms to share word processing and computer
facilities
without
becoming “office associates” within the meaning of R. 1:15-5(b), but only after
noting that
“the
material relating to individual cases of each attorney is maintained on
separate ‘data’ disks used
only
by their respective secretaries and stored (while not in use) in each of their
separate offices.” 111
N.J.L.J. 392 (April 14, 1983).
We
stress that whenever attorneys enter into arrangement as outlined herein, the
attorneys
must exercise reasonable care to prevent the attorneys employees and
associates,
as well as others whose services are utilized by the attorney, from disclosing
or
using confidences or secrets of a client.
The
attorneys should be particularly sensitive to this requirement and establish
office
procedures
that will assure that confidences or secrets are maintained.
Id.
The
critical requirement under RPC 1.6, therefore, is that the attorney “exercise
reasonable
care”
against the possibility of unauthorized access to client information. A lawyer
is required to
exercise
sound professional judgment on the steps necessary to secure client confidences
against
foreseeable
attempts at unauthorized access. “Reasonable care,” however, does not mean that
the
lawyer
absolutely and strictly guarantees that the information will be utterly
invulnerable against all
unauthorized
access. Such a guarantee is impossible, and a lawyer can no more guarantee
against
unauthorized
access to electronic information than he can guarantee that a burglar will not
break into
his
file room, or that someone will not illegally intercept his mail or steal a
fax.
What
the term “reasonable care” means in a particular context is not capable of
sweeping
characterizations
or broad pronouncements. But it certainly may be informed by the technology
reasonably
available at the time to secure data against unintentional disclosure.
Obviously, in this area,
changes
in technology occur at a rapid pace. In 1983, for instance, when Opinion 515
was published,
the
personal computer was still somewhat of a novelty, and the individual floppy
disk was the
prevailing
data storage device. The “state of the art” in maintaining electronic security
was not very
developed,
but the ability to prevent unauthorized access by physically securing the
floppy disk itself
satisfied
us that confidentiality could be maintained. By implication, at the time we
were less
accepting
of data stored on a shared hard drive, even one that was partitioned to provide
for individual
private
space for use by different firms, because of the risk of breach of
confidentiality under
prevailing
technology.
We
are of course aware that floppy disks have now become obsolete, and that it is
exceedingly
unlikely
in this day and age that different law firms would attempt to share hard drive
space on a
conventional
desktop computer, given the small cost of such computers in today’s market. New
scenarios
have arisen, however. It is very possible that a firm might seek to store
client sensitive data
on
a larger file server or a web server provided by an outside Internet Service
Provider (and shared
with
other clients of the ISP) in order to make such information available to
clients, where access to
that
server may not be exclusively controlled by the firm’s own personnel. And in
the context
originally
raised by the inquirer, it is almost always the case that a law firm will not
have its own
exclusive
email network that reaches beyond its offices, and thus a document sent by
email will very
likely
pass through an email provider that is not under the control of the attorney.
We
are reluctant to render an specific interpretation of RPC 1.6 or impose a
requirement that is
tied
to a specific understanding of technology that may very well be obsolete
tomorrow. Thus, for
instance,
we do not read RPC 1.6 or Opinion 515 as imposing a per se requirement that,
where data is
available
on a secure web server, the server must be subject to the exclusive command and
control of
the
firm through its own employees, a rule that would categorically forbid use of an
outside ISP. The
very
nature of the Internet makes the location of the physical equipment somewhat
irrelevant, since it
can
be accessed remotely from any other Internet address. Such a requirement would
work to the
disadvantage
of smaller firms for which such a dedicated IT staff is not practical, and
deprive them and
their
clients of the potential advantages in enhanced communication as a result.
Moreover,
it is not necessarily the case that safeguards against unauthorized disclosure
are
inherently
stronger when a law firm uses its own staff to maintain a server. Providing
security on the
Internet
against hacking and other forms of unauthorized use has become a specialized
and complex
facet
of the industry, and it is certainly possible that an independent ISP may more
efficiently and
effectively
implement such security precautions.
We
do think, however, that when client confidential information is entrusted in
unprotected
form,
even temporarily, to someone outside the firm, it must be under a circumstance in
which the
outside
party is aware of the lawyer’s obligation of confidentiality, and is itself
obligated, whether by
contract,
professional standards, or otherwise, to assist in preserving it. Lawyers
typically use
messengers,
delivery services, document warehouses, or other outside vendors, in which
physical
custody
of client sensitive documents is entrusted to them even though they are not
employed by the
firm.
The touchstone in using “reasonable care” against unauthorized disclosure is
that: (1) the lawyer
has
entrusted such documents to an outside provider under circumstances in which
there is an
enforceable
obligation to preserve confidentiality and security, and (2) use is made of
available
technology
to guard against reasonably foreseeable attempts to infiltrate the data. If the
lawyer has
come
to the prudent professional judgment he has satisfied both these criteria, then
“reasonable care”
will
have been exercised.1
1
In
the specific context presented by the inquirer, where a document is transmitted
to him by email
over
the Internet, the lawyer should password a confidential document (as is now
possible in all
common
electronic formats, including PDF), since it is not possible to secure the
Internet itself against
third
party access.
For
more information, go to http://njwillsprobatelaw.com/opinion701.html?id=2386&a=
No comments:
Post a Comment