Lawyers have had, at least preceding the memory of any living human being, an obligation to preserve the confidences of their clients. Some variation of Rule 1.6 of the ABA’s Model Code of Professional Responsibility is in effect in all 50 states and the District of Columbia. Specifically, Rule 1.6 (c) states:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
Back in the pre-digital age, if the lawyer did not talk too much at cocktail parties where alcohol was served and locked his office when he left for the day he was covered. If the document was really, really sensitive, you put it in a safe. That was reasonable security when information was limited by a physical presence.
Time and technology have changed. While most lawyers are not early adapters of technology, most lawyers now use the internet, email and have some way to work remotely. How has the law kept up?
Most states and the District of Columbia have issued comments to expand on the rule. Comment 18 imposes an obligation that the lawyer be competent in preserving the confidentiality. Specifically the Comment provides:
Acting Competently to Preserve Confidentiality
 Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
So what should a reasonably competent lawyer in the Digital age do?
A starting point might be to understand the basics in how the digital technology they are employing works so they can employ the digitally analogous solutions they employed in a paper environment.
Your client’s information is now stored electronically on a computer and when you transmit the information you send it by email. What are you doing to reasonably and competently to protect your clients secrets from inadvertent disclosure in the digital age?
You must know where your data is, how it is stored and whether it is secure. If it is in your office, do others have access to it? Do you leave your computers on? Can the cleaning crew access it? If it is stored in the cloud, where is your cloud? Is it in the US subject to US law or some foreign jurisdiction?
The real issue is the security of the solution, not whether it is in the lawyer’s office or in a private cloud. An installed locked down office environment can be secure, but it will not allow the benefits of remote access. A cloud solution can be secure but it requires reasonable inquiry to determine if it is so. A highly encrypted private cloud solution, backed up instantaneously where the data does not leave the US is the way to go.
An email is essentially sending a letter with your client’s secrets in it without an envelope. Encryption is the envelope that hides the content of the email from others. Low level encryption is using a see through envelope. High level encryption is using an opaque envelope. Which would a reasonable competent attorney use?