Opinion #194: Client Confidences: Confidential firm data held electronically and handled by technicians for third-party vendors
Issued by the Professional Ethics Commission
Date Issued: June 30, 2008
An attorney has asked for guidance on the ethical propriety of using third party vendors to process and store electronically held firm data. The data would be transmitted to the third parties over a presumptively secure network connection. Processing of firm data may include transcription of voice recordings and transfer of firm computer files to an off-site "back-up" of the firm's electronically held data.
More specifically, the question is whether the use of such services and resources, which may involve disclosure of client information to technicians who maintain the relevant computer hardware and non-lawyer transcribers outside the sphere of the attorney's direct control and supervision, would violate the lawyer's obligation to maintain client confidentiality. The attorney further seeks guidance on what, if any, safeguards would make such practices permissible.
While there is no provision of the Code of Professional Responsibility of the Maine Bar Rules that directly addresses this question, several provisions, along with previous opinions of this Commission, provide a framework for our response. We conclude that, with appropriate safeguards, an attorney may utilize transcription and computer server backup services remote from both the lawyer's physical office and the lawyer's direct control or supervision without violating the attorney's ethical obligation to maintain client confidentiality.
Rule 3.6(a) sets forth the general standard requiring the lawyer to "employ reasonable care and skill and apply the lawyer's best judgment in the performance of professional services." More specifically, Rule 3.6(h)(1) sets forth the lawyer's general obligations to maintain client confidentiality:
(1) Except as permitted by these rules, or when authorized in order to carry out the representation, or as required by law or by order of the court, a lawyer shall not, without informed consent, knowingly, disclose or use information (except information generally known) that:
i. Is protected by the attorney-client privilege in any jurisdiction relevant to the representation;
ii. Is information gained in the course of representation of a client or former client for which that client or former client has requested confidential treatment;
iii. Is information gained in the course of representation of the client or former client and the disclosure of which would be detrimental to a material interest of the client or former client; or
iv. Is information received from a prospective client, the disclosure of which would be detrimental to a material interest of that prospective client, when the information is provided under circumstances in which the prospective client has a reasonable expectation that the information will not be disclosed.
Rule 3.6(h)(2) addresses the lawyer's obligation to ensure that others working on the lawyer's behalf in the course of representation who are privy to confidential client information likewise maintain the client's confidences. The rule states: "A lawyer shall exercise reasonable care to prevent lawyers and non-lawyers employed or retained by or associated with the lawyer from improperly disclosing or using information protected by paragraph (1) of this subdivision."
The current question concerning these internet-based services arises because transcription and backup services are now available at an attractive cost from companies using personnel working outside the lawyer's office and not subject to the lawyer's direct oversight. This situation leaves the lawyer with no direct control over individuals who have access to confidential client information.
As Rule 3.6(h)(2) makes clear and as we have opined previously, the primary responsibility for file integrity, maintenance, disposition, and confidentiality rests with the attorney employed by the client. See Maine Professional Ethics Commission Opinion #74 (10/1/86). In this case, although the transcriptionists or technicians maintaining the computer backup files are not employed by the attorney, the directives of Rule 3.13(c) still govern because they also apply to non-lawyers "retained by or associated with a lawyer" and therefore require that an attorney "shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the conduct of these individuals is compatible with the professional obligations of the lawyer."
Rule 3.6(h)(2) implies that lawyers have a responsibility to train, monitor, and discipline their non-lawyer staff in such a manner as to guard effectively against breaches of confidentiality. Failure to take reasonable steps to provide adequate training, to monitor performance, and to apply discipline for the purpose of enforcing adherence to ethical standards is grounds for concluding that the lawyer has violated Rule 3.6(h)(2). See Maine Professional Ethics Commission Opinion #134 (9/21/93). Clearly, when employing any outside contractor to perform law-related services, the lawyer does not directly train, monitor, and discipline the employees of the service provider; however, the lawyer retains the obligation to ensure that appropriate standards concerning client confidentiality are maintained by the contractor. The precise parameters of what constitutes "appropriate standards" are not defined in the rules or opinions, but are based on reasonable efforts to prevent the disclosure of confidential information.
With the pervasive and changing use of evolving technology in communication and other aspects of legal practice, particular safeguards which might constitute reasonable efforts in a specific context today may be outdated in a different context tomorrow. Therefore, rather than attempting to delineate acceptable and unacceptable practices, this opinion will outline guidance for the lawyer to consider in determining when professional obligations are satisfied.
At a minimum, the lawyer should take steps to ensure that the company providing transcription or confidential data storage has a legally enforceable obligation to maintain the confidentiality of the client data involved. See ABA Ethics Opinion 95-398 (lawyer who allows computer maintenance company access to lawyer's files must ensure that company establishes reasonable procedures to protect confidentiality of information in files, and would be "well-advised" to secure company's written assurance of confidentiality); N.J. Sup. Comm. Prof. Ethics Opinion 701 ("Lawyers may maintain client files electronically with a third party as long as the third party has an enforceable obligation to preserve the security of those files and uses technology to guard against reasonably foreseeable hacking.").
Although the Privacy and Security Rules of the federal Health Insurance Portability and Accountability Act ("HIPAA"), 45 C.F.R. Part 164, are generally not applicable to lawyers in their obligations to their clients, this law provides very detailed examples of standards intended to protect the confidentiality of patient health information that are now widely in use in the medical field. Under HIPAA, regulated entities that contract with others to provide services involving protected patient information are generally required to have "Business Associate Agreements" with prescribed provisions that detail the contractor's obligations to ensure the confidentiality of the patient information involved.
The contract between a covered entity and a business associate must provide that the business associate will:
(A) Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity as required by this subpart;
(B) Ensure that any agent, including a subcontractor, to whom it provides such information agrees to implement reasonable and appropriate safeguards to protect it;
(C) Report to the covered entity any security incident of which it becomes aware;
(D) Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract. 45 C.F.R. §164.314.
Similarly, the Security Rule, 45 C.F.R. §164.302-318, describes various administrative, physical, technical, and organizational security-related safeguards applicable to healthcare entities maintaining protected patient information electronically.
In some circumstances, such as with transcription, human involvement with confidential client information by the contractor's staff is inherent in the service. In that case, additional contractual obligations may be needed to ensure that the contractor's employees or agents who will have direct knowledge of the confidences are adequately trained and understand their personal obligation to maintain the information confidentially. In addition, the lawyer would be well-advised to include a contract provision requiring the contractor to inform the lawyer in the event the contractor becomes aware of any inappropriate use or disclosure of the confidential information. The lawyer can then take steps to mitigate the consequences and can determine whether the underlying arrangement can be continued safely.
Along with taking steps to ensure that the confidential information will be maintained securely by the company providing remote services, the lawyer should also take care to ensure that confidential information is conveyed to the service provider in a secure manner. While data encryption can provide appropriate levels of additional security for highly confidential data in transit on the internet, in some circumstances it may be reasonable to transmit information securely via email without encryption. See ABA Ethics Opinion 99-413 (lawyers may ethically communicate client confidences using unencrypted e-mail sent over the Internet, but should discuss with their clients different ways of communicating client confidences that are "so highly sensitive that extraordinary measures to protect the transmission are warranted"); United States v. Councilman, 418 F.3d 67 (1st Cir. 2005) (holding that unauthorized interception of email violated federal wiretapping law, thus providing support for a reasonable expectation of privacy in e-mail transmissions). The lawyer will need to evaluate carefully the level of confidentiality protection needed for different types of information transmitted via the internet.