As data sharing platforms like NetDocuments, Clio, ShareFile and Dropbox are increasingly being used by attorneys for client data collection, transfer, and storage, law firms should set compliant firm policies, vet data management software, and advise on privacy frameworks to ensure their lawyers are not breaking legal ethics rules.
One of the biggest considerations with using technology to manage client data is client confidentiality and privacy, especially in light of the increase in data breaches and cyberattacks that all businesses face as hacking technology improves. Rule 1.6 of the California Rules of Professional Conduct (CRPC) states that a lawyer shall not reveal information protected from disclosure by Business and Professions Code section 6068(e)(1) unless the client gives informed consent or the disclosure is necessary to prevent a criminal act.
The State Bar of California Committee on Professional Responsibility and Conduct (COPRAC) has issued an opinion stating that lawyers have an ethical obligation with respect to unauthorized access by third persons to electronically stored confidential client data to take reasonable steps to secure their electronic systems to minimize the risk of unauthorized access. (See FORMAL OPINION NO. 2020-203.)[1] For lawyers to meet the threshold requirement for Professional Responsibility Rules regarding competence, they must have a basic understanding of the “benefits and risks associated with relevant technology.” (Cal. State Bar Formal Opn. No. 2015-193; see also Comment [1] to CRPC 1.1)[2] A lawyer’s duty of competence is nondelegable to a nonlawyer, even when the client employs an expert in any of the processes.[3] Therefore, every attorney should personally ensure that shared client information is not disclosed to any third party, in any format, without the client’s consent.
With so many software companies peddling the ease and efficiency of using online cloud-based tools for sharing client files, increasing database storage, and improving file transfer capabilities, lawyers have a duty to ensure that they are not sacrificing client confidentiality for convenience. One solution is to attend virtual or self-guided training for the software being used. Most technology sharing companies offer free training on their own websites so that every attorney who uses a data sharing platform can develop a basic understanding of how that tool encrypts its data and protects it during transfer to reduce the risk of client data vulnerabilities.
Other important considerations for partners and supervising attorneys are the duty to supervise and the duty to take reasonable efforts to ensure that the firm has measures for lawyers and nonlawyer assistants to meet the ethical obligations when it comes to protecting client data. (See CRPC 5.1, 5.2 and 5.3.) One way attorneys can increase their overall understanding of privacy and data sharing is to attend online training on regulatory Data Privacy Frameworks such as that offered by TrustArc or VeraSafe. A Data Privacy Framework is a structured set of guidelines, principles, and practices that organizations use to manage and protect personal client data.
Law firms should develop thorough privacy policies with input from an experienced IT professional to ensure that any client data flow complies with professional rule requirements and privacy obligations to reduce the risk of a cyber-attack or data breach. In addition, firms should train their attorneys on their own Data Privacy Framework to help organize and educate their attorneys on the various laws and regulations regarding the sharing and use of confidential client information, such as those found in the National Institute of Standards and Technology (NIST), General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA). These Privacy Frameworks can help a firm resolve privacy concerns by providing guidelines on how to protect client information flowing through complex systems.
While firm-wide training can be a great resource, it does not eliminate the need for each attorney to be responsible for understanding the technology tools he or she uses and protecting their own clients’ privacy. CRPC 1.6 holds each attorney accountable for keeping client information confidential. Thus, a firm can be useful in educating, setting policies, and training attorneys on how certain technology works, but each individual attorney is ultimately responsible for taking all reasonable steps to prevent any unauthorized disclosure. COPRAC recommends as a best practice that lawyers obtain help from appropriate technology experts on assessing risks with respect to each type of electronic device or system they utilize. Lawyers should monitor the technology and office resources connected to the internet, become informed about any external data sources or external vendors providing services relating to data, and then take reasonable informed steps to prevent data breaches which potentially can harm the client.
[1] (See also: COPRAC Opinion Number 2005-168–Does a lawyer who provides electronic means on his website for visitors to submit legal questions owe a duty of confidentiality to visitors?) See also ABA Formal Opinion 512 which provides guidance on the issues of competency, confidentiality, and fees.
[2] COPRAC recognizes that while lawyers are not required to become technology experts and master the complexities and deficiencies of the security features of each technology available, lawyers owe clients a duty to have a basic understanding of the protections afforded by the technology used in their practice. If a lawyer lacks the necessary competence to assess the security of the technology, the lawyer must seek additional information, or consult with someone who possesses the necessary knowledge, such as an information technology consultant. (Cal. State Bar Formal Opn. Nos. 2012-184, 2010-179.)
[3] See ABA article entitled, “Ethical Obligations to Protect Client Data when Building Artificial Intelligence Tools: Wigmore Meets AI” https://www.americanbar.org/groups/professional_responsibility/publications/professional_lawyer/27/1/ethical-obligations-protect-client-data-when-building-artificial-intelligence-tools-wigmore-meets-ai/