By Larry G. Johnson
A major development in e-discovery is for law firms to let third-party vendors collect and process their clients’ electronically stored information (ESI), then host it online “in the Cloud” so that members of the litigation team, regardless of location, can access the documents for privilege and relevance reviews. While this use of the Internet provides a convenient way to manage and divide labor, if you go that route, have you considered the risks involved in terms of possible ethics violations or potential malpractice claims?
With so many spectacular computer hacks in the news lately (e.g., Target, T-Mobile, federal employees’ data), how do law firms think they can do any better in keeping confidential client information secure when allowing their clients’ data to be hosted online for document reviews?
The Ethics Basics
Before discussing how you can limit your risks in handling and housing your clients’ ESI, let’s look at what the Rules of Professional Conduct expect of you, and where you might even run afoul of a law that, though you may not have fully appreciated it, applies to you as well as your client (e.g., HIPAA, if you have health care industry clients, or FERPA, which covers student records confidentiality for schools/school districts and those who represent them).
The relevant RPCs that apply to online data risks are the following:
RPC 1.1, COMPETENCE: A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
RPC 1.6, CONFIDENTIALITY OF INFORMATION: (a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).
“Competence” as understood in RPC 1.1 includes knowledge about your clients’ computer and information management systems, and that includes a minimum ability to communicate and liaise properly with the IT and records management people. The days of lawyers gleefully proclaiming computer ignorance (“Hey, I can’t even tell you where the F1 key is!”) are over.
If you think you lack the tech savvy to talk intelligently about your clients’ ESI with their employees entrusted with that information, then you need to obtain the services of an expert to do that for you, or who can advise and educate you so you can. If there was ever any doubt about that, it was amply laid to rest in WSBA Advisory Opinion 2215,[1] which directly deals with the “ethical obligations related to the use of online data storage managed by third party vendors to store confidential client documents.”
Here is the meat of Opinion 2215:
A lawyer using [a third party service provider of online data storage] must, however, conduct a due diligence investigation of the provider and its services and cannot rely on lack of technological sophistication to excuse the failure to do so. While some lawyers may be able to do more thorough evaluations of the services available, best practices for a lawyer without advanced technological knowledge could include:
1. Familiarization with the potential risks of online data storage and review of available general audience literature and literature directed at the legal profession, on cloud computing industry standards and desirable features.
2. Evaluation of the provider’s practices, reputation and history.
3. Comparison of provisions in service provider agreements to the extent that the service provider recognizes the lawyer’s duty of confidentiality and agrees to handle the information accordingly.
4. Comparison of provisions in service provider agreements to the extent that the agreement gives the lawyer methods for retrieving the data if the agreement is terminated or the service provider goes out of business.
5. Confirming provisions in the agreement that will give the lawyer prompt notice of any nonauthorized access to the lawyer’s stored data.
6. Ensure secure and tightly controlled access to the storage system maintained by the service provider.