On December 10, the Florida Bar Board of Governors issued final approval to Ethics Advisory Opinion 10-2, which speaks to a lawyer’s ethical duty to sanitize storage media that may contain client data. The Opinion, available on the Florida Bar Association’s website, is an extension of existing rules that reinforce the premise that lawyers have an ethical obligation “to protect information relating to the representation of a client.” It states that a lawyer who uses a device with “storage media” within it (such as printers, copiers, scanners, and fax machines) must take “reasonable steps to ensure that client confidentiality is maintained and that the Device is sanitized before disposition.”
This Advisory Opinion was written in response to a request from the Florida Bar Board of Governors to address the ethical obligations of attorneys regarding client data stored on hard drives. The Opinion acknowledges the increasing number of devices that now contain hard drives (or similar storage media) that can store client information. Further, the Opinion addresses the often unintentional storage of client data by attorneys due to a lack of awareness related to the behind-the-curtain machinations of such devices.
The Opinion states that is is important for lawyers to “recognize that the ability of the Devices to store information may present potential ethical problems for lawyers.” It goes on to prescribe a series of steps that attorneys must follow to ensure that inadvertent disclosure of confidential information, including: (1) identification of the potential threat to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality; (2) inventory of the Devices that contain Hard Drives or other Storage Media; (3) supervision of nonlawyers to obtain adequate assurances that confidentiality will be maintained; and (4) responsibility for sanitization of the Device by requiring meaningful assurances from the vendor at the intake of the Device and confirmation or certification of the sanitization at the disposition of the Device.
Interestingly, the confidentiality and competence rules upon which this Opinion 10-2 is based applies to all information relating to the representation of a given client, whether provided to counsel in confidence or not. Put differently, an attorney may not disclose such information except as permitted or required under the professional conduct rules or by law.
This raises non-trivial considerations for counsel throughout their representation of a client. In effect, attorneys must keep current with changes in technology to the extent that such changes may impinge upon client confidences.
It will be interesting indeed to see where these new duties lead. It raises a host of questions about the storage and disclosure of not only client information but other forms of sensitive data (e.g., medical records, personally identifiable information, social security numbers). Likewise, the Opinion directly implicates the lawyer’s duty to supervise others (including non-lawyers) in the protection of confidentiality. Undoubtedly, this will present unique challenges for both corporate counsel and their external counsel, as technology will continue to evolve at a rapid pace, and with it the speed and portability of potentially sensitive data.
On August 5, 2010, the Governor of Massachusetts signed into law an amendment to the Massachusetts personnel records statute (q.v., Chapter 149, §52C). This amendment creates a duty to employers to notify an employee whenever his or her personnel record is updated with anything that can “negatively affect the employee’s qualification for employment, promotion, transfer, or additional compensation or the possibility that the employee will be subject to disciplinary action.”
Forensic Update 