In the last few years, an number of ethics opinions concerning information technology are aimed at the increasing entrustment of client data to third partis (viz. so-called “cloud computing”), and are trending along with proposed or enacted data privacy litigation across the country. For example, California’s proposed Formal Opinion 08–0002 requires a lawyer to evaluate information security and finds that “attorneys are faced with an ongoing responsibility of evaluating the level of security of technology that has increasingly become an indispensable tool in the practice of law.” State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. Interim No. 08-0002 (2010) Alabama’s Ethics Committee Opinion 2010–02 requires attorneys to exercise reasonable care against unauthorized access, which includes becoming knowledgeable about a cloud provider’s storage and security. Arizona’s Ethics Opinion 09–04 provides, in pertinent part, that:
[W]hether a particular system provides reasonable protective measures must be informed by the technology reasonably available at the time to secure data against unintentional disclosure. As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information.
It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult experts in the field.
State Bar of Ariz., Ethics Op. 09-04, Confidentiality: Maintaining Client Files; Electronic Storage; Internet (12/2009) (citations and quotations omitted) (citing N.J. Ethics Op. 701).
Likewise, Opinion 842 of the New York State Bar Association requires lawyers to “stay abreast of technological advances,” (New York State Bar, Ass’n Comm. on Prof’l Ethics, Op. 842 (2010) (quoting N.Y. State 782 (2004))), and Minnesota’s Rule 1.6 requires that “[a] lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” Minn. R. Prof’l. Conduct 1.6 cmt. 15 (emphasis added). See also Minn. Lawyers Prof’l Responsibility Bd., Op. No. 22, A Lawyer’s Ethical Obligations Regarding Metadata (2010).
And, earlier this year, the ABA Commission on Ethics 20/20 released it’s a proposal for comment regarding “lawyers’ growing use of technology, especially technology that stores or transmits confidential information.” The commission recommended amendments to Model Rules 1.6 and 5.3, adding a paragraph to the former requiring attorneys to “make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, confidential information, including information in electronic form.” The Commission also is concerned with the inadvertent transmission of information and recommend that lawyers have a duty to notify the sender of both physical and electronic information under certain circumstances.