Maintaining client confidentiality when working from home during the COVID-19 pandemic

With the onset of the COVID-19 virus, many attorneys find themselves working from home in adherence to stay-at-home orders and recommendations.  But, using portable storage drives or emailing documents between one’s work computer and home laptop is burdensome and a little archaic, considering the plethora of cloud-based software and storage services readily available.  Dropbox, Microsoft OneDrive, iCloud, Google Docs, Clio, Practice Panther, and MyCase are all examples of web-based software services or solutions that can increase productivity and facilitate a lawyer’s ability to seamlessly access client files from anywhere in the world, including while working from home.

Depending on the service chosen, these web-based solutions process and store information on remote servers rather than on an attorney’s local server or hard-drive, thus taking it out of the attorney’s direct control.  This begs the question on each attorney’s mind:  am I violating attorney-client privilege and my duty of confidentiality by permitting third-party access to client documents and information?

Nevada’s Standing Committee for Ethics and Professional Responsibility addressed this very question in 2006, when it issued its opinion on whether an attorney could store electronically formatted client information with a third-party outside of the attorney’s direct control. (Opinion 33, Feb. 9, 2006).  The Opinion concluded that so long as the attorney acts competently and reasonably safeguards the information from inadvertent and unauthorized disclosure, an attorney may, without client consent, store client files in an electronic format or on a server or device that is not exclusively within the attorney’s control.

The Opinion recommends the attorney (1) ensure the third-party contractor can be reasonably relied upon to keep the information confidential, and (2) instruct and require that the third-party keep the information confidential and inaccessible to others.  The attorney should also have a reasonable expectation that the information will be kept confidential.  This is directly in line with an attorney’s obligations pursuant to Nevada Rules of Professional Conduct 5.3 to ensure that when a non-lawyer is “employed or retained by or associated with” a lawyer, the lawyer will ensure that the non-lawyer’s conduct is “compatible with the professional obligations of the lawyer.”

Given the rising frequency in data breaches, ransomware, and malware, however, there is an understandable hesitation by the legal profession to adopt cloud-based services.  In fact, pursuant to the recent ABA TechReport 2019 Cloud Computing survey, only 58% of law firms answered “yes” as to whether they used web-based services, up only 3% from the previous year.  Solo practitioners and small firms led the way in using cloud-based services.

Just because a breach occurs, however, does not automatically mean that the lawyer may be subject to professional discipline.  Nevada Ethics Opinion No. 33 addresses this exact situation by analogizing it to a law firm storing physical files at a third-party warehouse that is then broken into by a disgruntled employee or a burglar.  The Opinion provides that such a situation does not necessarily result in a violation of an attorney’s ethical obligations so long as the attorney undertook the appropriate steps to maintain the confidentiality of the information in the warehouse.  Such is the same with using web-based storage or software services.

The ABA Standing Committee for Ethics and Professional Responsibility has also recently weighed in on the use of web-based services with Formal Opinion 477r (2017).  This opinion analyzes several Model Rules applicable to maintaining client confidentiality in the digital age.  The ABA Opinion explains that Comment [3] to Model Rule 5.3 (lawyer supervision over non-lawyers) was added to address outsourcing to third-party vendors, including “using an Internet-based service to store client information.”  Comment [3] provides that the “reasonable efforts” required by Model Rule 5.3 to ensure that the non-lawyer’s services are provided in a manner that is compatible with the lawyer’s professional obligations “will depend upon the circumstances.”

However, the ABA Opinion provides multiple suggestions an attorney can take when assessing whether to use a web-based service when transmitting or storing client information.  Those suggestions include reviewing:

    1. reference checks and vendor credentials,
    2. vendor’s hiring practices,
    3. use of confidentiality agreements,
    4. vendor’s conflicts check system to screen for adversity, and
    5. the availability and accessibility of a legal forum for legal relief for violations of the vendor agreement.

Finally, to fulfill his or her ethical obligations, an attorney should communicate to the third-party provider “directions appropriate under the circumstances to give reasonable assurance that the non-lawyer’s conduct is compatible with the professional obligations of the lawyer.” ABA Opinion, p. 10.

In sum, web-based software and solutions can provide a seamless way for attorneys to maintain productivity and assist their clients during the COVID-19 pandemic while they work from home.  However, attorneys must also take steps to ensure that client information stored and transmitted via the web-based service has a reasonable expectation that it will be kept confidential and that the third-party will abide by attorney ethical rules to maintain that confidentiality.

At Lemons, Grundy & Eisenberg, we are serious about client confidentiality, cyber security, and ethics.  You are welcome to call us if you have legal questions on these topics.