Lawyers can make their clients’ files available to them on the World Wide Web — but only if they take proper safety precautions, the Ethics Committee of the State Bar of Arizona has concluded.
In a formal written opinion, the panel gave the go-ahead to a lawyer to let clients view and retrieve their own files. Committee members said the plan, as sketched out for them in an inquiry from the attorney, did not run afoul of existing ethics rules about what lawyers must do to safeguard client information.
But the committee cautioned that their approval was based on the kind of security the lawyer promised to set up, both in encrypting the files and taking other methods to preclude unauthorized “hacking.” And the panel also said that the attorney has the obligation to “conduct periodic reviews to ensure that security precautions in place remain reasonable as technology progresses.”
The name of the inquiring attorney was not disclosed, as is the practice with these opinions.
A prior Ethics Committee opinion said it was permissible to store client information electronically on systems which were accessible through the Internet.
What is proposed here, the panel noted, goes a bit farther. But the principles remain the same.
“In satisfying the duty to take reasonable security precautions, lawyers should consider firewalls, password protection schemes, encryption, anti-virus measures, etc.,” the opinion states.
In fact, the committee said, these considerations have become more relevant as more law offices and legal departments of firm convert to “paperless” file storage.
That duty, however, the committee said, does not mean lawyers have to offer an absolute guarantee that a computer system will be invulnerable to unauthorized access. Instead, it concluded lawyers are required to “exercise sound professional judgment” on what steps are necessary to secure against “foreseeable attempts at unauthorized access.”
But the panel said what constitutes that “sound professional judgment” is not necessarily based on a judgment that an attorney would reach about what is and is not secure.
“It is also important that lawyers recognize their own competence limitations regarding computer security measures,” the opinion states.
That requires them to take the necessary time and energy to become competent — or consult available experts in the field.
Looking specifically at this request, the committee said what the attorney here is proposing meets the current state of the art.
First, the lawyer is having the files protected by a Secure Socket Layer server, which encodes documents, making it difficult for third parties to intercept or read them.
Second, the plan is to assign unique randomly generated alpha-numeric names and passwords to each online client folder. And that folder name, even if someone could read it, would contain no information that could identify the client to which it belongs.
Finally, the documents would be converted to Adobe PDF formats and protected with another randomly generated password.
While providing its blessing for what the attorney wants to do now, the panel said that doesn’t mean the precautions being taken will forever be enough.
“As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients documents and information,” the opinion states.