As a lawyer, you have an ethical duty to ensure that your clients’ electronic information. What steps are reasonable to protect data and documents in your firm?

By Wells H. Anderson

As a lawyer, you have an ethical duty to ensure that your clients’ electronic information is not lost, destroyed, or disclosed inadvertently. Some states have ethical opinions specifically addressing electronic information. In other states, the existing rules and opinions applicable to paper documents logically extend to electronic documents.

You do not need an ethics board to tell you that you should protect your clients’ confidential materials from destruction and disclosure. But it is all too easy to become complacent. Focusing on your ethical duties regarding electronic information may motivate you to make some changes to protect your clients, your practice, and your professional status.

Duty to Back Up Clients’ Data

You have a duty to take reasonable steps to protect the electronic information of your clients. The American Bar Association’s Model Rule of Professional Conduct 1.15 obligates you to ensure that client property is appropriately safeguarded. This duty has been interpreted to extend not only to client funds and personal property but also to papers and the client’s file itself (see Florida Bar Ethics Committee Opinion 63-3). It also has been extended to a client’s electronic information (see Arizona Opinion 05-04).

What steps are reasonable to protect your data and documents? They are not spelled out precisely by opinions interpreting the ethical rules. The existing opinions indicate that the materials you need to back up include electronic communications, financial data, and documents that you have generated or received in the course of representing your clients. But they do not specify particular backup methods.

Duty to Maintain Off–Site Backups

In my opinion you have an obligation to maintain secure off-site backups of your clients’ electronic data and documents as one of your “reasonable steps” to protect your clients and your practice. This opinion, from a lawyer and consultant who has used and studied backup devices and services since the 1970s, is based on the opinions interpreting the Rules of Professional Conduct and on the development that backing up computers to off-site locations has become the norm in the legal profession as well as the business world.

Offices that have gone mostly or completely paperless are not the current norm, so you are not obligated to scan all of your clients’ paper materials into electronic files and back them up. But as part of your “reasonable steps,” you must protect all of the important electronic materials that are important to your representation of your clients.

In your office, your data, backup disks, tapes, and papers are exposed to destruction and loss from a long list of threats: building fires, theft, floods, tornados, hurricanes, and earthquakes, among others. Despite your appreciation of these threats, no precautions can guarantee they will not destroy everything in your office. Therefore, off-site backups are critical to protect your practice and your clients’ information.

Electronic off-site backups make practical sense, too. Compared to making and transporting paper client file materials, it is far less costly and time consuming to back up and transfer electronic information off-site. Electronic backups reduce both the hard and soft costs of retrieving and storing information and protecting it from destruction and improper access.

Problems with Traditional Off–Site Backup

Tape backup systems have long been the most popular method for maintaining off-site backups. You can meet your ethical duties by regularly creating, rotating off-site, and testing backup tapes; however, tape backup systems have significant disadvantages.

Information on backup tapes is vulnerable to undetected mechanical defects in backup units and to deterioration and defects in the tapes. Compatible backup units and software may be difficult to obtain or unavailable in the event of an emergency that destroys the original unit. The time-consuming nature of performing test restores from backup tapes means that these vital verification procedures are performed infrequently or not at all.

My colleagues in the field of legal technology consulting and I have sad stories to tell about law firms that discovered to their horror that their backup tapes were bad or badly out-of-date. The most significant limitation of backup tape systems is their repeated exposure to human errors and oversights. Tapes must be manually ejected, reloaded, and rotated physically off-site. Too often these mundane operations are performed erratically or improperly.

Backing up to external hard drives suffers from most of the disadvantages of tape cartridges. A hard drive typically has a useful life of three years and is susceptible to damage from shock, dust, water, and other environmental factors. Most drives are not designed to be archived and left in a powered-off state for long periods of time. And again, rotating these backup volumes leaves too much room for human errors and oversights.

The problems with traditional off-site backup methods do not make them worthless. Keep using them if you have them in place and add an online system to provide superior backup protection.

Why Online Backups?

A number of lawyers have said: “I wouldn’t trust my confidential data to the Internet!” That fear may be natural, but it is not well-founded. The right online backup services give lawyers much more safety and security than traditional backup systems.

Today’s encryption technology affords complete confidentiality to information transmitted across the Internet. Strong encryption methods have been exposed to the brightest minds and the best hackers since 1993, yet they have not been broken.

The science of encryption has advanced to the point where it has become usable, affordable, and unbreakable. Using a modern computer that processes 400,000 12-character passwords per second, it would take 42 billion years to break Blowfish strong encryption. Even though computer processing power continues to double every 18 months, the mathematics of encryption science proves that strong encryption will remain safe far into the future.

When competently designed and implemented, online backup systems have compelling advantages. Only online backup systems deliver these crucial protections:

• Automatic operation, eliminating reliance on manual rotation by people
• Unattended electronic transfer to off-site locations
• Efficient creation of redundant backups in different locations
• Option for continuous, 24/7 backup of new information
• Fast, secure access to any backed–up file
• Instant capability to perform selective test restores

Rotating tape or hard drive backups cannot deliver the peace of mind you get from online systems. You can select and remotely access any backed-up document in a full-featured online backup system. Performing that test shows you immediately that your backup system really is working.

Your Specific Backup System Duties

What are your specific obligations regarding backup systems?

A firm acts within the ethical rules if it subscribes to an online backup service provided it ensures that the security of the data transmission and storage is adequate for the sensitivity of the records (Opinion 99-03, Ethics Committee, ND, www.sband.org/data/ethics/99-03.pdf).

According to the ABA’s Model Rule on Financial Recordkeeping (www.abanet.org/cpr/clientpro/fpreface.html ), “If trust records are computerized, a system of regular and frequent (preferably daily) back-up procedures is essential.” Many states have followed the Model Rule, for example, Minnesota: “Electronic records should be regularly backed up by an appropriate storage device” (Maintenance of Books and Records, Appendix 1, Minnesota Rules of Profession Conduct).

Either you must competently set up and run a reasonable backup system or you must hire a competent vendor to do so. Arizona Ethics Opinion 05-04 states that, consistent with the attorney’s duty to prevent the loss or destruction of a client’s electronic information, an attorney must either be competent to evaluate the threat to client electronic files and deploy appropriate computer hardware and software, or retain an expert consultant who has that competence. Presumably your use of a reputable online backup company would satisfy your duty to take reasonable protective steps.

The bargain-priced, consumer-oriented online backup companies do not measure up. They have standard terms of service that disclaim any responsibility for the security of their services. You should select a vendor that either allows you to keep the only password to your encrypted data or a vendor that will make a written commitment to keep your information confidential. Many online backup companies do not give you the exclusive option to keep the only password. They can access your data either with your password or with a “back door” to your data. If your vendor retains the ability to access your clients’ confidential data, you have added duties. You must:

• Inform the vendor of your obligation to protect the confidentiality of the data
• Ensure that the vendor has an enforceable obligation to preserve the confidentiality and security of the confidential information (New Jersey Opinion 701)

Duties Regarding Remote Access Services

When communicating with clients, attorneys have an ethical duty to protect their confidential communications from disclosure to others. Virtual meeting services allow attorneys to confer with clients by telephone while sharing control of the same computer screen. When using these services, attorneys must take reasonable steps to prevent the interception of confidential information.

Although there does not appear to be an ethics opinion directly addressing the issue, Massachusetts Opinion 05-04 supports this duty. It states: “A law firm may provide a third-party software vendor with access to confidential client information stored on the firm’s computer system. . . .” The opinion requires that the firm make “reasonable efforts” to ensure that any independent service provider protect confidential information.

Current encryption technology can be used to secure remote access sessions. For example, two popular remote access services illustrate the kinds of features and protections that are important for attorneys.

GoToMyPC (www.gotomypc.com) from Citrix Online is best known as a service that enables you to access your unattended computer while you are out of the office, but it may also be used for a virtual meeting with one client. GoToMeeting (www.gotomeeting.com ), also from Citrix Online, allows you to share your screen with up to 15 other people. Each of these services encrypts the streams of information exchanged between the participating computers using end-to-end 128-bit AES encryption, the standard selected by the National Institute of Standards and Technology and used by the U.S. government to protect sensitive information.

Although unencrypted information transferred across the Internet is inherently insecure, end-to-end encryption keeps the transfer stream secure from the moment it leaves one computer until it arrives at another. Not all vendors provide this level of protection, so make sure you use a service that uses both strong encryption—128-bit AES or better—and end-to-end encryption.

Based on advances in ease of use and security, virtual meetings are well worth the small effort and cost to set them up. Using a remote access or virtual meeting service, attorneys and clients can make changes to documents and immediately see the results. Diagrams, charts, spreadsheets, and photographs can all be shared, changed, and discussed together. Travel time and the associated unproductive expenses are eliminated.

Action Steps

Safeguarding your clients’ electronic information is your ethical duty—and with the tools available today, it’s not that hard to do. Just remember the following key points: Back up your electronic client information and vital law practice data using an automatic, encrypted online backup service; choose an online backup service that gives you exclusive access to your files or a written assurance of confidentiality; periodically check your backups by restoring files from them; and, finally, use remote access and virtual meeting services that provide end-to-end strong encryption.

Additional Resources

“GoToMeeting Security White Paper.” Citrix Online (January 31, 2008): www2.gotomeeting.com/default/downloads/pdf/p/GoToMeeting_Security_White_Paper.pdf

“GoToMyPC Corporate Security White Paper: Discover the Secret to Secure Remote Access.” Citrix Online (December 2006): http://whitepapers.techrepublic.com/abstract.aspx?docid=328040

Hartley, Joe, and Wells Anderson. “Avert Disaster: Protect Your Practice with Online Backups.” Law Practice Today (October 2005): www.abanet.org/lpm/lpt/articles/tch10051.html

Heels, Erik J. “FYI: The Ethics of Online Backup Systems.” ABA Legal Technology Resource Center: www.abanet.org/tech/ltrc/fyidocs/OBSethicsfyi.html

Petro, Nerino, Jr. “The Ethical Implications of Online Software.” GPSolo, 25:4 (June 2008): 30-33, www.abanet.org/genpractice/magazine/2008/jun/onlinesoftware.html

Wells H. Anderson, J.D., consults with solos and firms throughout North America via remote access and telephone to implement practice management software. His company, Active Online Inc. (www.activeonlineinc.com) provides an online backup service designed for attorneys. He may be reached at info@activepractice.com.