- New York Bar Allows Online Storage of Confidential Client Information With Third Parties
- November 10, 2010
- Law Firm: Hinshaw Culbertson LLP - Chicago Office
A lawyer may store confidential client information online with third parties, provided that he or she stays abreast of relevant changes in the law and technology, and ensures that the third party storage provider also stays abreast of changes in technology.
The New York State Bar Committee on Professional Ethics opined that lawyers may store confidential client information online with third parties so long as certain precautions are taken. Those precautions include taking measures to protect confidentiality and staying abreast of changes in both technology and relevant law.
Although lawyers need not guarantee that information is secure from unauthorized access, they must exercise reasonable care to prevent such access; this requirement applies to the supervision of third parties. The Committee noted that “reasonable care” may include:
- Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process requiring the production of client information;
- Investigating the online data storage provider’s security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances;
- Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored; and/or
- Investigating the storage provider’s ability to purge and wipe any copies of the data, and to move the data to a different host, if the lawyer becomes dissatisfied with the storage provider or for other reasons changes storage providers.
The Committee noted that changes in technology could require lawyers to reassess some of these criteria periodically. It also stated that attorneys should monitor the law relevant to online storage systems to ensure, inter alia, that the use of certain technology does not waive an otherwise applicable privilege.
In the event that a lawyer learns of a security breach of online information, the Committee noted, he or she must investigate whether any client confidences have been revealed, notify any affected clients, and stop using the online storage service until he or she is assured that any security issues have been fixed.
Significance of Opinion
This opinion is consistent with the majority of jurisdictions which have addressed this specific issue. Further, the practical implications of this opinion are notable because online storage with third parties is beneficial in terms of both freeing up storage space within the firm and providing a backup in case something happens to the firm’s own information system. But with these benefits comes the added burden of overseeing a third party.