I thought this might be of interest to the list, especially after
yesterday's discussion about how a law firm manages its client files and
what a firm's clients should be concerned about with regard to same ...
___________________________

With Safeguards, Firms May Offer Clients Online File Storage and Retrieval
System
26 Law. Man. Prof. Conduct 11
With reasonable precautions to safeguard security and confidentiality, firms
may use an online file storage and retrieval system that enables clients to
access their files over the internet, the Arizona state bar's ethics
committee advised in December (Arizona State Bar Comm. on the Rules of
Professional Conduct, Op. 09-04, 12/09).

The committee approved a proposed system in which documents would be
converted to password-protected PDF format and stored in folders with
unique, randomly generated alphanumeric names and passwords.

The opinion makes clear, however, that a lawyer who lacks competence in the
field of online computer security must consult someone who does have that
knowledge. The adequacy of the system must also be revisited as technology
evolves, the committee indicated.

Duty of Competence Extends to Computer Security
The inquiring lawyer wanted to offer clients a service that would give them
online access to see their files. The lawyer designed a system with several
levels of security in an effort to maintain the confidentiality and safety
of the files.

The committee pointed out that in Arizona Ethics Op. 05-04 (2005), it
analyzed the ethical implications of storing client information
electronically on systems accessible through the internet and determined
that this method of storage is permissible as long as lawyers and firms
“take competent and reasonable steps to assure that the client's confidences
are not disclosed to third parties through theft or inadvertence.”

Arizona Rule of Professional Conduct ER 1.6, which governs lawyer-client
confidentiality, is the rule primarily applicable to the issue of electronic
client information, the committee said. It zeroed in on Comment [19] to that
rule, which states: “A lawyer must act competently to safeguard information
relating to the representation of a client against inadvertent or
unauthorized disclosure by the lawyer or other persons who are participating
in the representation of the client or who are subject to the lawyer's
supervision.” [Although the committee did not mention it, Comment [16] to
Model Rule 1.6 contains the same language.]

As for what measures are needed to help an attorney maintain client
confidences, the committee harked back to the precautions discussed in
Arizona Ethics Op. 05-04, which advised lawyers to use firewalls, password
protection schemes, encryption, and antivirus measures.

The committee made clear, however, that the duty to take reasonable
precautions does not force a lawyer to guarantee a system's invulnerability
to unauthorized access. Instead, the lawyer is required to exercise sound
professional judgment about the steps needed to secure client confidences
against foreseeable attempts at unauthorized access, the opinion says,
citing New Jersey Ethics Op. 701 (2006) and North Carolina Ethics Op. 2008-5
(2008).

Also, the committee said that lawyers must be aware of the limits of their
knowledge of computer security measures, and either take the time and
trouble to become competent on that subject or consult experts. To evaluate
the reasonableness of online file security precautions, “the lawyer must
have, or consult someone with, competence in the field on online computer
security,” the opinion states.

A lawyer who wants to provide clients with access to online files “must
have, or consult someone with, competence in the field on online computer
security.”

Arizona Ethics Op. 09-04
Emphasizing that technological advances may make protective measures
obsolete over the years, the committee said that whether a particular system
provides reasonable protective measures depends on the technology reasonable
available at the time. Lawyers should periodically review security measures
in place to ensure that those precautions remain reasonable, the opinion
states.

Features of Proposed System
The system proposed by the inquiring lawyer would feature several levels of
security:
• The client files would be accessible only through a Secure Socket Layer
(SSL) server, which by encoding documents makes it difficult for third
parties to intercept or read them.

• The lawyer would assign unique, randomly generated alphanumeric names and
passwords to each online client folder, and the folder name would contain no
information to identify the client and would differ from the password.

• All online client files would be converted to Adobe PDF (Portable Document
Format) files and protected with another randomly generated unique
alphanumeric password.

The committee concluded that the proposed system appears to meet the
requirements of Rule 1.6 and Arizona Ethics Op. 05-04. The SSL server,
multiple layers of password protection, and conversion to PDF format enhance
the security of the proposed system, it found.

Full text at http://www.myazbar.org/Ethics/opinionview.cfm?id=704


-- 
Julie J. Colgan, CRM

[log in to unmask]
http://twitter.com/juliecolgan
http://www.linkedin.com/in/juliecolgan

List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
To unsubscribe from this list, click the below link. If not already present, place UNSUBSCRIBE RECMGMT-L or UNSUB RECMGMT-L in the body of the message.
mailto:[log in to unmask]