Technology and the Challenge of Maintaining Client Confidences
LACBA Update, October 2005
By Joel A. Osman, member, LACBA Professional Responsibility and Ethics Committee. Osman is a senior partner in Anderson, McPharlin & Conners, LLP, where his practice focuses primarily on the defense of legal malpractice cases. The opinions expressed are his own.
The California Constitution declares that we all have a right to privacy.1 Even with this constitutional protection, privacy as a practical matter is getting harder to maintain in the modern world. Every time you use a credit/debit card, drive your OnStar-equipped car, use a cell phone, or go online you may be enabling a further diminishing of your privacy. The technology that allows us to live and work more safely and efficiently also contributes to the overall erosion of privacy in our society.
This phenomenon is of particular import to lawyers. Maintaining client confidences is a cornerstone of the legal profession. Lawyers are required to protect their clients’ confidential information. See Rule of Professional Conduct 3-100.2 Failure to protect client confidences can expose lawyers to discipline or, worse, to malpractice claims. Thus, lawyers find themselves on the horns of a dilemma: They need to employ ever more sophisticated technology to boost efficiency and remain competitive; however, this need must be balanced by the continuing need to make sure that no new techno-toy—that is to say, tool—results in an inadvertent leak of confidential client information.
The ethical and risk management challenges posed by technology are the proper subject of a considerable treatise, which this is not. Neither is this a discussion of the when and how an inadvertent disclosure of client confidences might expose one to discipline and/or liability. Protecting clients’ confidential information is a worthy goal unto itself: What follows is a list of challenges that technology might pose for attorneys in this regard. It does not purport to be comprehensive, and anyone who spends two nanoseconds thinking about this subject will no doubt come up with issues not addressed herein. Nor does this article propose anything close to a comprehensive solution to this issue. Rather, this is an issue spotter, intended to provoke an increased awareness of problem areas that all practitioners must confront.
Mobile phones. The blessing and bane of modern existence, the cell phone allows practitioners to conduct business wherever they might be. But the careful practitioner must always remember a basic fact: A cell phone is a radio. It works by receiving and transmitting signals through open airwaves where they can be captured by anybody with enough incentive to try to do so.
Granted, most conversations are not as interesting as the terms of endearment that passed between the Prince of Wales and his then-lover, now-wife, but political, industrial, and probably legal espionage can and do occur.3 Given this risk, however slight, perhaps it would be better to discuss the details of a client’s multibillion-dollar M&A deal on a landline.
Just because it is possible to conduct telephonic business in an airport waiting room or at the deli counter of the local market does not mean that it is a good idea to do so. The question of appropriate mobile phone etiquette is one on which society as a whole needs to work; the necessity of maintaining client confidences makes the issue of immediate concern to lawyers.
One need not be the victim of electronic eavesdropping to disclose client confidences; speaking too loudly where conversations can be overheard can result in the same thing. This problem is likely to get worse, as the FAA and the FCC currently review proposals to allow cell phone use in flight. Won’t that be fun?
WiFi, wireless Internet, and Bluetooth. WiFi, cellular modems, and Bluetooth are all variations on the “It’s a radio” theme. Each of these technologies allows greater mobility and freedom from wires at the potential expense of decreased privacy.4
As with cell phones, e-mail, and other forms of mass communication, the sheer numbers of such communications and the presumed lack of a sufficient incentive to capture any one communication are the biggest factors protecting privacy.
But consider this: What makes your home or office WiFi network so convenient is the fact that it broadcasts a signal that allows you to move about within your home or office. At a minimum, this signal should be protected by appropriate security settings on the router and a firewall. It must be clearly understood, though, that given sufficient incentive, even these efforts at securing these communications can be overcome. Ask the National Security Agency or the more active paparazzi.
E-mail. The Internet, over which millions of confidential communications pass each day, can be compared to a big, old-fashioned, open telephone exchange.
The technology for encrypting e-mail traffic exists but requires planning as typically the sender and receiver have to share the same software to encrypt and decrypt messages.
This in turn requires the careful attorney to constantly balance the inconvenience and expense of employing such technology against the perceived risk that someone might have sufficient incentive and techno-savvy to intercept confidential communications.5
A less technological but even more pernicious danger arises from e-mail: Beware the difference between the Reply and Reply-to-All buttons. Choosing the wrong one can and does frequently result in inadvertent disclosure of the current response and all prior responses that form a part of a particular e-mail string.
Another danger arises from the increasingly common practice of transmitting documents electronically as attachments to e-mail. This is an enormously complicated can of worms. (See sidebar at the end of this article, "What is Metadata and Why Should You be Afraid of It?")
Disposal of old computers and storage media. Where do old computer hard drives and other storage media go when they are put out to pasture? Perhaps they are donated to a school, or perhaps they are simply thrown out. In either case, unless particular care is taken, they may unintentionally carry with them client confidences.
Many unsophisticated computer users tend to assume that Delete and Erase mean the same thing. This is not the case. When a computer file is deleted, the disc address for that file is deleted, but the file remains on the disk until it is overwritten or reformatted. Thus, no drives or media should be disposed of without steps being taken to insure that the data they once contained cannot be recovered by the next person to use them.
Maintaining client confidences is one of the oldest and most basic duties of an attorney. Cases arising out of new technologies, either in the context of attorney discipline or malpractice, are unlikely to bring forth new concepts in law; it has long been understood that either intentional or inadvertent disclosures of client confidences are to be avoided. The challenge for the careful practitioner is simply to recognize the myriad of new and different ways that using new technologies could give rise to such an inadvertent disclosure.
1 ARTICLE 1. DECLARATION OF RIGHTS
SECTION 1. All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.
2 Rule 3-100. Confidential Information of a Client
(A) A member shall not reveal information protected from disclosure by Business and Professions Code section 6068, subdivision (e)(1) without the informed consent of the client, or as provided in paragraph (B) of this rule....
3 August 25, 1992: The Sun newspaper prints transcript of a phone call monitored in December 1989 between Princess Diana and a man who affectionately calls her “Squidgy.” See www.foxnews.com/story/0,2933,146984,00.html.
4 The relative ease with which such communications can be intercepted is a popular topic. See, for example, the December 2004 issue of Wired magazine, which included an article by Annelee Newitz titled “They’ve Got Your Number....”
5 There is a debate ongoing among legal ethics experts over whether lawyers are ethically required to employ encryption to protect client confidences. An August 11, 2005 en banc decision of the First Circuit of the U.S. Court of Appeals adds fuel to this debate. The opinion in United States v. Councilman, 2005 WL 1907528 (1st Cir. Aug. 11, 2005), holds that interception of e-mail while on its way to the recipient violated the Electronic Communications Privacy Act. This may lend strength to the position of those who believe that attorneys may use e-mail without encryption.
What is Metadata and Why Should You be Afraid of It?
Many documents created on a computer contain far more data than visible text. Depending on the software used to create it, a document may invisibly store its entire history including (but not limited to) the time it took to create, author information, portions pasted from other documents, markups, and revision history. This hidden information is called metadata. Metadata remains invisible when a document is printed. If, on the other hand, the documents is transferred electronically either by copying to storage media or as an attachment to e-mail, its metadata goes with it. This information can be viewed by any recipient with the knowledge and inclination to do so. This is of great concern as the history of a document could directly or inferentially disclose information protected by either the attorney-client or work product privileges.
To date, one state bar association determined that it is unethical to examine information contained in metadata (N.Y. State Bar Assn. Op. 749 (Dec. 14, 2001)). Even if other jurisdictions follow suit, it could be argued that it would be unduly optimistic to rely on an opponent’s ethics to protect privileged information. Thus, the question comes down to this: What can be done to avoid this problem now that it has been recognized? There are a number of possible solutions ranging from a technophobic (and probably impractical) refusal to share any document electronically at one end of the spectrum to the employment of sophisticated (and expensive) metadata-scrubbing software at the other. Although a complete review of available options cannot be accomplished here, it is clear, having recognized a problem exists, that steps should be taken to address the problem. Keep in mind, though, that whatever solution a lawyer chooses, the solution will be only as good as the lawyer’s conscientious determination to use it consistently. —J.A.O.