A Nevada-based financial services company has retained a law firm in connection with litigation pending in New York State that arose out of the company’s alleged breach of a consumer protection statute. Given that the litigation will involve the review and production of sensitive electronically stored information (ESI) relating to the company’s customers, the company has asked the law firm how it intends to securely collect, review and produce ESI and has inquired about the firm’s technological competence with respect to electronic discovery.
New York County Lawyers Association Ethics Opinion on ESI
The questions from the company are timely: a recent opinion issued by the New York County Lawyers Association’s (NYCLA) Committee on Professional Ethics provides guidance on the ethical duties lawyers must meet with respect to protecting a client’s confidential information that is stored and transmitted electronically, as well as in the context of conducting e-discovery. The opinion indicates that a lawyer practicing in New York owes his or her clients a duty of competence that “expands as technological developments become integrated into the practice of law,” and recognizes that the question of whether a lawyer satisfies his or her duty of technological competence depends on the particular circumstances of the representation.
Technological Competence and the Protection of Confidential Information
Drawing on prior opinions of both the New York State Bar Association and NYCLA, as well as the New York Rules of Professional Conduct, the NYCLA opinion observes that a lawyer’s duty to protect client confidences and secrets extends not only to electronic communications with clients but also to confidential information that is stored and transmitted electronically. The opinion indicates that a lawyer must use reasonable care when transmitting information electronically to ensure that client confidences and secrets are maintained. Lawyers must understand the risks associated with the use of technology, including the threat of cyber attacks and inadvertent disclosures, and determine whether the use of such technology to store or transmit client confidences is prudent under the circumstances. The opinion also cautions that, to the extent that they represent clients outside of New York State, lawyers may be subject to the data protection laws of other states. Given these concerns, the opinion observes that lawyers must either personally possess, or associate with persons who possess, sufficient understanding of the technology at issue “to determine how to satisfy the lawyer’s duty of reasonable care.” The opinion indicates that whether the duty of reasonable care has been satisfied depends on circumstances such as “the subject matter, the sensitivity of the information, the likelihood that the information is sought by others, and the potential harm from disclosure.”
Building on the principles laid out in the NYCLA opinion, lawyers can take several steps to ensure that their use of technology to communicate with clients and to store confidential information is consistent with the lawyer’s duty of technological competence:
- Gain a sufficient understanding of relevant technologies (email, cloud storage, flash drives, etc.), either through education or association with others, to adequately weigh the risks and benefits associated with the use of such technologies
- Encrypt mobile communication and storage devices, especially when these devices leave the physical confines of the law firm
- Communicate with clients, vendors, co-counsel and employees through secure electronic means
- Research and comply with laws governing protection of personal data in the jurisdictions where the lawyer practices, as well as where his or her clients conduct business
- Whether required in their jurisdiction or not, seek out continuing legal education on subjects relevant to technology and the practice of law
- Educate employees and outside vendors on cybersecurity risks and best practices for maintaining client confidences
Technological Competence and Electronic Discovery
The NYCLA opinion also recognizes that e-discovery has become a significant part of most litigation, as well as government and regulatory investigations. Noting that federal and state rules govern a lawyer’s obligations with respect to ESI, the opinion goes on to provide concrete guidance on steps that lawyers can take to meet their duty of competence as it pertains to e-discovery:
- Continually assess the lawyer’s own e-discovery skills and resources and determine whether the lawyer must either acquire additional skills and resources or associate with e-discovery experts or other lawyers who possess the required skills and resources
- Conduct an early assessment of ESI issues that are likely to arise during the course of discovery, including issues relating to the preservation, collection and production of ESI
- Identify custodians of ESI and preserve and collect ESI in a manner that allows the lawyer to search for responsive ESI throughout the course of discovery
- Gain a thorough understanding of the client’s systems for creating and storing ESI
- Advise clients of their options for preserving, collecting and producing ESI and their associated costs
- Supervise employees and outside vendors to ensure that work is done properly and in accordance with all relevant laws, rules and court orders
As the storage and transmission of sensitive information increasingly occur by electronic means, lawyers must take steps to ensure that they continue to meet their duty to protect the confidences and secrets contained in ESI. Lawyers must also gain an understanding of the unique challenges posed by e-discovery and provide competent advice to clients concerning the preservation, collection and production of ESI.