A law firm may provide a third-party software vendor with access to confidential client information stored on the firm’s computer system for the purpose of allowing the vendor to support and maintain a computer software application utilized by the law firm. The law firm’s clients are deemed to have “impliedly authorized” the firm to make their confidential information accessible to the vendor pursuant to Rule 1.6(a) in order to permit the firm to provide representation to its clients. However, the law firm must “make reasonable efforts to ensure” that the conduct of the software vendor (or any other independent service provider that the firm utilizes) “is compatible with the professional obligations of the lawyer[s],” including the obligation to protect confidential client information reflected in Rule 1.6(a). The fact that the vendor will provide technical support and updates for its product remotely via the Internet does not alter the Committee’s opinion.
Facts: The offices of Law Firm A employ a networked computer system on which the firm stores various types of confidential information belonging to its numerous clients, including privileged correspondence, private financial data, and legal memoranda. Law Firm A’s computer system runs a wide array of software applications, including an integrated document management application, which we shall refer to as “Lots-O-Docs,” that was created specifically for the legal profession by a third-party software vendor. Technical support and updates for Lots-O-Docs are provided by the vendor remotely over the Internet. The vendor has requested authorization to periodically access Law Firm A’s computer system, including the firm’s servers and document database, as necessary to support and maintain the Lots-O-Docs software application. Granting the vendor’s request means that the vendor unavoidably will have access to some or all of the confidential client information stored on Law Firm A’s computer system. Law Firm A has not sought or obtained approval from its clients to make their confidential information available to its software vendors. The issue arises whether Law Firm A can give the vendor of Lots-O-Docs the access that it seeks consistent with the firm’s ethical obligation to preserve the confidences of its clients.
Discussion: A lawyer’s core ethical obligation to protect confidential client information is set forth in Rule 1.6(a) of the Massachusetts Rules of Professional Conduct, which states, in relevant part, that,
[a] lawyer shall not reveal confidential information relating to representation of a client unless the client consents after consultation, except for disclosures that are impliedly authorized in order to carry out the representation….
Given that Law Firm A’s clients have not explicitly authorized the firm to make their confidential information available to the firm’s software vendors, the ethical analysis turns on whether it is reasonable to conclude that the firm’s clients have “impliedly authorized” the firm to make such a disclosure to the vendor of Lots-O-Docs for purposes of Rule 1.6(a). Assistance in answering that question can be found in subsections (b) and (c) of Rule 5.3, which state that, “[w]ith respect to a nonlawyer employed or retained by or associated with a lawyer,”
(b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer; and
Massachusetts Bar Association Committee on Professional Ethics 149
2005 Opinions continued
(c) a lawyer shall be responsible for conduct of such a person that would be a violation of the Rules of Professional Conduct if engaged in by a lawyer if:
(1) the lawyer orders or, with the knowledge of the specific conduct, ratifies the conduct involved; or
(2) the lawyer is a partner in the law firm in which the person is employed, or has direct supervisory authority over the person, and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.
Rule 5.3 of the current Massachusetts Rules of Professional Conduct, which became effective as a whole January 1, 1998, has no direct parallel in the prior Disciplinary Rules. DR 4-101(D), however, addressed some of the relevant ethical obligations now encompassed by Rule 5.3. It said, in relevant part, that,
[a] lawyer shall exercise reasonable care to prevent his employees, associates or others whose services are utilized by him from disclosing or using confidences or secrets of a client….
In its Opinion No. 89-3, the Committee on Professional Ethics interpreted DR 4-101(D) as permitting a lawyer to disclose confidential client information to an independent billing service to the extent necessary to allow the billing service to send an invoice to the client for legal services that the lawyer had rendered. The Committee explained its reasoning as follows:
The phrase “others whose services are utilized by him” simply assumes that lawyers will of necessity use non-employee personnel in the ordinary course of representing clients and running their offices and does not impose any requirement of consent in advance. We see no reason why such a requirement should be read in. Secretaries, telephone operators, computer operators, copy machine operators, printers, bookkeepers, accounting personnel and those who prepare, send and collect bills are some of the personnel whom lawyers may use on a regular basis who have access to varying amounts of confidences or secrets. Some of those personnel (e.g., secretaries) will have more access and some (e.g., bill preparers) will have less.
It is well known among the general population that some of those personnel may be used on a temporary or ad hoc basis and therefore will not be regular employees of the lawyer. In appropriate cases, use of such personnel can result in greater efficiency for the lawyer and cost savings for the client. It makes little sense to us to require that every time a secretarial service supplies a “temporary,” the lawyer must obtain the consent of each client on whose matter that temporary may work and, hence, obtain some confidential information.
In analyzing Law Firm A’s dilemma under Rules 1.6(a) and 5.3 of the current Rules of Professional Conduct, the Committee perceives no significant difference between the role of an independent billing service and that of a third party software vendor. We believe that it is “well known among the general population” that computer systems are an integral and essential tool of the modern-day legal profession, and that those computer systems, and the software that they operate, must be made available to technicians and other trained support personnel more often than we desire for the purpose of keeping them running. It would be impractical and unrealistic to expect a lawyer to delete or “scrub” all confidential client information from his or her computer before allowing it to be serviced. Indeed, in circumstances where the system has failed unexpectedly and completely, it may be physically impossible for the lawyer to do so.
It is worth emphasizing, however, that these practical considerations do not relieve Law Firm A and its lawyers of their duty under Rule 5.3(b) to “make reasonable efforts to ensure” that the conduct of the vendor of Lots-O-Docs (or, indeed, any independent service provider that the firm utilizes) “is compatible with the professional obligations of the lawyer[s],” including the obligation to protect confidential client information reflected in Rule 1.6(a). The Committee believes that, in the circumstances described in this opinion, “reasonable efforts” on the part of Law Firm A could include, among other things, (a) notifying the vendor of the confidential nature of the information stored on the firm’s servers and in its document database; (b) examining the vendor’s existing policies and procedures with respect to the handling of confidential information; (c) obtaining written assurance from the vendor that confidential client information on the firm’s computer system will be utilized solely for technical support purposes and will be accessed only on an “as needed” basis; (d) obtaining written assurance from the vendor that the confidentiality of all client information will be respected and preserved by the vendor and its employees; and (e) drafting and agreeing upon additional procedures for protecting any particularly sensitive client information that may reside on the firm’s computer system, to the extent necessary.
Finally, the fact that the vendor will provide technical support and updates for its Lots-O-Docs product remotely via the Internet does not change the Committee’s opinion. We previously concluded in Opinion No. 2000-01 that communicating confidential client information over the Internet by means of unencrypted e-mail does not violate Rule 1.6(a) in ordinary circumstances. The Committee reached that conclusion primarily because it believes that lawyers and other Internet users typically have a reasonable expectation that such communications will remain legally and effectively private. See, e.g., 18 U.S.C.A. 2510, et seq. (the “Electronic Communications Privacy Act”). We see no reason to treat confidential information that is accessed or transmitted for technical support purposes differently. Again, the lawyers who comprise Law Firm A remain obligated to make “reasonable efforts” to maintain client confidentiality in such circumstances, including the use of standard protective systems (e.g., a computer firewall and/or password protection) to help ensure that all communications and client data remain secure.
This opinion was approved for publication by the Massachusetts Bar Association’s House of Delegates on March 3, 2005.