Ethics Corner Article

Dear Ethics Committee:

I utilize accountants and IT providers in my firm. Accountants help manage firm finances and ensure IOLTA compliance, and IT providers help maintain our computer and communication systems. To perform their work, these consultants have access to confidential and privileged client information. Are any ethics rules implicated by my use of such consultants and are there things I should do to protect client information?

Law firms and lawyers often depend upon outside computer and electronic communication systems to perform their daily functions. These systems may require the services of outside professionals, such as vendors and contractors, to ensure they maintain client files, communicate effectively with clients, staff, courts, and other attorneys, and perform numerous other important tasks.  Similarly, lawyers may utilize the services of accountants to help manage the law firm’s finances and help the lawyer comply with IOLTA accounting requirements. The use of outside vendor/contractors implicates Rules 1.6 and 5.3 of the New Hampshire Rules of Professional Conduct which will be discussed below.

The Committee published an Opinion in 2013 on The Use of Cloud Computing in the Practice of Law, 2012-13/04. The reader may find it helpful to review that Opinion in conjunction with this article because it addresses analogous issues of the attorney’s responsibility to exercise due diligence with respect to the confidentiality of client information.

Analysis of the Relevant Rules

New Hampshire Rules of Professional Conduct 1.6: Duty of Confidentiality

Generally, “a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is permitted by paragraph (b) [of this Rule].” Rule 1.6(a). The New Hampshire Rules of Professional Conduct define the term ”Informed consent” as  “the agreement by a person to a proposed course of conduct after the lawyer has communicated adequate information and explanation about the material risks of and reasonably available alternatives to the proposed course of conduct.” N.H. R. Prof. Conduct 1.0(e).

Rule 1.6(c) requires that lawyers make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of the client.

Pursuant to Comment 18 to Rule 1.6, a lawyer must “act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. [Referencing Rules 1.1, 5.1 and 5.3.]” See Comment 18 to N.H. R. Prof. Conduct 1.6.

The Comments to the Rule clarify when a lawyer has done enough to protect electronic data. Lawyers do not need to take special security measures to protect electronic data communications if the method of communication “affords a reasonable expectation of privacy.” See Comment 19 to N.H. R. Prof. Conduct 1.6.

“Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this rule.” Id.

New Hampshire Rules of Professional Conduct 5.3: Responsibilities Regarding Nonlawyer Assistance

Service providers who provide accounting services, data security software, technical support, and, in some cases, offsite data management services, are generally non-lawyers who are being given access to confidential client information outside the lawyer’s direct control and supervision. Lawyers must take “reasonable precautions” to ensure that non-lawyer providers have taken reasonable measures to safeguard the confidentiality of client information, and that non-lawyers are adequately apprised of the lawyer’s confidentiality obligations. See N.H. R. Prof. Conduct 5.3.

Partners, attorneys with comparable managerial authority within the law firm, and any attorneys directly overseeing the non-lawyer employees or contractors are charged with making “reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the non-lawyer’s conduct is compatible with the professional obligations of the lawyer.” See N.H. R. Prof. Conduct 5.3(a) and (b).

These supervisor or managerial lawyers are responsible for the conduct of the non-lawyer outside professional if: “(1) the lawyer orders or, with the knowledge of the specific conduct, ratifies the conduct involved; or (2) the lawyer is a partner or has comparable managerial authority in the law firm in which the person is employed, or has direct supervisory authority over the person, and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.” N.H. R. Prof. Conduct 5.3(c).

Comment 3 to Rule 5.3 provides that a lawyer may use nonlawyer consultants outside the firm to assist the lawyer in rendering legal services to the client. This may include investigative or paraprofessional services, hiring a document management company, and sending documents to a third party for copying or scanning. The lawyer must take reasonable steps to ensure that the services are provided in a manner consistent with the lawyer’s obligations to the client. The extent of those steps depends upon the nature of the services provided and the terms of any arrangements between the attorney and the outside provider, among other factors. The lawyer must also provide directions appropriate under the circumstances to give reasonable assurance the outside provider’s services are compatible with the lawyer’s obligations.

Practice Tips and Suggestions

Ensure that the outside vendors/contractors understand your duty of confidentiality.

Under Rule 5.3(b) a lawyer’s ethical obligation requires that the lawyer adequately explain their professional duty of confidentiality and ensure that the contractor or IT employee understands the attorney’s obligation. Although not required, most ethics authorities recommend some type of written acknowledgement that the contractor understands the confidential nature of the materials and agrees to protect the information from disclosure. (See, e.g. ABA Formal Ethics Opinion 08-451 (2008) and Michigan Informal Ethics Opinion RI-328 (2002)). In some jurisdictions, the written acknowledgement must constitute an enforceable agreement. See New Jersey Ethics Opinion 701 (2006). This acknowledgement should be included in the contract between the law firm and the vendor/contractor or in a separate written acknowledgment that is executed contemporaneously with that contract. If not made contemporaneously, this contract should be made at least before any confidential information is provided to the employee or contractor.

Understand the law firm’s rights and the provider’s obligation under the vendor service agreement.

In the event a law firm hires a contractor to manage or have access to portions of its electronic data, the responsible attorney must read and understand the agreement governing the vendor/contractor’s services. Particularly, focusing on how the service provider will use and protect the data prior to giving the service provider access to confidential client information.

The agreement should appropriately address the following issues:

  • The vendor/contractor should have a confidentiality agreement that binds the professional and any other employees or agents of the professional who will have access to client information. The duty of confidentiality should mirror the attorney’s duty.
  • The agreement should make clear that in the event that the relationship between the law firm and the vendor/contractor terminates for any reason, or the vendor/contractor goes out of business, then the data that it has maintained will be returned to the law firm and when receipt of this information is confirmed, the outside vendor/contractor l will destroy its copy.
  • Related, the agreement should require that the vendor notify the law firm as soon as possible in the event of a subpoena so that the law firm can take all appropriate measures to protect this information.

Conclusion

Generally, the consensus seems to be that using outside professional services is permissible, however lawyers should proceed with caution because they have an ethical duty to protect sensitive client data. In order to meet the minimum ethical requirements attorneys must: (1) include terms in any agreement with the vendor/contractor that require the vendor/contractor to preserve the confidentiality and security of the data, and (2) be knowledgeable about how vendor/contractors will handle the data entrusted to them. An attorney cannot blindly trust an outside vendor/contractor with client information and must exercise some control and require that the outside vendor/contractor observe certain precautions and put in place security safeguards. The client should be notified generally about the use of such services, and steps taken by the attorney/firm to protect confidentiality of client data. This information should be included in the client retainer agreement. The attorney/law firm should also be careful to scrutinize and demand necessary amendments to vendor/contractor agreements where needed to protect client data.

This Ethics Corner Article was submitted for publication review to the NHBA Board of Governors at its October 19, 2023, Meeting. The Ethics Committee provides general guidance on the New Hampshire Rules of Professional Conduct and publishes brief commentaries in the Bar News and other NHBA media outlets. New Hampshire lawyers may contact the Committee for confidential and informal guidance on their own prospective conduct or to suggest topics for Ethics Corner commentaries by emailing the Ethics Committee Staff Liaison.