By Pat Murphy
A recent Florida Bar opinion advising that lawyers have an ethical duty to sanitize their storage devices has put a spotlight on how attorneys handle their discarded equipment.
Ethics Opinion 10-2 states that attorneys who use electronic devices, including iPhones, Blackberrys, flash drives, laptops and copiers, that store documents “must take reasonable steps” to ensure that client confidentiality is maintained when disposing of such devices.
The opinion states that reasonable security precautions include obtaining “meaningful assurances” from vendors that discarded or leased machinery has been wiped clean of sensitive records.
While a duty to maintain client confidences is implicit in the Rules of Professional Responsibility, the opinion creates an explicit requirement with the potential for liability, said Michael Downey, a partner at Armstrong Teasdale in St. Louis, Mo.
“Lawyers need to understand where they are putting information, assess what the risks are of that location, and consider whether or not it is appropriate to put the information there,” Downey said.
For example, putting a presentation given in a public forum on an unencrypted flash drive is probably acceptable, he said. But putting client information such as medical records, intellectual property or trade secrets on a similar device would be bad idea.
Sharon Nelson, president of Sensei Enterprises, Inc., a computer forensics and legal tech company based in Fairfax, Va., said the Florida opinion serves as an educational tool for attorneys unaware of the need to sanitize their storage devices.
“It makes sense to make [the requirement] explicit, because scads of lawyers just don’t get it,” she said. “Lawyers need to be more careful of the security risks of public places and not cleaning their … devices.”
The opinion defines storage media as “any media that stores digital representations of documents,” including computers, printers, copiers, scanners, cellular phones, PDA’s, flash drives, memory sticks and fax machines.
Attorneys must affirmatively ascertain that devices like a leased copier have been stripped of all confidential information, “whether by some type of meaningful confirmation, by having the sanitization occur at the lawyer’s office, or by other similar means.”
Further, lawyers who use devices in public places – including offices of opposing counsel, cyber cafés or hotel business centers – should “inquire and determine whether use of such devices would preserve confidentiality.”
The ethics opinion was approved by the Florida Bar’s Professional Ethics Committee and became effective after review by the organization’s board of governors, explained Elizabeth Clark Tarbert, the association’s ethics counsel.
While some had expressed concern that the opinion would set unrealistic requirements, Tarbert said the committee didn’t receive any feedback at all from the state’s lawyers when the opinion was made available for public comment.
“The fact that the opinion didn’t receive any comment indicates that lawyers generally didn’t disagree with it,” she said.
Downey noted that the American Bar Association’s Ethics 20/20 Commission is considering a rule change that would address this issue. A proposal dated Sept. 19, 2011 would add a §1.6(c) to the Model Rules and require lawyers to “make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.”