Formal Opinion No. 2010-179
California Ethics Opinions
ISSUE: Does an attorney violate the duties of confidentiality and competence he or she owes to a client by using technology to transmit or store confidential client information when the technology may be susceptible to unauthorized access by third parties?
THE STATE BAR OF CALIFORNIA STANDING COMMITTEE ON PROFESSIONAL RESPONSIBILITY AND CONDUCT
DIGEST: Whether an attorney violates his or her duties of confidentiality and competence when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding such use. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications.
INTERPRETED: Rules 3-100 and 3-110 of the California Rules of Professional Conduct.
Business and Professions Code section 6068, subdivision (e)(1).
Evidence Code sections 917(a) and 952.
STATEMENT OF FACTS
Attorney is an associate at a law firm that provides a laptop computer for his use on client and firm matters and which includes software necessary to his practice. As the firm informed Attorney when it hired him, the computer is subject to the law firm’s access as a matter of course for routine maintenance and also for monitoring to ensure that the computer and software are not used in violation of the law firm’s computer and Internet-use policy. Unauthorized access by employees or unauthorized use of the data obtained during the course of such maintenance or monitoring is expressly prohibited. Attorney’s supervisor is also permitted access to Attorney’s computer to review the substance of his work and related communications.
Client has asked for Attorney’s advice on a matter. Attorney takes his laptop computer to the local coffee shop and accesses a public wireless Internet connection to conduct legal research on the matter and email Client. He also takes the laptop computer home to conduct the research and email Client from his personal wireless system.
Due to the ever-evolving nature of technology and its integration in virtually every aspect of our daily lives, attorneys are faced with an ongoing responsibility of evaluating the level of security of technology that has increasingly become an indispensable tool in the practice of law. The Committee’s own research – including conferring with computer security experts – causes it to understand that, without appropriate safeguards (such as firewalls, secure username/password combinations, and encryption), data transmitted wirelessly can be intercepted and read with increasing ease. Unfortunately, guidance to attorneys in this area has not kept pace with technology. Rather than engage in a technology-by-technology analysis, which would likely become obsolete shortly, this opinion sets forth the general analysis that an attorney should undertake when considering use of a particular form of technology.
1. The Duty of Confidentiality
In California, attorneys have an express duty “[t]o maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client.” (Bus. & Prof. Code, § 6068, subd. (e)(1).) This duty arises from the relationship of trust between an attorney and a client and, absent the informed consent of the client to reveal such information, the duty of confidentiality has very few exceptions. (Rules Prof. Conduct, rule 3-100 & discussion [“[A] member may not reveal such information except with the consent of the client or as authorized or required by the State Bar Act, these rules, or other law.”].)
Unlike Rule 1.6 of the Model Rules of Professional Conduct (“MRPC”), the exceptions to the duty of confidentiality under rule 3-100 do not expressly include disclosure “impliedly authorized in order to carry out the representation.” (MRPC, Rule 1.6.) Nevertheless, the absence of such language in the California Rules of Professional Conduct does not prohibit an attorney from using postal or courier services, telephone lines, or other modes of communication beyond face-to-face meetings, in order to effectively carry out the representation. There is a distinction between actually disclosing confidential information to a third party for purposes ancillary to the representation,  on the one hand, and using appropriately secure technology provided by a third party as a method of communicating with the client or researching a client’s matter, on the other hand.
Section 952 of the California Evidence Code, defining “confidential communication between client and lawyer” for purposes of application of the attorney-client privilege, includes disclosure of information to third persons “to whom disclosure is reasonably necessary for the transmission of the information or the accomplishment of the purpose for which the lawyer is consulted.” (Evid. Code, § 952.) While the duty to protect confidential client information is broader in scope than the attorney-client privilege (Discussion  to rule 3-100; Goldstein v. Lees (1975) 46 Cal.App.3d 614, 621, fn. 5 [120 Cal.Rptr. 253]), the underlying principle remains the same, namely, that transmission of information through a third party reasonably necessary for purposes of the representation should not be deemed to have destroyed the confidentiality of the information. (See Cal. State Bar Formal Opn. No. 2003-161 [repeating the Committee’s prior observation “that the duty of confidentiality and the evidentiary privilege share the same basic policy foundation: to encourage clients to disclose all possibly pertinent information to their attorneys so that the attorneys may effectively represent the clients’ interests.”].) Pertinent here, the manner in which an attorney acts to safeguard confidential client information is governed by the duty of competence, and determining whether a third party has the ability to access and use confidential client information in a manner that is unauthorized by the client is a subject that must be considered in conjunction with that duty.
2. The Duty of Competence
Rule 3-110(A) prohibits the intentional, reckless or...