September 7, 2005
Compliance and Electronic Storage of Client Confidences
ABA Model Rule of Professional Conduct 5.1(a) requires supervisory lawyers to ensure that their
firms or legal departments implement legal ethics compliance measures:
(a) A partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that all lawyers in the firm conform to the Rules of Professional Conduct.
This requirement falls on individual lawyers and cannot be sloughed off on the firm or legal
department. (New York and New Jersey allow discipline of law firms.) Arizona Ethics Opinion
05-04 applies that state's version of Model Rule 5.1(a) (as well as other applicable rules) to a lawyer’s duty to protect client confidences. A lawyer sought guidance on the following situation:
The Inquiring Attorney has sought guidance from the Committee regarding the steps the lawyer’s firm must take to safeguard electronic client information from Internet hacking and viruses. The Inquiring Attorney’s firm has, until recently, kept documents which include confidential client information in electronic form on a computer system which is accessible only from computers within the law firm itself. Although the law firm had access to the internet, that access was through a separate computer system. Neither the computer system on which the client information was stored nor any computer which could access that information was ever connected to the internet.
The Inquiring Attorney’s firm now wishes to change that system and allow attorneys and staff to access the internet through the same computers they use to access the client information. Though the Inquiring Attorney does not specifically state this, it is assumed that firm attorneys and other employees will be able to access the client documents remotely. That is, an attorney or other employee may access this information from a computer outside the physical offices of the firm. Such access would be through the internet.
QUESTION PRESENTED
How do we protect the confidentiality and integrity of client information while continuing to increase reliance on internet for research, filings, communication, and storage of documents?
The reality of modern communication and data storage is that electronic information is vulnerable
to attack, unauthorized access, and destruction, and that many lawyers do not have the
technological knowledge to address those threats. Nonetheless, the Arizona Bar interpreted its
rules to require its lawyers to take adequate precautions and suggested how lawyers might do so:
. . . . A panoply of electronic and other measures are available to assist an attorney in maintaining client confidences. “Firewalls” – electronic devices and programs which prevent unauthorized entry into a computer system from outside that system – are readily available. Recent upgrades in Microsoft operating systems incorporate such software systems automatically. A host of companies, including Microsoft, Symantec, McAfee and many others, provide security software that helps prevent both destructive intrusions (such as viruses and “worms”) and the more malicious intrusions which allow outsiders access to computer files (sometimes called “adware” or “spyware”).
Software systems are also readily available to protect individual electronic files. Passwords can be added to files which prevent viewing of such files unless a password is first known and entered. The files themselves can also be encrypted so that, even if the password protection is compromised, the file cannot be read without knowing the encryption key – something that is extremely difficult to break.
Precisely which of these software and hardware systems should be chosen – and the extent to which they must be employed – is beyond the scope and competence of the Committee. This is the kind of thing each attorney must assess. The expectation of the client that the client’s records and communications will be held in confidence is significant.
As set forth in the Comment to ER 1.6, an attorney must not only take reasonable precautions to protect client confidences, the lawyer must “act competently” in that regard. ER 1.1 requires, in general terms, that a lawyer act competently with regard to client representation. ER 5.1 and 5.3 require that a lawyer manage the lawyer’s firm and assistants in such a way as to be certain that the lawyer’s ethical responsibilities are discharged. Once again, it is the lawyer’s individual responsibility to know when the lawyer can act competently or not.
And the Opinion goes on to address lawyers who might profess technological ignorance:
It is not surprising that few lawyers have the training or experience required to act competently with regard to computer security. Such competence is, however, readily available. Much information can be obtained through the internet by an attorney with sufficient time and energy to research and understand these systems. Alternatively, experts are readily available to assist an attorney in setting up the firm’s computer systems to protect against theft of information and inadvertent disclosure of client confidences.
I find it interesting that the Opinion makes no mention of similar data protection requirements in other industries. This is especially odd given that lawyers routinely advise their clients on compliance with such data retention requirements. Why not put that same advice to work in one's own firm? And for lawyers without familiarity with such regulations, the Opinion could have given further, concrete guidance by pointing the practicing bar to the vast compliance literature that discusses how to design, implement, and test such compliance measures.
September 7, 2005 in Risk Spotlight



