Attorneys Have an Obligation to Clean Up Their Act – And Their Media



In a pair of recent ethics opinions, the Florida Bar and Alabama State Bar addressed the sanitization of media containing client information.  Recent news stories exposed how disposed printer hard drives may contain sensitive information, which the owners or lessees failed to destroy before disposing of the printers.  In an effort to minimize the risks to client information, the Florida Bar and Alabama State Bar opinions say that lawyers must take reasonable steps to sanitize data on any storage media.

For a copy of the Florida opinion, click here.  For a copy of the Alabama opinion, click here.

Florida Bar Ethics Opinion 2010-2, issued on September 24, 2010, focused strictly on the issue of client information held on storage media.  The Bar opinion recognized the proliferation of various kinds of devices that hold electronically stored information:  “computers, printers, copiers, scanners, cellular phones, personal digital assistants (‘PDA’s’), flash drives, memory sticks, facsimile machines and other electronic or digital devices.”  These devices may contain hard drives or other data storage media.  Computers, flash drives, and PDAs are pretty obvious sources of electronically stored information.  But some may not be aware that some printers, scanners, and fax machines may contain information that persists after a print, scan, or fax job has been completed.  Failing to sanitize all of these devices’ media before disposal may result in the unauthorized disclosure of client information.

The Florida opinion looked at the attorney’s duty to maintain the confidentiality of client information relating to the attorney’s representation of the client.  Attorneys also have a duty of competence, which includes keeping abreast of changes in technology that may threaten the confidentiality of client information.  Finally, lawyers have a duty to supervise non-lawyers who may have access to or control over client information, such as information technology services providers.  Given all these duties, lawyers have a duty to sanitize their devices containing client information before disposing of them.

Alabama Ethics Opinion 2010-02 handled a wider range of subjects.  The Bar Disciplinary Commission covered a number of topics relating to client files, including “a lawyer’s ethical responsibilities relating to the retention, storage, ownership, production and destruction of client files.”  For instance, the opinion states that an attorney must have a backup of client electronic information in case of information technology failure or a disaster.

The opinion even mentioned attorneys’ use of cloud computing.  It recognized the reality of attorneys’ use of cloud services, but said that lawyers have an ethical obligation to exercise reasonable care to choose appropriate cloud services, ensure that those services reasonably maintain the confidentiality of client information, and remain abreast of the services’ security practices to ensure continued confidentiality of client information.  (Formal Op. 2010-02, at 14-16.)

Like the Florida opinion, the Alabama opinion states that attorneys have an obligation to take reasonable measures to ensure that client files and client confidential information have been erased from discarded electronic devices.  Interestingly, the opinion does not give the usual admonition to delete information securely, an admonition that exists because simple erasure may permit easy recovery of the information with readily available software tools.  Nonetheless, it is implicit in the opinion that the term “erased” means erased so that the information cannot practically be recovered (at least without resort to sophisticated forensic tools).

With these two opinions, the bar seems to be expressing advice that the public has already heard.  We should destroy information on media that we discard.  A failure to do so may lead to unauthorized access to sensitive information. 

Stephen Wu

Partner, Cooke Kobrick & Wu LLP

www.ckwlaw.com

swu@ckwlaw.com
