The Florida Bar
www.floridabar.org
PROFESSIONAL ETHICS OF THE FLORIDA BAR

OPINION 10-2 PDF document opens in new window
September 24, 2010

A lawyer who chooses to use Devices that contain Storage Media such as printers, copiers, scanners, and facsimile machines must take reasonable steps to ensure that client confidentiality is maintained and that the Device is sanitized before disposition, including: (1) identification of the potential threat to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality; (2) inventory of the Devices that contain Hard Drives or other Storage Media; (3) supervision of nonlawyers to obtain adequate assurances that confidentiality will be maintained; and (4) responsibility for sanitization of the Device by requiring meaningful assurances from the vendor at the intake of the Device and confirmation or certification of the sanitization at the disposition of the Device.


The Professional Ethics Committee has been asked by the Florida Bar Board of Governors to write an opinion addressing the ethical obligations of lawyers regarding information stored on hard drives. An increasing number of devices such as computers, printers, copiers, scanners, cellular phones, personal digital assistants (“PDA’s”), flash drives, memory sticks, facsimile machines and other electronic or digital devices (collectively, “Devices”) now contain hard drives or other data storage media1 (collectively “Hard Drives” or “Storage Media”) that can store information.2 Because many lawyers use these Devices to assist in the practice of law and in doing so intentionally and unintentionally store their clients’ information on these Devices, it is important for lawyers to recognize that the ability of the Devices to store information may present potential ethical problems for lawyers.

For example, when a lawyer copies a document using a photocopier that contains a hard drive, the document is converted into a file that is stored on the copier’s hard drive. This document usually remains on the hard drive until it is overwritten or deleted. The lawyer may choose to later sell the photocopier or return it to a leasing company. Disposal of the device without first removing the information can result in the inadvertent disclosure of confidential information.

Lawyers have an ethical obligation to protect information relating to the representation of a client. Rule 4-1.6(a) of the Rules Regulating the Florida Bar addresses the duty of confidentiality and states:

A lawyer must ensure confidentiality by taking reasonable steps to protect all confidential information under the lawyer’s control. Those reasonable steps include identifying areas where confidential information could be potentially exposed. Rule 4-1.1 addresses a lawyer’s duty of competence:

If a lawyer chooses to use these Devices that contain Storage Media, the lawyer has a duty to keep abreast of changes in technology to the extent that the lawyer can identify potential threats to maintaining confidentiality. The lawyer must learn such details as whether the Device has the ability to store confidential information, whether the information can be accessed by unauthorized parties, and who can potentially have access to the information. The lawyer must also be aware of different environments in which confidential information is exposed such as public copy centers, hotel business centers, and home offices. The lawyer should obtain enough information to know when to seek protection and what Devices must be sanitized, or cleared of all confidential information, before disposal or other disposition. Therefore, the duty of competence extends from the receipt, i.e., when the lawyer obtains control of the Device, through the Device’s life cycle, and until disposition of the Device, including after it leaves the control of the lawyer. Further, while legal matters are beyond the scope of an ethics opinion, a lawyer should be aware that depending on the nature of the information, misuse of these Devices could result in inadvertent violation of state and federal statutes governing the disclosure of sensitive personal information such as medical records, social security numbers, criminal arrest records, etc.
A lawyer’s supervisory responsibility extends not only to the lawyer’s own employees but over entities outside the lawyer’s firm with whom the lawyer contracts to assist in the care and maintenance of the Devices in the lawyer’s control. If a nonlawyer will have access to confidential information, the lawyer must obtain adequate assurances from the nonlawyer that confidentiality of the information will be maintained.

A lawyer has a duty to obtain adequate assurances that the Device has been stripped of all confidential information before disposition of the Device. If a vendor or other service provider is involved in the sanitization of the Device, such as at the termination of a lease agreement or upon sale of the Device, it is not sufficient to merely obtain an agreement that the vendor will sanitize the Device upon sale or turn back of the Device. The lawyer has an affirmative obligation to ascertain that the sanitization has been accomplished, whether by some type of meaningful confirmation, by having the sanitization occur at the lawyer’s office, or by other similar means.

Further, a lawyer should use care when using Devices in public places such as at copy centers, hotel business centers, and outside offices where the lawyer and those under the lawyer’s supervision have little or no control. In such situations, the lawyer should inquire and determine whether use of such Devices would preserve confidentiality under these rules.

In conclusion, when a lawyer chooses to use Devices that contain Storage Media, the lawyer must take reasonable steps to ensure that client confidentiality is maintained and that the Device is sanitized before disposition. These reasonable steps include: (1) identification of the potential threat to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality; (2) inventory of the Devices that contain Hard Drives or other Storage Media; (3) supervision of nonlawyers to obtain adequate assurances that confidentiality will be maintained; and (4) responsibility for sanitization of the Device by requiring meaningful assurances from the vendor at the intake of the Device and confirmation or certification of the sanitization at the disposition of the Device.

_____________________
1. As used in this opinion, Storage Media is any media that stores digital representations of documents.
2. See Brian Smithson, The IEEE 2600 Series: An Introduction to New Security Standards for Hardcopy Devices, ISSA Journal, Nov. 2009, at 28; Holly Herman, Experts Warn Copiers Can Be Fertile Ground for ID Thieves, Reading Eagle (Jun. 2, 2010, 12:28:54 P.M.), http://readingeagle.com/article.aspx?id=222523; Mark Huffman, Digital Copiers Could Be an Identity Theft Threat, ConsumerAffairs.com (May 19, 2010), http://www.consumeraffairs.com/news04/2010/05/digital_copiers.html; Armen Keteyian, Digital Photocopiers Loaded with Secrets, CBSNews.com (April 15, 2010), http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml; Gregg Kelzer, Photocopiers: The Newest ID Theft Threat, Computerworld (March 14, 2007), http://www.computerworld.com/s/article/9013104/Photocopiers_The_newest_ID_theft_threat.

[Revised: 09-24-2014]