Data Center Advisors

Before anyone comments on the “ethics for lawyers” in the title, I understand that some lawyers may be a bit challenged in this regard…but that’s a topic for another day.

Humor aside, I’ve been tracking the legal community since the December 2006 changes to the Federal Rules of Civil Procedure (FRCP), which introduced language about electronically stored information (ESI) among other things. These rule changes have sent a bit of a shock wave through the legal community as lawyers and judges come to grips with things like digital evidence and electronic discovery with a backdrop of serious sanctions for mismanagement and/or inappropriate actions.

To add to the digital buzz, the CBS Evening News ran an investigative report entitled “Photocopier Fallout: Company Notifies 409,000 of Data Breach” on April 19, 2010. In a nutshell, this piece highlighted the fact that many hardcopy devices (especially copiers) have internal storage media that could retain copies of anything that had been presented to the device, and further, some of this information could be very sensitive and subject to privacy protection. To demonstrate the point, CBS acquired several used copiers and then analyzed the contents of the internal hard disk drives. They hit pay dirt.

So what does this have to do with ethics? It seems that the CBS News piece hit a nerve with the leadership of at least two state bar associations, Florida and Texas. At the risk of over-simplifying their roles, many state bar associations are responsible for regulating lawyers in their jurisdictions, including both licensing as well as sanctioning lawyers for ethics violations. A lawyer’s failure to protect client confidentiality is potentially such an ethics violation, so data breaches involving client information tend to get a lot of attention.

Given this background, I had a recent opportunity to work with the Professional Ethics Committee (PEC) of the Florida Bar while they were drafting a proposed advisory opinion (PAO) addressing the ethical obligations of lawyers regarding information stored on hard drives. Even though this activity was in response to the original CBS News report associated with copier-based data breaches, the PEC had the foresight to broaden its focus and include devices such as computers, printers, copiers, scanners, cellular phones, personal digital assistants, flash drives, memory sticks, facsimile machines and other electronic or digital devices that contain hard drives or other data storage media that can store information.

The draft PAO highlighted the need for proper sanitization and disposal to avoid data breaches as well as emphasizing the ethical obligations under the duty of confidentiality and duty to supervise (i.e., the motivation for action). It also offered a set of reasonable steps that a lawyer must take, including: (1) identification of the potential threat to confidentiality along with the development and implementation of policies to address the potential threat to confidentiality; (2) inventory of the Devices that contain Hard Drives or other Storage Media; (3) supervision of non-lawyers to obtain adequate assurances that confidentiality will be maintained; and (4) responsibility for sanitization of the Device by requiring meaningful assurances from the vendor at the intake of the Device and confirmation or certification of the sanitization at the disposition of the Device.

I must say that I find the efforts of Professional Ethics Committee of the Florida Bar commendable as well as being applicable to just about anyone who is handling sensitive information. Bravo.