On Nov. 19, 2018, Robert Ambrogi, a lawyer and consultant who writes about the internet and legal technology, published a blog post titled “As Federal Courts Urge Caution On Docket Services, Vendors Respond.”1 The blog published notices from two federal courts that “urged attorneys not to share their CM/ECF (Case Management/Electronic Case Files) credentials with vendors.”2 These courts were concerned about “the possibility of attorneys inadvertently providing vendors or others with access to confidential sealed documents.”3
The next day, Nov. 20, 2018, the U.S. Bankruptcy Court for the Eastern District of Wisconsin issued the following notice:
“The Administrative Office has asked that courts remind CM/ECF filers that sharing CM/ECF filing credentials and PACER account credentials with a third-party service provider or designating that provider as a secondary recipient of a Notice of Electronic Filing or Notice of Docket Activity (NEF/NDA) will give it access to sealed case information and documents in violation of court orders. You are urged to use caution in your computer security practices to ensure that sealed documents to which you have access are not disclosed. Fee exempt users should not share the documents they obtain from PACER under the exemption, unless expressly authorized by the court.”4
This notice raises concerns for lawyers who use third-party service providers in their practices. The language in the notice is unqualified: it states that “sharing … filing credentials with a third-party service provider or designating that provider as a secondary recipient … will give it access to sealed case information and documents in violation of court orders.” In addition, lawyers are “urged to use caution in [their] security practices to ensure that sealed documents to which [they] have access are not disclosed.” Consequently, it is difficult for lawyers to determine which third-party service providers they should avoid.
Consider, for example, a bankruptcy lawyer who uses one third-party software service for compiling and filing bankruptcy cases and another third-party software service for downloading and storing court documents from the electronic case filing system5 and ultimately placing those documents into an electronic storage location. Most software programs that automate the filling of a case or the downloading of electronic court information require access to the lawyer’s CM/ECF credentials. Without the use of these services, the lawyer would be required to manually input information into the appropriate court forms; manually upload each of the forms into the court’s electronic filing system; and, finally, manually download the documents from the court’s electronic case filing system into the lawyer’s case management system.
As this example demonstrates, the use of third-party services has helped lawyers become more efficient in their practices. These types of services can reduce the cost of representation6 and can also increase accuracy. Lawyers’ use of third-party software services, however, is not without restriction: lawyers must comply with the Rules of Professional Conduct (hereinafter the Rules) as well as the rules of the particular tribunal and other lawful obligations.
Compliance with Ethics and Court Rules and Other Obligations
As a general rule, a lawyer may use third-party software services as long as the lawyer uses reasonable efforts to adequately address the associated risks.7 SCR 20:1.1 and SCR 20:1.6, like their Model Rule counterparts, require that lawyers act competently to protect client information and confidentiality and to protect the lawyer’s ability to reliably access and provide relevant client information when needed.8 In addition, SCR 20:5.3, like its Model Rule counterpart, permits a lawyer to use nonlawyers outside the firm to assist the lawyer in rendering legal services if the lawyer makes reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations.9
Other obligations under the Rules may also apply. For example, SCR 20:3.4(c), like its Model Rule counterpart, requires that a lawyer not knowingly disobey an obligation under the rules of a tribunal, except for an open refusal based on an assertion that no valid obligation exists.10
As a general rule, a lawyer may use third-party software services as long as the lawyer uses reasonable efforts to adequately address the associated risks.
The Rules also recognize that lawyers have lawful obligations that exist outside the Rules.11 A lawyer’s obligation to obey law outside the Rules normally supersedes the lawyer’s obligation under the Rules. For example, a lawyer may seek the permission of a court to withdraw from a matter because of a conflict of interest. If the court denies the lawyer’s request, SCR 20:1.16(c), like its Model Rule counterpart, makes plain that the lawyer must continue the representation notwithstanding that the lawyer is now acting under a conflict of interest.12 Similarly, while a lawyer’s use of third-party services may comply with the rules regarding competence, confidentiality, and the use of nonlawyer assistance, the lawyer must determine whether the use of such services complies with other obligations such as rules of the tribunal and court orders.
Issues Related to Rule Compliance
The bankruptcy lawyer in our example uses at least three third-party services: a service for compiling and filing cases, a service for downloading court documents from the electronic case filing system, and a service for document storage. As illustrated by the example, compliance with the notice from the federal courts raises several related questions.
Aviva Meridian Kaiser, Univ. of Buffalo 1979, is ethics counsel with the State Bar of Wisconsin. Ethics question? Call the Ethics Hotline at (608) 229-2017 or (800) 254-9154.
Christopher C. Shattuck, Univ. of La Verne College of Law 2009, M.B.A. U.W.-Oshkosh 2015, is manager of Practice411™, the State Bar’s law practice assistance program. Questions about the business aspects of your practice, call (800) 957-4670.
First, although the notice cautions lawyers against providing their login and filing credentials to third-party service providers, it also instructs lawyers “to use caution in your computer security practices to ensure that sealed documents to which you have access are not disclosed.” From this language, it is unclear whether a lawyer’s use of a third-party case-management service or cloud-based file storage system to manage and store documents would constitute “access” and “disclosure,” even though the lawyer’s login and filing credentials are not provided to the service.
Second, it is unclear how the term “disclosed” is to be defined. While the term “disclosed” can be read to encompass all third-party service providers without exception and regardless of the security precautions taken by the providers, it also can be read less expansively. The term “disclosed” can be interpreted as excluding documents that are encrypted because they are incapable of being read. For example, Wisconsin’s breach-notification statute excludes from the definition of “personal information” any information that is “encrypted, redacted or altered in a manner that renders it unreadable.”13 Similarly, the term “access” can be interpreted to either include or exclude documents that are encrypted.
Third, it is unclear how lawyers are to decide at the outset of representation whether they are prohibited from using the third-party services that they have incorporated into their practices to improve efficiency.14 In most instances when a lawyer agrees to represent a client, the lawyer cannot predict whether the court will order any documents sealed.
Fourth, the Rules do not require lawyers to guarantee that a breach of confidentiality cannot occur when using a third-party service provider. Moreover, lawyers are not required to use only infallibly secure methods of communication. Lawyers are, however, required to use reasonable efforts to protect information relating to the representation of their clients from unauthorized disclosure, regardless of the medium used.15 To be reasonable, those efforts must be commensurate with the risks presented, and one of the risks is the sensitivity of the information. It is unclear from the notice whether lawyers are prohibited from using third-party services unless the lawyers can guarantee that there will be no access to, or disclosure of, sealed documents. Such a guarantee, of course, is not possible. Even Pacer has vulnerabilities.16
Finally, it may be difficult to identify or limit the entities that might have access to sealed documents. Consider the different technologies that are involved with filing a sealed document with the court and then providing the filed, signed, and sealed order to the affected parties. Likely, the document will be emailed; will reside on case-management systems, desktops, or servers; will exist on electronic storage devices maintained by clients or other interested parties; and will be backed up to off-site storage devices.
Third-party service providers who are responsible for the communication, case management, or storage of documents must have security precautions in place to prevent the unauthorized access to and disclosure of information. The providers must also have precautions in place, such as redundant storage, to prevent the loss of documents. These precautions, although included in the terms of service agreements, may not provide specific information, such as the specific locations of the servers located in the United States.
Ethics Opinions Regarding Unauthorized Information Disclosure
The possibility of unauthorized or inadvertent disclosure of client information is not a new one. In February 2006, the State Bar of Nevada Standing Committee on Ethics and Professional Responsibility issued Formal Opinion No. 33.17 The opinion concluded that “[i]f the lawyer acts competently and reasonably to ensure the confidentiality of the information, then he or she does not violate [the Rules] simply by contracting with a third party to store the information, even if an unauthorized or inadvertent disclosure should occur.”
Since then, the American Bar Association and at least 19 other state bar associations, including the State Bar of Wisconsin,18 have issued opinions echoing this conclusion. Many states have also amended their rules of professional conduct to require that lawyers “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”19
Lawyers can request the courts to modify order language to allow for the permissible use of third-party service providers.
Although there have been formal opinions from the ABA and other state bar associations, courts are not bound by those opinions. Instead, those opinions serve as advisory opinions that a judge may consider when determining whether to impose sanctions or refer a lawyer for discipline. It is possible that a lawyer could comply with a state’s rules of professional conduct regarding the use of third-party service providers and yet fail to comply with the notice from the Administrative Office and the rules of the federal courts.
Ways Lawyers Can Comply with Notice
Although the questions posed remain largely unanswered, lawyers can, however, take a few precautions to help ensure their compliance with the notice. First, lawyers can request courts to modify case-specific order language to allow for the permissible use of third-party service providers.
Second, lawyers who use these third-party service providers should carefully read the terms of service and research the provider’s qualifications, reputation, and longevity. Lawyers have an obligation to be knowledgeable enough about how these services work so that they can determine whether the services’ security precautions are commensurate with the risk.
Third, lawyers can petition for a clarification of the local court rules regarding CM/ECF credentials or electronic systems that may have access to sealed case information. Absent clarification, lawyers may continue to be uncertain about which systems they can use or what consequences they may face.
Conclusion
The bankruptcy lawyer example showcases the tension between protecting client information and using technology to increase efficiency. The example also illustrates the difficulty in complying with the rules of various jurisdictions when those rules may conflict. As discussion continues regarding the challenges presented in this article, we welcome your feedback and suggestions.
Endnotes
1 https://tinyurl.com/y5d7wfg9.
2 Id.
3 Id.
4 Issued by Janet L. Medlock, Clerk, U.S. Bankruptcy Court for the Eastern District of Wisconsin, on the Bankruptcy Insolvency and Creditors’ Right Section electronic list.
5 Some services also integrate with case management systems or cloud-based file hosting systems.
6 SCR 20:1.5, like its ABA Model Rule counterpart, requires that fees be reasonable.
7 Wis. Formal Ethics Op. EF-15-01 (as amended in Sept. 2017).
8 Id.
9 ABA Comment [3] following SCR 20:5.3 provides some of the examples, which include “hiring a document management company to create and maintain a database for complex litigation” and “using an Internet-based service to store client information.”
10 For example, a lawyer who is admitted to practice in the state of Wisconsin and before the U.S. District Court for the Eastern District of Wisconsin is, when practicing in the Eastern District, subject to discipline pursuant to General Local Rule 83(d)(1), which states, “[a]ttorneys practicing before this Court are subject to the Wisconsin Rules of Professional Conduct for Attorneys, as such may be adopted from time to time by the Wisconsin Supreme Court and except as may be modified by this Court.” If that same attorney were practicing in the U.S. Bankruptcy Court for the Eastern District of Wisconsin, Local Rule 9029(f) would apply. That rule states, “[a]ttorneys practicing before this court are subject to the Wisconsin Rules of Professional Conduct for Attorneys, as such may be adopted from time to time by the Wisconsin Supreme Court and except as may be modified by this court.” Local Rule 9029(a) also states, “[u]nless otherwise directed by the court or these Local Rules, the Local Rules of the United States District Court for the Eastern District of Wisconsin do not apply to cases or proceedings in the bankruptcy court.”
See also Wis. Memo. Ethics Op. EM-18-01, which discusses the ethical obligations of a defense attorney when a local court rule requires the attorney to file a motion to withdraw at the pretrial hearing if the lawyer has not been in communication with the client.
11 Id.; Preamble and Scope [15] to the Wisconsin Rules of Professional Conduct.
12 Wis. Memo. Ethics Op. EM-18-01.
13 Wis. Stat. § 134.98(1)(b).
14 Lawyers are often faced with deciding the appropriate level of automation worthy of investment. The market helps shape this decision. As the use of automation grows, lawyers cannot afford to charge market rate prices and, at the same time, complete certain tasks manually.
15 Wis. Formal Ethics Op. EF-15-01 (as amended Sept. 2017).
16 For example, an article on the Ars Technica website, “‘Pretty Egregious’ Security Flaw Raises Questions About Pacer,” discussed security concerns. Even today, Pacer sites receive a C grade from SSL Labs, a service from security firm Qualys that rates the strength of a site’s transport layer security protections. See https://tinyurl.com/y5zrpnbk.
17 http://ftp.documation.com/references/ABA10a/PDfs/3_12.pdf.
18 Wis. Formal Ethics Op. EF-15-01 (as amended Sept. 2017).
19 E.g., SCR 20:1.6(d); ABA Model Rule 1.6(c).