Ethics Opinion 1240
Topic: Duty to protect client information stored on a lawyer’s smartphone
Digest: If “contacts” on a lawyer’s smartphone include any client whose identity or other information is confidential under Rule 1.6, then the lawyer may not consent to share contacts with a smartphone app unless the lawyer concludes that no human being will view that confidential information, and that the information will not be sold or transferred to additional third parties, without the client’s consent.
- When the inquiring lawyer downloads or accesses an app on his smartphone, the lawyer is sometimes asked whether the lawyer gives consent for that app to access the lawyer’s “contacts” on the smartphone. The lawyer’s contacts include clients in criminal representations.
- May a lawyer consent for an app to access contacts on the lawyer’s smartphone that include the lawyer’s current, former or prospective clients?
- Rule 1.6(c) of the New York Rules of Professional Conduct (the “Rules”) requires a lawyer to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure or use of, or unauthorized access to” the confidential information of current, former and prospective clients. Rule 1.6(a), in turn, provides that confidential information “consists of information gained during or relating to the representation of a client, whatever its source, that is (a) protected by the attorney- client privilege, (b) likely to be embarrassing or detrimental to the client if disclosed, or (c) information that the client has requested be kept confidential.”
- Rule 1.6(c) has been interpreted to require a lawyer to take reasonable care to protect clients’ confidential information when carrying electronic devices containing such information across the border (see N.Y. City 2017-5 (2017)), when using an online storage provider to store clients’ confidential information (see N.Y. State 842 (2010)), and when sending emails containing confidential information (see N.Y. State 709 (1998)).
- In N.Y. State 820 (2008), we applied this general principle to a lawyer’s use of an e-mail service provider that scans e-mails for keywords and sends or displays targeted computer- generated advertisements to the lawyer using the service based on the words in the e-mail communications. We concluded that using such a service is permissible if “[u]nder the particular e-mail provider’s published privacy policies, no individuals other than e-mail senders and recipients read the e-mail messages, are otherwise privy to their content or receive targeted advertisements from the service provider.” We reasoned: “Merely scanning the content of e-mails by computer to generate computer advertising . . . does not pose a threat to client confidentiality, because the practice does not increase the risk of others obtaining knowledge of the e-mails or access to the emails’ content.” In contrast, we stated it would not be permissible to use the service “if the e-mails were reviewed by human beings or if the service provider reserved the right to disclose the e-mails or the substance of the communications to third parties without the sender’s permission (or a lawful judicial order).” Accordingly, we opined that a “lawyer must exercise due care in selecting an e-mail service provider to ensure that its policies and stated practices protect client confidentiality” in conformance with these governing principles.
- In N.Y. State 1088 (2016), we addressed whether an attorney could disclose to a potential client the names of actual clients the attorney had represented in the same practice area. To answer that inquiry, we needed to determine, as a threshold matter, whether and under what circumstances the names of current or past clients could be “confidential information,” as defined in Rule 1.6(a). We stated, first, that clients’ names will be confidential information if the clients have requested keeping their names confidential. See N.Y. State 1088 ¶ 6 (2016). We then opined:
If the client has not requested that the lawyer keep the client’s name confidential, then the lawyer must determine whether the fact of representation is generally known and, if not, whether disclosing the identity of the client and the fact of representation is likely to be embarrassing or detrimental to the client. This will depend on the client and the specific facts and circumstances of the representation.
N.Y. State 1088 ¶ 7.
- We discussed in Opinion 1088 what it meant to be “generally known” within the meaning of Rule 1.6(a) (¶ 8) and stated, “The client is more likely to find that disclosure of the fact of a current or prior representation by a lawyer is embarrassing or detrimental where the representation involves or involved criminal law, bankruptcy, debt collection or family law.” Id. ¶ 9. Finally, we noted there might be other factors, other than the subject matter of the representation, that are relevant to determine whether the client would object to being identified as the lawyer’s client. Id. ¶ 10.
- Contacts stored on a smartphone typically include one or more email addresses, work or residence addresses, and phone numbers (collectively sometimes called “directory information”), but contacts often also include additional non-directory information (such as birth date or the lawyer’s relationship to the contact). Social media apps may seek access to this information to solicit more users to the platform or to establish links between users and enhance the user experience. Apps which sell products or services may seek such access to promote additional sales. Apps that espouse political or social beliefs may seek such access to disseminate their views. These are but three examples of how an attorney’s contacts might be exploited by an app, but there are more, and likely many more to come.
- Insofar as clients’ names constitute confidential information, a lawyer must make reasonable efforts to prevent the unauthorized access of others to those names, whether stored as a paper copy in a filing cabinet, on a smartphone, or in any other electronic or paper form. To that end, before an attorney grants access to the attorney’s contacts, the attorney must determine whether any contact – even one – is confidential within the meaning of Rule 1.6(a). A contact could be confidential because it reflects the existence of a client-attorney relationship which the client requested not be disclosed or which, based upon particular facts and circumstances, would be likely to be embarrassing or detrimental to the client if disclosed. N.Y. State 1088 (2016).
- Some relevant factors a lawyer should consider in determining whether any contacts are confidential are: (i) whether the contact information identifies the smartphone owner as an attorney, or more specifically identifies the attorney’s area of practice (such as criminal law, bankruptcy law, debt collection law, or family law); (ii) whether people included in the contacts are identified as clients, as friends, as something else, or as nothing at all; and (iii) whether the contact information also includes email addresses, residence addresses, telephone numbers, names of family members or business associates, financial data, or other personal or non-public information that is not generally known.
- If a lawyer determines that the contacts stored on his smartphone include the confidential information of any current or former client, the lawyer must not consent to give access to his contacts to an app, unless the attorney, after reasonable due diligence, including a review of the app’s policies and stated practices to protect user information and user privacy, concludes that such confidential contact information will be handled in such a manner and for such limited purposes that it will not, absent the client’s consent, be disclosed to additional third party persons, systems or entities. See N.Y. State 820 (2008).
- If “contacts” on a lawyer’s smartphone include any client whose identity or other information is confidential under Rule 1.6, then the lawyer may not consent to share contacts with a smartphone app unless the lawyer concludes that no human being will view that confidential information, and that the information will not be sold or transferred to additional third parties, without the client’s consent.