Open a Firm

Facts

The inquiring law firm is incurring substantial storage fees for closed client matter files and wishes to dispose of files no longer of use that are more than ten years old. For many years, the firm has included the following or similar language in its standard engagement letter signed by clients: "At your request, your papers and property will be returned to you [after termination of the Matter] promptly upon receipt of payment for outstanding fees, service charges and disbursements. Our own files, including lawyer work product, pertaining to the Matter will be retained by the firm. For various reasons, including the minimization of unnecessary storage expenses, we reserve the right to destroy or otherwise dispose of any such documents or other materials retained by us within a reasonable time after the termination of the engagement." The firm states that locating and contacting former clients to seek consent for destruction, or to provide advance notice of destruction, would be impossible in some situations as well as costly and burdensome in most cases.

Question

Where clients have signed engagement agreements advising that a law firm may destroy or otherwise dispose of documents relating to a closed matter within a reasonable time after the end of the engagement, may the law firm do so: (1) ten years after the end of an engagement; and (2) without taking additional steps, including, for example, giving notice to the former clients?

Analysis

As noted in ISBA Opinion 12-06 (January 2012), there are minimum time periods that certain financial and trust account records regarding a lawyer’s practice must be maintained. Specifically, Illinois Rule 1.15(a) requires that complete records of trust account funds and other property of clients or third persons be kept by a lawyer and preserved for at least seven years after termination of a representation. Subparagraphs (1) to (8) of the Rule 1.15(a) list the specific requirements for the “complete records” of trust accounts.

Illinois Supreme Court Rule 769 defines two additional categories of lawyer records that must be maintained. Paragraph (1) requires a lawyer to maintain records that identify the name and last known address of each client and reflect whether the representation of the client is ongoing or concluded. In contrast to Rule 1.15(a) and paragraph (2) of Supreme Court Rule 769, paragraph (1) makes no reference to any period of time. It therefore appears that the client information described in paragraph (1) should be preserved indefinitely. Paragraph (2) of Supreme Court Rule 769 requires that all “financial records” related to a lawyer’s practice be maintained for a period of not less than seven years. Financial records are defined to include bank statements, time and billing records, checks, check stubs, journals, ledgers, audits, financial statements, tax returns, and tax reports.

In the present inquiry, the law firm typically advised new clients of the firm’s records retention policy, including the intention to dispose of closed files “within a reasonable time after the termination of the engagement,” in the initial engagement letter. The firm now wishes to consider ten years as a “reasonable” period of time. Apart from the specific rules discussed above, there appear to be no other Illinois professional conduct or court rules relevant to a minimum or “reasonable” retention period for lawyer file materials no longer needed for a client’s representation. Other authorities provide useful guidance on this question.

ISBA Opinion 12-06 (January 2012) considered whether an Illinois legal services program could routinely dispose of various types of case materials five years after a matter was closed. The opinion noted that records reflecting the client information covered by Supreme Court Rule 769(1) must be retained indefinitely, and that the financial and trust account records described in Supreme Court Rule 769(2) and Illinois Rule 1.15(a) must be kept for seven years. With respect to closed case files, except for original deeds, wills, and other documents with intrinsic value, ISBA Opinion 12-06 concluded that the program need not retain such files more than five years after a matter was closed if those materials were no longer useful to the clients’ representation.

As early as 1977, the American Bar Association advised that lawyers need not retain closed files indefinitely. ABA Informal Opinion 1384 (March 1977) observes: “A lawyer does not have a general duty to preserve all of his files permanently. Mounting and substantial storage costs can affect the cost of legal services, and the public interest is not served by unnecessary and avoidable additions to the cost of legal services.”

The Restatement Third, The Law Governing Lawyers § 46(1) (2000) provides that a lawyer must take “reasonable” steps to safeguard documents in the lawyer's possession relating to the representation of a client or former client. Comment b to § 46 notes, however, that “… a law firm is not required to preserve client documents indefinitely and may destroy documents that are outdated or no longer of consequence.”

The experience in other states is also instructive. In July 2016, the Missouri Supreme Court amended its Rule of Professional Conduct 4-1.22 to reduce that state’s general mandatory file-retention period from ten years to six years for all files where the representation ends on or after July 1, 2016. Missouri Rule 4-1.22 lists four exceptions to the general rule: (a) where a legal malpractice claim is pending; (b) where a criminal or other governmental investigation is pending; (c) where a disciplinary matter is pending; or (d) where other litigation is pending.

The Ohio Supreme Court Board of Professional Conduct Client File Retention Guide, issued in March 2016, acknowledged that there is no minimum file retention requirement in Ohio and observed that the “… decision of how long to maintain a client file always lies within the professional judgment of the lawyer….” The Guide also noted that other jurisdictions suggest minimum file retention periods that run concurrently with trust account recordkeeping requirements (seven years in Ohio), and agreed that the trust account period may be appropriate in many cases, except for particular matters that may require longer retention.

Tennessee Board of Professional Responsibility Opinion 2015-F-160(a) (March 2016) recommended that a lawyer retain former client files for five years after termination of representation, noting that the guideline may be altered by client agreement or the type of representation and contents of the file. Arizona State Bar Opinion 08-02 (December 2008) concluded that a general five-year retention period “… remains a safe default option for the lawyer and client in the absence of an agreement otherwise.” The opinion further noted that the five-year period was supported by Arizona Rule 1.15(a), which requires a five-year retention period for trust account records. Iowa State Bar Opinion 08-02 (March 2008) recommended a retention period of no less than six years if the lawyer has a written file retention policy and ten years in the absence of such a policy.

West Virginia Lawyer Disciplinary Board Opinion 2002-01 (March 2002) noted that lawyers do not have a general duty to preserve closed files permanently, and stated: “At some point in time, even absent explicit consent to destroy, it is no longer reasonable for a client to expect that the lawyer will still maintain the client’s property. At that point in time, the client’s consent to destroy the file is implicit.” The opinion concluded that, with certain exceptions, “holding the file for five years with no request for it by the client can be deemed implicit consent to destroy the file.”

In view of these authorities, the ten-year retention period for closed files proposed by the inquiring law firm is clearly reasonable. In fact, a general “default” retention period of seven years for the ordinary closed file materials of an Illinois law firm also appears reasonable. A general retention period of seven years after termination of the representation would be consistent with two of the Illinois Supreme Court’s three lawyer record-keeping requirements (records required by Supreme Court Rule 769(1) should be preserved indefinitely). As noted above, several other jurisdictions have chosen their state’s trust account record retention period as the appropriate default guideline for retention of ordinary closed files. Retaining closed files at least seven years could also prove advantageous in the event of a lawyer liability claim, given that the Illinois statute of repose for professional liability claims against lawyers, 735 ILCS 5/13-214.3(c), is six years.

There may be specific situations, like those listed as exceptions to Missouri Rule 4-1.22, or types of materials like those listed in ISBA Opinion 12-06 (original deeds, wills, and other documents with intrinsic value), where retaining a file, or portions of a file, longer than seven years may be necessary or prudent. And as long as the requirements of Illinois Rule 1.15(a) and Supreme Court Rule 769 are met, lawyers and adequately informed clients (see the definition of “informed consent” in Illinois Rule 1.0(e)) are free to agree on any mutually acceptable retention period for closed client files.

The inquiring law firm also asks whether, in view of the terms set out in the firm’s general engagement letter, it is necessary to give clients or former clients notice that the firm intends to destroy the file relating to a particular matter. In this regard, it is useful to note that neither Illinois Rule 1.15(a) nor Illinois Supreme Court Rule 769(2), which set the minimum retention periods for lawyer trust account and financial records, require any notice to clients after the minimum retention periods have ended and a lawyer is then impliedly free to destroy the trust account and financial records. It seems reasonable to assume that if the Court believed that notice to clients of the potential destruction of these important lawyer records was necessary or appropriate, the Court would have written those rules to require notice.

This approach is also consistent with Missouri Rule of Professional Conduct 4-1.22, which does not require notice to clients or former clients that a file will be destroyed. Like West Virginia Lawyer Disciplinary Board Opinion 2002-01, the Missouri rule presumes that if “… the client does not request the file within six years after completion or termination of the representation, the file shall be deemed abandoned by the client and may be destroyed.”

If appropriate steps have been taken to return or preserve actual client property or items with intrinsic value, sending former clients notice of the proposed disposal of routine closed file materials generally should not be required. Attempting to locate and communicate with former clients seven to ten years after a matter is closed will always be time-consuming and expensive – and in many cases, futile. As the Missouri Supreme Court and the West Virginia Lawyer Disciplinary Board concluded, former clients who have left their closed matter files untouched for five or six years should be considered to have lost interest. Clearly, as in the case of the present inquiry, former clients who have been given notice of the firm’s file retention policy in the initial engagement letter need no additional notice before the firm may destroy a closed file.

Finally, disposal of any part of a law firm’s closed file must be done in a manner that protects the confidentiality of all information relating to the client’s representation, consistent with a lawyer’s duty under Illinois Rule 1.6. Comment [18] to Rule 1.6 explains that a lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or others participating in the representation of the client or who are subject to the lawyer’s supervision. Hence, the law firm must assure that its method of disposing of closed files preserves the confidentiality of information relating to the representation of its clients or former clients.

References

• Illinois Rules of Professional Conduct 1.0, 1.6, and 1.15; 

• Illinois Supreme Court Rule 769;

• 735 ILCS 5/13-214.3(c);
• ISBA Professional Conduct Advisory Opinion 12-06 (January 2012);

• ABA Informal Opinion 1384 (March 1977);
• Restatement Third, The Law Governing Lawyers § 46 (2000);
• Missouri Rule of Professional Conduct 4-1.22 (2016);
• Ohio Supreme Court Board of Professional Conduct Client File Retention Guide (March 2016);
• Tennessee Board of Professional Responsibility Opinion 2015-F-160(a) (March 2016);
• Arizona State Bar Opinion 08-02 (December 2008);

• Iowa State Bar Opinion 08-02 (March 2008)
• West Virginia Lawyer Disciplinary Board Opinion 2002-01 (March 2002).

Facts

A lawyer wants to use cloud-based services in her delivery of legal services by contracting with a third party provider. The cloud service will include storage, processing and transmission of information in a shared infrastructure and a shared application, multi-tenant environment. The data will include client personal identifiable information, opposing party documents, financial information, health information and any other confidential and public information relevant to the delivery of legal services. The lawyer plans to conduct due diligence when selecting a third party provider to ensure the controls are in place to maintain confidentiality of the client information and data.

Question

May the lawyer use a third party provider for cloud-based services? If so, is the lawyer's due diligence at the time of entering into an agreement with the provider adequate to avoid an ethical violation if a breach of confidentiality should occur through a failure of the provider or through the action of hackers?

Analysis

Cloud-based services allow a lawyer to store and access software and data in the “cloud,” a remote location which is not controlled by the lawyer but is controlled by a third party internet service provider. Lawyers are increasingly choosing to use cloud-based services because the services offer increased flexibility and ease of access to data.

We have previously determined that a lawyer may retain or work with a private vendor to monitor the firm’s computer server and network, provided that the lawyer takes reasonable steps to ensure that the vendor protects the confidentiality of client information. See, ISBA Op. 10-01 (2009). A similar approach is appropriate when choosing and using cloud-based services. We believe that a lawyer may use cloud-based services. However, because cloud-based services store client data on remote servers outside the lawyer’s direct control, the use of such services raises ethics concerns of competence, confidentiality and the proper supervision of non-lawyers.

Rule 1.1 provides that lawyers must provide competent representation to their clients. The Illinois Supreme Court recently amended Comment 8 to Rule 1.1 to provide that as part of a lawyer’s duty of competence, lawyers must keep abreast of changes in law and its practice “including the benefits and risks associated with relevant technology.” Accordingly, lawyers who use cloud-based services must obtain and maintain a sufficient understanding of the technology they are using to properly assess the risks of unauthorized access and/or disclosures of confidential information.

Lawyers must protect as confidential “all information relating to the representation of the client” pursuant to Rule 1.6. Rule 1.6(e), as recently adopted, provides that a lawyer must make “reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to,” confidential information. Factors to be considered in determining the reasonableness of the lawyer’s efforts are set forth in Comment 18 to the Rule.

A lawyer’s use of an outside provider for cloud-based services is not, in and of itself, a violation of Rule 1.6, provided that the lawyer employs, supervises and oversees the outside provider. See, e.g., Rule 5.3, Comment 3. As stated in a Nevada opinion that discussed a lawyer’s use of an outside agency to store electronic client information:

The use of an outside data storage or server does not necessarily require the revelation of the data to anyone outside the attorney’s employ. The risk, from an ethical consideration, is that a rogue employee of the third party agency, or a “hacker” who gains access through the third party’s server or network, will access and perhaps disclose the information without authorization. In terms of the client’s confidence, this is no different in kind or quality than the risk that a rogue employee of the attorney, or for that matter a burglar, will gain unauthorized access to his confidential paper files. The question in either case is whether the attorney acted reasonable (sic) and competently to protect the confidential information.

Nevada Formal Opinion No. 33 (2006), pp. 2-3.

Because technology changes so rapidly, we decline to provide specific requirements for lawyers when choosing and utilizing an outside provider for cloud-based services. Lawyers must insure that the provider reasonably safeguards client information and, at the same time, allows the attorney access to the data.

At the outset, as recognized by the inquiring lawyer here, lawyers must conduct a due diligence investigation when selecting a provider. Reasonable inquiries and practices could include:

1. Reviewing cloud computing industry standards and familiarizing oneself with the appropriate safeguards that should be employed;
2. Investigating whether the provider has implemented reasonable security precautions to protect client data from inadvertent disclosures, including but not limited to the use of firewalls, password protections, and encryption;
3. Investigating the provider’s reputation and history;
4. Inquiring as to whether the provider has experienced any breaches of security and if so, investigating those breaches;
5. Requiring an agreement to reasonably ensure that the provider will abide by the lawyer’s duties of confidentiality and will immediately notify the lawyer of any breaches or outside requests for client information;
6. Requiring that all data is appropriately backed up completely under the lawyer’s control so that the lawyer will have a method for retrieval of the data;
7. Requiring provisions for the reasonable retrieval of information if the agreement is terminated or if the provider goes out of business.

Our opinion is consistent with the advisory opinions issued by other state bar associations. Other states that have addressed the issue of cloud computing have also generally concluded that lawyers may use cloud-based services if they take reasonable steps to protect client information and address the potential risks. See e.g., Alabama Ethics Opinion 2010-2 (2010)(lawyer may outsource storage of client files through cloud computing if the lawyer takes reasonable steps to make sure data is protected); Iowa Ethics Opinion 11-01 (2011)(lawyer should conduct appropriate due diligence before storing files electronically); Tennessee Formal Ethics Opinion 2015-F-159 (2015)(a lawyer may allow client information to be stored in the cloud provided the lawyer takes reasonable care to assure that the information remains confidential and that reasonable safeguards are employed to protect the information from breaches, loss or other risks). See generally, “Cloud Ethics Opinions Around the U.S.”, American Bar Association, Legal Technology Resource Center.

The inquiring lawyer also asks whether the lawyer's due diligence at the time of entering into an agreement with the provider will be adequate to avoid an ethical violation if a breach of confidentiality should occur through a failure of the provider or through the action of hackers. We do not believe that the lawyer’s obligations end when the lawyer selects a reputable provider. Pursuant to Rules 1.6 and 5.3, a lawyer has ongoing obligations to protect the confidentiality of client information and data and to supervise non-lawyers. Future advances in technology may make a lawyer’s current reasonable protective measures obsolete. Accordingly, a lawyer must conduct periodic reviews and regularly monitor existing practices to determine if the client information is adequately secured and protected. See, e.g., Arizona Ethics Op. 09-04 (2009); Washington State Bar Association Advisory Op. 2215 (2012).

Conclusion

A lawyer may use cloud-based services to store confidential client information provided the attorney uses reasonable care to ensure that client confidentiality is protected and client data is secure. A lawyer must comply with his or her duties of competence in selecting a provider, assessing the risks, reviewing existing practices, and monitoring compliance with the lawyer’s professional obligations.

References

• Illinois Rules of Professional Conduct, Rules 1.1, 1.6, 5.1 and 5.3
• Illinois Rules of Professional Conduct, Rule 1.1, Comment 8 (amended effective Jan. 1, 2016)
• ISBA Op. 10-01 (2009)
• American Bar Association, Legal Technology Resource Center
• Alabama Ethics Opinion 2010-2 (2010)
• Arizona Ethics Op. 09-04 (2009)
• Iowa Ethics Opinion 11-01 (2011)
• Nevada Formal Opinion No. 33 (2006)
• Tennessee Formal Ethics Op. 2015-F-159 (2015)
• Washington State Bar Association Advisory Op. 2215 (2012)