Ezel / Ethics Opinions / CABAR
CABAR 2010

When may a California attorney use email, public wireless internet, a home wireless network, and a firm-monitored laptop to handle a client's matter without violating the duties of confidentiality and competence?

Short answer: Per California Formal Opinion 2010-179, it depends on the technology and circumstances. Before using a technology with confidential client information, the attorney must evaluate (1) the security of the technology, including reasonable precautions, (2) the legal ramifications for a third party who intercepts or exceeds authorized access, (3) the sensitivity of the information, (4) the impact of inadvertent disclosure or possible privilege waiver, (5) urgency, and (6) the client's instructions and circumstances. Public wireless requires precautions like file/transmission encryption and a personal firewall; firm laptops monitored under a policy are acceptable with proper supervision; home wireless is acceptable if appropriately configured.
Currency note: this opinion is from 2010
Subsequent statutory amendments, court decisions, or later opinions or rule amendments may have changed the analysis. Treat this page as historical context, not current legal advice. Verify current law before relying on any specific rule, deadline, or remedy mentioned here.
Disclaimer: Advisory only. Not binding precedent.
About this page: The plain-English summary, reader guidance, and Q&A below were written by Ezel based on the official ethics opinion. The original opinion (linked at the bottom of this page, or PDF in the sidebar) is the authoritative source for any reliance.
View original ethics opinion (PDF)

State Bar of California COPRAC Formal Opinion 2010-179: Confidentiality and Competence Using Technology

Short answer: The opinion concludes that whether using a particular technology to transmit or store confidential client information violates the duties of confidentiality and competence depends on the technology and the circumstances. Before using a technology, the attorney must evaluate six factors: (1) the security afforded by the technology, including whether reasonable precautions may be taken to increase it, (2) the legal ramifications for a third party who intercepts, accesses, or exceeds authorized use, (3) the sensitivity of the information, (4) the possible impact on the client of inadvertent disclosure or waiver, (5) the urgency of the situation, and (6) the client's instructions and circumstances. Applied to the hypothetical, a firm laptop with monitored access by trained personnel is acceptable; a public wireless connection at a coffee shop requires precautions like file and transmission encryption and a personal firewall, and may require client informed consent depending on sensitivity; a properly configured home wireless network is acceptable.

Currency note

This opinion was issued in 2010, before the State Bar of California's adoption of the November 1, 2018 revisions to the Rules of Professional Conduct. The opinion interprets former Rules 3-100 (confidentiality) and 3-110 (competence), together with Business and Professions Code section 6068(e)(1) and Evidence Code sections 917(a) and 952. Functionally, current California Rules 1.1 (competence), 1.6 (confidentiality), 5.1 (supervision of subordinate lawyers), and 5.3 (responsibilities regarding nonlawyer assistants) now address the same ground. Technology has continued to evolve since 2010 and later California opinions and ABA opinions (e.g., ABA Formal Opinion 477R (2017) on email security and ABA Formal Opinion 498 (2021) on virtual practice) have refined the analysis. Treat this page as historical context, not current guidance. Verify against current rules and later authorities before relying on any specific technical recommendation.

Disclaimer: This is an advisory ethics opinion. Advisory opinions are not binding; they interpret the State Bar of California's rules of professional conduct and are persuasive authority. This summary is for research purposes only and is not legal advice. Verify current rules before acting on any specific guidance.

About this page: The plain-English summary and Q&A below were written by Ezel based on the official opinion. The opinion text is reproduced at the bottom; the official source (linked) controls.

View original opinion

Plain-English summary

The hypothetical: Attorney is an associate using a firm laptop subject to firm access for routine maintenance and policy compliance (with unauthorized use of obtained data expressly prohibited); the supervisor may also review work product. Attorney researches and emails Client over the coffee-shop public wireless, and later over his personal home wireless.

The committee declines to do a technology-by-technology analysis (which would quickly become obsolete) and instead sets out a general framework.

Duty of confidentiality: Under Business and Professions Code section 6068(e)(1) and former Rule 3-100, the lawyer must maintain client confidence and preserve secrets, subject to narrow exceptions. Unlike ABA Model Rule 1.6, former Rule 3-100 does not expressly include disclosure "impliedly authorized" to carry out representation. The committee distinguishes (a) actually disclosing confidential information to a third party for ancillary purposes (subject to former opinions like California State Bar Formal Opinion 1971-25 and LACBA Formal Opinion 374 (1978)) from (b) using appropriately secure technology provided by a third party as a method of communicating with the client or doing research. Evidence Code section 952 (defining confidential lawyer-client communication for privilege purposes) includes disclosure to third persons "to whom disclosure is reasonably necessary for the transmission of the information or the accomplishment of the purpose for which the lawyer is consulted." The duty of confidentiality is broader than the privilege (citing Goldstein v. Lees; California State Bar Formal Opinion 2003-161), but transmission through a third party reasonably necessary for representation does not destroy confidentiality.

Duty of competence: Former Rule 3-110(A) prohibits intentional, reckless, or repeated failure to perform with competence; the duty extends to supervising subordinate attorneys and nonattorneys. The committee imports the substance of ABA Model Rule 1.6 comments 16 and 17 (lawyer must act competently to safeguard information; must take reasonable precautions to prevent communications from reaching unintended recipients; need not use special security measures if the method affords a reasonable expectation of privacy; sensitivity and confidentiality protections are relevant factors; client may require special measures or consent to otherwise-prohibited communication methods).

Six factors:

  1. Security assessment: how the technology differs from other media (citing American Civil Liberties Union v. Reno on email versus postal mail, ABA Formal Opinion 99-413, LACBA Formal Opinion 514 (2005) holding that lawyers are not required to encrypt email, Orange County Bar Association Formal Opinion 97-0002, and City of Reno v. Reno Police Protective Assn.); whether reasonable precautions may be taken (encryption, firewalls, password protection on mobile devices); limitations on monitoring permitted by license or employment terms, including the duty under ABA Model Rule 5.3 (ABA Formal Opinion 95-398) to make reasonable efforts to ensure outside service providers will not make unauthorized disclosures. The committee says attorneys need not master every technology but must have a basic understanding of the electronic protections of what they use, and must seek additional information or consult an IT professional if they lack the necessary competence (former Rule 3-110(C)).

  2. Legal ramifications to interceptors: the existence of criminal penalties or civil claims for unauthorized access favors an expectation of privacy. The committee cites the Electronic Communications Privacy Act of 1986 (18 U.S.C. § 2510 et seq.), the Computer Fraud and Abuse Act (18 U.S.C. § 1030 et seq.), California Penal Code section 502(c), California Penal Code section 629.86, and eBay, Inc. v. Bidder's Edge, Inc.

  3. Sensitivity of information: the greater the sensitivity, the less risk an attorney should take. Highly sensitive information at risk of disclosure should be transmitted by alternatives unless the client provides informed consent (defined per LACBA Formal Opinion 456 (1989)).

  4. Inadvertent disclosure and privilege waiver: Evidence Code section 917(a) presumes lawyer-client communications confidential; section 917(b) preserves privileged character despite electronic delivery. The committee notes Penal Code section 629.80 and 18 U.S.C. section 2517(4) similarly preserve privilege. But the protections are not complete: a lack of essential security features could be deemed waiver, and Federal Rule of Evidence 502(b) requires reasonable steps to prevent disclosure and reasonable steps to rectify. Confidentiality harm may be immediate and independent of admissibility.

  5. Urgency: in exigent circumstances with no reasonable alternative, it may be reasonable to use the technology without additional precautions.

  6. Client instructions and circumstances: if the client has instructed against using certain technology, or if the attorney knows others have access to the client's devices or accounts and may intercept, the technology should not be used. Informed consent may be appropriate in some circumstances.

Application:

  • Firm laptop with monitored access: not a violation, because access is limited to authorized individuals for required tasks. The attorney should confirm personnel are properly instructed regarding client confidentiality and supervised under former Rule 3-110 (citing Crane v. State Bar, In re Complex Asbestos Litig., and California State Bar Formal Opinion 1979-50). Supervisor access is appropriate given her supervisory duty and own fiduciary duty.
  • Public wireless at the coffee shop: risks violating confidentiality and competence unless the attorney takes appropriate precautions, such as a combination of file encryption, encryption of wireless transmissions, and a personal firewall. Depending on sensitivity, the attorney may need to avoid the public wireless entirely or notify Client of risks (including potential disclosure of confidential information and possible waiver) and seek informed consent.
  • Personal home wireless: not a violation if configured with appropriate security features. Otherwise, notify Client of risks and seek informed consent.

Common questions

Q: Does the opinion require attorneys to encrypt all client email?

A: Per the opinion, no. Unencrypted email is generally treated as having a reasonable expectation of privacy similar to standard mail (citing ABA Formal Opinion 99-413 and LACBA Formal Opinion 514 (2005)). The committee notes that encryption may be a reasonable precaution where the information is highly sensitive and encryption is not onerous, particularly when using public wireless connections.

Q: What is required before using public wireless to handle client matters?

A: Per the opinion, the attorney should take reasonable precautions such as file encryption, encryption of wireless transmissions, and a personal firewall. Depending on the sensitivity of the matter, the attorney may need to avoid public wireless entirely or notify the client of risks and obtain informed consent.

Q: What does the lawyer need to do about firm IT monitoring of a work laptop?

A: Per the opinion, the firm laptop is acceptable because access is limited to authorized individuals for required tasks (maintenance, policy enforcement, and supervisory review of work product). The attorney should confirm that personnel have been properly instructed regarding client confidentiality and are supervised under former Rule 3-110. Supervisor access is acceptable in light of the supervisor's own duty under Rule 3-110 and her fiduciary duty to the client.

Q: What if the lawyer is not technically proficient enough to evaluate a technology's security?

A: Per the opinion, the lawyer is not required to master every technology, but the duties of confidentiality and competence do require a basic understanding of the electronic protections afforded by the technology used in practice. Where the lawyer lacks the necessary competence, the lawyer must seek additional information or consult someone with the necessary knowledge, such as an IT consultant, by analogy to former Rule 3-110(C).

Q: Do the federal and state privilege-preservation statutes mean privilege is never lost when electronic transmission is intercepted?

A: Per the opinion, no. Evidence Code section 917(b), Penal Code section 629.80, and 18 U.S.C. section 2517(4) preserve privilege despite electronic delivery, but they are not a complete safeguard. If a particular technology lacks essential security features, use could be deemed waiver. Federal Rule of Evidence 502(b) conditions non-waiver on inadvertence, reasonable steps to prevent disclosure, and reasonable steps to rectify the error.

Q: When must the lawyer not use a particular technology even if it is otherwise reasonable?

A: Per the opinion, when the client has instructed against using it, or when the lawyer knows others have access to the client's electronic devices or accounts and may intercept or be exposed to confidential information.

Background and rules framework

The opinion interprets former California Rules 3-100 (confidentiality) and 3-110 (competence, including supervision), together with Business and Professions Code section 6068(e)(1) and California Evidence Code sections 917 (privilege presumption and preservation despite electronic delivery) and 952 (definition of confidential lawyer-client communication). Functionally, the framework maps to current California Rules 1.1 (competence), 1.6 (confidentiality), 5.1 (supervision of subordinate lawyers), and 5.3 (responsibilities regarding nonlawyer assistants). The committee imports the substance of ABA Model Rule 1.6 comments 16 and 17 and ABA Formal Opinion 95-398 (selection of outside service providers under Rule 5.3) under California Rule 1-100(A), which allows consideration of out-of-state opinions in the absence of on-point California authority and conflicting state public policy.

Citations and references

Rules of Professional Conduct (former, in effect at time of opinion):

  • Former California Rule 1-100(A) (consideration of out-of-state authorities)
  • Former California Rule 3-100 (confidentiality)
  • Former California Rule 3-110, including 3-110(A), (B), (C) (competence and supervision)

Statutes:

  • California Business and Professions Code section 6068, subdivision (e)(1)
  • California Evidence Code sections 917(a) and 917(b) (privilege presumption; preservation despite electronic delivery)
  • California Evidence Code section 952 (confidential lawyer-client communication)
  • California Penal Code section 502(c) (unauthorized computer access)
  • California Penal Code section 629.80 (privilege preservation)
  • California Penal Code section 629.86 (civil cause of action for intercepted communications)
  • 18 U.S.C. section 1030 et seq. (Computer Fraud and Abuse Act)
  • 18 U.S.C. section 2510 et seq. (Electronic Communications Privacy Act of 1986)
  • 18 U.S.C. section 2517(4) (privilege preservation)
  • Federal Rule of Evidence 502(b) (inadvertent disclosure)

Cases:

  • Goldstein v. Lees (1975) 46 Cal.App.3d 614, duty of confidentiality broader than privilege
  • City & County of San Francisco v. Cobra Solutions, Inc. (2006) 38 Cal.4th 839, MRPC as guideline absent California authority
  • American Civil Liberties Union v. Reno (E.D. Pa. 1996) 929 F.Supp. 824, on email versus sealed mail
  • City of Reno v. Reno Police Protective Assn. (2003) 118 Nev. 889, document by email is privileged when requirements met
  • eBay, Inc. v. Bidder's Edge, Inc. (N.D. Cal. 2000) 100 F.Supp.2d 1058, trespass to chattel via unauthorized access
  • Crane v. State Bar (1981) 30 Cal.3d 117, attorney's responsibility for employees' work product
  • In re Complex Asbestos Litig. (1991) 232 Cal.App.3d 572, supervision of employees on confidentiality

Other opinions and authorities cited:

  • California State Bar Formal Opinion 1971-25 (use of outside data processor)
  • California State Bar Formal Opinion 1979-50 (lawyer's duty to instruct employees)
  • California State Bar Formal Opinion 1981-58 (definition of secrets)
  • California State Bar Formal Opinion 2003-161 (foundation of duty of confidentiality)
  • California State Bar Formal Opinion 2007-174 (metadata)
  • Los Angeles County Bar Association Formal Opinion 374 (1978) (data processor)
  • Los Angeles County Bar Association Formal Opinion 456 (1989) (informed consent)
  • Los Angeles County Bar Association Formal Opinion 514 (2005) (email need not be encrypted)
  • Orange County Bar Association Formal Opinion 97-0002 (encrypted email encouraged)
  • ABA Formal Opinion 95-398 (Rule 5.3 selection of outside service provider)
  • ABA Formal Opinion 99-413 (reasonable expectation of privacy in email)
  • ABA Model Rule 1.6 cmts. 16 and 17
  • Restatement (Third) of the Law Governing Lawyers § 60(1)(b)
  • David Ries & Reid Trautz, "Securing Your Clients' Data While On the Road," Law Practice Today (Oct. 2008)

See also

Source

Original opinion text

Reproduced from the official source for research purposes. The linked source is authoritative.

THE STATE BAR OF CALIFORNIA
STANDING COMMITTEE ON
PROFESSIONAL RESPONSIBILITY AND CONDUCT
FORMAL OPINION NO. 2010-179

ISSUE: Does an attorney violate the duties of confidentiality and competence he or she owes to a client by using technology to transmit or store confidential client information when the technology may be susceptible to unauthorized access by third parties?

DIGEST: Whether an attorney violates his or her duties of confidentiality and competence when using technology to transmit or store confidential client information will depend on the particular technology being used and the circumstances surrounding such use. Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client's instructions and circumstances, such as access by others to the client's devices and communications.

AUTHORITIES INTERPRETED: Rules 3-100 and 3-110 of the California Rules of Professional Conduct. Business and Professions Code section 6068, subdivision (e)(1). Evidence Code sections 917(a) and 952.

STATEMENT OF FACTS

Attorney is an associate at a law firm that provides a laptop computer for his use on client and firm matters and which includes software necessary to his practice. As the firm informed Attorney when it hired him, the computer is subject to the law firm's access as a matter of course for routine maintenance and also for monitoring to ensure that the computer and software are not used in violation of the law firm's computer and Internet-use policy. Unauthorized access by employees or unauthorized use of the data obtained during the course of such maintenance or monitoring is expressly prohibited. Attorney's supervisor is also permitted access to Attorney's computer to review the substance of his work and related communications.

Client has asked for Attorney's advice on a matter. Attorney takes his laptop computer to the local coffee shop and accesses a public wireless Internet connection to conduct legal research on the matter and email Client. He also takes the laptop computer home to conduct the research and email Client from his personal wireless system.

DISCUSSION

Due to the ever-evolving nature of technology and its integration in virtually every aspect of our daily lives, attorneys are faced with an ongoing responsibility of evaluating the level of security of technology that has increasingly become an indispensable tool in the practice of law. The Committee's own research (including conferring with computer security experts) causes it to understand that, without appropriate safeguards (such as firewalls, secure username/password combinations, and encryption), data transmitted wirelessly can be intercepted and read with increasing ease. Unfortunately, guidance to attorneys in this area has not kept pace with technology. Rather than engage in a technology-by-technology analysis, which would likely become obsolete shortly, this opinion sets forth the general analysis that an attorney should undertake when considering use of a particular form of technology.

  1. The Duty of Confidentiality

In California, attorneys have an express duty "[t]o maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client." (Bus. & Prof. Code, § 6068, subd. (e)(1).) This duty arises from the relationship of trust between an attorney and a client and, absent the informed consent of the client to reveal such information, the duty of confidentiality has very few exceptions. (Rules Prof. Conduct, rule 3-100 & discussion ["[A] member may not reveal such information except with the consent of the client or as authorized or required by the State Bar Act, these rules, or other law."].)

Unlike Rule 1.6 of the Model Rules of Professional Conduct ("MRPC"), the exceptions to the duty of confidentiality under rule 3-100 do not expressly include disclosure "impliedly authorized in order to carry out the representation." (MRPC, Rule 1.6.) Nevertheless, the absence of such language in the California Rules of Professional Conduct does not prohibit an attorney from using postal or courier services, telephone lines, or other modes of communication beyond face-to-face meetings, in order to effectively carry out the representation. There is a distinction between actually disclosing confidential information to a third party for purposes ancillary to the representation, on the one hand, and using appropriately secure technology provided by a third party as a method of communicating with the client or researching a client's matter, on the other hand.

Section 952 of the California Evidence Code, defining "confidential communication between client and lawyer" for purposes of application of the attorney-client privilege, includes disclosure of information to third persons "to whom disclosure is reasonably necessary for the transmission of the information or the accomplishment of the purpose for which the lawyer is consulted." (Evid. Code, § 952.) While the duty to protect confidential client information is broader in scope than the attorney-client privilege (Discussion [2] to rule 3-100; Goldstein v. Lees (1975) 46 Cal.App.3d 614, 621, fn. 5 [120 Cal.Rptr. 253]), the underlying principle remains the same, namely, that transmission of information through a third party reasonably necessary for purposes of the representation should not be deemed to have destroyed the confidentiality of the information. (See Cal. State Bar Formal Opn. No. 2003-161.) Pertinent here, the manner in which an attorney acts to safeguard confidential client information is governed by the duty of competence, and determining whether a third party has the ability to access and use confidential client information in a manner that is unauthorized by the client is a subject that must be considered in conjunction with that duty.

  1. The Duty of Competence

Rule 3-110(A) prohibits the intentional, reckless or repeated failure to perform legal services with competence. Pertinent here, "competence" may apply to an attorney's diligence and learning with respect to handling matters for clients. (Rules Prof. Conduct, rule 3-110(B).) The duty of competence also applies to an attorney's "duty to supervise the work of subordinate attorney and non-attorney employees or agents." (Discussion to rule 3-110.)

With respect to acting competently to preserve confidential client information, the comments to Rule 1.6 of the MRPC provide:

[16] A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. See Rules 1.1, 5.1 and 5.3.

[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.

(MRPC, cmts. 16 & 17 to Rule 1.6.) In this regard, the duty of competence includes taking appropriate steps to ensure both that secrets and privileged information of a client remain confidential and that the attorney's handling of such information does not result in a waiver of any privileges or protections.

  1. Factors to Consider

In accordance with the duties of confidentiality and competence, an attorney should consider the following before using a specific technology:

a) The attorney's ability to assess the level of security afforded by the technology, including without limitation:

i) Consideration of how the particular technology differs from other media use. For example, while one court has stated that, "[u]nlike postal mail, simple e-mail generally is not 'sealed' or secure, and can be accessed or viewed on intermediate computers between the sender and recipient (unless the message is encrypted)" (American Civil Liberties Union v. Reno (E.D.Pa. 1996) 929 F.Supp. 824, 834), most bar associations have taken the position that the risks of a third party's unauthorized review of email (whether by interception or delivery to an unintended recipient) are similar to the risks that confidential client information transmitted by standard mail service will be opened by any of the many hands it passes through on the way to its recipient or will be misdirected (see, e.g., ABA Formal Opn. No. 99-413; Los Angeles County Bar Assn. Formal Opn. No. 514 (2005); Orange County Bar Assn. Formal Opn. No. 97-0002).

ii) Whether reasonable precautions may be taken when using the technology to increase the level of security. As with the above-referenced views expressed on email, the fact that opinions differ on whether a particular technology is secure suggests that attorneys should take reasonable steps as a precautionary measure to protect against disclosure. For example, depositing confidential client mail in a secure postal box or handing it directly to the postal carrier or courier is a reasonable step for an attorney to take to protect the confidentiality of such mail, as opposed to leaving the mail unattended in an open basket outside of the office door for pick up by the postal service. Similarly, encrypting email may be a reasonable step for an attorney to take in an effort to ensure the confidentiality of such communications remain so when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous. To place the risks in perspective, it should not be overlooked that the very nature of digital technologies makes it easier for a third party to intercept a much greater amount of confidential information in a much shorter period of time than would be required to transfer the same amount of data in hard copy format. In this regard, if an attorney can readily employ encryption when using public wireless connections and has enabled his or her personal firewall, the risks of unauthorized access may be significantly reduced. Both of these tools are readily available and relatively inexpensive, and may already be built into the operating system. Likewise, activating password protection features on mobile devices, such as laptops and PDAs, presently helps protect against access to confidential client information by a third party if the device is lost, stolen or left unattended.

iii) Limitations on who is permitted to monitor the use of the technology, to what extent and on what grounds. For example, if a license to use certain software or a technology service imposes a requirement of third party access to information related to the attorney's use of the technology, the attorney may need to confirm that the terms of the requirement or authorization do not permit the third party to disclose confidential client information to others or use such information for any purpose other than to ensure the functionality of the software or that the technology is not being used for an improper purpose, particularly if the information at issue is highly sensitive. "Under Rule 5.3 [of the MRPC], a lawyer retaining such an outside service provider is required to make reasonable efforts to ensure that the service provider will not make unauthorized disclosures of client information." (ABA Formal Opn. No. 95-398.)

Many attorneys, as with a large contingent of the general public, do not possess much, if any, technological savvy. Although the Committee does not believe that attorneys must develop a mastery of the security features and deficiencies of each technology available, the duties of confidentiality and competence that attorneys owe to their clients do require a basic understanding of the electronic protections afforded by the technology they use in their practice. If the attorney lacks the necessary competence to assess the security of the technology, he or she must seek additional information or consult with someone who possesses the necessary knowledge, such as an information technology consultant. (Cf. Rules Prof. Conduct, rule 3-110(C).)

b) Legal ramifications to third parties of intercepting, accessing or exceeding authorized use of another person's electronic information. The fact that a third party could be subject to criminal charges or civil claims for intercepting, accessing or engaging in unauthorized use of confidential client information favors an expectation of privacy with respect to a particular technology. (See, e.g., 18 U.S.C. § 2510 et seq.; 18 U.S.C. § 1030 et seq.; Pen. Code, § 502(c); Cal. Pen. Code, § 629.86; eBay, Inc. v. Bidder's Edge, Inc. (N.D.Cal. 2000) 100 F.Supp.2d 1058, 1070.)

c) The degree of sensitivity of the information. The greater the sensitivity of the information, the less risk an attorney should take with technology. If the information is of a highly sensitive nature and there is a risk of disclosure when using a particular technology, the attorney should consider alternatives unless the client provides informed consent.

d) Possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product, including possible waiver of the privileges. Section 917(a) of the California Evidence Code provides that "a communication made in confidence in the course of the lawyer-client . . . relationship . . . is presumed to have been made in confidence and the opponent of the claim of privilege has the burden of proof to establish that the communication was not confidential." (Evid. Code, § 917(a).) Significantly, subsection (b) of section 917 states that such a communication "does not lose its privileged character for the sole reason that it is communicated by electronic means or because persons involved in the delivery, facilitation, or storage of electronic communication may have access to the content of the communication." (Evid. Code, § 917(b).) See also Penal Code, § 629.80; 18 U.S.C. § 2517(4). While these provisions seem to provide a certain level of comfort in using technology for such communications, they are not a complete safeguard. For example, it is possible that, if a particular technology lacks essential security features, use of such a technology could be deemed to have waived these protections. Where the attorney-client privilege is at issue, failure to use sufficient precautions may be considered in determining waiver.

e) The urgency of the situation. If use of the technology is necessary to address an imminent situation or exigent circumstances and other alternatives are not reasonably available, it may be reasonable in limited cases for the attorney to do so without taking additional precautions.

f) Client instructions and circumstances. If a client has instructed an attorney not to use certain technology due to confidentiality or other concerns or an attorney is aware that others have access to the client's electronic devices or accounts and may intercept or be exposed to confidential client information, then such technology should not be used in the course of the representation.

  1. Application to Fact Pattern

In applying these factors to Attorney's situation, the Committee does not believe that Attorney would violate his duties of confidentiality or competence to Client by using the laptop computer because access is limited to authorized individuals to perform required tasks. However, Attorney should confirm that personnel have been appropriately instructed regarding client confidentiality and are supervised in accordance with rule 3-110. (See Crane v. State Bar (1981) 30 Cal.3d 117, 123 [177 Cal.Rptr. 670]; In re Complex Asbestos Litig. (1991) 232 Cal.App.3d 572, 588 [283 Cal.Rptr. 732]; Cal. State Bar Formal Opn. No. 1979-50.) In addition, access to the laptop by Attorney's supervisor would be appropriate in light of her duty to supervise Attorney in accordance with rule 3-110 and her own fiduciary duty to Client to keep such information confidential.

With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client's matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so.

Finally, if Attorney's personal wireless system has been configured with appropriate security features, the Committee does not believe that Attorney would violate his duties of confidentiality and competence by working on Client's matter at home. Otherwise, Attorney may need to notify Client of the risks and seek her informed consent, as with the public wireless connection.

CONCLUSION

An attorney's duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client's representation does not subject confidential client information to an undue risk of unauthorized disclosure. Because of the evolving nature of technology and differences in security features that are available, the attorney must ensure the steps are sufficient for each form of technology being used and must continue to monitor the efficacy of such steps.

This opinion is issued by the Standing Committee on Professional Responsibility and Conduct of the State Bar of California. It is advisory only. It is not binding upon the courts, the State Bar of California, its Board of Governors, any persons, or tribunals charged with regulatory responsibilities, or any member of the State Bar.