Does a Pennsylvania lawyer need a signed confidentiality agreement from every vendor who can see client data?
PA Bar Ethics Opinion 2024-100: Third-Party Vendors With Access to Confidential Information
Short answer: The opinion concludes that a lawyer using third-party vendors who have access to confidential client information is not required to obtain a signed agreement from every vendor, but must make "reasonable efforts" under Rule 5.3 to ensure the vendor has adequate procedures to safeguard confidential information consistent with Rule 1.6.
Disclaimer: This is an advisory ethics opinion. Advisory opinions are not binding; they interpret the Pennsylvania Bar Association's reading of the Rules of Professional Conduct and are persuasive authority. This summary is for research purposes only and is not legal advice. Verify current rules before acting on any specific guidance.
About this page: The plain-English summary and Q&A below were written by Ezel based on the official opinion. We do not reproduce the opinion text on this page; follow the linked source for the official text, which controls.
Plain-English summary
The opinion concludes that "the Pennsylvania Rules of Professional Conduct do not prohibit lawyers and law firms from utilizing third-party vendors for nonlegal support services," such as case management, network maintenance, accounting, printing, or document reproduction. A lawyer does not violate the Rules by using such vendors so long as the lawyer provides competent representation under Rule 1.1, which under Comment [8] requires keeping abreast of the benefits and risks of relevant technology, and understands the obligations governing nonlawyer assistance under Rule 5.3, which requires "reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer."
The opinion explains that when PBA Formal Opinion 2011-200 was issued, Rule 5.3 was titled "Responsibilities Regarding Nonlawyer Assistants" and was centered on personnel within the firm, but "the word 'Assistants' was later changed to 'Assistance,' signifying the broadening of the rule to expressly encompass outside vendors, as noted in Comment [3]." On the central question, the opinion concludes that "lawyers are not required to obtain a signed agreement from every third-party vendor," because "depending upon the size of a vendor or the manner in which it conducts its operations, it may not be feasible to have every vendor sign an agreement." Instead, reasonable efforts entail verifying that the vendor satisfies one of the enumerated assurances regarding confidentiality.
Relying on ABA Formal Opinion 95-398, the opinion states that a lawyer must ensure the service provider has in place, or will establish, reasonable procedures to protect confidentiality and fully understands its obligations, and that "should a significant breach of confidentiality occur within a computer maintenance company, accounting firm, or the like, a lawyer may be obligated to disclose such breach to the client or clients whose information has been revealed" under Rule 1.4(b). Finally, the opinion notes that Rule 1.6 permits disclosures impliedly authorized to carry out the representation, so a lawyer exercising effective supervision and control "may disclose confidential information to the extent necessary to carry out the representation."
In practice
Under this opinion, a Pennsylvania lawyer may use outside vendors for nonlegal support services that involve access to confidential information without a signed agreement from each one, but must make reasonable efforts under Rule 5.3 to confirm the vendor has adequate procedures to protect that information. The opinion holds that competence under Rule 1.1 includes understanding the relevant technology, that a significant vendor breach may trigger a duty to notify affected clients under Rule 1.4(b), and that the lawyer may disclose confidential information to a supervised vendor only to the extent necessary to carry out the representation.
Common questions
Q: Do I need every vendor to sign a confidentiality agreement?
A: No. The opinion concludes "lawyers are not required to obtain a signed agreement from every third-party vendor," partly because for some vendors it may not be feasible.
Q: What does Rule 5.3 require instead?
A: The opinion concludes the lawyer must make "reasonable efforts" to ensure the vendor has adequate procedures to safeguard confidential information consistent with Rule 1.6.
Q: Can I even share client information with an outside vendor?
A: Yes, within limits. The opinion concludes that under Rule 1.6 a lawyer exercising effective supervision may disclose confidential information "to the extent necessary to carry out the representation."
Q: What if the vendor has a data breach?
A: The opinion states that a significant breach at a vendor may obligate the lawyer to disclose it to the affected clients under Rule 1.4(b).
Background and rules framework
The opinion interprets Pennsylvania Rule of Professional Conduct 5.3 (responsibilities regarding nonlawyer assistance), Rule 1.1 (competence, including Comment [8] on technology), and Rule 1.6 (confidentiality, including impliedly authorized disclosure), together with Rule 1.4(b) (communication) and Rule 5.1 (supervisory responsibilities). These track ABA Model Rules of the same numbers.
Citations and references
Rules of Professional Conduct:
- Pa.R.P.C. 5.3, including Comment [3]; ABA Model Rule 5.3
- Pa.R.P.C. 1.1, including Comment [8]; ABA Model Rule 1.1
- Pa.R.P.C. 1.6, 1.4(b), 5.1; ABA Model Rules 1.6, 1.4, 5.1
Other opinions cited:
- PBA Formal Op. 2011-200: attorneys using cloud computing
- ABA Formal Op. 95-398: nonlawyer access to a lawyer's database
- ABA Formal Op. 88-356: supervision of temporary lawyers
See also
- ABA Formal Op. 506: Responsibilities Regarding Nonlawyer Assistants
- ABA Formal Op. 477R: Securing Communication of Protected Client Information
- ABA Formal Op. 483: Lawyers' Obligations After a Data Breach
Source
- Landing page: PBA Ethics Opinions (Public)
- Original PDF: F2024-100.pdf