Client Internet Services Expose Firms to New Liability

New Jersey Law Journal September 20, 2004

Copyright 2004 ALM Properties, Inc. All Rights Reserved.

September 13, 2004

By Jonathan Bick. Bick is of counsel to WolfBlock Brach Eichler of Roseland and is an adjunct professor of Internet Law at Pace Law School and Rutgers Law School. He is also the author of 101 Things You Need To Know About Internet Law [Random House 2000].

Increasingly, client services include offering clients protected access to their personal case information over the Internet. These services respond to clients' new expectations that their attorneys use the most modern communications technologies, including the Internet. Breaches of fiduciary obligations are increasingly becoming the basis for the civil liability of lawyers and law firms. A careful analysis of the nature and elements of a lawyer's fiduciary obligations to clients in the litigation context is therefore an integral part of evaluating what actions to take as a result of initiating such new offerings. As a consequence, law firms must initiate new notice, contractual and technical actions to make certain that the information stays sheltered. By undertaking such actions, law firms will be able to mitigate or eliminate their liability in the event their client’s personal information is acquired from a law firm’s computer or Internet system.

More and more attorneys, and their clients, are proffering client services which include offering clients secure access to their personal case information by means of the Internet. Some law firms find such Internet web site-based offerings to be a rapid, efficient and cost-effective method of communicating with clients, as well as other lawyers. Nevertheless, using client services, including offering clients protected access to their personal case information over the Internet, is not without an increase in legal liability for the law firm. Using the Internet to disperse confidential information raises potential ethical and legal issues that lawyers must face with, as of now, little guidance from the courts or bar associations.

For example, stolen information, including Internet site content taken from the attorney's possession, is not protected by the attorney-client privilege, on the principle that since the law has granted secrecy so far as its own process goes, it leaves it to the client and attorney to take measures of caution sufficient to prevent interception by third persons. Thus, in the case of Internet-based data located on the firm’s web site, the risk of insufficient precautions is upon the attorney. This in turn gives rise to legal liability, i.e., a suit against the firm by its own client.

Probably the most obvious advantage to using Internet client services, such as offering clients protected access to their personal case information over the Internet, is speed. A lawyer, or the lawyer's agent, can disseminate confidential information quickly and with ease. Internet client services move at the speed of light, while paper communications move at the speed of the U.S. Postal Service. Generally, Internet client services appear at their destination within seconds to minutes after being requested. Moreover, a lawyer can reach large groups of people, be they clients, co-counsel or opposing counsel, with the same effort as reaching a single person. With the new Internet services, an interested party, such as the client, need only access the law firm’s Internet site and press a key. Accordingly, with little effort and none of the hassle of scheduling a call with an attorney, many client questions may be answered. Internet client services are an efficient method for a team of lawyers working on a litigation project to keep their clients up to date, or solicit comments, particularly in matters which involve many clients, such as class action lawsuits.

Another advantage of using Internet client services is cost. Communication via both fax and mail is an order of magnitude more expensive than posting content on an Internet site. In addition, storing e-content transferred from an Internet client services site to a client's computer is easier and more cost-efficient than storing paper documents, especially for the space-conscious client. A client can store ten million pages of text for less than ten dollars, should the client desire to have his or her own copy of the Internet client services site content.

However, the flexibility and ease of use of Internet client services damage a law firm's ability to protect its clients’ confidential information associated with the firm’s Internet client services offering. A law firm is subject to civil liability for an injury legally caused to a person by any wrongful act or omission of any principal or employee of the firm who was acting in the ordinary course of the firm's business or with actual authority.

Once client data is transmitted onto the Internet, as is the case when a client’s request for data from a law firm’s Internet site is honored, it potentially becomes available to third parties. Unencrypted Internet client service content appears in clear text. A system operator or other knowledgeable persons in the system can view clear-text messages when a client “views” his or her personal data via the Internet, by visiting the Internet client services web site.

Internet communications, including the transaction commonly described as reading content stored on an Internet site, may pass through dozens of computers before reaching their final destination. Each of the systems may be managed and monitored by a different network administrator or system operator, and each operator may have a different attitude toward on-line privacy. While the content passes through these computers, such operators can read plain-text Internet client services e-content. Furthermore, each of the systems through which the communication passes may be capable of capturing and storing the confidential on-line communication.

Findings of fact in a recent federal district court decision, American Civil Liberties Union v. Reno, 929 F. Supp. 824 (E.D. Pa. 1996), support the view that e-content exchange is not secure. The court pointed out that Visa and Mastercard credit card systems do not consider the Internet to be sufficiently secure for processing online credit card transactions.

Under the Electronic Communications Privacy Act ("ECPA"), reading e-content exchange messages exchanged over public Internet systems, by one other than the sender or receiver, is a felony (18 U.S.C. 2701-05 (1994)). However, reading the e-content exchange may be a legitimate, and even necessary, function of a network system operator monitoring the traffic load on the network to ensure proper functionality. Although interception is illegal and a violation of a federal statute, a lawyer still has a duty to protect his or her client's secrets, confidences and documents. Accordingly, the criminality of the interception of e-content exchange from a lawyer's Internet site is not enough to prevent a loss of privilege. Thus, lawyers should consider the possibility of the loss of privilege through illegal e-content exchange interception.

Most importantly, and as a general rule, a lawyer cannot trust Internet security and should not use unencrypted Internet client services when security is an issue. As lawyers' use of Internet client services increases, so too does the risk of inadvertently disclosing privileged electronic communications to a third party.

Prudent attorneys and law firms purchase liability insurance to help defend against the aforementioned liabilities associated with clients' protected access to their personal case information over the Internet. However, law firms must also initiate new client notices, update contracts and take technical action as well.

Traditionally, full and proper disclosure combined with strict adherence to applicable ethical rules and legal standards has reduced or eliminated law firm liability. Such action is equally applicable to Internet transactions. Law firms should post notices, both in their Internet site terms of use agreements and on each Internet search result transaction, that inform clients of the risk their search involves. This will eliminate unreasonable expectations of privacy by the client. Such notices will also reduce or eliminate the possibility of an innocent interceptor of client information.

Law firms should seek to place the risk of an unsafe Internet site with the Internet site providers. This means executing indemnification and hold harmless clauses in Internet site provider service contracts.

The legal allocation of liability should be assigned to those with control. This logic implies, for example, that if a law firm hires a third party to create and run the firm’s Internet site, which provides client services including offering clients protected access to their personal case information over the Internet, such Internet service providers should be the optimal target of liability.

Such risk-shifting is likely to produce a more secure client service. A contractual shift in liability to the Internet service provider is clearly appropriate since such providers normally have superior technical means to limit third-party access to client transactions and the means to reduce the possibility of negligence. Under such risk shifting, the law firm’s service agreement would require the Internet service provider to pay the full cost of harm associated with third-party interceptions.

Additional risk shifting should also be considered. In particular, the law firm should also ask its client for indemnification in exchange for the client service.

Law firms should consider using encryption and other technology to protect client information which has been made available on the firm’s Internet site. This may require the client to install new and additional hardware or software.