Ethical Obligation to Wipe Your Old Computers – and Other Media

It remains a continuing problem as to how to destroy digital data. In some instances one may have to destroy the storage medium itself.

Lately the Florida State Bar published a proposed advisory ethics opinion to the effect that lawyers have an obligation to ensure that confidential data — personal information but also client data generally — must be effectively erased from any storage medium before that medium is disposed of. This extends beyond computer drives to cell phones, digital fax machines and copiers (which have memories that keep the data), and even to third-party service providers’ equipment. The opinion does not say how the media are to be “sanitized”.

Is there any reason why a Canadian lawyer would not have the same obligations? We have an obligation to understand the implications of the technology we use. Is this not just another such implication?

From the Florida Bar News report (emphasis added):

If a lawyer chooses to use these devices that contain storage media, the lawyer has a duty to keep abreast of changes in technology to the extent that the lawyer can identify potential threats to maintaining confidentiality,” the proposed opinion said. “The lawyer must learn such details as whether the device has the ability to store confidential information, whether the information can be accessed by unauthorized parties, and who can potentially have access to the information. The lawyer must also be aware of different environments in which confidential information is exposed, such as public copy centers, hotel business centers, and home offices. The lawyer should obtain enough information to know when to seek protection and what devices must be sanitized, or cleared of all confidential information, before disposal or other disposition. Therefore, the duty of competence extends from the receipt, i.e., when the lawyer obtains control of the device, through the device’s life cycle, and until disposition of the device, including after it leaves the control of the lawyer.

Although not covered by an ethics opinion, the proposed opinion also noted that a lawyer could face legal issues if disposed equipment or memory devices have personal information, such as medical records, Social Security numbers, or criminal arrest records.

Besides the lawyer’s own action, the lawyer must supervise nonlawyer personnel who use computers and computerized equipment to protect confidential matters.

The opinion also said the lawyer must get “adequate assurances” that discarded or leased machinery has been stripped of sensitive records.

“The lawyer has an affirmative obligation to ascertain that the sanitization has been accomplished, whether by some type of meaningful confirmation, by having the sanitization occur at the lawyer’s office, or by other similar means,” the opinion said.

In other words, a contractual promise to delete the information is not satisfactory.