The Oklahoma Bar Journal December 2024

E thics & P rofessional R esponsibility

L AWYERS ARE, AMONG THEIR NUMEROUS OTHER ROLES, stewards of informa tion who collect, process and store large amounts of confidential data on a daily basis, regardless of their area of practice. Personal injury attorneys, for example, may collect and hold a significant amount of their clients’ medical information. Employment lawyers may receive information related to their clients’ employees, like Social Security numbers. Given the sensitivity of this data, maintaining client confidentiality is a cornerstone of legal eth ics and a fundamental duty of every attorney. Ethical Considerations and Practical Guidance for the Storage and Transfer of Digital Client Data By Lauren Watson

law. Lawyers and law firms are generally not excepted from these laws. Depending on the amount of personal data held by the lawyer or firm, the jurisdiction of residence of their clients and, in some cases, the amount of revenue they gener ate annually, attorneys and firms may be required to implement a number of potentially onerous and specific technical obligations with respect to collecting, storing and using personal data. For example, if a law firm acts as a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), it will be expected to adhere to the security requirements detailed in the HIPAA Security Rule to protect the confi dentiality, integrity and availability

of the electronically protected health information in its possession. Law firms that are subject to state com prehensive privacy laws, such as the California Consumer Privacy Act (CCPA) and its implementing regu lations, will be expected to provide for enumerated data subject rights, including the rights to access, cor rect and delete personal data. In addition to these statutory and regulatory requirements, lawyers have an ethical duty to provide appropriate privacy protections for client information, stemming from the attorney ethics rules of their jurisdiction(s), like the Oklahoma Rules of Professional Conduct (ORPC). For example, compli ance with Rule 1.1 of the ORPC, which requires lawyers to provide

While lawyers should gener ally be aware of the ethical duties associated with the confidentiality of client information, those duties take on additional nuance when client data is stored, used and shared electronically. This article will serve as a refresher on the ethical duties applicable to digital client data and discuss how attorneys can meet their ethical obligations through the use of technology, the development of appropriate policies and procedures, and disaster planning. LEGAL AND ETHICAL DATA PRIVACY OBLIGATIONS In the United States, data privacy obligations associated with collect ing personal data are governed by a combination of federal and state

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.

32 | DECEMBER 2024

THE OKLAHOMA BAR JOURNAL