By the rules of ethics and our own engagement letters, attorneys commit to, and are responsible for, keeping their clients’ data confidential. Further, the rules of ethics require attorneys to be up-to-date on technology and to make appropriate decisions to avoid selecting technology that could compromise the confidentiality of client information. When making these decisions, attorneys need to take into consideration what vendors they are using to assist in their delivery and/or performance of legal services, whether it is the vendor used to stamp documents prior to discovery production, or the office cleaning service that may have unfettered and unsupervised access to offices. If attorneys fail to assess vendors properly and to identify and manage the potential risks they may create, attorneys fail in their ethical obligations to their clients and do disservice to their own personnel too. This article will discuss appropriate processes to manage supplier risk and to document those programs accordingly from vendor selection to onboarding, during the relationship, and offboarding.

A lawyer has an obligation to “not reveal information relating to representation of a client” except under certain limited circumstances. RPC 1.6. In Opinion 701, the Supreme Court of New Jersey’s Advisory Committee on Professional Ethics discussed this requirement in the context of an inquiry regarding the use of an electronic filing system. The New Jersey Advisory Committee noted that the touchstone of RPC 1.6 is that attorneys must “exercise reasonable care against the possibility of unauthorized access to client information” and must use “sound professional judgment” to access the necessary safeguards to ensure confidentiality.