SBM - State Bar of Michigan

RI-388

May 19, 2023

SYLLABUS

A lawyer’s obligations to safeguard digital property under MRPC 1.15(d) are the same as other property entrusted to the lawyer. Where the digital property is stored on a tangible medium, it is the tangible medium that must be safeguarded and not the underlying data. When the lawyer possesses the means to access the digital property, the obligation to safeguard the property extends only to the means of access.

References: MRPC 1.15, 1.15(d); MCR 2.310; FRCP 34; R-21, RI-381.

TEXT

Lawyers inquire as to their obligations when holding a client’s digital property and, specifically, whether they are different than those applicable to tangible, physical property. MRPC 1.15(d) requires a lawyer to appropriately safeguard a client’s property being held in connection with representation. The commentary to MRPC 1.15 further clarifies that the level of appropriateness is similar to the level of care required of a professional fiduciary.

For the purposes of this opinion, the term “digital property” is synonymous with “electronically stored information” (ESI) as defined in Federal Rule of Civil Procedure (FRCP) Rule 34 and Michigan Court Rule (MCR) 2.310:

data or data compilations stored in any medium including documents, writings, drawings, graphs, charts, photographs, sound recordings, and images, regardless of format, system, or properties.

While digital property and ESI are analogues, this opinion does not address the duties to preserve, safeguard, or disclose ESI a lawyer may have under other laws. Additionally, as more thoroughly discussed in R-21, the obligation to safeguard client property is required only when a lawyer receives

property in the course of a representation. If the lawyer becomes possessed of the property through some other means, MRPC 1.15(d) does not apply.

Following review of MRPC 1.15 and ethics opinion R-21, this opinion looks to answer the threshold question of whether the obligation to safeguard attaches to the data that may be accessed with the digital property entrusted, or simply the medium1 in which the data is stored. It is the opinion of this committee that the obligation to safeguard digital property should be treated the same as any other property where there is a tangible item containing information, and thus the obligation attaches to the medium, not the data. This opinion is explained in the following scenarios:

(1) Digital property is stored in a tangible medium and delivered to the lawyer, as illustrated in the following examples:

  • In the course of representation, Lawyer A is given a paper notepad containing a writing, in a language understood only by the client’s parents. Lawyer A’s obligation under MRPC 1.15(d) is to safeguard the notepad, keeping it safe from fire and water damage, theft, exposure, etc. Lawyer A does not have an obligation under MRPC 1.15(d) to ensure that the pages do not fade or yellow, or to get the writing translated before the client’s parents die. The obligation is to safeguard the tangible medium, not the writing.
  • In the course of representation, Lawyer B is given a rare cellulose nitrate-based motion picture reel containing a director’s cut of “The Paper Chase,” with commentary from John Houseman. Lawyer B’s obligation under MRPC 1.15(d) is to keep the film reel safe. Lawyer B does not have an obligation to ensure the reel continues to be playable or to have the movie copied so that it can be viewed on a DVD player.

The same analysis applies to digital property:

  • In the course of representation, Lawyer C is given a digital storage medium, e.g., USB drive, hard drive, floppy disk, etc. containing a MS Word document, pictures, or any other data or data compilation. Lawyer C’s obligation under MRPC 1.15(d) is to keep the digital storage medium safe, not to ensure the data on it is accessible or readable.

(2) The digital property is delivered electronically, e.g., as an attachment to an email or direct/text message. In that event, the storage medium may be the Lawyer’s property, such as a computer, phone, or data server. The file, for lack of a better term, is the item being safeguarded, and not the underlying code that makes up the file, whether the file is a document, photograph, sound recording, program, or any other type of data. The lawyer must safeguard the file but is not required to convert the file from its native format to be readable or accessible by successive generations of technology.2

(3) The digital property is neither stored in a tangible medium nor delivered electronically, but rather gives access to some other property. For example, the digital property may be a password to a website or data stored in the cloud, a cryptocurrency key, or non-fungible tokens (NFT). The obligation to safeguard client property is required only when the property is entrusted to the lawyer in the course of representing a client. Therefore, the lawyer may have an obligation to safeguard the tangible means of accessing the digital property, but since the digital property itself is not held by the lawyer MCRP 1.15(d) does not apply.

However, the means to access the digital property may be property in its own right. This principle is best illustrated in the following examples:

  • In the course of representation, a client entrusts Lawyer 1 with blank signed checks. Lawyer 1’s obligation under MRPC 1.15(d) is to safeguard the checks. Lawyer 1 does not have an obligation under MRPC 1.15(d) to manage or safeguard the funds in the checking account, as the lawyer does not hold the funds in the account, but instead holds the means to access the account via signed checks.
  • In the course of representation, Lawyer 2 is entrusted with corporate stock certificates. Lawyer 2’s obligation under MRPC 1.15(d) is to safeguard the stock certificates. Lawyer 2 does not have an obligation under MRPC 1.15(d) to ensure that the shares are sold at a certain price, or to exercise any of the rights of a shareholder.
  • In the course of representation, a client entrusts Lawyer 3 with a writing reflecting a lease to an apartment complex. Lawyer 3’s obligation under MRPC 1.15(d) is to safeguard the lease. Lawyer 3 does not have an obligation under MRPC 1.15(d) to collect rent or perform maintenance or otherwise take on the responsibilities of a landlord.

The same analysis applies to digital property:

  • In the course of representation, Lawyer 4 is entrusted with a cryptocurrency private key, which is stored as a mnemonic phrase on a post-it® note and a printed QR code. Lawyer 4’s obligation under MRPC 1.15(d) is to safeguard the medium (the post-it® note and the printed QR code). Lawyer 4 does not have an obligation under MRPC 1.15(d) to manage or safeguard the funds in the cryptocurrency account because the lawyer does not hold the funds in the account, but instead holds the means of accessing the account.
  • In the course of representation, Lawyer 5 is entrusted with the password to a client’s NFT wallet. Lawyer 5’s obligation under MRPC 1.15(d) is to safeguard the medium in which the password is memorialized. Lawyer 5 does not have an obligation under MRPC 1.15(d) to ensure that the digital or tangible property the NFT represents is sold at a certain price or to exercise any of the rights of an owner.
  • In the course of representation, Lawyer 6 is given the password to a client’s cloud storage account. Lawyer 6’s obligation under MRPC 1.15(d) is to safeguard the medium in which the password is memorialized. Lawyer 6 does not have an obligation under MRPC 1.15(d) to monitor the cloud storage, secure it, or otherwise do anything with the digital property in the cloud storage because the data in the cloud storage is not held by the lawyer.

CONCLUSION

For the above reasons, the committee concludes that a lawyer’s obligation to safeguard digital property under MRPC 1.15(d) is the same as any other property entrusted to the lawyer. Where the digital property is stored on a tangible medium, it is the tangible medium that must be safeguarded. When the digital property is stored on a medium that is the property of the lawyer, or firm, such as a computer or phone, it is the file, in its native format, that is safeguarded, not the underlying data. Lastly, when the digital property is not held by the lawyer, but the lawyer possesses the means to access the digital property, the obligation to safeguard the property extends only to the means of access, rather than to the digital property that may be accessed.


1. It should be noted that prior to safekeeping any property, the attorney should inquire as to the contents of the medium to ensure the legality of possessing such property.

2. However, in addition to the obligation under MRPC 1.15(d), RI-381 provides that “lawyers have ethical obligations to understand technology, including cybersecurity, take reasonable steps to implement cybersecurity measures, supervise lawyer and other firm personnel to ensure compliance with duties relating to cybersecurity, and timely notify clients in the event of a material data breach.