Taking steps to protect all confidential information is more than a good business practice. As a lawyer, you have ethical, common law and regulatory obligations to protect client data. Are you clear on what those obligations are?
Any confidential data maintained on lawyers’ computers and information systems faces substantial and very real security risks. It is critical for all lawyers to understand and address these risks to ensure they comply with their ethical, common law and regulatory obligations to safeguard client data.
Confidential data in any technology systems faces greater security threats than ever before — and lawyers and their firms are targets.
In an article titled “Law Firms Are Lucrative Targets of Cyberscams,” the San Francisco Chronicle discussed different attacks on law firms, ranging from ‘phishing’ scams to full penetration of, and intrusions into, a law firm network to steal lawsuit-related information.
Security experts said criminals gain access into law firms’ networks using highly tailored schemes to trick attorneys into downloading customized malware into their computers. It is not uncommon for them to remain undetected for long periods of time and come and go as they please, they said. The National Law Journal reported that one security firm has assisted over 50 law firms affected by security breaches.
As evidence of how sophisticated such breaches can be, a Wired Magazine article reported on Advanced Persistent Threats (APTs), a particularly nasty form of coordinated hacking attack. In an APT attack on a law firm that was representing a client in Chinese litigation, the attackers were in the firm’s network for a year before the firm learned that it had been hacked. By then, the hackers had harvested thousands of e-mails and attachments from mail servers, desktop workstations and laptops on the firm’s network.
Thankfully, most law firms do not currently face sophisticated attacks like these, but there are still many other forms of threats to the data on your systems, which can come from many sources, including:
- external hackers
- disgruntled employees
- corporate spies
- dishonest adverse parties
- even trusted insiders – including staff members who are dishonest, disgruntled, bored or simply fooled by a clever malware program.
Competent representation, discretion and confidentiality are the foundation of the attorney-client relationship.
ABA Model Rule 1.1 addresses competent representation and provides that “Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” ABA Model Rule 1.6 generally defines the duty of confidentiality—and significantly, it broadly extends that duty to “information relating to the representation of a client.” It is understood that this duty applies to client information in computer and information systems as well.
In addition, an amendment to Model Rule 1.6, Comment 16 requires reasonable precautions to safeguard and preserve confidential information: “A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision”.
However, while it has become clear that these obligations apply to electronic client data stored on computers and elsewhere, it has been unclear what reasonable precautions lawyers must take to protect that data. The State Bar of Arizona has issued two well-reasoned ethics opinions that provide some specific direction on the information security requirements.
The State Bar of Arizona responded to an inquiry about the steps a law firm must take to safeguard client data from hackers and viruses. In addressing how to comply with the ethics rules as they relate to the client’s electronic files or communications, it concludes that “…an attorney or law firm is obligated to take competent and reasonable steps to assure that the client’s confidences are not disclosed to third parties through theft or inadvertence. In addition, an attorney or law firm is obligated to take reasonable and competent steps to assure that the client’s electronic information is not lost or destroyed. In order to do that, an attorney must either have the competence to evaluate the nature of the potential threat to the client’s electronic files and to evaluate and deploy appropriate computer hardware and software to accomplish that end, or if the attorney lacks or cannot reasonably obtain that competence, to retain an expert consultant who does have such competence”.
Arizona Bar Opinion No. 09-04 deals with an online file storage and retrieval system for client access to documents. It restates the ethical requirement of competent and reasonable measures to protect client confidences, further advising that: “…It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field.”
The opinion discusses specific safeguards for lawyers to consider, such as the Secure Sockets Layer (SSL) protocol, firewalls, password protection, encryption and antivirus measures, but it also cautions that “As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information”.
Several other states’ ethics opinions address requirements for safeguarding client electronic data, including New Jersey Committee on Professional Ethics Opinion 701, Nevada Standing Committee on Ethics and Professional Responsibility Formal Opinion 33 and Virginia Standing Committee on Legal Ethics Opinion 1818. While they vary in their degree of specificity, at their core they all require lawyers to take reasonable measures to protect the confidentiality of client information.
Common Law Duties
Along with the ethical obligations, there are also common law duties defined by case law in the various states. The Restatement (3rd) of the Law Governing Lawyers addresses this topic in Section 16(2) on competence and diligence, Section 16(3) on client confidences, and Chapter 5, “Confidential Client Information.”
Breach of these duties can result in a malpractice action.
There are also instances when lawyers may have contractual duties to protect client data. This is particularly the case for clients in regulated industries, such as health care and financial services, that have regulatory requirements to protect privacy and security.
State Laws and Regulations Covering Personal Information
Various state and federal statutes and regulations require protection of defined categories of personal information. Some of these apply to lawyers who possess any specified personal information about their employees, clients, clients’ employees or customers, opposing parties and their employees, or even witnesses.
Most states now have security laws that require measures to protect categories of personal information. While the scope of coverage, the specificity of the requirements and the definitions vary among these laws, personal information is usually defined to include “general or specific facts about an identifiable individual”. They generally cover Social Security numbers, driver’s license numbers and financial account numbers, but some also cover health information. They include laws requiring reasonable security, breach notices and secure disposal.
Covered “personal information” includes Social Security numbers, driver’s license numbers, state-issued identification card numbers, financial account numbers and credit card numbers.
The laws require covered persons to “develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards.”
In addition to requiring a risk assessment/analysis, regulations contain detailed requirements for security programs and computer system security requirements. The security requirements include, “Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly”; and “Encryption of all personal information stored on laptops, tablets, phones or other portable devices.”
Any system that contains or has access to protected information is required to have:
- Secure user authentication (2FA)
- Secure access controls
- Constant monitoring to detect unauthorized access
- Up-to-date firewall protections
- Up-to-date security software (Anti-Virus / Anti-Malware, with current patches and virus definitions)
- Mandatory education and training of employees on security matters
High-level encryption is already required for federal agencies that have information about individuals on laptops and portable media.
Forty-six states, the District of Columbia and the Virgin Islands have laws that require notification concerning data breaches. While there are differences in their scope and requirements, they generally require entities that own, license or possess defined categories of personally identifiable information about consumers to notify affected consumers if there is a breach. Like the security laws, many of these laws apply to covered information “about” residents of the state. Some require notice to a state agency in addition to notice to consumers. On the federal level, an attorney who receives protected individually identifiable health information (PHI) from a covered entity under the Health Insurance Portability & Accountability Act (HIPAA) will generally be defined as a “business associate” and be required to comply with all HIPAA security requirements. The HITECH Act enhanced HIPAA security requirements, extended them directly to business associates, and added a new breach notification requirement.
Standards for Competent and Reasonable Measures
The primary challenge for lawyers in establishing information security programs is deciding what security measures are necessary and then implementing them. Determining what “competent and reasonable measures” are can be difficult. Legal standards that apply in other areas, like financial services, can be helpful in providing a framework, even though they do not legally apply to the practice of law.
The FTC’s Safeguards Rule under the Gramm-Leach-Bliley Act provides a helpful framework that lawyers can use to comply with their obligations to safeguard client data. The requirements in the rule, Standards for Safeguarding Customer Information, 16 C.F.R., Part 314, are general and cover less than two pages in the Federal Register. They provide a short yet comprehensive list of the components of a complete security program.
For larger firms, standards published by the International Organization for Standardization (ISO), at www.iso.org, provide a good framework. They include ISO/IEC 17799:2005, Information Technology—Code of Practice for Information Security Management and ISO/IEC 27001:2005, Information Technology—Security Techniques—Information Security Management System—Requirements.
Your Business Interests
Finally, even if the ethical and legal obligations do not provide sufficient motivation for law firms to apply security practices, there are business interests that should. Companies are recognizing the risks presented by sharing sensitive information with service providers like law firms and are, at a minimum, inquiring about the security safeguards the providers have adopted and, in some cases, are requiring a certain level of security and auditing that level of security.
For example, following pressure from regulators, Bank of America now requires its outside counsel to adopt certain security requirements and is auditing the firms’ compliance with those requirements. Bank of America requires its outside counsel to have a written information security plan, and to follow that plan. Firms must also encrypt sensitive information that Bank of America shares with them. Bank of America also wants its law firms to safeguard information on their employees’ mobile devices. Most importantly, law firms must train their employees about their security policies and procedures. Finally, Bank of America is auditing its law firms to ensure they are complying with these requirements.