Practicing Law Securely — Be Aware
Lawyers owe a high duty to their clients to protect the confidentiality, security, and privacy of communications, documents and data of their engagements.
29 October 2014
Lawyers owe a high duty to their clients to protect the confidentiality and privacy of communications, documents and data of their engagements. Clients expect no less, making breaches of confidentiality and privacy a serious threat to retaining and getting clients. Lawyers must abide by the rules of ethics to which they are bound when admitted to the bar, as well as by laws concerning data security and breach and their common law obligations to clients. Failure to do so can lead to ethics penalties or malpractice liability to clients. An Ames & Gough 2014 survey of malpractice insurers reports that half of them had claims arising from cyber or network security events.
Whether or not “the old ways were best,” today all lawyers must practice in a world of pervasive and ubiquitous technology — tablets, phablets, smartphones, and perhaps even wearables — that constantly connect (and expose) us. Law practices face not only risks of accident and inadvertent disclosure, but deliberate attacks on law firms, which have been described by the FBI as easier quarry than their corporate clients.
These blog posts will address professional, practice, and technical issues that data security poses for lawyers. I draw upon long experience practicing law, and as a consultant and technology staff member designing, deploying and training technologies of law.
While strong tools and secure habits are critical parts of our study and counsel, advice must be practical lest it go unused. Too often I see bicyclists riding with helmets hanging from their handlebars, or on their heads with straps loose. They fail to understand (or refuse to accept) that helmets save their lives. Data security tools or procedures — unknown, ignored or bypassed — provide no more protection.
Technology — A Professional Responsibility
For us as lawyers, private and confidential information is our stock in trade. To serve our clients, we must know, gather, record, and employ information critical to their business or personal lives. Some of our practices gather information explicitly protected by privacy statutes and regulations, such as the medical data covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Our duty as lawyers to protect and secure the confidentiality of that information is a fundamental professional responsibility. These obligations are incorporated in Rule 1.6 of the American Bar Association’s (ABA) Model Rules of Professional Conduct.
Lawyers can’t afford to be ignorant of technology’s impact. Protection against risk of exposure requires not only back office infrastructure, but awareness and action by every lawyer interfacing with clients, opponents, and the courts. In early 2013, the ABA adopted the report of its 20/20 Commission, including, in Comment 8 to Model Rule 1.1, a lawyer’s professional responsibility to keep abreast of the technology of their practice and the risks and benefits associated with it. This updated obligation has been adopted by 13 states across the United States at this writing.
The ABA has devoted significant resources to cybersecurity. The ABA’s Cybersecurity Law Task Force has published The ABA Cybersecurity Handbook: A Resource for Attorneys, Law Firms and Business Professionals. The Task Force announced a Cybersecurity Series of webinars devoted to cybersecurity issues. We have much to learn from their work.
Accidents, Incursions, Attacks, Liability
The momentary accident of breaking confidentiality by sending emails to the wrong addresses remains a risk right at one’s fingertips. For cyber risks, law practices find themselves in the company of Target and Home Depot (and a growing list). Law practices with high profile and hot commercial value practices (oil and gas, IP, a takeover of Potash Corp. of Saskatchewan Inc. by BHP Billiton Ltd.) have been attacked as well.
Cyber criminals can be indiscriminate and agnostic about their targets. For example, for several months beginning in fall 2013, an unwary click of a poisoned link allowed the Cryptolocker malware to hide the contents of a network full of files behind unbreakable encryption — destroying a practice’s work product and client files. The criminals behind this demanded a ransom. While computer security companies trapped the perpetrators, and found the keys to recover some of the broken files, the damage from the original and copycat programs continues.
A single lost or stolen mobile device (laptop, tablet, or smart phone) may pour forth millions of records of confidential information, or open the keys to “protected” systems. Data breaches trigger reporting requirements and potential liabilities.
Preserving and Protecting a Secure Practice
To practice law securely today, each lawyer and each law practice must be aware of these risks, and how to operate safely. When the technology systems, methods and tools with which lawyers work get at least as much attention as the decoration of their offices, they may have a decent chance of success.
Please join me in this exploration. In the next post, I will explore details of the attacks and accidents that can compromise the security and integrity of a law practice’s documents and client information. Your thoughts and comments will be most welcome.
Robert L. Blacksberg Esq.
Bob’s experience spans more than two decades of technology leadership for lawyers, following a law practice that included partnerships at two Philadelphia law firms. Bob is principal of Blacksberg Associates, LLC and leads engagements with law firms in strategic technology planning and implementation, creates and delivers CLE training programs, and works with leading technology vendors to explain, promote and train leading-edge technology products for lawyers. An author and speaker, Bob has appeared at the International Legal Technology Association (ILTA) conference and on ILTA Roadshows.