Like all professionals in 2014, every modern litigator uses technology to get their job done. As with all industries, technology is the wonder drug delivering efficiency to a lawyer’s practice and duty of competent representation.
The fly in the ointment, however, is the issue of confidentiality regarding client data that has litigators rightly concerned about their ethical obligations when using these powerful tools. Let’s face it, most lawyers don’t know much about the complex, highly technical subject of data security. If you did, you’d be a computer engineer.
What you need to know about data security as a litigator.
So let’s get you set up. The following are four things to know when talking to your clients about their highly confidential data. The good news: Most of this is common sense. The bad news: it’s still a complex topic that unfortunately does not present you with facile answers.
1. I am concerned about the security of your data.
Your clients need and expect to hear this from you. So you should tell them this.
Lawyers are expected to keep secrets. The entire legal industry is built on the concept of attorney-client privilege. Just replace “security of your data” with “keeping your secrets” and you’ll see why they need to believe in your sincerity and vigilance on this topic. Clients need to be convinced that there is a determined focus and procedural strategy to protect confidentiality and maximize eDiscovery data security.
Now, that said…
2. This is complicated stuff. There are no guarantees.
Do you think your firm’s internal resources have data security covered? Probably not.
Telling your clients that your firm protocols are bullet-proof is problematic. They are not. Defense contractors have problems securing data, major banks have problems securing data, and the most advanced technology companies have problems securing data.
What are the chances that your law firm’s limited internal resources have figured out a better strategy? Slim to none. It defies simple logic. As Dirty Harry said, “A man’s gotta know his limitations.”
Think your firm is the anomaly? Email me, I’d love to hear about it. And make sure to include any security guarantee you provide to your clients.
What you should guarantee your clients is that your firm is aware of the complexity involved, and is taking steps to minimize risk. And your firm should be vigilantly working to protect and secure client data to a state-of-the-art level.
3. Any computer with Internet access is in the Cloud.
Internet = Cloud. An oversimplification? Sure. But for the sake of a security discussion, it is one and the same. There is a great deal of discussion out there about the security issues surrounding “Cloud” but what should do you need to know?
Public cloud, private cloud, virtual private cloud, virtual private networks (VPN), firewalls, secure data tunnels, extranets, e-rooms, encryption standards….techno-babble ad nauseum. It’s all unfamiliar and “scary” sounding stuff, but the lingo just obfuscates a simple truth: the Cloud is the Internet.
The risks are by definition the same with data stored in the Cloud as with data stored on any computing machine connected to the Internet. It’s not better, it’s not worse. It is a technology and as with any technology the difference is in the people who are managing it.
Skeptical? Let’s look at the aforementioned data breaches. The first two (US Defense, JP Morgan) were “behind the firewall” or in a theoretically secure “private” locations. Apple’s iCloud breach accessed pictures automatically backed up from smartphones. All were hacked via the Internet.
So be wary of making representations about “the cloud not being safe.” There are many experts who believe storing data in the cloud is a more secure strategy than storing data behind a firewall. Just ask the former CTO of the Federal Government.
Can you keep data “cloud-free?” Sure. It’s called an air gap.
Just keep data on a computer with no connection to the Internet, or to shared networks that may have other devices connected the the Internet. It cannot be connected to an email server, or have cellular connection, WiFi access, or a network card. Just a computer connected to nothing outside of the power grid.
In other words, a pretty useless computer, and a pretty unlikely technology scenario outside of the NSA (maybe).
Ask yourself: Is your smartphone a cloud-based device? Are your bank accounts in the cloud? Is your law firm network in the cloud? Is your clients’ data in the cloud?
The answer in every instance is yes. Now it gets pretty sticky, right?
4. We take competent and reasonable measures.
Attorney David Ries of Thorp, Reed & Armstrong presents a concise overview in trying to answer the question of what is a lawyer’s obligation in securing data in this article from the American Bar Association.
ABA Model Rule 1.1 covers the general duty of competent representation and provides that “Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” ABA Model Rule 1.6 generally defines the duty of confidentiality — and significantly, it broadly extends that duty to “information relating to the representation of a client.” It’s now commonly accepted that this duty applies to client information in computer and information systems as well.
Mr. Ries goes on to conclude:
The core challenge for lawyers in establishing information security programs is deciding what security measures are necessary and then implementing them. Determining what “competent and reasonable measures” are can be difficult. Legal standards that apply in other areas, like financial services, can be helpful in providing a framework, even though they do not legally apply to the practice of law.
Now, your client is inevitably going to ask what your firm has done that could be defined as “competent and reasonable.” This would be an ideal time for your firm to have a memo on data security drafted and ready – one that compares the firm’s level of preparedness to the above referenced FTC standards and ISO standards.
Seems downright competent and reasonable, right? And, without being overly broad or onerous. Firms should have a specific document outlining what security measures are in place – and how those measures compare with industries that have bright-line compliance requirements such as financial institutions, and healthcare providers.
Would love to hear from anyone with experience in drafting this sort of document in your own firm, or if your firm has one I can link to.