Are You Making 'Reasonable Efforts' to Safeguard Your Client’s Information

Despite ample warning and rules, many law firms and lawyers are still not doing enough.
In 2009, the Federal Bureau of Investigation (FBI) first warned that law firms were the targets of hackers. The agency repeated the warning in 2013 with the special agent in charge of cyber and special operations for the FBI’s New York Office saying, “We have hundreds of law firms that we see increasingly being targeted by hackers.”
This should not come as a surprise. Law firms hold a wide range of valuable information, from the identities of takeover targets to corporate financial information, trade secrets and embarrassing details of clients' lives. There is a ready and eager market for this information, and it can easily end up in the hands of unscrupulous opposing counsel, business competitors or foreign competitors.
Further, several ABA Model Rules of Professional Conduct now speak to a lawyer's ethical cybersecurity duty. Under the Model Rules, lawyers are required "to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Model Rule 1.6(c).
In turn, "reasonable efforts" may include taking steps to prevent someone from hacking into a law firm's computer network or a staff member from posting client information on the Internet. Comment [16] to Model Rule 1.6(c). Further, Comment [17] now states: "Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these rules." Thus, a lawyer must also consider duties arising under HIPAA, for example, and other laws intended to protect data privacy. Finally, ignorance of technology is no defense to an ethical violation: Comment [6] to Rule 1.1 (Competence) provides that lawyers must "stay abreast of changes in the law and its practice, [and] need to have a basic understanding of the benefits and risks of relevant technology."
Yet, despite all this, many law firms and lawyers still are not doing enough. While it is beyond the scope of this article to describe in detail every step that lawyers and law firms should take to protect their computer systems and electronic data, the basic areas discussed below deserve far more careful attention than most firms currently give them.
Email Security
First, consideration should be given to email security: whether the data being transmitted and stored is encrypted. Encrypting data in transit can be done efficiently and without appreciably slowing down the system, and many email programs already encrypt the connection to the mail server. Note, however, that this protects a message only between the client and the server, not end to end, and not once it has been delivered to a mailbox. Encrypting stored data can add some friction, although the full-disk encryption built into current operating systems is largely transparent in use. While a number of factors are involved, consideration should be given to encrypting all sensitive client information stored on a hard drive, thumb drive or mobile device, or attached to an email.
It is amazing how many people, including lawyers, fail to follow basic password protection practices. In 2012, the most common password was "password" with "123456" in second place, and there is no reason to believe that password habits have changed much in the past four years. There is simply no excuse for lawyers who use a weak password, reuse the same password across accounts, fail to change a password after a known breach, or keep it on a post-it note in an easily discovered location. A longer password, and one drawn from digits and symbols as well as letters, is far harder to guess with a brute-force program, which attempts every possible combination. Length matters more than character variety, because every added character multiplies the search space, and a password manager makes long, unique passwords practical rather than burdensome.
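To make the brute-force point concrete, the following added example (not part of the original article or of any bar opinion) computes the search space an attacker must exhaust for passwords of different lengths and character sets, and applies a minimal strength check. The guess rate and the small common-password list are constructed assumptions for the demonstration.

```python
"""Brute-force search space for passwords of different lengths and character
sets, and a simple strength check. Added example for this article; the guess
rate and the common-password list are constructed assumptions."""
import math
from string import ascii_letters, ascii_lowercase, digits, punctuation

# Constructed sample of the kind of entries that top "most common password"
# lists (assumption for the demo, not a real breach corpus).
COMMON_PASSWORDS = {"password", "123456", "12345678", "qwerty", "abc123", "letmein"}

# Assumed attacker speed: an offline attack against a fast, unsalted hash can
# reach this order of magnitude on commodity GPUs (assumption for the estimate).
GUESSES_PER_SECOND = 1e10

# Character sets, smallest first; a password is assigned the smallest one that
# contains every character in it, which is what a brute-force tool would try.
CHARSETS = [
    ("lowercase", ascii_lowercase),
    ("letters", ascii_letters),
    ("letters+digits", ascii_letters + digits),
    ("letters+digits+symbols", ascii_letters + digits + punctuation),
]


def keyspace(length, alphabet_size):
    """Worst-case number of guesses needed to try every combination."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Equivalent strength in bits: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Time for an attacker at `rate` guesses per second to try the whole keyspace."""
    return keyspace(length, alphabet_size) / rate


def charset_for(password):
    """Name and size of the smallest listed charset covering the password.
    Characters outside every listed set (spaces, non-ASCII) are counted on
    top of the largest set, a deliberately generous estimate."""
    for name, chars in CHARSETS:
        if all(c in chars for c in password):
            return name, len(chars)
    biggest_name, biggest = CHARSETS[-1]
    extra = {c for c in password if c not in biggest}
    return biggest_name + "+other", len(biggest) + len(extra)


def assess(password, min_length=12):
    """Reject common and short passwords; otherwise estimate brute-force resistance."""
    if password.lower() in COMMON_PASSWORDS:
        return {"ok": False, "reason": "appears in a common-password list"}
    if len(password) < min_length:
        return {"ok": False, "reason": f"shorter than {min_length} characters"}
    name, size = charset_for(password)
    years = seconds_to_exhaust(len(password), size) / (365 * 86400)
    return {
        "ok": True,
        "charset": name,
        "bits": round(entropy_bits(len(password), size), 1),
        "years_to_exhaust": years,
    }


if __name__ == "__main__":
    # Length beats character variety: an 8-character password drawn from the
    # full 94-symbol set falls in days at the assumed rate, while 16 lowercase
    # letters take longer than recorded history.
    for length, (name, chars) in [(8, CHARSETS[3]), (16, CHARSETS[0])]:
        years = seconds_to_exhaust(length, len(chars)) / (365 * 86400)
        print(f"{length:2d} chars, {name:22s}: "
              f"{entropy_bits(length, len(chars)):6.1f} bits, {years:.2e} years")
    for pw in ["password", "Summer16!", "CorrectHorseBatteryStaple1!"]:
        print(pw, assess(pw))
```

The estimate is an upper bound: real attackers try dictionary words, leaked passwords and common patterns long before a pure brute-force sweep, so a password that looks strong by this arithmetic but appears in a breach list offers no protection at all.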
It will become increasingly difficult for a lawyer to successfully claim that he or she has met Model Rule 1.6's requirement of undertaking "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client" where the use of a weak password led to the disclosure of such information.
Personal Devices
Another important area of concern is the use, or rather the loss or theft, of smartphones and tablets. With the storage capacity of these devices increasing, lawyers are storing more and more information on them, including email, email attachments and documents. The use of personal devices also makes it harder for firms to enforce good security practices. Lawyers should consider whether they have taken "reasonable steps" to safeguard the confidential information accessible on their mobile devices: for example, is the device locked with a passcode, is its storage encrypted, and can it be wiped remotely if it is lost or stolen?
Another area of concern is the increasing use of cloud computing, which offers significant advantages, especially for the storage of large amounts of data. In short, information stored in the "cloud" can be accessed from anywhere using almost any type of device. However, users may not be aware of the level of security the cloud computing service actually provides. According to New York State Bar Association Committee on Professional Ethics Opinion 842, a lawyer in New York may use an online "cloud" data backup system to store client files so long as the lawyer takes "reasonable care" to protect the client's confidential information from unauthorized disclosure, which includes the following three steps:
1. Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and that the provider will notify the lawyer if served with process regarding the production of client information;
2. Investigating the online data storage provider's security measures, policies, recoverability methods and other procedures to determine whether they are adequate under the circumstances; and
3. Employing available technology to guard against reasonably foreseeable attempts to infiltrate stored data.
The Committee further concluded that, because technology changes rapidly, a lawyer should stay abreast of technological advances to ensure the storage system remains sufficiently advanced to protect client information, and should monitor the changing law of privilege to ensure that storing information in the cloud will not waive or jeopardize any privilege protecting it.
Unsecure Wi-Fi
The last area of concern addressed here is the use of unsecured Wi-Fi networks, wireless networks that can be joined freely without a password. It is no secret that many lawyers spend a great deal of time away from the office and attempt to get work done wherever they find themselves. In the haste to get work done while on the road, lawyers may access the Internet from an airport or other hotspot that has open access. On such a network anyone within range can join, and an attacker on it can read or alter any traffic that is not itself encrypted, so a firm VPN, or at the very least a browser connection showing HTTPS, should be in place before client material is handled.