Monday, June 25, 2012

Hyper Cybersecurity for Lawyers?

In a June 25, 2012, Wall Street Journal article, "Lawyers Get Vigilant on Cybersecurity," Jennifer Smith describes a number of security breaches and attempted hacks at law firms around the U.S. One of the scenarios describes hackers who target lawyers' smart phones to gather confidential information about the lawyers' clients or legal services.  While most would argue that a law firm has a duty to use reasonable means to keep all equipment provided to the firm's employees, including smart phones, free from such malware, does that duty also apply to the personal devices used by firm employees?  What about online shared file services like Dropbox or Google Drive, where lawyers and clients can exchange documents electronically?

The Rules
Though most laws that cover cybersecurity also apply to lawyers and law firms, additional duties apply under rules of professional conduct ("ethics") and concepts of fiduciary responsibility under the law of agency.  The present American Bar Association Model Rules of Professional Conduct contain Rule 1.6(a), which reads:
(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).

The rule language, adopted in most states as binding on lawyers admitted to practice in those states, is very broad.  Two comments to the rule provide some clarity, though they were obviously written before smart phone hacking was perceived as a big risk to the legal profession.  I have emphasized some key language in Comments 16 and 17 below.
[16] A lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer's supervision. See Rules 1.1, 5.1 and 5.3.

[17] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule.
The rule and comments could be construed to require, depending on whether the state has adopted the ABA version of Model Rules 5.1 and 5.3, that the law firm take reasonable steps to protect client confidences regardless of whether the confidential information is transmitted via a firm-issued or an employee-provided device.  That is a huge expansion of the domain most firm IT departments are given and a potentially significant increase in cybersecurity costs.

The ABA is currently considering changes in this area.  On May 7, 2012, the ABA Commission on Ethics 20/20 published several proposals that will be considered by the ABA House of Delegates this August.  One Resolution and Report specifically addresses "Technology & Confidentiality."  Recognizing the fast-evolving world we work in, the Commission observed:
Today, lawyers regularly communicate with clients electronically, and confidential information is stored on mobile devices, such as laptops, tablets, smartphones, and flash drives, as well as on law firm and third-party servers (i.e., in the “cloud”) that are accessible from anywhere. This shift has had many advantages for lawyers and their clients, both in terms of cost and convenience. However, because the duty to protect this information remains regardless of its location, new concerns have arisen about data security and lawyers’ ethical obligations to protect client confidences.

Technology is also having a related impact on how lawyers conduct investigations, engage in legal research, advise their clients, and conduct discovery. These tasks now require lawyers to have a firm grasp on how electronic information is created, stored, and retrieved. For example, lawyers need to know how to make and respond to electronic discovery requests and to advise their clients regarding electronic discovery obligations. Legal research is now regularly and often more efficiently conducted online. These developments highlight the importance of keeping abreast of changes in relevant technology in order to ensure that clients receive competent and efficient legal services. (ABA Commission on Ethics 20/20 Report, "Introduction and Overview," p. 4, footnotes omitted.)
As a result, the Commission proposed a new paragraph (c) to Model Rule 1.6:
(c) A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
In addition, the Commission proposed a substantively revised Comment 16:
[16] Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons or entities who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, confidential information does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments [3]-[4].
(Again, some of these changes will apply differently if your state does not have the exact ABA version of Rules 5.1 and 5.3.)

If adopted by the ABA House of Delegates, each state would then decide whether to adopt some or all of the changes in their rules of professional conduct.  Until adopted in a state, the ABA Model Rules are purely advisory, of course, but can be used by courts as guidance on issues of professional liability.

Pre-emptive Proactiveness
So what should a firm do?  First of all, a written policy is essential.  Lay out practical guidance for the employees that (a) reminds them of all the obligations that everyone--not just those with a law license--must follow, (b) points out the places of vulnerability and highest risk, much as you would warn against posting passwords on the wall by their computer, (c) explains what the firm can and will do--and what it will not do--to help protect office systems and confidential data, (d) clarifies through several examples what information is confidential and what best practices count as reasonable efforts to prevent unauthorized disclosures, and (e) draws a bright line wherever possible between which activities are permitted and which are not--as well as how to request an exception in appropriate circumstances.

Secondly, be very deliberate as to which employees get what hardware.  Some may only need a "dumb" device that has nothing stored on it locally, but can remotely access selected online resources in limited circumstances.  Others may need full-functioning tools some days and the "dumb" devices on others.  If you issue full-access hardware to everyone all the time, you may have a difficult time explaining how that is reasonable or part of a prudent program to prevent problems.

Thirdly, monitor.  You may find that some IT policies are too restrictive and actually lead to more risk than they limit.  If staff are emailing confidential, unencrypted documents to their Gmail accounts so they can work on them at home, look for a better way to support their needs that does not send them to a self-devised work-around.  If some people use their personal smart phones to talk to clients or co-counsel, determine whether the firm should provide a phone it can routinely scan for viruses and remotely wipe if lost, or whether there is another way to help the lawyers work with less risk than an unprotected smart phone that could be home to listening and keylogging malware.

Fourth, educate the clients, too.  All the security in the firm won't be worth much if the client waives lawyer-client privilege by working on personal legal matters through her employer's computer or does not have a virus protection program.  The blame may be hard to place without a lot of forensic review and valuable time, even if you eventually confirm that no systems at the firm led to the disclosure.

Finally, know the law.  Is your firm subject to the mandatory disclosure laws when private information is disclosed through a hack?  Are you obligated to take preventive measures before a problem occurs?  Each state has different levels of responsibility for unauthorized disclosure of client information and some rules that traditionally have been enforced only against consumer businesses could also be used against professional services businesses (think: medical records) unless there is an express exemption.

Bottom line: start now to put "reasonable" preventive measures in place to prevent unauthorized disclosures of confidential information and to comply with state and federal data privacy laws that may govern how you store data as well as report security breaches.