Increasingly, data security is passing from an abstract concern to a law firm management challenge because of client requirements. Bank of America Merrill Lynch, as one example, is auditing the data security policies at its outside law firms, partly under pressure from government regulators to do so. The FBI and other government agencies have emphasized concerns over cybersecurity at law firms – particularly given the value of their corporate clients' information to potential attackers, and law firms' often-slow adaptation to new technologies. The bank isn't just relying on its law firms to say they are keeping information systems safe; it is actually sending its own auditors out to review firm systems, and these frequently find the firms to be lacking in security practices.
There are other Rules that apply to data safeguarding. For example, Rule 1.6 details each lawyer's responsibility to preserve client confidentiality. But the many lawyers using smartphones and wireless laptops potentially expose client information to anyone who can access the wireless connection. Several years ago, the State Bar of California's opinion no. 2010-179 emphasized that wireless connections should have a reasonable level of security, which should include the use of precautions such as file encryption. And in its 2012 update to the Model Rules, the ABA House of Delegates added language to Rule 4.4, covering Rights of Third Persons, clarifying that the obligation to notify the sender of the receipt of inadvertently sent documents applies also to electronic information. That is explicitly clarified in Comment 2 to include “when an email or letter is misaddressed or a document or electronically stored information is accidentally included with information that was intentionally transmitted.”
Between client requirements and ethical demands, lawyers who are not stepping up to the management challenge of data security are putting their firms at risk. Could your firm pass a data security audit – whether from a global giant like Bank of America, or from the community bank that is your largest local client? Would you even know which areas pose the greatest security risks? Any such assessment should encompass these critical areas.
Make sure that email and other electronic media are part of your data recovery strategy. That strategy should include email backup or archiving solutions, as well as an alternate email continuity service. Elements could include a tape recovery system, electronic vaulting (the storage of large amounts of data, such as that generated by the constant flow of email), and shadowing or mirroring (a synchronized process by which each email is automatically stored at a remote location). If such storage also involves a remote cloud location, ensure that applications have their own servers, and that backup is replicated across different data centers.
Given all these risks, lawyers should have help with data security to fall back on. As discussed throughout this article, competence and care are the number-one forms of reliance, but supplemental help can come from specialized insurance policies. Most law firms have some form of liability insurance to protect premises and their contents against losses from fire or other disasters. Yet computer security risks, and the disasters that can result from them, are fundamentally different – and are unprotected by general liability policies. It makes no sense to take a band-aid approach by seeking endorsements to traditional policies, such as property, fidelity, and professional liability insurance. An effective cyberinsurance policy can handle first-party liabilities (losses caused by accidents or security breaches), third-party liabilities that involve client losses from compromised or misused data (for example, as in identity theft), and lawsuit judgments for those harmed by denial-of-service attacks and viruses sent out over your system. Cyberinsurance is a definite cost, so before considering it, make sure you know what protection current liability policies may or may not provide.
Technology is not the driver of what law firms do, but it has become the number-one law firm tool. Giving careful thought to assessing and integrating technology concerns in every stage of a firm's professional responsibility is essential to a healthy and growing organization. This is the only way to ensure that technology will increase efficiency and quality of work while supporting competence in firm management. In the practice of law, responsibility and not speed remains paramount. There is no one right way to combine technology systems and legal practice operations, but there are clearly wrong ways. Giving due attention to the issues of technology management has become essential to efficiently serve clients and effectively meet professional standards.
© 2024 Edward Poll & Associates, Inc. All rights reserved.