The Management Challenge of Data Security and Privacy

Published 10/13

Increasingly, data security is passing from an abstract concern to a law firm management challenge because of client requirements. Bank of America Merrill Lynch, as one example, is auditing the data security policies at its outside law firms, partly under pressure from government regulators to do so. The FBI and other government agencies have emphasized concerns over cybersecurity at law firms – particularly given the value of their corporate clients' information to potential attackers, and law firms' often-slow adaptation to new technologies. The bank isn't just relying on its law firms to say they are keeping information systems safe; it is actually sending its own auditors out to review firm systems, and these frequently find the firms to be lacking in security practices.

Ethical Requirements

That such impetus could come from a client, and regulators of a client, should be unnecessary. Lawyers are bound by Rule of Professional Conduct 1.15, which requires that client files be “appropriately safeguarded,” and failure to do so is a failure in the overall duty to act competently in the best interests of a client. Last year, the ABA House of Delegates reinforced this duty for client electronic files by approving a new Comment 8 on Rule 1.1 regarding Competency; it states that “to maintain the requisite knowledge and skill” a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology …”

There are other Rules that apply to data safeguarding. For example, Rule 1.6 details each lawyer's responsibility to preserve client confidentiality. Yet the many lawyers using smartphones and wireless laptops potentially expose client information to anyone who can access the wireless connection, since traffic on an open or weakly protected network can be read by others within range. Several years ago, the State Bar of California's Formal Opinion No. 2010-179 emphasized that wireless connections should have a reasonable level of security, including precautions such as file encryption. And in its 2012 update to the Model Rules, the ABA House of Delegates added language to Rule 4.4, covering Rights of Third Persons, clarifying that the obligation to notify the sender of inadvertently sent documents applies also to electronic information. Comment 2 explicitly extends this to cases "when an email or letter is misaddressed or a document or electronically stored information is accidentally included with information that was intentionally transmitted."

Between client requirements and ethical demands, lawyers who are not stepping up to the management challenge of data security are putting their firms at risk. Could your firm pass a data security audit – whether from a global giant like Bank of America, or from the community bank that is your largest local client? Would you even know which areas pose the greatest security risks? Any such assessment should encompass these critical areas.

Enterprise System Security

In today's law office, client files are produced by enterprise-wide computer systems. Do you make it a point to back up all computer data and store important records and documents off-site? Do you have a full inventory of all electronic client files and papers? Every document you produce and save on the computer should be backed up on a regular basis, and the backups should be tested periodically by actually restoring files from them; a backup that has never been restored is an assumption, not a safeguard. If you don't do this, and you lose the files in a disaster, you are failing your ethical responsibility to the client. But disaster isn't the only issue. Your computer system could be compromised by a hacker or otherwise targeted by criminal activity, and if you don't keep firewalls, protection software and the systems themselves patched and up to date, that lack could support a malpractice claim.

Cloud Security

Enterprise security also encompasses cloud computing. The number of Internet-based document assembly, document management, practice management, and time and billing programs for the legal industry is growing, and because the programs run on a provider's servers rather than the firm's, the firm avoids the upfront expense of purchasing and hosting them. However, security or operational problems at the provider can make cloud-based programs suddenly unavailable. A given application may run on shared infrastructure rather than its own servers, and smaller vendors (particularly of specialized legal software) may not replicate the service across different data centers, so a single outage can take it down entirely. Law offices using cloud computing should be as diligent in assuring the security arrangements there as with their own systems: ask the provider where client data is stored, whether it is encrypted at rest and in transit and who holds the keys, who at the provider can access it, how it is backed up, and how the firm gets its data back if the relationship ends.

Wireless Security

The Rules of Professional Conduct have no formal ethical prohibition against conducting legal practice in cyberspace. In fact, the eLawyering Task Force of the ABA's Law Practice Division has created guidelines for such a practice, emphasizing the need for a secure, encrypted web site to maintain client confidentiality in representation, in retainer terms and in online payment. But with online activity increasingly done over wireless connections, whether by laptop or smartphone, lawyers handling client matters over wireless links should encrypt the transmission itself rather than trusting the network: use web sites and email services that encrypt the connection (HTTPS and TLS), and use a firm VPN on any network the firm does not control, such as hotel, airport or coffee-shop Wi-Fi. Urgent and immediate communication needs should never override security concerns.

Email Preservation

It might seem that nothing would be more temporary than a quick email, text or Twitter message. Yet these messages are increasingly subject to a duty of preservation, whether for a lawyer specifically or for a lawyer acting on behalf of a client. They are client communications, and as such must be kept confidential and secure. Electronic communication systems have gone beyond PC-to-PC applications such as Microsoft Outlook and today involve a whole host of wireless platforms delivered through cell phone services. All of these platforms can be disrupted by natural disasters, facility power outages, hardware or network failure, or software or configuration errors, any of which could jeopardize the duty to preserve this information.

Make sure that email and other electronic media are part of your data recovery strategy. That strategy should include email backup or archiving solutions, as well as an alternate email continuity service. Elements could include a tape recovery system, electronic vaulting (the storage of large amounts of data, such as that generated by the constant flow of email), and shadowing or mirroring (a synchronized process by which each email is automatically stored at a remote location). If such storage also involves a remote cloud location, ensure that the applications have their own servers and that the backup is replicated across different data centers. Remember that an archive concentrates years of confidential client communications in one place, so it needs the same encryption and access controls as the live mail system.

Social Media Security

Many concerns exist about whether social media activity is freely available information or is advertising controlled by the Bar, because social networking messages are available to the entire world, not just existing clients. The American Bar Association's Commission on Ethics 20/20 Working Group on the Implications of New Technologies has recommended that social networking not be used for "real time electronic contact" to solicit clients, and should be viewed as general communication to educate potential clients. But social media usage has other security concerns beyond client communication. For example, if a person involved in a divorce takes down or changes a Facebook page or other social media posting that might provide juicy insights to opposing divorce counsel, it could constitute spoliation of evidence, which courts sanction and which in some circumstances can be criminal, since electronic files are now fully accepted as part of the discovery responsibility in any litigation. Once litigation is reasonably anticipated, the safest course is to leave the account untouched. If a posting must be captured, print and save screen shots, but note that a screen shot carries no metadata; the platform's own data export, or a forensic capture that preserves dates and identifiers, is far better evidence if it must be produced in court as part of the lawyer's duty to preserve client files.

Cyberinsurance

Given all these risks, lawyers should have help with data security to fall back on. As discussed throughout this article, competence and care are the first line of defense, but supplemental help can come from specialized insurance policies. Most law firms have some form of property and liability insurance to protect premises and their contents against losses from fire or other disasters. Yet computer security risks, and the disaster that can result from them, are fundamentally different, and are typically not covered by general liability policies. It makes no sense to take a band-aid approach by seeking endorsements to traditional policies such as property, fidelity, and professional liability insurance. An effective cyberinsurance policy can cover first-party losses (the firm's own costs from accidents or security breaches, such as data restoration and breach notification), third-party liabilities that involve client losses from compromised or misused data (for example, identity theft), and lawsuit judgments for those harmed by denial-of-service attacks and viruses sent out over your system. Cyberinsurance is a definite cost, so before buying it, establish exactly what protection your current policies do and do not provide.


Technology is not the driver of what law firms do, but it has become the number-one law firm tool. Careful thought to assessing and integrating technology concerns in every stage of a firm's professional responsibility is essential to a healthy and growing organization. This is the only way to assure that technology will increase efficiency and quality of work while supporting competence in firm management. In the practice of law, responsibility and not speed remains paramount. There is no one right way to combine technology systems and legal practice operations, but there are clearly wrong ways. Giving due attention to the issues of technology management has become essential to efficiently serve clients and effectively meet professional standards.