February 7, 2019
It’s after the Holidays. Here’s what’s happening at one New York law firm (and possibly many): a report from its technology consultant shows the firm is at high risk for a data breach. The firm’s clients require evidence of stronger technology controls and data security policies, including compliance with data privacy laws. The firm’s IT director has a lengthy and costly wish list from last year for technology upgrades. Meanwhile, a major client has scheduled an onsite data audit involving physical inspection of the firm’s offices. The client has its own pass-through cybersecurity and privacy obligations to its own clients and is, itself, under intense scrutiny. The Holidays are truly over.
Old Wine in New Bottles, or New Wine in Old Bottles?
Lawyers are guardians of client data. They have always been the protectors of confidentiality, the preservers of privilege and the keepers of security. Before the digital age, the lawyer’s role in managing these duties was relatively uncomplicated, primarily because client data was not a product of technology as we know it today. Client data existed in physical, tangible form and client documents were created on paper using a fountain pen or typewriter, delivered by hand or courier, and stored in the lawyer’s office or off-site. Reasonable safeguards were (presumably) employed by the lawyer’s firm based on appropriate security standards of yesteryear, without the lawyer’s direct involvement or knowledge. There were rarely any sensational confidentiality breaches or security incidents that grabbed the attention of clients, regulators or the media. Protection of client data back then was no less important than it is today, but the risks of theft, loss or hacking were mostly unheard of, which meant that the lawyer’s personal efforts to proactively protect client data were not a significant concern that needed client or regulatory oversight.
With the advent of technology and its pervasive use in the delivery of legal services, everything has changed. Much client data is now intangible and invisible, stored on hard drives, servers, devices or the cloud. Nonetheless, lawyers have a duty to see or foresee the risks and avoid them. The most noteworthy shift is in the perception of the lawyer’s role in using technology for client work. Updates to Rule 1.1 of New York’s Rules of Professional Conduct have reshaped our understanding of the duty of competence. This ramped-up duty requires lawyers to not only be legally competent, but to be technologically competent as well. Competence under Rule 1.1 does not require a mastery of the subject of technology, but rather an adequate understanding of the available technology tools and, most importantly, the potential risks in using technology tools for legal work and the security features that should be employed to avoid loss, damage or misuse of client data. Essentially, this means that the firm’s IT department across the hallway (or the ocean) no longer plays a mere operational support function; instead, it has a vital and integral role in the process of delivering legal services. Any technological issue facing the lawyer – misdirected email, improperly redacted documents, metadata, storing corporate data in the cloud, putting sensitive client documents on a flash drive, bringing your own device – can become a critical firm or client issue that can create risks to confidentiality, privilege, privacy, information security and cyber security.
A Kaleidoscope of Concerns
Let’s turn back to the not-so-hypothetical hypothetical in the introduction, where multiple information security and privacy concerns were swirling around our beleaguered (fictional) law firm. The first thing to keep in mind is that lawyers need to keep a watchful eye on everything concerning client data, not only on any one thing: information security (of which cyber security is a part), to prevent the unauthorized or mischievous misuse of technology or the physical work environment; data privacy, to protect personal data from improper use; confidentiality, to safeguard information relating to the representation from unauthorized use or inadvertent disclosure; and attorney-client privilege, to preclude disclosure of attorney-client communications involving legal advice.
Information security, data privacy, confidentiality and privilege are, to some extent, related concepts that overlap and intersect with each other. Lawyers need to be aware of their interaction and understand that taking steps to protect one may not be sufficient to safeguard any or all of the others. Consequently, client data could potentially be left open to significant risk of loss, misuse and disclosure. To illustrate, moving client data to the cloud may enhance information security, but may compromise privilege if proper measures are not taken to preserve it; having a confidentiality policy without addressing data privacy concerns could make the firm susceptible to privacy claims and hackers; and maintaining carefully organized files of privileged information without paying attention to information security could leave the firm vulnerable to a panoply of cyber-breaches, which are an increasing concern for law firms. These concepts demand that lawyers and firms move beyond their traditional comfort zone to embrace the technological challenges, responses and opportunities inherent in managing information security and data privacy, while recognizing the new demands that this places on resolving the more lawyerly concerns of confidentiality and privilege.
Data is dynamic and never static, which adds another layer of monitoring and control over the transmission, storage and use of data. Constant and continuing vigilance is necessary to ensure that data-at-rest, data flow and data storage are carefully managed to avoid information security lapses, privacy breaches, privilege loss and confidentiality violations.
Considerations for Law Firms
As a practical matter, law firms today need to treat information security and data privacy on an equal footing with other critical firm functions. They should not be considered mere sub-functions of other firm departments, such as IT; rather, they should receive management-level attention and allocation of resources. This may include the formation of a committee focused on information security and data privacy which would oversee review of internal and externally-facing policies, documenting and coordinating internal firm practices for security and privacy compliance purposes, reviewing and obtaining sufficient insurance coverage, conducting personnel training and third-party vendor review, among other things.
In order to be addressed properly, information security and data privacy awareness need to become a part of the everyday culture of law practice. The firm should take the lead, but each lawyer has an individual duty of competence in this area. It’s no longer considered amusing to joke about technical incompetence. Data security and privacy awareness go beyond technical awareness, just as information security and data protection go well beyond IT concerns. A fundamentally different mindset needs to take hold.
“It won’t happen to me” was never a good mantra, but it’s only getting worse. It may already have happened to you; you just don’t know it yet. In many ways, the greatest threat to information security “exists between keyboard and chair” – the lawyer (or legal assistant, secretary or other staff member or firm executive). How many times have stressed-out, time-challenged, multi-tasking lawyers clicked past an error message, or dismissed an odd spelling or phrase in an email, or clicked on a random link while taking a shopping or social break at their desk, or left their desk without locking their computer, or given someone their phone to take a picture? Those are all security or privacy breaches waiting to happen – or worse yet, signs that a security or privacy breach is happening right now.
Death and Taxes (and Data)
Until the time that lawyers and law firms begin to treat information security and data privacy awareness and diligence as key components of their practice management, on an even footing with other critical issues such as conflicts of interest, confidentiality and privilege, our collective blind spot will continue to be a target for rogue actors, ranging from bored teenagers and disgruntled (or incompetent) employees, to organized crime syndicates and state-sponsored hacker groups. While many of these bad actors may evade punishment, the damage suffered by the law firms that were their victims (and their clients) may be permanent or even terminal. Not only would such a result be tragic; it is a result that each lawyer is professionally bound to avoid.
Devika Kewalramani is a partner at Moses & Singer LLP and co-chair of its Legal Ethics and Law Firm Practice group. Gregory S. Shatan is a partner in the firm’s Intellectual Property group. Liberty T. McAteer is an associate in the firm’s Intellectual Property group.
Reprinted with permission from the February 7, 2019 edition of the New York Law Journal © 2019 ALM Media Properties, LLC. All rights reserved.