Today we’ll talk about something near and dear to my heart: data security for lawyers. I recognize that this is not a topic that many lawyers want to discuss, or one that they feel comfortable discussing. But the reality is that data security is an important part of being a lawyer, even if it’s not the focus of your practice. In fact, data security in the protection of client information has become a central component of how lawyers maintain their obligation to protect client conferences. That means, in one sense, every lawyer has to have competency in data security, because every lawyer has an obligation to protect the privacy of their clients’ information. We have to be able to speak about this stuff and actually know what we’re talking about.
It’s no surprise then, that state bar associations have passed amendments to the rules of professional conduct in the last few years that require some understanding and awareness of technology, privacy, and data security. The idea is that, if lawyers are exposed to technology issues, they’ll be less likely to make a catastrophic mistake (see below). The reality is that these requirements are probably don’t rise to the level of “useful.” In Florida, for instance, the new rules require at least three hours of technology credits during reporting cycle. Sounds admirable, right? In fact, the reporting periods in Florida over the course of three years, and so that means that you’re obligated to take an hour of technology CLE per year year, or roughly 5 minutes a month. Not so great.
What, then, can you do as an attorney to be not just compliant with the state bar requirements, but actually of service to your clients and actually capable of handling data security issues within your own practice?
It starts, as it almost always does, with education. You need to take the time to learn with the relevant issues are for the practice before you can start making reason judgments about how to become better. So, for instance, read up on the types of data security risks that face law firms. You may remember from a few years ago that DLA piper, a very large and well respected firm, suffered a massive data breach that cost them client confidence, wasted time, and millions of dollars. The Petya ransomware outbreak in June 2017 affected businesses worldwide, but the consequences for lawyers at DLA were, of course, acute — lawyers walking into trial suddenly lost all their exhibit slides and counsel at closings suddenly couldn’t see the latest execution version of a loan sale agreement. A nightmare.
The reasons for the insecurity at DLA were not unique to the firm — in fact, DLA had
pretty good security measures in place. But all it takes is a single mistake to infect an entire global network of 3,600 lawyers and support staff. The mistakes at a big firm are the same as at a small one. Bad password management, bad data restrictions on access, bad limitations on who has access to hardcopy documents, refusal to modernize technology, and keeping pace with advances in tech. Each of these of criticisms could be leveled any firm, of any size. That said, if you were aware of these restaurants you can shore up your own security without having to create an entire IT/S/data security department within the law firm. We recognize as lawyers that sometimes cost outlays our determinative of what we can do, but they don’t always need to be. The alternative is to say to concerned clients that you don’t understand the technology or the law of data security because it’s too complex, which is unlikely to be reassuring.
The next thing to do is read up on issues facing clients. Just as you have to be careful in how you maintain your own data, understanding how your clients maintain theirs can give you insight into some of the issues that you both face. How has your client has sent data or documents to you in the last year? Was it encrypted? Has it been over a secure FTP server? Do the same people send you the emails every time? Or are they open channel, unencrypted, open access, documents that are sent from different people at different times? Do low-level staffers send you highly confidential materials or, conversely, does the client give you a multiplicity of names to send materials to? If the responses fall into this latter category, then there’s obviously some work that needs to be done.
This is an opportunity for you to demonstrate your sensitivity to issues facing your client. You can suggest minor changes to the way that your client handles documents, demonstrating your awareness of data security issues and also your concern for the clients’ own security practices. You might say something along the lines of “I noticed that last week an intern sent me a document that was highly confidential and reflected the company’s internal judgment about business plans for the upcoming quarter. It is probably a good idea not to allow junior level staff — especially interns — to have access to that kind of material. Maybe in the future, if you personally want to send those materials to me, that would be much more secure and better for all involved.” If need be, provide them with examples from other businesses that have had information stolen by giving access to those who should not have had access. Again it’s about educating your client to help them develop better practices.
One other tool at your disposal is the expertise of other lawyers. There are many lawyers who do specialize in data security or privacy (*cough cough*), and they are often more willing than not to share their insights or their tips with you about how to protect your practice and give guidance to your clients. There is enough data security work to go around that you shouldn’t be worried about getting intentionally misleading advice from another lawyer looking to cause a data breach at your firm – – because no lawyer would ever intentionally mislead anyone right?
Joking aside, getting advice end guidance from lawyers who understand this field is a very good way of developing your own understanding, and establishing connections with people who may be able to provide service in value to your clients if the need arises. Try to find lawyers in your community who will put together a webinar or a presentation or a lunch and learn for your firm so that they can give you tips on a practical level that are harder to come by just by scanning the Internet. Of course, you could always scan the Internet for webinars or lectures, of which there are plenty, and some of them are even good.
Data security and privacy are not niche subject matters anymore. In fact they are a fact of life for every lawyer, regardless of your practice area. Understanding the basics, and expanding your knowledge as your years go by, will stand you in good stead not only with clients, but also with the bar ethics committee and your malpractice carrier who are increasingly concerned about the tack on savviness of many lawyers. It’s a great way to differentiate yourself – – a lawyer who understands technology, who knows how to give good advice about data security to clients, and who is willing to work with clients to improve their own security without making it a central component of their practice.