The Issued and Revised Formal Opinion 477R
Although some lawyers may not have been paying attention, approximately five years ago the American Bar Association (ABA) adopted technology amendments to the Model Rules, which included addressing a lawyer’s obligation to take reasonable measures to prevent inadvertent or unauthorized disclosure of information relating to representation. More recently, the ABA updated Opinion 99-413 to include cybersecurity measures for all attorneys. It appears, therefore, that some in the legal community have started to recognize that cybersecurity is really an ethical obligation. It would follow that those engaged in the legal profession are experiencing “breach acceptance.” Breach acceptance (a term coined by SIM manufacturer Gemalto) is a state of being characterized by the realization that a breach will happen, so the most important thing to consider is what the consequence of the breach will be. Will it be small and inconsequential because steps were taken to secure client data, or will it be massive, embarrassing and potentially devastating to the lawyers and clients?
A lawyer should, at the very least, be cognizant of the ever-changing technological world and the problems associated with maintaining client confidences and secrets, because data is a big target, and there are lots of people who know how to exploit weaknesses in any security plan. Lawyers must understand the increasing impact of technology on the practice of law and their duties to safeguard the data associated with the representation of their clients. Many lawyers hold personally identifying information (PII) that must be safeguarded under Consumer Protection Acts in all but a few states, and personal health information (PHI) that may be subject to the privacy and security rules of HIPAA. In either case, a lawyer should take reasonable precautions to protect the information in his or her possession.
It is noted that there are no mandatory requirements for all lawyers regarding any specific security measures, such as firewalls or passwords, but those are precisely the types of security measures every lawyer should be using in an attempt to secure data, client or otherwise. It is difficult to imagine that in 2017 there are lawyers who are not ensuring they have proper firewall management, or who are not utilizing some form of password protection, but apparently there are some out there. And while there may be a lawyer somewhere who does not find it necessary to utilize a computer, or any device connected in any way with the Internet, such an office should be the only law practice that does not take at least some technological measures to secure client data or other sensitive information.
With this in mind, the ABA notes five factors to be considered when determining what security measures a lawyer should employ:
- the sensitivity of the information
- the likelihood of disclosure
- the cost of employing additional safeguards
- the difficulty of implementing the safeguards
- the extent to which the safeguards adversely affect the lawyer’s ability to represent the client.
Thus, recalling the term “breach acceptance” should produce the following thoughts: all clients expect that confidences and secrets will be secured; any unsecured data is likely to be exposed; there are many tools available to secure data; there are people who know how to assist with securing data; and secured data should still be accessible by the lawyer whenever it needs to be accessed. So, based upon the ABA recommendations and common sense, it follows that all lawyers who want to maintain the confidence of their clients should have some reasonable form of data security.
The ABA also suggests that a lawyer should discuss potential security safeguards with clients, but would any client reasonably assume the lawyer would not engage security measures, such as a firewall and some passwords, to protect their very important and very private information? It seems nonsensical for a lawyer to explain to a client that he or she intends to take no action whatsoever to protect the client’s confidences and secrets. What should take place instead is a discussion of the methods the lawyer will employ to secure data, and of the fact that there is no such thing as absolute security of all data.
If a lawyer is serious about cybersecurity, consideration must be given to good employee training. One of the leading causes of data leaks is the untrained employee who unfortunately allows a virus or phishing mechanism into the secured system, and, unlike medical personnel who have been trained under HIPAA for approximately 20 years now, legal staff may not have the same level of competence when it comes to cybersecurity. It should be noted that, although HIPAA training has been required for two decades, medical providers are still experiencing massive breaches and voluminous data leaks, so law offices may be in for a rude awakening.
It follows, too, that the lawyer needs to conduct due diligence reviews of vendors providing communication and technology resources. The ABA notes a list of requirements that a lawyer should consider when selecting assistance with cybersecurity, and, at a minimum, the lawyer should check references and credentials, probably through another vendor, before making a selection. And since the lawyer’s duty to maintain confidences and secrets cannot be delegated, there should be a system in place to regularly review all vendors and security systems.
Julie-Karel Elkin is a Member and the Chief Compliance Officer at Spicer Rudstrom PLLC. She is the head of the Health Data Privacy and Security practice and has been helping companies and practices large and small with all aspects of their compliance needs for more than 20 years. Ensuring her clients protect and secure data through better training and the sensible use of technology is at the core of her mission.