Lawyers are bound by Rule of Professional Conduct 1.15, which requires that client files be "appropriately safeguarded"; failure to comply is a failure in the overall duty to act competently and in the best interests of a client.
The duty covers electronic client files and technology. Last year, the American Bar Association House of Delegates reinforced that point by approving a new Comment 8 on Rule 1.1 regarding competency. It states that "to maintain the requisite knowledge and skill," a lawyer "should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology ... ."
Increasingly, the issue of data security is passing from abstract concern to hard client requirement. Bank of America/Merrill Lynch, as one example, has said it is auditing the data security policies at its outside law firms, partly under pressure from government regulators to do so. The FBI and other government agencies have emphasized concerns over cybersecurity at law firms — particularly given the value of their corporate clients' information to potential attackers, and law firms' often slow adaptation to new technologies.
BofA isn't just relying on its law firms to say they are keeping information systems safe; it is actually sending its own auditors out to review firm systems, and they frequently find the firms to be lacking in security practices.
Could your firm pass a data security audit, whether from a global giant like Bank of America or from the community bank that is your largest local client? Would you even know which areas pose the greatest security risks? Consider this checklist and ask how your firm would fare:
- Enterprise security - Do you make it a point to back up all computer data and store important records and documents off-site? Do you have a full inventory of all electronic client files and papers? Are you using use the most up-to-date firewalls and anti-virus/spyware protection?
- Wireless security - Do all of your lawyers' smartphones have secure wireless connections, including email and file encryption? Do your emails have language stating that a communication is privileged and stating the recipient's obligation to notify the sender of the receipt of erroneously received emails?
- Cloud security - If your firm uses Internet-based document assembly, document management or practice management software, have you satisfied yourself about the security of the cloud service's servers? Do you know if their services are replicated across different data centers (particularly for special legal software) in case of an outage?
- Email security - Does your firm use email backup or archiving solutions, as well as alternate email continuity service? Do you use a tape recovery system, electronic vaulting (storage of large data) and shadowing (storage of email copies at a remote location)?
- Insurance coverage - Does your general liability policy or a special rider cover first-party liabilities losses caused by accidents or security breaches, third-party liabilities that involve client losses from compromised or misused data (for example, as in identity theft) and lawsuit judgments for those harmed by denial-of-service attacks and viruses?
Any client would be justified in asking those questions at any time, as they go to the heart of a firm's obligation to protect client records. How would your firm answer?