Data Security is a Professional Responsibility

Published September 3, 2013

News reports have indicated that Bank of America Merrill Lynch is auditing the data security policies at its outside law firms, partly under pressure from government regulators to do so. The FBI and other government agencies have emphasized concerns over cybersecurity at law firms – particularly given the value of their corporate clients’ information to potential attackers, and law firms’ often slow adaptation to new technologies. BofA isn’t just relying on its law firms to say they are keeping information systems safe; it is actually sending its own auditors out to review firm systems, and these frequently find the firms to be lacking in security practices. [Read “Outside Law Firm Cybersecurity Under Scrutiny.”]

That such impetus could come from a client, and regulators of a client, should be unnecessary. Lawyers are bound by Rule of Professional Conduct 1.15, which requires that client files be “appropriately safeguarded,” and failure to do so is a failure in the overall duty to act competently in the best interests of a client. Last year the ABA House of Delegates reinforced this duty for client electronic files by approving a new Comment 8 on Rule 1.1 regarding Competency; it states that “to maintain the requisite knowledge and skill” a lawyer “should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”

There are other Rules that apply to data file safeguarding. For example, Rule 1.6 details each lawyer’s responsibility to preserve client confidentiality. But the many lawyers using smart phones and wireless laptops potentially expose client information to anyone who can access the wireless connection. Several years ago the State Bar of California’s opinion no. 2010-179 emphasized that wireless connections should have a reasonable level of security, which should include use of precautions such as file encryption. And in its 2012 update to the Model Rules, the ABA House of Delegates added to Rule 4.4, covering Rights of Third Persons, language clarifying that the obligation to notify the sender of the receipt of inadvertently sent documents applies also to electronic information. That is explicitly clarified in Comment 2 to include “when an email or letter is misaddressed or a document or electronically stored information is accidentally included with information that was intentionally transmitted.”

Such issues as these go to the heart of any firm’s obligation to protect client records. Any client, not just Bank of America, would be justified in asking about them at any time. Would your firm’s answer show that you take safeguards to comply with ethical responsibility?
