Are your clients and potential clients asking you to prove that their information is being kept confidential on your network? Simply understanding attorney ethical obligations is no longer enough. Audit letters are only the first step these days. There are often follow-up phone calls, and even visits to the firm asking to view how electronic client data is maintained.
Why Client Files Are at Risk
When you ask an attorney who’s been practicing law for 30 years to describe client files, the person might talk about folders, redwelds and banker boxes. Those days are long gone.
Client files now conjure up images of data on network drives, in your document management system, and files located in “the cloud,” on CDs, USB drives and the like.
The challenge of protecting confidential client data has increased dramatically in the past few years.
ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
It sounds simple enough, but if you lose your iPhone and it contains attorney-client emails and client contacts, you may well have inadvertently disclosed information relating to the representation of your clients. The same can easily happen with a laptop that isn’t encrypted. If client files are compromised, you are required to notify the client of the breach. That could lead not only to losing a client, but to embarrassment for the firm if the breach becomes public.
A Breach Can Happen to You
According to Digital Guardian, a data security software company, at least 80 percent of the biggest 100 law firms have had some sort of digital data breach. The demands of clients to keep their data safe and the expense posed to law firms to acquire top-notch cybersecurity has prompted the ABA and other groups to look for solutions. In fact, the ABA recently published “The ABA Cybersecurity Handbook,” available for purchase on the ABA website. The goal is to provide law firms with cost-effective solutions for keeping client data safe and avoid the type of catastrophic data breaches that have happened in the financial services sector.
Clients have become more demanding of law firms – often issuing cybersecurity surveys prior to hiring a firm. Your goal is to safeguard confidential client information while allowing access to the same data across numerous platforms.
As law firms feel pressure to increase security, firms are coming together to share ideas on how to balance client requirements for data confidentiality with the workflow and productivity of attorneys and staff. Five firms have formed an alliance to share information about data breaches and how they are strengthening their defenses. Instead of working against each other, as the competitive market often dictates, they are joining forces to bring about positive changes.
The pressure to change how client data confidentiality is handled comes in large part from regulators and from health care and financial services clients. That pressure is revealing itself in a few ways. Outside counsel guidelines now spell out client expectations for confidentiality more clearly: clients are providing lists of things that are not permitted and things they want done in a certain way.
Many clients are now requesting assurance that attorney access to their data is on a “need-to-know” basis, asking that access be closed off to other members of the firm. This creates the greatest challenge for firms moving forward.
Which Repositories Are Most at Risk?
DMS: Open-access document management systems (DMS) – such as Worldox, iManage and OpenText DM – improve collaboration and workflow, but clients are now saying they do not want that approach by default; they are concerned about the confidentiality of their information when access is that broad and open. The challenge is to modify the settings in your DMS to meet client needs while still giving attorneys easy access to documents so workflow stays optimal.
File Shares: Think about file shares (network drives, litigation support data, data in cloud services such as Dropbox, ShareFile, etc.). What is being kept there? Rogue documents that belong in your DMS? Litigation support data? It’s hard to keep up with security on this data. Who has access to those file shares? File share maintenance becomes very difficult, and clients are increasingly demanding that this data be reviewed and accounted for.
Traditionally, law firms had an open-by-default system. Perhaps an occasional document was secured, or set to view-only, but by and large the vast majority of documents were not secured. Law firms are now systematically changing how their DMS documents are managed based on client security needs.
The most draconian result is to make each document secure only to the author, but that’s not feasible, so many firms are considering restricting by practice group. However, that still will not be adequate for many clients who are asking for access on a “need to know only” basis. Restricting by client-matter may be more popular for some clients.
Firms are encouraged to offer these various levels of document security based on client needs.
How do you handle staff? At some point, this starts becoming similar to the issues considered in establishing ethical walls. Tools are increasingly becoming available to help manage these issues. Ask Terrapin about collaboration/security tools that would fit your firm’s needs.
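To make the security levels above concrete, here is an added example (not code from the original article or from any DMS vendor) that evaluates who can read a document under each level: open-by-default, author-only, practice group and client-matter. The user and document fields, the level names and the ethical-wall list are assumptions constructed for illustration; the sample users and document are constructed data.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class User:
    uid: str
    practice_group: str
    matters: frozenset = frozenset()      # client-matter ids the user is staffed on
    walled_from: frozenset = frozenset()  # client ids behind an ethical wall

@dataclass(frozen=True)
class Document:
    doc_id: str
    author: str
    practice_group: str
    client: str
    matter: str
    security: str  # "open", "author", "practice_group" or "client_matter"

def can_read(user: User, doc: Document) -> bool:
    """Deny-by-default check; an ethical wall overrides every security level."""
    if doc.client in user.walled_from:
        return False
    if doc.security == "open":
        return True
    if doc.security == "author":
        return user.uid == doc.author
    if doc.security == "practice_group":
        return user.practice_group == doc.practice_group
    if doc.security == "client_matter":
        return doc.matter in user.matters
    return False  # unknown level: deny rather than fall back to open access

def readers(doc: Document, users) -> list:
    """Sorted list of user ids able to read the document."""
    return sorted(u.uid for u in users if can_read(u, doc))

# Constructed sample data: one litigation document for client ACME, matter ACME-001.
USERS = [
    User("alice", "litigation", frozenset({"ACME-001"})),     # author, on the matter
    User("bob", "litigation"),                                 # same group, not on matter
    User("carol", "corporate", frozenset({"ACME-001"})),      # other group, on the matter
    User("dave", "litigation", walled_from=frozenset({"ACME"})),  # ethical wall
]
DOC = Document("D1", "alice", "litigation", "ACME", "ACME-001", "open")

def readers_by_level() -> dict:
    """Show how each security level narrows access to the same document."""
    levels = ("open", "author", "practice_group", "client_matter")
    return {lvl: readers(replace(DOC, security=lvl), USERS) for lvl in levels}
```

Note that the practice-group level still lets bob read a matter he is not staffed on, while the client-matter level admits carol from another group because she is on the matter; that is the difference clients mean by "need to know".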
Situations are arising where clients ask for things that are either impossible or impractical to implement, and firms are starting to weigh whether the request, and what it would take to implement it, still makes it feasible to represent certain clients. These are real issues for law firms.
Client requirements are dictating that attorneys can no longer say security and confidentiality are “not my problem” and are for IT or risk management to handle.
Try to look at the war and not the battle. When you are looking at the issues of security and information governance, you need to find the right champion. Just because these items are housed in a repository maintained by IT does not mean they should be viewed as owned by IT. There needs to be larger governance oversight, with firm partners involved to champion the cause.
Build a system with tools that allow the structure to change as demands change. Build these questions into the client-matter intake process so that security can be set properly at the inception of the client relationship.
Make these decisions based on the demands of the clients, your firm culture and the complexity and size of your systems. Feel free to reach out to your contacts here at Terrapin Technology Group for advice. We can help you create a client data confidentiality solution that is realistic for your particular needs.