GPSOLO July/August 2007
Confidentiality in a High-Tech World
In our era of virtual offices, shared office spaces, and the continuing tide of ever-evolving technologies, lawyers must remain vigilant in protecting confidential client information. This article discusses some of the common loopholes and suggests reasonable measures solos or small firm lawyers can take to ensure client confidentiality and satisfy their ethical obligations.
Rule 1.6 of the ABA Model Rules of Professional Conduct requires attorneys to maintain the confidentiality of information relating to client representation. The rules also state that disclosure is permitted in limited circumstances, such as when a client consents to disclosure, when disclosure is necessary for the prevention of a crime that is reasonably certain to result in substantial injury to the financial interests or property of another and in furtherance of which the client has used or is using the lawyer’s services, or when disclosure is implicitly authorized by the client.
Because all lawyers use various forms of technology to share and communicate client information, and many solos or small firm practitioners share office space with other lawyers and office personnel, the potential for inadvertent disclosure is an issue that must be taken seriously. Office-sharing situations often mean attorneys and staff have access to one another’s file cabinets, reception area, conference room, computers, telephones, and fax machines. Each of these situations creates an opportunity for inadvertent disclosure of confidential client information. Overheard conversations are only one way in which client confidences may be innocently disclosed, but many physical conditions and technology lapses should also be considered. For example, are your paper files secured in locked cabinets? Are your computers password protected? Is your server accessible to strangers? Physical theft is no longer the only loss that businesses must face.
To minimize inadvertent disclosure, attorneys must assume responsibility for the conduct of staff members and ensure that they not disclose or make use of client confidences or secrets by instituting and enforcing written policies. Inside the office or out at lunch, indiscreet conversations concerning clients must be avoided. In addition, without client consent, a lawyer may not seek counsel from other lawyers in the office if there is a reasonable possibility that client confidences would be revealed. Additional measures to guard against inadvertent disclosures might include some or all of the following suggestions:
- Lock file cabinets containing hard-copy files;
- Require network and workstation passwords to protect access to files;
- Restrict voice-mail access on shared telephone systems;
- Arrange the reception area so that third parties are not able to overhear confidences from a lawyer’s clients;
- Remind all personnel to avoid conversations about client matters in the common areas;
- Instruct staff not to leave confidential materials in the copy area, in the library, or on their desks in open view;
- Avoid sharing staff members who have access to confidential information with other attorneys or office personnel;
- Mandate that all employees, including lawyers, using a shared office space sign nondisclosure agreements; and
- Inform clients of the space-sharing arrangement and of the measures undertaken to avoid threats to confidentiality.
New Technologies, New Threats
Improved technologies provide unique concerns. There are a number of obvious examples of unacceptable disclosure that attorneys should avoid, such as conversations concerning clients on cell phones, especially on commuter trains or in restaurants. But many less obvious examples of disclosure can present problems even for vigilant attorneys.
Your office may employ a number of communications technologies-e-mail, wireless network, VoIP phone system, BlackBerrys or other PDA devices, and "web access" to e-mail accounts or client files. Each of these technologies presents different challenges for attorneys trying to meet nondisclosure obligations.
One way to take on the technology behemoth is to first understand how the specific system or device functions. When you send an e-mail, for example, the data is divided into packets of information that are first sent to your Internet service provider (ISP). From there, the data comprising the e-mail moves to other servers, where it is stored or forwarded (remember, all of this occurs in digital time) until it reaches the recipient’s ISP, where it is reassembled from the packets and passes through a secure server to the recipient. E-mail follows no set path to its final destination; it can travel any number of routes, in any number of packets, and still end up in the intended place. The problem is that the e-mail can be intercepted whenever it is sitting on a third party’s server. Even worse, it is difficult to know when an e-mail has been compromised.
"Packet-sniffing" programs search these packets to copy—and to steal—useful information. The programs have many legitimate uses, but they can be very helpful in misusing electronic data. Other technologies employ similar or analogous methods of transferring data in small pieces or packets across a series of networks. Knowing how technology works is crucial in evaluating how best to protect the information passed through it.
Despite some security risk, the American Bar Association issued an ethics opinion that states e-mail should be treated the same as traditional mail (ABA Comm. on Ethics and Prof’l. Responsibility, Formal Op. 99-413 (1999)). Several bar association ethics committees have opined that encryption is not necessary. An ethics opinion from the New York State Bar Association (709 N.Y. St. Bar Ass’n. Ethics Op., 55-97 (1998)) states that lawyers generally may use current technologies to send unencrypted Internet e-mail carrying confidential information without breaching their duties of confidentiality under Canon 4. But, it warns, the lawyer’s judgment as to security must be reasonable:
Thus, in circumstances in which a lawyer is on notice for a specific reason that a particular e–mail transmission is at heightened risk of interception, or where the confidential information at issue is of such an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer’s control, the lawyer must select a more secure means of communication than unencrypted Internet e–mail.
The opinion advises lawyers to keep abreast of improved technologies that may reduce such risks at reasonable cost, and it suggests lawyers discuss with clients the risks inherent in the use of Internet e–mail and abide by the clients’ wishes regarding preferred methods of communication. Where a client uses e–mail freely in contentious situations (particularly a public company setting), it would be prudent to discuss with the client the evidentiary risks such e–mails could pose if circumstances led to litigation or if taken out of context.
To be on the safe side, you can take certain relatively simple steps to ensure that your e–mails have additional protection. First, because of packet–sniffing programs, never send an e–mail containing a password, and regularly change any passwords that you use. Also, Microsoft Outlook has the capacity to encrypt e–mail using a process called Pretty Good Privacy (PGP). For example, in Outlook 2003 it can be found under Tools > Options > Security. It is useful to search Outlook’s help file for "encryption" to obtain specific instructions for your version. The name of the technology actually understates its effectiveness. In additon, you can put a confidentiality notice on e–mails containing confidential or sensitive information. (Be sure to watch for possible changes in law as it pertains to e–mail confidentiality notices, which have become so common–and commonly ignored–that their effectiveness as notice may at some point be questioned.)
As if the potential breaches of the visible world are not thorny enough, lawyers also must be aware of the hidden information contained in their documents. Microsoft Word and other word processing programs contain hidden information known as metadata that keeps track of potentially confidential material such as edits and comments and the identities of the parties who made them. Some of this information is stored automatically, and some is at the discretion of the user (when in Comments, Track Changes, or Properties in Microsoft Word). Having the opposing party find edits that your client proposed to you in confidence could be crippling to contract negotiations. Although most rules or opinions note that reasonable care should be taken to ensure you do not inadvertently disclose the client’s confidential information, the definition of "reasonable" varies. NYSBA Ethics Opinion 782-12/8/04 notes that qualifiers may include the subject matter of the document, whether the document was based on a "template" used in another matter for another client, whether there have been multiple drafts of the document with comments from multiple sources, whether the client has commented on the document, and the identity of the intended recipients of the document.
As with e–mail, reasonable care may call for the lawyer to stay abreast of technological advances and the potential risks in transmission in order to make an appropriate decision with respect to transmitting data.
Luckily, there are a few ways to avoid erroneously including metadata. The most useful method is a tool from Microsoft (available on its website as the "Remove Hidden Data" add–in, www.microsoft.com/downloads/details.aspx?FamilyId=144E54ED-D43E-42CA-BC7B-5446D34E5360&displaylang=en) that automatically removes all metadata from MS documents. Another possible solution is to save the document in the Rich Text Format; this may compromise some formatting such as footnotes, but RTF does not support much of the metadata included in MS Word. There are also dedicated "metadata scrubber" programs that will remove this information from your documents (e.g., Metadata Assistant, $79, www.payneconsulting.com).
Wireless (WiFi) Networks
Wireless networks have become increasingly popular in recent years owing to their decreasing cost and ease of accessibility, but they come with their own security concerns. As with any form of client communication, lawyers must use reasonable care to assess the risks attendant to the use of this mode of transmission for client confidences. Although standard WiFi networks use a form of encryption called WEP to transmit the data wirelessly, the encryption code can be broken. Additionally, some wireless networks have open access and no encryption compatibility at all. And hackers—or even your next–door neighbor—can gain access to the information you transmit over the wireless network, as well as to information stored on the devices also on the network. And this is possible whether you are multitasking during your beachfront vacation or working right at your office desk. A common practice known among hackers as "war driving" lets them drive around a neighborhood and remotely locate the wireless networks in their frequency range-just as your computer does when you log on. By comparison, wired networks are more difficult to hack into because hackers generally must break through firewalls and other Internet security features or gain physical access to the firm and hack in through a network jack.
Relatively simple measures can improve the security of a wireless network, however. First, avoid using a wireless router with your network unless you also use its built–in encryption software. Second, rename the router network after installation-don’t use the default name provided by the manufacturer. This savvy move might deter potential interlopers and convince them that your wireless security is well in place. Third, periodically change the password for wireless access network to ensure that anyone who should no longer have access, doesn’t. The most secure method, many suggest, is to create both wireless and wired networks, so that all privileged client data would be stored on the wired network and protected by the latest security measures. The wireless router would connect directly to the Internet from outside your firewall, so employees can use it for nonconfidential communications and outside parties can use it to access the Internet from your workspace. This configuration will make your wired office network inaccessible to outside parties who access your Internet connection.
Another increasingly popular technology is voice–over–Internet–protocol (VoIP), which uses data lines rather than traditional phone lines to make calls. Because VoIP functions by breaking down conversations into data packets, the method raises the same security concerns as e–mail or any other traditional Internet communications. It is susceptible to attacks of eavesdropping and "phishing" (stealing a person’s identifying information through poorly protected web connections). An important security choice to consider before installing VoIP is whether the office needs a closed or open system. A closed system does not access the Internet and is generally used as an internal tool to call between office locations. An open system travels on the Internet and can transmit to mobile devices and transfer data through the connection. This unfortunately renders the open system a greater risk. In most cases, employees should be prevented from utilizing peer–to–peer VoIP software such as Skype or Google Talk, which break through your network and access the Internet independently, because they are relatively insecure. Be sure to explain why you are banning them from staff usage and you will likely gain greater cooperation.
One approach to avoid VoIP’s problems is to use a virtual private network (VPN). When data is transferred over a VPN, it can be encrypted multiple times for added security. Another benefit is that it allows employees relatively secure access from remote locations to documents and other information contained on your network.
Mobile devices such as the BlackBerry and other PDAs have exploded in popularity during the past few years because they function as a portable office. But they pose two security issues: (1) information sent or received may be intercepted, and (2) if you lose the device, client information may fall into the wrong hands. Thankfully, most mobile devices are now designed to bypass both these scenarios. For example, all information sent from a BlackBerry is encrypted three times and then decrypted three times by the device server or desktop software. The encryption can be broken only by utilizing a unique "key", which is determined by random mouse movements made by the user each day. Frequent docking is recommended to allow the device to update the key to the more secure computer network. BlackBerrys are equipped with an encrypted password security feature, so, if lost, the finder cannot access any data without the password. Attorneys whose portable devices, including laptops, contain confidential client information should use an extremely secure password to protect their information.
Unfortunately, however, as mobile devices proliferate and become less expensive and more consumer–oriented, the professional market may find security features becoming less and less important. If you are in the market for a PDA, be sure to ask about the security systems that are built in or can be added.
Every technology comes with new security risks. After you understand how the product works and what it can do for you, measure its benefits against its costs, taking into account the security issues, to determine whether it’s worth adopting. In general, you can add increased protection to anything. If the situation warrants it and you want to be extra careful, investigate several of the more effective measures. Lastly, make sure your employees, providers, and computer technicians are aware of their and your confidentiality obligations and of any increased security requirements they require. Periodically review the protocols you have set up to update them or reinforce their necessity. Technology is becoming crucial to the modern practice of law, but nothing will replace your vigilance in avoiding disclosures or breaches of confidentiality.
Steven Masur is the managing partner of MasurLaw (www.masurlaw.com), a media and entertainment law firm based in New York City. He may be reached at firstname.lastname@example.org. Mr. Masur would like to thank Jon Purow, Cheryl Wickham, and Andrew McCormick for their invaluable contributions to this article.