The Risks of Innovation Through Technology in Legal Practice
Lawyers have always been innovators; any time an attorney crafts a novel legal theory or creates a contract to manage a new type of risk, he or she is innovating. Business innovation, though, has been less common among lawyers, but in recent years, technology has driven and empowered attorneys to pursue innovation in all areas of their practices. Faced with competitive pressures from lawyers and other legal service providers throughout the world, cost-cutting mandates from clients, and a need to remain relevant, attorneys are adopting technologies for research, collaboration and communications at an astonishing rate.
These technologies, however, are not without risks of their own. Attorneys may face ethical and business risks, and may entangle their clients in risks as well, through misuse or misunderstanding of innovative technologies. Among the biggest potential pitfalls:
- Cloud storage and applications: The combination of inexpensive mass storage and always-available bandwidth has led many practitioners to move digital files into “the cloud,” adopting third-party shared storage platforms such as Dropbox or Google Drive, and to shift from desktop or local network software to hosted “software-as-a-service” cloud solutions. While many of these services promise security and confidentiality, an attorney has no easy way to independently verify their claims. Even if the service does intend to properly protect and maintain the files stored by its users, malicious hackers or even technical glitches can open up attorneys’ cloud storage to breaches that could represent a violation of the obligation of confidentiality. For that matter, relying on cloud storage as the primary location for client files may put the attorney at risk of breaching record retention requirements, if the storage provider experiences a data loss or simply goes out of business.
To address these risks, a legal practice adding cloud storage and/or applications to its technology portfolio should ensure that any files stored in the cloud are also mirrored locally. As for security, layering file encryption on top of cloud storage (e.g. using the open-source TrueCrypt to encrypt files and folders before uploading them to the cloud) helps promote ethically sound practices.
- Mobile lawyering: Lawyers are no longer tied to offices, or limited in their out-of-office work to the amount of paper they can fit into a brief bag. Today, between remote logins, abundant home and wireless bandwidth, mobile devices and miniaturized mass storage (microSD cards the size of a fingernail can hold 64 GB of files or more), lawyers are able (and may be obligated) to work anywhere, anytime. As a result, confidential client information may be lost or stolen, together with the device on which it's stored; sensitive communications may be "sniffed" and intercepted as traffic on a compromised wired or wireless network; short-form informal mobile messages may offend clients or others; and an attorney regularly working remotely from home or from another location in a state in which he isn't admitted could find himself accused of unauthorized practice of law.
Mobile lawyering risks are best managed by a combination of careful design, education and support. The design side requires a firm or company to create systems and choose platforms that enhance security (virtual private networks; devices with easy file encryption and remote wipe capabilities); even when an organization adopts a bring-your-own-device (BYOD) policy, it may choose to only permit devices and software that are sufficiently secure. Whatever the platform and devices the organization supports, it must train all professionals, lawyers and non-lawyers alike, on the proper way to configure, use and secure them, including the unique issues arising from legal ethics obligations. Ongoing support should include regular updates and evaluations to ensure that everyone continues to observe best practices.
- Privacy and data protection: The confidentiality obligation from the ethics rules is by no means the only privacy challenge facing attorneys pursuing innovation through technology. Many laws and regulations regarding privacy and data breaches apply to lawyers as well as other professionals, although legal practices may not be as ready for compliance as those other enterprises more familiar with privacy rules. For example, attorneys who access and use personal health information provided by healthcare business clients (for example, when defending a hospital or insurance company in a lawsuit involving patient care) may well be considered “Business Associates” under the privacy and security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA); if so, the attorneys must execute, and comply with, a formal business associates agreement controlling whether and how they use the health information, with serious potential liability for data misuse or breach. Even if lawyers aren’t officially business associates under HIPAA, they may well collect and store personal health information as well as other sensitive information from their clients, and failing to adequately protect that information could lead to its being obtained and potentially misused. (For example, in August 2013, the office of the Legal Aid Society of San Mateo County, California was burglarized. Laptops stolen from the society included not only general information but health information from clients, possibly relating to the society’s health advocacy services.) As with other industries, if and when legal practices experience data breaches either through malice or negligence, they will likely have to notify anyone whose information has been compromised and potentially government agencies of the breach; almost all U.S. states have some form of data breach notification law.
Beyond breaches, another way lawyers may inadvertently reveal private client information to the public is in the process of electronic filing of litigation documents, now required by federal and many state courts. While e-filing systems generally enable lawyers to mark as confidential (and available only to parties) sensitive information contained within litigation documents, the attorneys may fail to take advantage of this capability, leaving information ranging from social security numbers to bank accounts to health information available to anyone searching the (generally public) electronic filing sites operated by the courts.
Another pathway through which lawyers may accidentally disclose private information from clients is social media. Most lawyers are aware of how easy it can be to accidentally post or tweet a message to the public that was intended for a private audience. Fewer, though, are aware that even without explicitly including client information in the body of a posting, the lawyer can still accidentally reveal confidences through some of the more subtle features of social media services. For example, most social media services enable users to include the physical location of the user (especially when the post comes from a GPS-enabled smartphone or tablet). Lawyers may accidentally disclose their participation in negotiations on their clients’ behalf by tagging a post with a physical location associated with the other side in the negotiations, even if the post itself doesn’t mention the negotiations or location (e.g. Google’s headquarters in New York City is a separate location for the Foursquare geographic social network; see http://ezor.org/googlehqnyc).
The best way for legal professionals to address the privacy and data breach risks they face through their collection and use of client information is to be aware of their legal obligations beyond the ethics rules. With this awareness, lawyers can follow the example and adopt methods of other professionals to secure and protect client information both within and outside of ongoing representation. Litigators filing papers electronically can and must be familiar with each court’s rules for designating filings as non-public, and attorneys working with clients that are covered entities under HIPAA must enter into and comply with business associates agreements.
Beyond the benefits to their practices, lawyers who understand and adopt best practices for their use of technology will give much better advice to their clients on managing technology-driven risk in the clients’ businesses. As a result, both attorneys and their clients will be better able to reap the benefits of technology as a driver of business innovation.
Jonathan I. Ezor is an assistant professor of law and director of the Touro Law Center for Innovation in Business, Law and Technology, and is counsel at Olshan Frome Wolosky LLP in New York.
LAW PRACTICE TODAY
Micah U Buchdahl, HTMLawyers, Inc
Richard Goldstein, Goldstein Patent Law
Andrea Malone, White and Williams LLP
BOARD OF EDITORS
Janis Alexander, Ambrose Law Group LLC
David Ambrose, Ambrose Law Group LLC
Leah Beckham, BillBLAST
John Bowers, Fox Rothschild LLP
Amy Drushal, Trenam Kemker
Chase Edwards, Paul M. Hebert Law School, Louisiana State University
Nicholas Gaffney, Infinite Public Relations
Nancy Gimbol, Eastburn and Gray, P.C.
Richard Goldstein, Goldstein Patent Law
Katy Goshtasbi, KG Consulting Group Inc, d/b/a Puris Image
Alan Craig Haston, The Haston Law Firm, P.C.
William Henslee, Florida A&M University College of Law
Kathryn M Jakabcin, Young Conaway Stargatt & Taylor LLP
James Matsoukas, Pierce Atwood LLP
Lisa McBee, Roberta F. Farrell, LLC
Thomas "Jason" Smith, Duff & Phelps, LLC
Jay Roderik "Rod" Stephen, The Stephens Law Firm
Pegeen Turner, Turner IT Solutions, Inc.
Gabriela Vega, Vega Acosta Law Firm, Chtd.
James Zych, Greensfelder, Hemker & Gale, P.C.
Send us your feedback here.