Volume 11, no. 2
I’ve Got a Secret: Tips to Ensure Client Privacy
By David J. Abeshouse
How comfortable are you with the level of privacy you provide your clients? Below is a list of tips both to protect your clients’ confidentiality and to protect you against a charge of negligent failure to implement security safeguards. The list is by no means exhaustive, but it gives you the foundation to build a more secure practice.
• Paper and files: (a) Remember to take the original out of the copy machine. (b) Dispose of old files effectively (shredding or incinerating). Document destruction companies will place locked security containers at your office; your employees place all sensitive materials in these secure containers; the materials are picked up regularly and shredded off-site promptly; and a “Certificate of Destruction” is provided to you. (c) Archival files should be stored securely, either in a limited access or managed facility.
• Computers: (a) Require login (locking code or biorecognition programs) each time you reboot, and consider using an automatic standby switchover that requires login after 30 or 60 minutes of no mouse or keyboard use (so if you leave your office without shutting off the computer, no one can use your computer). (b) Use both software and hardware firewalls. (c) Dedicate one computer for Internet use only, and store no files on it—this is the ultimate firewall since files cannot be scanned or spied upon. (d) Remember to clear the memory of your digital networked printer. (e) Routinely change the passwords on your computer network. (f) Be aware of the potential threats posed by metadata, the historical information about a document that lurks beneath the surface and can—unless protected against—be used to track the changes you and your client have made to a file. (g) Properly dispose of old computer components, particularly the hard drive or other storage media. (h) Be aware of the risks of wireless and remote access.
• E-mail: Check your “TO” list twice before hitting the “SEND” button. A common error is to inadvertently hit “REPLY TO ALL” and send information to unintended recipients. Careful use of “reply” and “send” functions (including cc and bcc) is essential.
• Locking: Place sensitive files in file cabinets and lock your file drawers. Restrict and maintain control over office access—caveat former employees, nighttime cleaning staff. Where appropriate, link alarm systems to central station for monitoring.
• Talking: Cell phones are both boon and bane; use them consciously and wisely.
Executive office suite neighbors (usually unrelated firms and businesses) should be aware that their conversations often are audible through thin Sheetrock wallboard walls. (I hear the lawyer next door to me all too well—imagine if he were on the other side of a matter, or if he discussed confidential information about someone I know.) Many years ago, I worked for a major Wall Street law firm that distributed a staff memo about confidentiality with the example of two secretaries speaking in an elevator about the current trip to Paris of one of their bosses; this seemingly innocent tidbit of information provided an adversary, riding in the same elevator, with information that could be used to the detriment of the boss and the client. The moral is to educate your staff about privacy and confidentiality even in such mundane locations as elevators, on trains, in restaurants, or at the beauty parlor.
• Meetings: Some lawyers never hold meetings in a lawyer’s private office, as clients may see the names of other clients on files or papers lying on the desk. Instead, they always meet in conference rooms. Similarly, some lawyers with home offices elect to meet at the client’s office or at rented conference rooms; restaurants often are disfavored if confidential information is being discussed.
• Retainer/engagement letters: Lawyers should consider whether to include provisions about whether e-mail must be encryption-protected, and whether the client permits use of cell phones and faxes, which may not be wholly private. (In particular, always be sure to ask clients about whether their fax numbers are private or publicly accessible in the office—this is an oft-repeated client complaint.)
• A new statutory concern: Two new California laws may affect your business or that of your client, even beyond California’s borders. One requires a business that maintains, owns, or licenses personal information about California residents to implement and maintain security procedures and practices to protect that information from unauthorized access, destruction, use, modification or disclosure. The other, a California “sunshine” law, requires either notice and consumer choice or detailed explanations of a business’ disclosure of California customer personal information to third parties for marketing purposes.
• Miscellaneous: Health-care attorneys often are required to enter into a business associate agreement with health-care clients due to HIPAA, the federal privacy law requiring that health-care providers in possession of protected health information have a contract with all vendors who are furnished access to medical information, including billing companies and lawyers. The contracts impose considerable privacy and secrecy obligations, which are more extensive than those of the attorney-client relationship, as HIPAA protects information of third parties (patients).
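The metadata warning in the Computers tip (item f) is concrete enough to check for. A Word .docx file is a ZIP archive of XML parts: authorship and revision counts live in docProps/core.xml, and tracked changes live in word/document.xml as w:ins and w:del elements carrying an author attribute. The script below is an added example, not part of the article, that audits a document for those traces and produces a scrubbed copy with the core properties cleared and all tracked changes accepted. The sample document, the names in it, and the dollar figures are constructed for the example; the package is deliberately minimal (no [Content_Types].xml), so it exercises the XML parts rather than being a file Word would open.

```python
"""Audit and scrub a .docx for authorship and tracked-change metadata
before it leaves the office. Added example; the sample document and all
names/values in it are constructed, not taken from any real matter."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
for prefix, uri in NS.items():          # keep Word's prefixes when re-serialising
    ET.register_namespace(prefix, uri)
W_INS, W_DEL, W_T = (f"{{{NS['w']}}}{t}" for t in ("ins", "del", "t"))
W_AUTHOR = f"{{{NS['w']}}}author"
CORE_TAGS = ("dc:creator", "cp:lastModifiedBy", "cp:revision")


def build_sample_docx() -> bytes:
    """Construct a minimal .docx whose metadata leaks who edited what."""
    core = (
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}">'
        '<dc:creator>Associate One</dc:creator>'
        '<cp:lastModifiedBy>Client Contact</cp:lastModifiedBy>'
        '<cp:revision>14</cp:revision></cp:coreProperties>'
    )
    document = (
        f'<w:document xmlns:w="{NS["w"]}"><w:body><w:p>'
        '<w:r><w:t>Settlement amount: </w:t></w:r>'
        '<w:del w:author="Client Contact"><w:r><w:delText>$50,000</w:delText></w:r></w:del>'
        '<w:ins w:author="Client Contact"><w:r><w:t>$75,000</w:t></w:r></w:ins>'
        '</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


def audit_docx(data: bytes) -> dict:
    """Report core properties and tracked-change authors found in the package."""
    findings = {"core_properties": {}, "tracked_changes": 0, "change_authors": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "docProps/core.xml" in names:
            root = ET.fromstring(zf.read("docProps/core.xml"))
            for tag in CORE_TAGS:
                el = root.find(tag, NS)
                if el is not None and el.text:
                    findings["core_properties"][tag] = el.text
        if "word/document.xml" in names:
            root = ET.fromstring(zf.read("word/document.xml"))
            for el in root.iter():
                if el.tag in (W_INS, W_DEL):
                    findings["tracked_changes"] += 1
                    if el.get(W_AUTHOR):
                        findings["change_authors"].add(el.get(W_AUTHOR))
    return findings


def accept_changes(root: ET.Element) -> None:
    """Drop deletions and splice insertions into place, like 'Accept All'."""
    parent = {child: p for p in root.iter() for child in p}
    for el in list(root.iter()):
        if el.tag == W_DEL:
            parent[el].remove(el)
        elif el.tag == W_INS:
            p = parent[el]
            idx = list(p).index(el)
            p.remove(el)
            for offset, child in enumerate(list(el)):
                p.insert(idx + offset, child)


def scrub_docx(data: bytes) -> bytes:
    """Return a copy with core properties blanked and tracked changes accepted."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            payload = src.read(item.filename)
            if item.filename == "docProps/core.xml":
                root = ET.fromstring(payload)
                for tag in CORE_TAGS:
                    for el in root.findall(tag, NS):
                        root.remove(el)
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            elif item.filename == "word/document.xml":
                root = ET.fromstring(payload)
                accept_changes(root)
                payload = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            dst.writestr(item.filename, payload)
    return out.getvalue()


def visible_text(data: bytes) -> str:
    """Concatenate the w:t runs, i.e. what a reader sees without markup."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return "".join(el.text or "" for el in root.iter(W_T))


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", audit_docx(sample))
    cleaned = scrub_docx(sample)
    print("after: ", audit_docx(cleaned), "|", visible_text(cleaned))
```

Run the audit on an outgoing draft and refuse to send when it reports any change authors or a non-empty creator; the scrubbed copy is what should go to the other side, while the original with its history stays in the file. Comments (word/comments.xml) and custom properties are further places such traces can hide and would need the same treatment.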
Finally, try to avoid the “black hole” filing system used by some firms in which documents are so deeply buried that they are never again found or seen by human eyes.
David J. Abeshouse practices business litigation and alternative dispute resolution in Uniondale, Long Island, New York. He welcomes inquiries from readers. Visit his Web site at www.BizLitNY.com, or contact him at DavidLaw@OptOnLine.net.