Confidentiality. Ease of Use. Access. Client. Protect. Security. Malpractice.
These are some of the words that most commonly appear when lawyers and legal professionals were asked an open-ended survey question: What would you say is the most important issue or concern attorneys or laws firms should keep in mind with regard to file sharing?
“Educating clients on the importance of security and options for achieving it without sacrificing economy and convenience,” wrote one survey taker, an attorney from a small law firm focused on general practice, in response to this question.
“Attorneys could risk the attorney-client privilege and have their practices devastated by malpractice claims,” said another, a bankruptcy attorney, also from a small law firm.
“Where is the data being stored? What is the security level provided? Is it verifiable?” asked a third respondent, an IT professional working at a law firm.
In many ways these three open-ended answers are a qualitative reflection of the overall quantitative findings from the survey:
1. File sharing has become increasingly important for law firms. Clients have come to expect an easy way to collaborate with legal service providers. The web has gone mainstream and enabled simplicity of services—from banking to ordering a pizza—this has conditioned consumers to expect real time communication and collaboration. In this survey, 73 percent of law firms say file sharing has become more important this year than in previous years. The vast majority use unencrypted email as the primary means of collaboration—email is the default file sharing service—though usage of free commercial file sharing services has proliferated.
2. Law firms are keenly aware that IT comes with security risks. Though clients demand an easy way to collaborate with counsel, they may not be as attuned to the risks. Law firms, on the other hand, are quite aware. More than 80 percent of respondents said it would be consequential or very consequential if someone other than a client or privileged third-party was able to gain access to shared documents.
3. Securing privileged communications hinges on confidentiality statements. When asked what precautions were taken when sending client-privileged communication via email, 77 percent said they rely on a statement of confidentiality in the message body. The next highest responses included email encryption (22%), including a confidentiality statement in the subject line (21.6%), and requiring clients to provide written consent (17%).
A statement of confidentiality is a suspect strategy for IT security, which is the underlying concern, implied by the law firm IT professional in the open-ended comment above.
“If I were to leave a document on a table entitled, ‘My Deepest, Darkest Secrets,’ under which I wrote, ‘Please do not read this unless you are someone I intended to read this,’ how securely would you think I’d protected myself?” wrote Bob Ambrogi on a LawSites blog post. “That, effectively, is all the majority of lawyers do to protect confidential documents they share with clients and colleagues, according to a LexisNexis survey published this week.”
Even so, it may well be a double-edge sword, given the needs or desires of law firm clients.
“Law firms are caught in a bit of a bind because their clients demand a simple way to collaborate, but the risks, as this survey found, are exceptionally high,” said Christopher T. Anderson. “There’s clearly a disconnect between expressed security concerns—and measures law firms employ to protect their clients and themselves.”
At the time of this statement, Mr. Anderson who has served in a variety of legal roles including as a prosecutor, corporate counsel and managing partner for a small law firm, was serving as a product manager for LexisNexis. He has since returned to a law practice.
11 File Sharing Tips for Attorneys by Attorneys
Most of the 282 respondents to the survey were attorneys (77%) working for small firms—73 percent reported working for law firms with 10 or fewer attorneys. This includes just under half that identified themselves in the solo- or duo-firm category.
The open-ended question above was the last question of the survey and was optional, though about 80 percent of participants answered the question. In total, it earned 233 responses, which in many ways read like advice for attorneys and by attorneys. We’ve distilled this volume of responses down to the following tips.
Here is what attorneys said were most important to keep in mind:
1. Establish a written policy. Put procedures in writing for the use of any technology or system. This policy should govern both those employed by the law firm and personal devices or technologies which law firm staff or attorneys are inclined to use.
2. Understand ethical guidelines. In the 2014 ABA Legal Technology Survey Report, just 30.5 percent of attorneys said they reviewed ethical rules and opinions. Five respondents made ethics the central focus of their response and one stated that law firms in Massachusetts had additional obligations under state law.
3. Understand where data is encrypted. There are two fundamental areas where data is at risk – at rest and in transit. Law firms should ensure that the terms of service from any technology provider provide encryption for data both while it is being transmitted and also when it is stored.
4. Ease of use counts for something. Driving at the crux of the conundrum, many attorneys noted that ease of use is important and that services that mirror commercial services stood the best chance of client adoption. After all if a client cannot or will not use a service, the law firm is back to square one.
5. Security must be ingrained in the culture. One attorney noted that sloppy security measures in a paper-based world have spilled over into technology. “Small firms need to think beyond just storing files on their individual computers. I also find it interesting that everyone seems more concerned with security of electronic files than faxed files and paper files stored all willy-nilly.”
6. Educate clients. Clients need to understand the risks a law firm may or may not take with confidential information—a breach is a poor time for an explanation. Beyond awareness, law firms should take deliberate measures to educate clients so when they demand instant collaboration—they have a clear sense for the potential exposure.
7. Educate staff. One attorney broke this answer into a simple process; a) provide adequate initial training and continue training every quarter; b) adequately train supervisors to learn how to spot problems; c) conduct internal audits quarterly; and d) reward those who report issues or propose new protocols (i.e. Starbucks gift cards).
8. Desirable technology features. Features attorneys recommended for law firms in file sharing tools often centered on digital rights management. That is to say, an ability to establish who and how shared documents may be accessed, know who in fact accessed it, and the capability to revoke those rights.
9. Vendor location, history and reputation. First, “use [a] reliable company or product to feel secure with confidentiality and ease of use.” Second, “know from the beginning that the product you are using is in your control and is safe for the firm and the firm's clients.” Third, understand the geographic “location of the file sharing services systems, their security, and what they have the ability to do with the files that are shared via their system.”
10. Do not send confidential information as unencrypted email attachments. There are simply too many alternatives to send privileged information as an unencrypted email attachment. Ban this practice as a matter of firm policy.
11. Assume the worst. Law firms may face different risks depending on the practice area, but every firm should “assume that someone is trying to access your files who should not.” Though some can get close, there isn’t a technology available that can ensure data remains 100 percent confidential.
One attorney, from a small general law firm based in Virginia, summed up his assessment succinctly:
“Any time technology is involved, security is the most important issue,” the attorney wrote. “Nothing is ever completely secure, even when using strictly hard copies, but a diligent effort should be made. The IT industry has standards regarding security, and lawyers need to become better versed in them or hire consultants that are familiar with these standards.”