Technology provides great benefits to lawyers, but it also presents unique opportunities to violate ethics rules—particularly in the areas of competence and confidentiality.
The duty of competence (ABA Model Rule of Professional Conduct 1.1) requires lawyers to know what technology is necessary and how to use it. It also requires lawyers who lack the necessary technical competence to consult with others who have it. And the duty of confidentiality (ABA Model Rule 1.6) is, of course, one of a lawyer’s most important ethical responsibilities. That duty extends to lawyers’ use of technology, too.
Use this quick checklist to help protect your clients, your firm and your reputation from the growing ethical and malpractice threats created by technology.
SECURING YOUR PCS Attorneys have an ethical obligation to act competently and reasonably to safeguard client confidences, including electronic data, to ensure that it is not disclosed to third parties through theft or inadvertence and to ensure that it is not lost or destroyed. These basic security measures should be a minimum for securing your personal computers, whether in the office, at home or on the road:
- Install and use security software—including antivirus programs, spyware protection and a firewall application—and keep them current with automatic updates.
- Promptly install patches for your operating system and all applications.
- Use care when opening embedded links and e-mail attachments.
- Be sure your anti-malware software scans the latter before you open them.
- Religiously back up important data and files.
- Use strong passwords, passphrases or other authentication.
- Use caution when downloading and installing programs.
- Install and use a hardware firewall.
- Install and use a file encryption program.
- Configure the operating system, Internet browser and other software in a secure manner.
- Before disposal or reuse of computers and other storage media, securely erase the information on them using data-wiping software (such as Data Eraser or PGP Wipe). Deleting files or reformatting drives is not sufficient.
- Additional security measures are necessary for networks, including measures for secure network design, strong access controls and data segmentation. Wireless networks require particular attention, including use of current technology and secure configuration. Consult your IT professional for these.
SECURING MOBILE DEVICES Mobile devices, including laptops, PDAs, smartphones and portable storage media such as USB drives, present a special risk because they can be easily lost, stolen or compromised. In addition to the basic security steps previously listed, take the following steps to protect mobile devices:
- Don’t store unnecessary confidential information on your laptop or portable devices.
- Use strong authentication, preferably two-factor.
- Encrypt all sensitive data.
- Never leave access numbers, passwords or security devices in your carrying case or with your mobile device.
- Consider using a tracking-and-wiping program. This software will automatically transmit the location of your laptop or other device if it is lost or stolen.
- Provide for physical security of your equipment at all points of travel.
FUNDAMENTAL STEPS FOR SAAS SaaS, which is short for “software as a service,” is software that is not installed on your computer but instead is hosted remotely. Options for implementing SaaS in a law practice are multiplying rapidly. They range from online backup and data storage services (such as CoreVault and SugarSync) to case management programs (such as RocketMatter and Clio) and CRM solutions (such as SalesForce and Highrise). At a minimum, do this before purchasing any SaaS solution:
- Read the user or license agreement terms in detail.
- Determine who will “own” the data, you or the service provider.
- Determine who, besides you, will have access to the data.
- Find out how you retrieve your data and what happens to the data hosted by the service provider if you terminate the service.
- Examine the provider’s physical and electronic security and confidentiality policies.
- Lastly, but perhaps most importantly, remember that effective information security is an ongoing process that requires your constant vigilance.
- The alternative involves substantial risk of loss of clients, ethics violations and malpractice claims.