December 20, 2018 Feature

Privacy in the Digital World

By Jessica T. Ornsby

Data security should be front of mind for all attorneys, including sole practitioners and lawyers in small firms. Not only is it good business, but it is also impliedly mandated for all attorneys. As we all know, ABA Model Rule of Professional Conduct 1.6 prohibits attorneys from sharing client confidences. Subsection C of the Rule extends that responsibility a bit further by requiring attorneys to also prevent “inadvertent” disclosures of client information. Arguably the duty to protect against inadvertent disclosures extends to protecting clients’ information against potential security breaches. This makes data privacy solutions an important aspect of every attorney’s practice. When you are running a small shop, “data security” can seem burdensome and expensive, but in reality, taking the necessary precautions to protect data can be a lot less expensive than you may think.

Protecting client data extends beyond firewalls and passwords.

Protecting Client Data Against Internal and External Security Breaches

Technology places everything at our fingertips. It is not uncommon for an attorney’s entire practice to be paperless and accessible via various mobile devices. There is a law firm in the Washington, D.C., area known for its popular slogan: “If you have a phone, you have a lawyer.” This phrase conveys the message that this firm and its attorneys are accessible to most anyone who is seeking representation. The same idea applies to most law practices today, and on an even greater level. Our mobile devices connect us to our clients 24/7 and make it possible to access all kinds of information with just a quick swipe. Armed with only a laptop and an Internet connection, many attorneys are able to efficiently and effectively represent clients via “mobile” law offices. This style of practice is both convenient and cost-efficient; however, the cost savings should be invested into securing the information tucked into our briefcases.

Security breaches can be internal or external. Internal threats can be extremely challenging to defend against, but the Federal Communications Commission (FCC) provides some very helpful and cost-effective methods of protection. For small firms, cost is always a concern when implementing new processes. Thankfully, the FCC’s tips are all pretty cost-effective. The FCC’s recommendations are summarized below:

  1. Employee training, including training of any support staff, is critical. You and anyone working with you, or for you, must understand the importance of taking proactive steps to protect client data. From intake to termination, there should be solid processes in place that each member of your practice is familiar with to ensure compliance with Rule 1.6. Training should be supplemented as new information is gained regarding potential new threats.
  2. Keeping all firm computers and all mobile devices used to access client data free from malware and viruses will help keep client information secure. It is important to update all devices and computers regularly as well. Automatic system updates and virus scans will make this essentially burden free. If possible, use a separate computer for your legal work to limit the risk of security breaches from your personal use.
  3. Use firewalls both at the office and at home if work is completed remotely. Require staff members to do the same if they are permitted to work from home. Otherwise, staff should only complete work in the office.
  4. Password-protect all computers and mobile devices. If possible, password-protect mobile applications used to access data. Employees should also use encryption as a precaution. It should be noted that there is disagreement regarding whether unencrypted e-mail communications are protected by privilege. Change the settings on your mobile devices to automatically wipe the device if there is a password breach.
  5. All documents should be backed up regularly, and automatically, either on a cloud or on an external drive. Preferably, both.
  6. Ensure that computers and mobile access devices are not easily accessible by unauthorized users. Simply password-protecting devices and creating separate user accounts will help keep this issue at bay. You should also require employees to report when their cellular devices or laptop have been lost or stolen.
  7. Utilize Internet connections in the office and at home that are secure, encrypted, and hidden, and utilize a router that is password-protected.
  8. Utilize secure payment systems.
  9. Employee access to data should be limited as much as possible. Not every employee should have access to the entirety of the firm’s data.
  10. Passwords should be changed every few months, and each member of your firm should utilize multi-factor authentication to access data as often as possible.

Many of the same precautions attorneys take to protect client information can be utilized by clients to protect their information themselves. It may be advisable to flag potential security breaches for clients as they are made apparent.

Protecting Client Data While Traveling

Protecting client data extends beyond creating firewalls and password-protecting law firm files.

If you are traveling with any devices that have access to remotely stored client data, or devices with privileged information stored directly on them, you should be aware of the border search policies of the U.S. Transportation Security Administration (TSA) and U.S. Customs and Border Protection (CBP).

There has been a recent increase in the frequency of seizures of electronic devices by the TSA, raising concerns about whether information stored on the devices was being searched. In March 2018, TSA responded to a lawsuit filed by the American Civil Liberties Union Foundation of Northern California seeking information about government searches of domestic travelers’ electronic devices. In its response, TSA alleged that while it may seize an electronic device to determine whether the device has been tampered with or compromised, the contents of seized devices are not searched.

While protecting privileged communications and documents during domestic travel may not be problematic, international travel could be an issue. Under the administration of Barack Obama, the CBP released a Privacy Impact Assessment for border searches of electronic devices. The assessment discusses the need to expand the scope of searches of essentially all electronic devices as part of CBP’s authority to search cellular phones, cameras, and laptops, among other things. This is an important document to be aware of to determine how to protect client data against breaches while traveling.

CBP’s Directive 3340-049A, “Border Search of Electronic Devices,” dated January 4, 2018, explains that border searches of electronic devices may include an examination of the physical components of the device as well as “information that is resident upon the device and accessible through the device’s operating system.” It is interesting that the stated purpose of the CBP is to “ensure privacy protections while accomplishing its enforcement mission.” As such, a search under the new Directive would not appropriately include information that is stored remotely. To prevent remotely stored information from being compromised inadvertently (or intentionally), a border patrol officer should request that the device’s network access be disabled. If you find yourself subject to search, be sure to turn your network connection off even if an officer is not kind enough to remind you to do so.

Data that is stored locally is not exempt from search, however. Further, encrypting locally stored data is not sufficient to avoid search, as CBP is permitted to require travelers to “present electronic devices and the information contained therein in a condition that allows inspection.”

Any attorney whose devices are subject to border search should immediately notify the CBP officer that the device contains privileged information. Doing so will get the Chief Counsel’s office involved to begin the segregation and filter process. This process will help ensure that privileged data is separated from non-privileged data and handled appropriately. After the search is completed, CBP will (or should) destroy copies of any privileged data that may be in its possession.

Advising Clients on Data Security

Clients should be made aware of the need to protect their data and ways to avoid unintentionally waiving the confidentiality of otherwise privileged communications. Courts are on both sides of the fence in cases dealing with attorney-client privilege and electronic communications. The data security measures discussed above can help clients better secure their data; however, clients should also be advised that they could unintentionally waive privilege by sharing sensitive information or documents with third parties, or via unsecured means.

Protecting Client Data on Social Media

Social media includes many forms of communication and is quite broad. According to D.C. Legal Ethics Opinions 370 and 371, social media includes blogs, chat rooms, Listservs, Facebook, LinkedIn, Instagram, Twitter, Yelp, Angie’s List, Avvo, and Lawyers.com, among other platforms. When sharing information and communicating on a social media platform, or by any other medium, it is imperative to keep Rule 1.6 in mind. With the prevalence of social media accounts being hacked, it should be each attorney’s priority to protect his or her social media account from being compromised and possibly leading to client information being inappropriately disclosed. For an attorney using social media to communicate with clients, a hacked account is more than an inconvenience—it is a potential violation of Rule 1.6.

Many social media platforms do offer heightened security measures that should be employed by any attorney who utilizes these means of communication. For example, Facebook, Instagram, and Twitter all offer two-factor authentication features. This security feature must be opted into, and it will immediately notify an attorney of questionable log-in attempts. Attorneys should also seek to limit communications with clients and potential clients via social media. Linking social media accounts to third-party applications or accounts should also be limited to avoid security breaches.

Conclusion

The convenience of a modern-age law practice comes with the burden of taking necessary steps to properly secure and protect client data. You definitely should not cut any corners when it comes to data security, and you should consider consulting with an expert to ensure your practice’s security measures reflect industry best practices.

Jessica T. Ornsby is a civil litigator practicing in Washington, D.C., and Maryland and the founding partner of A+O Law Group. Before hanging her own shingle, Jessica litigated tax matters at a large Washington, D.C.,–based law firm. Currently, Jessica’s practice focuses primarily on family law, housing-related matters, and small business disputes. Jessica also serves as a Tenant Advocate for the Rockville City Council Landlord-Tenant Affairs Commission. Jessica received her LL.M. in taxation and J.D. from Georgetown University Law Center.

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.