
Law Practice Magazine

The TECHSHOW Issue

Hot Buttons: It’s Time to Do the DEW Around Confidential Data

Daniel J Siegel

Summary

  • It is time for lawyers to do DEW and adopt a policy of DEW-ing—Digitizing, Encrypting and building Walls.

It sounds like a bad joke: What do Donald Trump, Alex Jones and the New York State Bar Association have in common? The former president and disgraced radio host/conspiracy theorist are in the news thanks to the criminal and civil cases swirling around them. As I write this column, we are learning more details about the search warrant served on the former president. In addition, the verdict against Jones and the revelations about his attorney’s handling of Jones’ cellphone remain news stories. The New York State Bar Association is not the subject of lurid news stories, of course, but its recent ethical guidance is relevant in light of Trump and Jones.

Allow me to connect the dots with an acronym: DEW.

DEW stands for Digitize, Encrypt and Walls, my three-point plan for how lawyers and firms can secure data and avoid becoming a headline. For lawyers, this means: 1) digitize, 2) encrypt and 3) use security walls to protect documents and other material that is confidential, protected by the attorney-client privilege or relates to the representation under the Model Rules of Professional Conduct.

In other words, lawyers should:

  • Digitize (scan and convert paper items to an electronic form) all documents to assure that, as necessary, the information can only be viewed electronically and in a manner that allows firms to restrict who can view, copy or edit the information, while also allowing the firm to audit/verify who has viewed the data;
  • Encrypt documents with secure passwords and other limitations on accessing them; and
  • Create walls that limit access to the documents. For example, remove certain material from locations where outside access is available, or create the types of ethical walls used when firms must limit access to certain information. Doing so assures that only authorized users see materials designated for them.

By employing these steps, firms can comply with their ethical obligations and have technologically sound ways to track necessary information. Alternatively, they could leave the information in a basement storage locker where even mice could access it.

When you look more closely, you can see why DEW makes sense in the context of Trump and Jones.

First, the search warrant. The warrant allowed FBI agents to seize physical documents and records with “Top Secret/Sensitive Compartmented Information” classification markings, along with any containers/boxes in which the documents were located, as well as any other containers/boxes collectively stored or found with the documents. In other words, the warrant sought paper documents.

According to multiple reports, many of the items sought, including those with top secret designations, were in an unsecured basement at Mar-a-Lago. In other words, they were left in an unlocked area where anyone could discover them—the janitor, a neighbor, a foreign agent who broke into the property or anyone else.

The documents seized would have fallen under one of three national security clearance levels: Confidential, Secret or Top Secret. According to former analyst Jeffrey Fields, “classified documents must be handled in a way that protects the integrity and confidentiality of the information they contain. This includes securing documents in a safe or other authorized storage container when the documents are not being used by staff. If staff needs to move them from one place to another, they must follow security protocols to do so. Though classified information can be taken off the premises in the course of official duties, taking classified documents home is prohibited by executive order.”

According to the Center for Development of Security Excellence, “Confidential information has stricter storage requirements than unclassified information. Likewise, Secret information must be protected at a higher level than Confidential. And Top Secret information requires even greater protection than Secret. Sometimes, additional control markings are required to identify highly sensitive classified information that requires the highest possible levels of protection. One such type of special information is Sensitive Compartmented Information (SCI). The range of required protection measures includes the types of storage containers or facilities as well as other, supplemental, controls, such as guards, alarms, and electronic surveillance systems.”

Compare these national security obligations with those applicable to lawyers, who are also required to maintain confidentiality of client information. Cornell Law School’s website explains that “the duty of confidentiality is in effect at all times, not just in the face of legal demands (e.g., by a court) for client information. According to this duty, lawyers must not affirmatively disclose information about a client’s representation.” While lawyers generally do not hire guards, it is not uncommon to store paper documents in locked cabinets. Similarly, at a minimum, persons accessing electronic documents of any type in a law firm should be required to log in with a password.

That the Trump documents were on paper, or that law firms store paper files, is an enormous danger. After all, removing physical documents from an office is relatively easy: Just put them into a briefcase and walk out the door. That is essentially what the former president apparently did, and so could anyone who entered his basement.

Conversely, if material is electronic, there are many ways to restrict its removal or copying. For example, firms with case, matter or document management programs can restrict access to files, including by placing limitations on what users can do with the files. Thus, administrators can provide read-only access, which grants users permission to access files or directories and allows the user to read or view the file, but not to make changes, copy the file or save it with a new name.

There are also software programs that allow administrators to restrict access or copying of files. In general, to configure the software, administrators create a policy containing the types of restrictions applicable to certain files, then they specify computer or network locations where the policy applies and add users to the group. With these limitations in place, copying files is prohibited.

Similarly, firms can limit certain actions on individual users’ computers. For example, disabling write access to removable storage, either on individual PCs or for all members of a group, will prevent users from copying data and files onto a USB or another external device. While the process to create this restriction on individual computers involves editing the Windows Registry, administrators can do so using a Group Policy. The result is the same: Data remains where the firm wants it and cannot be relocated.

Another method for limiting remote drive access is to use software that notifies a firm administrator when a USB or other external device is plugged into any device on a network. There is also software available that will allow users or administrators to view the USB device history on a computer because Windows stores the information. These types of products can provide a wide range of information.
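
An added example, not from the column: a read-only PowerShell check that a firm administrator could run on a Windows PC to confirm that writes to removable drives are blocked and to list the USB storage devices Windows has recorded. The registry paths and value names are standard Windows locations that the column does not name, and the function names are hypothetical.

```powershell
# Added example: read-only audit of removable-storage write restrictions and USB history.
# It only reads the registry; it changes nothing on the machine.

# Per-machine registry setting: WriteProtect = 1 makes removable storage read-only.
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies'
# Value written by the Group Policy "Removable Disks: Deny write access".
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'

function Get-DwordOrNull {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-UsbWriteRestriction {
    $local  = Get-DwordOrNull -Path $localKey  -Name 'WriteProtect'
    $policy = Get-DwordOrNull -Path $policyKey -Name 'Deny_Write'
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        LocalWriteProtect = $local    # empty means the value is not set
        GroupPolicyDeny   = $policy   # empty means the policy is not configured
        WritesBlocked     = ($local -eq 1) -or ($policy -eq 1)
    }
}

function Get-UsbStorageHistory {
    # Windows keeps one subkey per USB storage device model and, below it,
    # one subkey per device instance (usually the serial number).
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    foreach ($model in Get-ChildItem -Path $root) {
        foreach ($instance in Get-ChildItem -Path $model.PSPath -ErrorAction SilentlyContinue) {
            $props = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Device   = $props.FriendlyName
                Model    = $model.PSChildName
                SerialId = $instance.PSChildName
            }
        }
    }
}

Get-UsbWriteRestriction | Format-List
Get-UsbStorageHistory   | Sort-Object Device | Format-Table -AutoSize
```

A `WritesBlocked` value of `False` on a PC that handles client files means neither restriction is in place on that machine.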

None of these options is available with paper. It is possible, for example, that the materials seized in the Trump raid were already copied or scanned and copies have been circulated just about anywhere. The same cannot be said for digital copies, especially if they are tracked. While in many cases the Trump documents were required to be viewed in a sensitive compartmented information facility (SCIF), they clearly were not. According to the U.S. Department of Defense, a SCIF is “an accredited area, room, group of rooms, or installation where sensitive compartmented information may be stored, used, discussed and/or electronically processed.” SCIFs are designed to protect against espionage, while guarding against electronic surveillance and preventing data leakage. This works only if they are used.

Law firms do not need SCIFs generally, but they need to protect information, some of which should never be widely available. It seems unlikely, to say the least, that a law firm representing Coca-Cola stores the formula for the soda in a manila folder or on a cloud server. After all, in 2010, the maker of Thomas’ English Muffins successfully sued to prevent an executive who knew the recipe from joining a rival company. That type of data is invaluable.

In short, for law firms, it is easier to prevent unauthorized persons from accessing confidential material if the items are digitized and proper safeguards are in place. And of course, if the information remains solely on paper, there is always the possibility that a fire or some other disaster could destroy it.

Now let’s turn back to Jones and why encryption, the second prong of DEW, is so important. While it remains unclear how the cellphone or its data was accidentally produced by Jones’ attorney, there are lessons from this incident, beyond the obvious need for Jones’ attorney to have been more vigilant about what he produced.

The primary lesson is the need for encryption, that is, the need to prevent unauthorized access to data. While lawyers often shudder when they hear the word, encryption is merely a way of scrambling information to assure only authorized parties can view the information.

Encryption requires use of a cryptographic key, commonly called a password, to allow users access. It could be access to a device, such as a computer or cellphone, or to more limited data, such as a texting app or a file. Had Jones’ device been encrypted with a strong password, then opposing counsel could not have accessed the device. Had his texting app been encrypted with a strong password, then opposing counsel could not have accessed the texts.

And if, as some reports indicated, texts were copied from the device, then encrypting the files containing copies of the texts would have also prevented the opposing side from seeing them. Instead, it appears that none of those security measures were in place. The result was headlines that should have never occurred. Regardless of what you think of Alex Jones, the lesson for lawyers is what his lawyer did, and did not, do.

Which brings us to walls, the final part of DEW. To secure technology, and even the paper document world, walls are critical. That is why lawyers have always placed physical documents behind walls, whether it is an office wall or the wall created by a locked file cabinet. For highly secret information, such as Colonel Sanders’ secret recipe for fried chicken, the walls are more secure.

Electronic walls replace SCIFs and apply to electronic information. For example, a computer or internal network with no internet access is safe from outsiders. In certain cases, clients already require lawyers to use such precautions. In most cases, however, the restrictions are a bit less stringent, but equally necessary.

As technology has developed, so have electronic walls, which include encryption, passwords, firewalls and other forms of protection. Which brings us to the New York State Bar Association, and Opinion 1240 from its Committee on Professional Ethics. In the Opinion, the committee discusses a lawyer’s duty to protect client information stored on a lawyer’s smartphone, but its message is broader. The Opinion also implicitly ties the Trump and Jones fact patterns together and highlights the crucial need for DEW.

The Opinion concludes that “If ‘contacts’ on a lawyer’s smartphone include any client whose identity or other information is confidential under Rule 1.6, then the lawyer may not consent to share contacts with a smartphone app unless the lawyer concludes that no human being will view that confidential information, and that the information will not be sold or transferred to additional third parties, without the client’s consent.”

Think about that for a second. The information contained on a smartphone, a device more powerful than many computers, needs protection. The information needs protection from hackers, the people trying to get into the device to discover data such as the names, birthdates and Social Security numbers of clients. The information also needs protection from users, the Donald Trumps and Alex Joneses of the cellphone world, really you and me, who do not take reasonable precautions to protect the data we store on these computers, and instead leave them lying around to be accessed by app makers and others who will use the information in any way they please. All because users granted them permission, often unknowingly, and also because users did not install the walls needed to prevent this disclosure.

The New York Opinion raises several issues. The first is the need for basic cellphone security, which many lawyers often ignore or minimize. Lawyers need to install firewalls and antivirus products on their devices, they need to use virtual private networks when communicating about client matters, and they need to use their eyes and view, and review, the permissions and access they grant to apps when they install them.

After all, if you polled most lawyers, they would say they believe that nothing will happen to them, whether it is their devices or their PCs, if they don’t build walls around the information stored on them. This despite the adage that it is a matter of when, not if, you will be hacked.

There are multiple ways to improperly access the information on a cellphone or other portable device. One is to misplace a phone and have someone access it simply because the device has no password. Another is the danger New York’s Committee on Professional Ethics contemplates, allowing apps to access client data and use it for purposes inconsistent with an attorney’s obligation to protect confidential and other information.

It is time for lawyers to do DEW and adopt a policy of DEW-ing—Digitizing, Encrypting and building Walls to ensure that they honor their obligation to protect client data and other confidential information.
