Sometimes a technology product becomes ubiquitous—common enough that people think they know how to use it even when they don’t. The lack of training and improper use of the system can be risky. Today, we’re going to discuss systems like Dropbox and client portals—and why lawyers who don’t pay attention to details or train properly on the systems they use can and do get themselves into trouble.
Let’s start with what most people are probably familiar with: services like Dropbox that allow sharing of large electronic documents with relative ease. The interface is simple to use. Office organization is greatly aided by the ability to store and sync files from your desktop to Dropbox, and it has helped lawyers become more familiar and comfortable with saving files to the cloud, rather than just locally on their device.
Configuring settings correctly and using features as intended makes all the difference between properly safeguarding client confidentiality and risking inadvertent disclosure. Let’s look at some issues lawyers have encountered and how to avoid missteps.
When lawyers struggle with or do not correctly control permissions and security for technology, it’s often because they’re struggling to understand the concepts. With that in mind, let’s compare a file-sharing system like Dropbox to the physical (not digital) locked filing cabinet that can hold many file folders and subfolders containing client and other confidential information inside.
Security measures should be multistep. You wouldn’t want to lock only the filing cabinet, but also the storage room door and the office itself, and perhaps have security cameras outside. This equates to adding on password protection for files or folders and using multifactor authentication. Perhaps some of the information contained should also be encrypted. Encryption is akin to secret messages; you need the right key to be able to read them—remember secret decoder rings?
User permissions. Think about which particular people in your firm should be able to only read files versus those who need to be able to edit documents contained in the files or even delete the file. That’s what user permissions encompasses. From a security standpoint, it’s best to limit access as closely as possible to the work individual firm members need to do on the file, matter or case. So, while you or your paralegal might need to be able to edit, perhaps your assistant might not need the same access. Perhaps access should be restricted to people in a practice area or team? This is a case-by-case analysis.
Administrator controls or access. Think about which users may need to set up or transfer other users’ permissions. A person with administrator access might be an IT person or legal administrator, or maybe it’s you, depending on the size and staffing of your firm. But keep in mind that the person with these rights has the keys to the kingdom and needs to be thoroughly trained.
Now that we have some understanding of the concepts, let’s look at specific features.
Just as there are differences between what you might require from a personal laptop versus a business laptop, there are considerable differences between, for example, Dropbox for personal use compared to Dropbox for business. These differences include that the latter was specifically built for organizations, with enterprise-level security and privacy controls.
There are measures for enterprise-level data encryption—meaning at the firm level. This is facilitated through secure data transfers, distribution of encrypted files and application-level controls distributed across a scalable, secure infrastructure. In other words, it should be required throughout the entire firm.
These control individual user access and other administrative permissions, such as the tracking of user activity and edits. There are heightened security features, such as the commonly understood two-step or multifactor authentication. It is also possible to set up password-protected files and links so that only trusted people can access the documents.
With the features cited above, you can see how systems like the business version of products such as Dropbox, even those not originally designed for the legal space, can be valuable tools when used properly. That’s the key. Sometimes law firms dive in and use these tools incorrectly at great risk, without sufficient attention to security features.
As with any technology, training matters—emphasis intended. Go through the support pages and training videos. Be sure you understand how to use the product before implementing it, especially when storing confidential client information. And it’s not just you; make sure your staff is also thoroughly trained.
File-sharing systems allow for granular permissions for each folder; yes, that takes a little more time, but it’s essential to your duty to safeguard your client information. Let’s say that a firm created one case folder for all the firm’s matters, with subfolders for each client name. If the subfolders are not given different granular permissions—remember, assigning access only to the proper people associated with the content in each subfolder—you could mistakenly allow Client A access to all firm files. Make sure you consider (and we suggest use) two-step or multifactor authentication.
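The mistake described above, a client granted access at the shared parent folder instead of on that client's own subfolder, can be checked mechanically. The following is an added example, not part of the original article and not any vendor's API: it assumes a simplified model in which a grant on a folder is inherited by every subfolder, and all folder names and addresses are constructed.

```python
# Constructed sample data: one "Cases" folder with a subfolder per client.
# The client.a grant on /Cases is the mistake: it is inherited by every subfolder.
GRANTS = {
    "/Cases": {"partner@firm.example": "edit", "client.a@mail.example": "view"},
    "/Cases/Client A": {"paralegal@firm.example": "edit"},
    "/Cases/Client B": {"client.b@mail.example": "view"},
    "/Cases/Client C": {},
}
FIRM_DOMAIN = "firm.example"  # assumption: anyone outside this domain is external


def effective_access(folder, grants):
    """Return {user: (level, granting_folder)} for a folder, including inherited grants."""
    access = {}
    parts = folder.strip("/").split("/")
    for depth in range(1, len(parts) + 1):
        path = "/" + "/".join(parts[:depth])
        for user, level in grants.get(path, {}).items():
            access[user] = (level, path)  # a deeper grant replaces an inherited one
    return access


def audit_client_folders(root, grants, firm_domain):
    """Flag external users who can reach more than one client subfolder under root."""
    reach = {}
    for folder in grants:
        is_client_folder = (folder.startswith(root + "/")
                            and folder.count("/") == root.count("/") + 1)
        if not is_client_folder:
            continue
        for user, (level, source) in effective_access(folder, grants).items():
            if not user.endswith("@" + firm_domain):
                reach.setdefault(user, []).append((folder, level, source))
    return {user: hits for user, hits in reach.items() if len(hits) > 1}


# Corrected layout: the client is granted access only on their own subfolder.
FIXED_GRANTS = {
    "/Cases": {"partner@firm.example": "edit"},
    "/Cases/Client A": {"paralegal@firm.example": "edit",
                        "client.a@mail.example": "view"},
    "/Cases/Client B": {"client.b@mail.example": "view"},
    "/Cases/Client C": {},
}

if __name__ == "__main__":
    for user, hits in audit_client_folders("/Cases", GRANTS, FIRM_DOMAIN).items():
        for folder, level, source in hits:
            print(f"{user} can {level} {folder} (granted on {source})")
```
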
Yes, nonindustry-specific file-sharing tools, when utilized properly with security features, can be a boon to lawyers. But they are not the only choice.
A tool continuing to grow in popularity, and favored by practice management advisors for sharing documents with clients, is the client portal. Client portals are often built into law practice management systems (LPMS). They are also referred to as secure client portals because they usually have built-in, end-to-end encryption.
There are many benefits to client portals. They can act as everything from your firm’s virtual lobby with how-to information, to a place where you can securely upload information to a virtual secure spot so both the lawyer and client may share information, with an audit trail. If you need to resend a document through the portal, it is quick and easy to resend the link. And do we even have to say that this method is infinitely better than sending an email with secure information in an attachment?
In addition to having strong built-in security that is more likely to be utilized, rather than hoping that someone remembered to password-protect the file with a strong, hard-to-guess password, client portals built into an LPMS also have great productivity potential. Since an LPMS is matter-centric with contacts, tasks, documents and more all relating to each case file in one place, uploading documents not only connects the files with the appropriate matter in a storage location but also connects to the appropriate permissions assigned to each client. You needn’t worry about what the client will see—the law firm chooses what goes into the portal to be shared with clients as read-only or editable. This circles back to the concept of permission levels—you have control over information you share with clients. This is advantageous organizationally and increases efficiency with file sharing and storing.
We pause at this point to tip our hats to our colleague Jim Calloway, of the Oklahoma Bar Association, for being one of the strongest proponents for use of client portals in the legal vertical. He has helped many law firms see pathways forward with this tool. Learn much more about client portals in his Law Practice Tips blog.
In the end, whatever method you choose to share files, keep in mind these principles: First and foremost, vet the technology you’re considering. Then, when you choose one, get thoroughly trained on the system before use, especially if you’re using it to share files. Next, it’s not enough to know about the product; you also must utilize available security measures from password-protection to encryption to strong passwords and multifactor authentication. Then, consider permission controls and what levels of access various people should have.
Don’t keep all your client files commingled in one large folder. Be sure your file structure segregates information by client and/or matter with appropriately limited access, with consistent naming conventions. Finally, sending a link to a portal or a secure file location is far better than emailing attachments back and forth with clients.
Regardless of the system you use, you must safeguard client data. It’s your duty, and it’s not hard to do if you take the time to learn your system and train your staff.