A multitude of federal and state privacy laws and industry guidelines regulate the storage and transfer of sensitive data, and invoke severe financial or even criminal consequences for noncompliance. Many attorneys may be subject to such penalties without even knowing it.
For instance, attorneys may not think they need to worry about the Health Insurance Portability and Accountability Act (HIPAA) if they do not practice health law. But personal injury, malpractice, family, and Social Security law often require handling medical records, which are protected under HIPAA. Recent updates to HIPAA regulations require stricter compliance by third parties, attorneys included.
Real estate attorneys may be affected by the creation of the Consumer Financial Protection Bureau (CFPB), which regulates a wide range of consumer financial transactions. Although CFPB rules are aimed largely at lenders, third parties such as closing attorneys also may be liable. Real estate attorneys who handle investment properties also deal with information regulated by the Securities and Exchange Commission (SEC) and/or state securities laws, as do tax, financial, commercial, or other attorneys who deal with bank records.
Given the potentially disastrous results of noncompliance with these regulations, attorneys must take every precaution to secure their digital data. They also should keep a less threatening but more common problem in mind: loss of client trust. Even if they are not harmed by its breach, clients will feel personally violated if their information is exposed through poor business practices. Attorneys have an ethical responsibility to avoid this outcome by keeping client data private through good security measures.
However, most don’t. The ABA TECHREPORT 2013 reported that fewer than half of law firms encrypted their files. Worse, 25 percent had no security policy at all. The numbers got worse as the size of the firm in question decreased. Only 11 percent of solo respondents reported having an Internet use policy.
Why is that? Because data security is complicated.
To achieve data security, law practices must rely on their own in-house staff or outside security consultants. Large firms often employ both. However, small to midsize practices often don’t have the resources to invest in outside help. Security falls to small IT departments, administrative staff, or practitioners themselves, who may not be well-trained or technically proficient in data security. They may have a hard time keeping up with which regulations they need to follow, much less complying with them.
In these cases, law firms can reduce their security burdens with data storage and transfer tools that already support privacy compliance. File-sharing services are one such tool, and the legal field increasingly uses these products. However, many attorneys still have concerns about whether this is an ethical practice.
To determine whether file sharing is ethical, attorneys must ask themselves two questions:
- What are my ethical data security obligations?
- Can my file-sharing service fulfill them?
Formal ethical guidelines for data security
In some ways, the ethical guidelines that govern digital data security in the legal field predate the issue itself. The American Bar Association Model Rules of Professional Conduct, which were adopted in 1977, state in section 1.6(c) that a lawyer must “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” In previous decades, maintaining physical barriers like locks or alarm systems and transferring documents outside of the office carefully were enough to fulfill privacy obligations. While those measures are still important, the clause should now be interpreted to include best data security practices.
Though attorneys are primarily governed by the ethical guidelines of their own state bars, the ABA Rules have been used as a model by most bar associations. In all states, the same ethical obligation to maintain client privacy through good data security is required.
Attorneys are also enjoined to serve their clients with “competent representation.” (Model Rules, 1.1). Today, competency includes reasonable data security measures.
Data security challenges
Unfortunately, maintaining good security is as difficult as it is important. New technologies crop up quickly, and each introduces new security weaknesses. To account for them, attorneys need the money and time to implement best practices and the knowledge of how to do so—all of which are limited resources.
Network security can be expensive. Creating secure private networks, hiring IT staff to maintain the hardware and software they require, or talking to outside security consultants can cut into the yearly budget. Many people don’t understand the importance of data security or the increasing threat to it, so executive committees, managing partners or other key stakeholders may not be willing to invest the funds necessary to plug the holes in their own systems.
Money pressures are matched by time pressures. The Digital Age has made us impatient; studies have shown that waiting even a few seconds for a page to load is unacceptable to some people using the Internet. Clients expect the same immediate results and instant communication.
To serve this need, law offices often communicate and transfer files using email, the fastest method available. But email is only as secure as its source and destination networks. Attorneys often don’t realize that every time they email, they are taking the recipient’s network security on faith. They also may not have taken care of their own internal networks by maintaining firewalls and security patches. Mobile devices introduce additional threat; attorneys may not think twice about emailing on their smartphones from places like the local coffee shop, whose network security is far from guaranteed.
Mobile devices also introduce the threat of simple human error. They are susceptible to damage, theft, and loss. The Ponemon Institute, a data security think tank, has found that in the healthcare field, loss of mobile devices is the No. 1 cause of security breach. For modern professionals it’s difficult to resist the temptation to take documents home on a laptop or work on the go from a tablet. But if those devices are stolen or go missing, data breach has occurred. It’s almost impossible for even the most rigorous data security plan to fully account for this kind of error.
Security breach: a case study
In 2011, a Baltimore law firm discovered just how common human error is. A staff member of Baxter, Baker, Sidle, Conn & Jones took a portable hard drive out of the office and accidentally left it on a commuter train. Though she discovered her mistake and went back for the device minutes later, it was already gone.
The drive contained an unencrypted backup of all the firm’s data, including the private health information of 161 patients of a physician client. Its loss put the firm at risk of punishment under regulatory laws like HIPAA, which protects personal health information. It put many people in danger of identity theft and other crimes by exposing their Social Security numbers and private records. More to the point, it also violated each attorney’s ethical obligations by exposing client data.
This incident demonstrates the complexities of data security. The firm did have a security plan, which included taking the device out of the office as a physical protection against fire and flood. However, in doing so, they exposed the data to other kinds of risk. Though it was password-protected, the firm had not encrypted the drive, which is now standard best practice. They relied on a plan that didn’t make room for mistakes.
File sharing as a data security tool
File-sharing services allow you to store information on remote servers and access it through the Internet. This process is often referred to as being “in the cloud” or as “cloud computing.” When you use a file-sharing service to store and transfer records, you are relying on that service’s security measures to keep the data safe.
If the service you’ve chosen maintains good security protocols, it can solve some of your challenges. File sharing is fast; users can still email documents, but in the form of a link to the document in the cloud rather than as an attachment. This way, security is maintained by the file-sharing service’s encryption protocols rather than by the sender’s or recipient’s knowledge or implementation of best practices.
File sharing is often as or more cost-effective than implementing and maintaining complicated security features like virtual private networks or hiring outside IT consultants. It is less complicated than other older solutions to network security issues, such as FTP or SFTP sites. File-sharing services often employ mobile apps that allow users to download encrypted files to their devices; even if they are on unsecured Wi-Fi networks, their files are protected. And because data lives in the cloud, not on a device, it’s not accessible if the device is lost or stolen.
Ethics opinions on cloud computing
A total of 19 state bar associations have found that cloud computing is ethical under certain conditions. The consensus is that if attorneys take reasonable measures to assure themselves that the service in question secures data appropriately, third-party file storage and sharing is acceptable.
California’s opinion provides a good example. The State Bar of California issued this blanket ethics opinion on the subject of the storage and transference of electronic data across various technologies, including file sharing:
Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications.
—The State Bar of California Standing Committee on Professional Responsibility and Conduct, Formal Opinion No. 2010-179
The last points depend on the first. If the technology in question is secure enough, then even very sensitive data can be stored and transmitted without legal ramifications to third parties and without negative impact on a client, and attorneys will be able to meet their urgent needs for speed in communication.
Ohio is even more specific. The Ohio State Bar Association addresses the question of storage in the cloud in the Informal Advisory Opinion 2013-03. It found that “storing client data in ‘the cloud’ is a permutation on traditional ways of storing client data, and requires lawyers to follow the ethics rules that apply to client information in whatever form.” In other words, the same ethics that apply to paper-and-folder file systems apply to the cloud.
The opinion lists four criteria under which cloud computing is acceptable: “Competently selecting an appropriate vendor; preserving confidentiality and safeguarding the client’s data; supervising cloud storage vendors; communicating with the client.” To meet the last three criteria, attorneys must take care with the first—here, an appropriate vendor is one that uses best data security practices.
Selecting a secure file-sharing service
As Ohio says, the first step to using file-sharing services ethically is selecting the right one. But here again, attorneys run into a scarcity of knowledge. Data security is not the core competency of most law practitioners. How do they know whether a file-sharing service secures data appropriately?
Unfortunately, “appropriate” is a moving target. As new security weaknesses are exposed, new protocols need to be put in place. Creating those protocols is the job of organizations like the National Institute for Science and Technology, which conducts ongoing security investigations and regularly updates its recommendations for best security practices.
In turn, keeping up with NIST and other regulatory standards is the job of other organizations that help companies implement best practices. If a file-sharing service has been certified through industry-recognized audits by national or international standards organizations, attorneys can be assured that its security measures are up to par.
When evaluating a service, attorneys should look for certifications such as:
- SSAE 16
- SOC 1, 2 and 3
- ISO 27001
Audits examine various features, including how a service encrypts its data during storage and transfer and whether its servers are physically secure. Attorneys should look for NIST-recommended security features such as:
- AES 256-bit encryption on servers
- Transport Layer Security encryption during transfer
- Multiple redundant datacenters with weather and emergency preparedness
A file-sharing service also should be able to take care of mobile security problems. Its apps should offer features like remote wipe, which allows users to delete files via the Internet if their device is lost or stolen, and multifactor authentication, which requires the entry of multiple kinds of security codes.
Administrative functions can offer extra security. For instance, thorough reporting features allow administrators to see who has downloaded a file, when, and in some cases from what IP address. This allows them to carefully track a document’s lifecycle and identify any problems with unauthorized access quickly.
Another way to judge a service’s security measures is by its adherence to federal regulations that govern the security of sensitive information. To comply with these regulations, services will often need to pass certain audits and employ a wide range of security features and protocols. Examining the regulations with which a service complies is one of the best tests of its security. If, for instance, a service is HIPAA-compliant, then it meets the most stringent standards yet devised by the government.
Information technology is evolving at an increasingly rapid rate. It is becoming more complex, more efficient and more integrated with our daily lives. The ethical responsibilities that affect attorneys’ interactions with today’s technology—competent representation and client confidentiality—require attorneys to take all reasonable data security precautions. Legal firms can use all the help they can get.
Good file-sharing services can provide that help. Outsourcing data security needs can help firms save money and time and circumvent the problem of limited technological know-how. They can solve some of the network security challenges created by mobile devices and allow attorneys all the efficiency and convenience of the modern workplace while helping them maintain the same client privacy for which they’ve been ethically responsible for generations.
As attorneys continue to evaluate file-sharing services, they should keep in mind that data security is now its own ethical responsibility and that they have an obligation to make sure that the services they choose measure up. By thoroughly researching their service’s security standards, attorneys can assure themselves that they are meeting the ethical obligations of their field and representing clients to the very best of their abilities.
Disclaimer: Any statements made in the above document are for promotional, educational and/or informational purposes only, are general in nature, and are not intended, and should not be construed, as legal advice. Citrix hereby disclaims any responsibility in connection with the above document and customer should consult a licensed attorney for appropriate legal advice.