October 31, 2016 Practice Points

Data Diligence and Confidentiality Obligations

By Florence M. Johnson

Our office recently upgraded to a new digital copier. The company came to install the machine on our network, and a technician proudly went to each desk to explain the bells and whistles of the new XCopier 5000. In the midst of my personal demo, a file popped up on the screen. A closer look confirmed what I thought I’d seen: the file contained sensitive client information from a rival firm. Horrified, I pointed this out to the tech standing behind me. He smiled. He nodded. He looked again, and the smile disappeared.

Silence.

"Oh no. That isn't supposed to be there!" The technician disappeared, running at breakneck speed to delete the offending document. Poof! As if by magic, it disappeared. But is it gone forever? Somehow I don’t think so.

I have long puzzled over things that appear and disappear like magic. At a recent CLE during our Annual Meeting, our instructor advised that proper document storage certainly isn’t magic, and it can be fraught with peril. Remembering how easily another firm’s sensitive documents were mishandled by the copier company, I mulled over my responsibility to my clients and to my firm. Ultimately, I created an acronym to remind me of the steps I should be taking to protect these documents from unscrupulous eyes.

As lawyers, we regularly manage reams of paper, and we must handle this paper delicately. To wit:

Review
Encrypt
Assess
Monitor

These four buzzwords can help us all effectively manage the documents in our care.

Review your process. Take a good hard look at the document handling procedure in your office, as well as the personnel you have handling your precious material. Partners and associates and paralegals are obvious, but don’t forget your support staff, even down to the runners. Make them aware of the firm’s policies and what you expect from them.

Encrypt your files. During the CLE presentation I referenced earlier, we practitioners were presented with a number of scenarios to remind us that document encryption is paramount. Client information should be kept secure at all levels: when transferring to third parties, between office staff, and among lawyers. Giving an unencrypted flash drive to a colleague to take information home to use on a third-party machine is a definite no-no. The Model Rules tell us that, above all, we have an obligation of confidentiality to our clients, to our office, and to protect the documents at all costs.

Assess the weaknesses in your current process. Every office confidentiality plan for protecting client information could use some updating. Spot your gaps! How long does your state require that you keep material from a closed file? Can summer interns receive work assignments over the Internet containing confidential information? Do you have offsite backup for information in case of a catastrophic event like fire or flood? Do you use a cloud storage system to send and receive confidential information? If so, have you reviewed the Local Rules of your jurisdiction to determine if that is permitted?

Monitor your plan and its implementation. It is up to you to follow through. Make sure that the mechanisms you establish to protect client confidence are followed to the letter. Did you shred documents last year? Do you have the certified destruction certificate detailing what was shredded and when? If you do not have this, then you haven't completed the final step of the REAM method and you have not protected your client’s information.

As attorneys we are under constant legal and ethical obligation to conduct our business in a manner that keeps confidential information under wraps. Taking the time to develop clear standards for document protection ensures the safety of your files, boosts confidence among your client base, and protects you from litigation.

Data breaches are no longer solely concerns for large, well-known organizations like Yahoo, Home Depot, or the Democratic National Committee. There has been discussion in Model Rule 1.4 that a client should be notified in the event of a breach, as the information contained therein is ultimately the property of the client (Rule 1.4(a), in relevant part, requires attorneys to (1) promptly inform the client of any decision or circumstance with respect to which the client’s informed consent is required by the Model Rules, (2) reasonably consult with the client about the means by which the client’s objectives are to be accomplished, and (3) keep the client reasonably informed about the status of the matter). Sensitive information, like driver's license numbers, Social Security numbers (see, Fed. R. Civ. P. 5.2 (federal rule restriction against Social Security Numbers used in federal court pleadings)), or medical records (see, The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), 42 U.S.C. §§ 1320d–1320d-8) collected for tort matters, must be safeguarded. A concerted effort on the part of the firm protects everyone involved.

Keywords: minority trial lawyer, litigation, data, diligence, confidentiality, HIPAA, Model Rule 1.4

Florence M. Johnson is the principal attorney at Johnson and Johnson, PLLC, in Memphis, Tennessee, and the chair of the Practice Points Subcommittee for the Section of Litigation’s Minority Trial Lawyers Committee.


Copyright © 2016, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).