PROTECTING CLIENT DATA: 11 Steps to Take When Using Technology
Secure socket layer? Encryption? Firewalls? Antivirus? A recent state bar opinion that mentions these terms may read like it was written by a bunch of computer geeks—but it is actually a wake-up call for lawyers everywhere.
The intersection of lawyer ethics and technology use can be murky, especially given the pace at which technology continues to advance. So where’s the line on how you should safeguard the client information on your systems? In December the Arizona Bar’s Committee on the Rules of Professional Conduct weighed in when it published Opinion 09-04: “Confidentiality; Maintaining Client Files; Electronic Storage; Internet” (see http://tinyurl.com/ydfj6r9). It gives a “heads-up” to practitioners across the country by describing the (changing) concept of lawyer competence for protecting client information when using technology. We know that keeping up with the changes in the law is difficult enough. But the new ethics opinion suggests that is not all a lawyer must do:
… whether a particular system provides reasonable protective measures must be ‘informed by the technology reasonably available at the time to secure data against unintentional disclosure.’ N.J. Ethics Op. 701. As technology advances occur, lawyers should periodically review security measures in place to ensure that they still reasonably protect the security and confidentiality of the clients’ documents and information.
The committee further opined:
It is also important that lawyers recognize their own competence limitations regarding computer security measures and take the necessary time and energy to become competent or alternatively consult available experts in the field. The competence requirements of ER 1.1 apply not only to a lawyer’s legal skills, but also generally to ‘those matters reasonably necessary for the representation.’
In other words, Arizona is telling us that a certain level of lawyer competence in the security of technology is necessary to comply with Model Rule of Professional Conduct 1.1. What does “competence” mean in this context? Here, in order of importance and offered from a practice management advisor’s perspective, is a list of the present requirements of competency for protecting client information when using technology.
Data Safeguarding Checklist
1. Turn off the computers at night. Leaving a computer running after you have left for the day gives anyone who comes through your office access to client information. If you have a storefront, street-level law office (not an office in a secure tall building), it is all the more important to turn off the computers when you close up shop.
2. Use a password to open your operating system. Whether you use a Macintosh or a Windows computer, be sure to set up the user accounts with a secure password. In Windows, go to Control Panel–User Accounts and follow the prompts. On the Mac, go to System Preferences, then Security.
3. Back up client data. This means making a copy of your electronic client data in case the original data is lost owing to a system failure, accidental deletion, file corruption or otherwise. Your backup system might involve CD-ROMs, DVDs, a flash drive, an external hard drive or an Internet backup vendor. A best practice is to use at least two methods of backup. For example, more lawyers are now using an external hard drive as a “local” (in office) backup as well as an Internet account where the files are also backed up on a regular basis. Disk imaging, which is another method of backup, enables copying the software applications, settings and so forth on your hard drive, too.
4. Run a test-restore on the backup. What a concept—actually finding out if you can retrieve the lost files from a backup! Be “from Missouri” and show yourself that the backup did its job by doing this: Create a file, back it up, delete the file, and attempt to retrieve the file from the backup. You’ll be glad you did.
5. Secure your wireless network. This prevents unauthorized persons from using your network, although technically it can be tricky. Ask your technology vendor to assist you with this important task.
6. Use antivirus software and a firewall. Keep the antivirus software updated on a routine basis. Also, be on your guard if you notice an e-mail that is out of the ordinary. Visit only known and trusted Web sites because malware is transmitted more often by Web sites than by e-mail.
7. Remove the metadata before e-mailing files. Metadata is “data about data.” Sounds geeky, but it is the common term for the potentially embarrassing data that resides hidden from the eye within your electronic files. Think edits, author names, date created and the like. (See http://tinyurl.com/yand6f2 for details on the subject.) You do not, for example, want the other side to be able to see the edits to your settlement offer or demand letter. Convert the file to a PDF before e-mailing it. Also, in Word 2007, go to the Office button and choose Prepare–Inspect Document to check for metadata.
8. Use a password to protect sensitive e-mail attachments. Oh no! You were tired and accidentally sent the draft settlement offer file to the other side—not to your client with the similar last name! But not to worry because on the attached file you set a password that is required for the recipient to open the file. In Word 2007, go to the Office button and choose Prepare–Encrypt Document–Set the password. In Adobe Acrobat 9 Professional (not Adobe Reader), go to File–Properties–Security, then Security Method–Choose Password Security. At the outset of a matter, discuss your security policy about electronic data with the client and agree on a password that is easy for the client to remember but difficult for others to guess.
9. Be familiar with Adobe Acrobat or PDF Converter 6. I like to think of these products as “environments” and not simply software applications. Why? Because the more you work within these programs, the more comfortable you become. Like visiting a foreign country, the longer you are there, the more familiar you become with the area. Soon, with PDF files and features, you realize there is very little you need to do with paper—and remember, using PDF helps reduce the metadata that could be unknowingly shared outside the office.
10. Move the Reply To All and Forward buttons away from the Reply button in your e-mail program. Nobody is perfect. We have all sent an e-mail message to an undesired recipient at one point or another. Fortunately, to reduce the odds of it happening again, those little toolbar buttons can be moved around by (in Outlook) going to Tools, then Customize. When you see the dialog box appear, ignore it and simply move the cursor to the button that you wish to move. Left-click the mouse and drag the button away from the Reply button. Then let go, and voilà.
11. Use Outlook’s practice management features. Okay, this is not exactly a security tip, but it can help you manage client files better. Beyond being simply an e-mail or a calendar program, Outlook has many ways to manage information in your practice. Examples are conflicts checks using the Contacts feature; managing telephone conversation records by caller, topic, date or case; tracking case calendars; and managing access to important documents, PDFs and images by attaching a shortcut to the document with the contact. (See http://tinyurl.com/y9o33ka for tutorials on using Outlook features.)
Implement as many of these tips as possible and rest easier knowing that you are closer to achieving the level of technology competence that bar associations increasingly expect of lawyers.
About the Author
Peter Roberts is the Practice Management Advisor in the Law Office Management Assistance Program (LOMAP) of the Washington State Bar Association. Formerly a legal administrator in law firms in Washington, DC, New Hampshire, Boston and Seattle, he is a frequent speaker and writer on practice management topics.