An ethical approach to ensuring your client’s critical data is protected
Author Carlos A. Baradat, Esq., The Baradat Group
The past two years have given lawyers little choice but to embrace technology. In many ways, lawyers have had to face their biggest fear, change. Historically speaking, the legal industry has been slow to adjust in both practice and law to the new trends in technology. It is no surprise that it took nearly twenty years for the rules of civil procedure to incorporate language directly addressing electronic discovery, and not at all unexpected that it took another ten years to add the first set of amendments to the rules.
Whatever the reason for the legal system to tread slowly in the seemingly murky technology waters, these past two years have forced an unexpected positive change and a likely unintentional leap forward in the practice of law. Simply stated, being up to date with basic technology “know-how” is no longer a choice, but an ethical duty.
One of the areas in which this is now particularly prevalent is in working remotely. Law firms have had to adapt to a new normal for a working office, and although there are many reasons for which a law firm should be “mobile-ready,” this article will focus on the ethics of protecting client data while working remotely.
The reasons for implementing a virtual or “mobile-ready” office environment into a law firm are many. It brings about flexibility, it can reduce cost, it facilitates a business continuity plan, and supports personnel safety when needed. But as we move into this virtual environment, lawyers and administrators ought to consider the following in order to maximize productivity, reduce potential financial loss, and protect a law firm’s biggest and perhaps most important asset, client data.
Rule 1.6 Confidentiality of Information
[1] This Rule governs the disclosure by a lawyer of information relating to the representation of a client during the lawyer’s representation of the client.
[19] When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients . . . Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.
Even though the governing bodies have made some attempts at addressing a lawyer’s responsibility when it comes to protecting “client data” (mainly through Comments to the Rules), lawyers are still left with many uncertainties about their role in protecting and handling digital information. In many ways, the legal community is once again left to rely upon what may be considered “reasonable” as the standard.
Because of this uncertainty, it would be wise for lawyers to take an aggressive approach to protecting their clients’ data, and it all starts with having a basic personal working knowledge of data protection issues and policies.
How To Get Connected
When working remotely, many users tend to connect to the internet via personal or public internet connections. These may include home wi-fi networks, coffee shops, hotels, restaurants, and libraries. Connecting to the internet in this manner can put the user’s data in a vulnerable state, as most people do not have the necessary technical knowledge to ensure that their home internet connection has adequate safeguards in place, such as firewalls, VPNs, and virus protection.
ABA Rule 1.1 Competence
A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
In addition, public wi-fi networks may not adhere to even the minimum standard of security that “might” be required to meet the reasonable standard. In other words, when we go to a local coffee shop and everyone shares the same password to connect, it makes it easier for a would-be hacker to gain access to all users connected to the wi-fi network and to their information.
Hackers are clever. Spoofing is another method they use. The hacker sets up a hotspot and gives it a name similar to what a reasonable person might expect at that location. The hacker could name the hotspot “hotel guest Wi-Fi” or “guest Wi-Fi.” At this point, most of us would not think twice about connecting to one of these Wi-Fi networks. But once we do, we are once again putting our client data at risk without ever knowing that it happened.
What Can I Do Now?
One way a person can minimize their risk is by using a Virtual Private Network (VPN). A VPN is a service that helps protect an internet connection and the user’s privacy while online. This is done by creating an encrypted tunnel for the data being transmitted that hides the user’s IP address when connected. VPNs are incredibly useful, low-cost tools. Although nothing is foolproof, using one may just help bolster the argument that reasonable steps were taken if your client’s data was ever compromised.
Ensuring that your home Wi-Fi and router are properly secured and configured is another positive step towards protecting your client’s data. Many home wi-fi connections still come with “default” settings. Hackers only need to do a simple Google search of your internet provider’s IP or router information to find the default settings for the router’s username, its password, and often both (i.e., the username is often “admin”, and the password is often, you guessed it, “password”). Therefore, even if you have a strong wi-fi password for your home connection, a hacker could easily get access to your account via the router by simply guessing the typically used default settings. Once they have access to your router, they have access to your internet connection, and so on.
To protect client data, be sure that you have changed not only the password on your Wi-Fi connection at home, but also the password for the router.
If you are working remotely from home, it is also wise to create a separate wi-fi connection for your law office that is different from the one that is used in your household. This would separate the “personal” internet traffic generated by other users in your household from your law firm’s connection; think Rule 1.6 Confidentiality of Information and Rule 1.1 Competence. Again, this action could help provide a reasonable argument that you are doing what you can to protect client data.
ABA 5.3 Duty to Supervise Non-lawyers
. . . a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person’s conduct is compatible with the professional obligations of the lawyer;
It is important to take into consideration a lawyer’s “duty to supervise non-lawyers”. Ultimately, it is up to the attorney to provide their remote working staff with the adequate tools that ensure compliance with their “reasonable” client data protection policies.
Data Protection Policies
Policies ought to cover, at a minimum: where client data will be stored (office server or the “cloud”); how employees will make that connection; what virus protection software will be installed on individuals’ devices; home wi-fi connection protocols; remote desktop software; and, perhaps most importantly, procedures for handling client data that is downloaded to equipment not owned by the law firm.
It may not seem reasonable for a copy of a client’s deposition, case notes, or settlement agreements to be downloaded and stored (temporarily or otherwise) on the same computer that kids use to play online games at home.
The rapid advancement of working remotely has changed the landscape of practicing law today, and probably forever. Although many firms have had the ability to do this for years, the current situation has made catching up absolutely necessary. The ability to work remotely gives attorneys the ability to practice at a new level. Having access to client files from anywhere and being able to move an office location in an instant are some of the great benefits of working remotely. But there are ethical challenges that go along with this progress.
As many attorneys work hard to rethink their business model given the current situation, establishing a virtual office might just be the answer that makes sense at this time. Nevertheless, the great benefits of working remotely do not come without potential hazards. Establishing “remote working” policies for your firm to follow, taking into consideration the Rules addressing client confidentiality, competence, and supervision of non-lawyers, is necessary. With thoughtful planning, action, and guidance, you can find that ever-elusive “reasonable standard” related to protecting your client’s data in this new age of practicing law.