In today's society, it is the rare attorney who puts in a long day at the office and goes home, leaving all further work to be resumed the next morning. Attorneys today continue working by BlackBerry or other smartphone during the commute home, frequently also logging additional time connecting to the office remotely from a home computer or laptop, and already have reviewed and responded to new emails before stepping back into the office the next morning.
While lawyers generally are not early adopters of new technologies, our industry's reliance on new technologies has by and large transformed the way we work during the last decade. More and more attorneys have moved to electronic filing systems and paperless office environments; use BlackBerries, electronic notebooks and/or laptops; increasingly communicate via email or instant messaging; and, have the ability to log into work remotely anyplace and anytime.
These new technologies have allowed us to become more productive and accessible to our clients and colleagues, but also pose potential new risks to the confidentiality of our communications. This article will explore the following areas: (1) ethical obligations to maintain the confidentiality of client information; (2) the various state and federal laws that impose requirements for protecting certain types of data; (3) the potential liabilities in the event the confidentiality of data inadvertently is breached; (4) the specific risks of inadvertent disclosure posed by unsecured wireless networks, mobile devices and cloud computing; and (5) suggested practices to help our industry develop effective data security protocols and keep pace with a rapidly changing environment.
2. Duty of Confidentiality
All fifty states and the District of Columbia have an ethical rule prohibiting, subject to certain exceptions, a lawyer from revealing information related to the representation of his/her client unless the client provides informed consent. The ABA's Comments to Rule 1.6 specifically address a lawyer's obligation to preserve confidentiality, providing that a lawyer must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure.1
Twenty-nine states and the District of Columbia have issued comments to Rule 1.6 requiring that attorneys take "reasonable precautions" to prevent unauthorized access to client communications. The comments provide that attorneys typically need not use "special security measures if the method of communication affords a reasonable expectation of privacy," but note that:
Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement....
The State Bar of California Standing Committee on Professional Responsibility and Conduct recently issued an opinion addressing Rule 1.6, in response to a query from a California lawyer regarding wireless access to the Internet.
The Standing Committee noted that guidance to lawyers on this issue has not kept pace with technology. Accordingly, the Committee set out six general factors to be analyzed by lawyers when considering the use of any new technology in the course of representing a client, particularly any technology that uses the Internet:
- the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security;
- the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information;
- the degree of sensitivity of the information;
- the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product;
- the urgency of the situation; and
- the client's instructions and circumstances, such as access by others to the client's devices and communications.
The Committee emphasized that due to the evolving nature of technology and differences in available security features, a lawyer has a continuing obligation to monitor the efficacy of steps taken to ensure his/her use of technology does not subject confidential client information to an undue risk of unauthorized disclosure.
3. Laws Requiring Specific Levels of Data Security
In 2010, Massachusetts enacted a law setting forth certain requirements for "every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information."2 These requirements include having a written information security program (commonly known as a "WISP"), and encryption of all personal information of residents that will travel across public networks, be transmitted wirelessly or be stored on laptops or other portable devices.3
Nevada law provides that data collectors doing business in the State who accept payments via credit card must comply with the Payment Card Industry ("PCI") Data Security Standards.4 Data collectors not accepting payment via credit card are prohibited from: transferring "any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption..." and moving "any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption...".5
Lawyers who perform legal services for entities such as hospitals also may be considered a Business Associate ("BA") under the Health Information Technology for Economic and Clinical Health Act ("HITECH"), which went into effect in February 2010. HITECH provides that BAs are subject to the HIPAA Security and Privacy rules that apply to electronic Protected Health Information ("ePHI"). These security regulations include physical safeguards, such as safeguards for workstation security and policies for disposal of ePHI on workstations, as well as administrative safeguards, such as developing information security policies and procedures, appointing a security officer, sanctioning violations, and providing regular training.6
4. Implications of a Law Firm's Breach of Information
The unauthorized disclosure of a client's information obviously triggers various ethical obligations. In addition, the unauthorized disclosure or breach also could implicate breach notice laws and require notification to governmental agencies or state attorneys general.
Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted laws requiring notice to their residents in the event the resident's personally identifiable information is breached. Most of these laws have a "risk of harm" trigger, requiring notice only if it is determined, after a reasonable investigation, that there is a reasonable likelihood of harm to consumers; however, some states (including California and Massachusetts) do not limit the notice requirement to the "risk of harm" standard. The definition of "personally identifiable information" varies in each state, but generally includes a resident's first or last name, in conjunction with one non-public identifier, such as a social security number, state ID or driver's license number, or credit card or bank account number. The majority of these laws are limited to electronic data, but at least six states (Alaska, Hawaii, Indiana, Massachusetts, North Carolina and Wisconsin) apply the laws to paper records.7 HITECH also requires notice to impacted individuals of a breach involving PHI. Such notices must be issued within sixty days of the discovery of the breach. In addition, if the breach involves more than 500 individuals, the Department of Health and Human Services ("HHS") must be notified, and if the breach involves more than 500 residents of a state, a statement to the media also is required.8
The cost to comply with the various notification requirements can be very significant, especially since it has become the norm to provide free credit monitoring to individuals whose credit or financial information has been breached (though such offerings are not legally required).
A breach also can result in regulatory investigations and/or penalties. Many of the state breach notice laws require notice to the state Attorney General of the breach incident; a handful of Attorneys General offices are particularly active with respect to data breaches, often initiating investigations into breaches impacting their residents, as well as issuing penalties. The Office of Civil Rights, which is the enforcement arm for HHS, increasingly has become active in connection with breaches, and can issue civil penalties of $100 to $50,000 per violation, up to $1,500,000 per calendar year, as well as injunctive relief.
5. Specific Risks Presented by New Technologies
On May 2, 2011, the ABA Commission on Ethics 20/20 examined lawyers' use of new technologies and concluded that online interactions do not merit separate rules, but instead require increased guidance in applying existing ethical rules. To that end, the Commission proposed certain modifications to the ABA Model Rules of Professional Conduct,9 which are designed to account for lawyers' growing use of technology, especially technology that stores or transmits confidential information. The proposed modifications avoid regulating any specific form of technology or use, and instead propose flexible principles, including expanding the duty of confidentiality to include a requirement that lawyers make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, confidential information and expanding the duty of competence to include a duty to remain aware of the benefits and risks associated with technology. With this in mind, the benefits and risks associated with unsecured wireless networks, cloud computing and mobile handheld devices are examined below.
1. Unsecure Wireless Networks
An unsecured wireless network essentially is wireless internet that one can use without entering a network key. Unsecured wireless networks are everywhere – your local coffee shop, the airport, the public library, etc. In addition, many personal households have unsecured wireless networks in place.
Unsecured wireless networks are exactly that – unsecure. Last year the New York Times published an article10 regarding the risks to users of unsecured wireless networks. The article examines how such networks are susceptible to cracking programs which allow hackers to easily watch users browse the Web and even to modify what users do online.
2. Cloud Computing
Cloud computing provides computation, software, data access, and storage services that do not require end-user knowledge of the physical location and configuration of the system that delivers the services. Cloud computing is analogous to the electricity grid, whereby one consumes electricity without needing to understand the component devices or infrastructure required to provide the service.
Benefits include lower costs and the ability to increase capacity or add capabilities without investing in new infrastructure.
On September 10, 2010, the New York State Bar Association Committee on Professional Ethics published Ethics Opinion 842, in which the Committee considered whether a lawyer may use an online "cloud" system to store a client's confidential information without violating any ethical duties. The Committee concluded that a lawyer may use an online "cloud" computer data backup system to store client files so long as the lawyer takes "reasonable care" to protect the client's confidential information from unauthorized disclosure. The Committee proposed that "reasonable care" includes consideration of the following three steps:
- Ensuring that the online data storage provider has an enforceable obligation to preserve confidentiality and security, and the provider will notify the lawyer if served with process regarding the production of client information;
- Investigating the online data storage provider's security measures, policies, recoverability methods, and other procedures to determine if they are adequate under the circumstances; and
- Employing available technology to guard against reasonably foreseeable attempts to infiltrate stored data.
The Committee concluded that, because technology is changing rapidly, a lawyer should stay abreast of technological advances to ensure the storage system remains sufficiently advanced to protect client information and lawyers should monitor the changing law of privilege to ensure that storing information in the cloud will not waive or jeopardize any privilege protecting the information. This constitutes a significant, ongoing responsibility placed on the lawyers to understand and keep up with complex technology specifically designed for users who do not necessarily desire or set out to be engaged in the details of how the technology works.
3. Mobile Computing Devices
Lost or stolen smartphones – including BlackBerry devices – are all susceptible to hacking. A BlackBerry device is wiped of all information if the wrong password is entered ten times, all data transmitted between a BlackBerry server and device is encrypted with a highly secure algorithm, and system administrators remotely can change BlackBerry device passwords and lock or delete information from lost or stolen devices; nevertheless, a Russian software developer has discovered that the BlackBerry offline back-up scheme allows access to passwords and encrypted business data for those who gain access to back-up files.11
iPhones and iPads also are susceptible to hacking. In 2011, the Fraunhofer Institute for Secure Information Technology announced that passwords for networks and corporate information systems can be revealed within as little as six minutes if an iPhone or iPad is lost or stolen – even if the device itself is password protected.12
The Florida Bar has addressed the ethical duties involved with storing information on hard drives, including computers, printers, copiers, scanners, cellular phones, PDAs, flash drives, memory sticks, facsimile machines and other electronic or digital devices. On September 24, 2010, the Florida Bar published Ethics Opinion 10-2, concluding that lawyers who utilize such storage devices must take reasonable steps to ensure that client confidentiality is maintained and that the device is sanitized before disposition. The "reasonable steps" proposed are as follows:
- identify any potential threat to confidentiality and develop and implement policies to address any potential threat to confidentiality;
- inventory all devices that contain hard drives that store media;
- supervise non-lawyers (including "entities outside the lawyer's firm with whom the lawyer contracts to assist in the care and maintenance of the devices") to obtain adequate assurances that confidentiality will be maintained; and
- take responsibility for sanitization of a device by requiring "meaningful assurances from the vendor at the intake of the Device and confirmation or certification of the sanitization at the disposition of the Device."
The Florida Bar concluded that a lawyer affirmatively should identify and address potential threats to confidentiality, stating: "[a] lawyer has a duty to keep abreast of changes in technology to the extent that the lawyer can identify potential threats to maintaining confidentiality".
4. Videoconferencing Equipment
The videoconference is a ubiquitous tool for most legal practitioners today. However, videoconferencing equipment recently has been revealed to be extremely vulnerable to hackers, potentially causing embarrassing and dangerous inadvertent disclosure of privileged information. In an article published by the New York Times in January 2012, a security company, Rapid7, announced it had discovered 5,000 wide-open conference rooms belonging to a range of businesses, including law firms, as a result of their insecure videoconferencing systems.13
Rapid7 is a company that looks for security holes in computer systems. In their investigations, they established that most businesses today use Internet protocol videoconferencing systems and, although such businesses might invest in top-quality videoconferencing units, the system often is set up outside the firewall, leaving the system open to attack. In addition, systems frequently are outfitted with a feature that automatically accepts inbound calls. By doing so, companies are putting their systems on the Internet and allowing anyone to listen in unnoticed. Accordingly, law firms must ensure that effective safeguards are in place to protect confidential client information shared during videoconferencing.
5. Internet Email Accounts
Internet email accounts may be accessed by hackers using equipment that is able to rapidly try multiple possible password combinations.
In this regard, the Google email account of a Virginia-based law firm recently was hacked by the Anonymous collective, which led to the exposure of emails containing client documents. The hackers gained access via the firm's Google email passwords, which were not sufficiently secure. The law firm currently is awaiting an opinion from the state bar's ethics council to determine whether notification will be required to all of the firm's current and former clients.14
6. Risk Management Considerations
While new technologies do present security risks, these risks can be managed. Firms cannot prevent lost or stolen equipment, or perhaps even an intrusion by a third party hacker; however, there are practices and procedures that can be considered by firms wishing to address and mitigate these risks.
- Establishing and enforcing a written information security program (WISP), including a firm policy dictating technology use. Make certain all employees are familiar with the WISP and understand the significance of the program. Requiring employee signatures to the WISP and reviewing the program on an annual basis are good ideas.
- Prohibiting or limiting work via unsecured wireless networks (e.g., on airplanes, in coffee shops, or over unsecured home networks). If being able to access work out of the office is important, consider providing attorneys secure portable modems.
- Preventing employees from downloading information to flash drives, laptops, etc. (unless, of course, the devices are encrypted).
- Encrypting all portable devices and sensitive email.
- Requiring password protection for all BlackBerrys, iPhones and other smartphones/PDAs.
- Establishing a 24-hour hotline to report lost/stolen BlackBerrys and immediate kill functions for all such reported devices.
- Conducting background checks on staff (especially IT staff).
- Setting up a password for the videoconferencing system, deactivating the auto-answer function for incoming calls and keeping a lens cap on the camera lens when not in conference.
- Establishing an incident response plan (IRP), just in case a breach happens.
Implementing some or all of these risk management guidelines will assist in limiting risk in the event of lost or stolen information. Staying abreast of the changing laws can be a challenge, but the rewards are meaningful. Many industry observers compare the current situation to the employment arena, where federal and state laws, as well as litigation, helped shape and develop standard protocols for companies of all sizes to assist in mitigating or obviating risk.
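The practices listed above only work if someone actually checks the firm's devices against them. The following script is an added example (it is not from the article, and it reflects no particular firm's or vendor's tooling): it encodes several of the listed practices as rules and runs them over a constructed device inventory, flagging unencrypted portable devices, smartphones without a password, lost devices that have not been remotely wiped, and videoconferencing units that auto-answer, have no password, or sit outside the firewall. The device names and attribute values are invented for illustration.

```python
"""Constructed WISP compliance check over a device inventory.

Added example, not part of the original article. The Device fields and
the SAMPLE_INVENTORY below are assumptions made for illustration; a real
firm would populate them from its own asset inventory.
"""
from dataclasses import dataclass
from typing import Dict, List

PORTABLE_KINDS = ("laptop", "smartphone", "flash_drive")


@dataclass
class Device:
    name: str
    kind: str                    # "laptop", "smartphone", "flash_drive" or "videoconf"
    encrypted: bool = False      # full-device or media encryption enabled
    password_set: bool = False   # device PIN/password (or videoconf system password)
    reported_lost: bool = False  # reported to the lost/stolen hotline
    remote_wiped: bool = False   # kill/remote-wipe confirmed after a loss report
    auto_answer: bool = False    # videoconferencing only: accepts inbound calls unattended
    outside_firewall: bool = False  # videoconferencing only: reachable from the Internet


def check_device(d: Device) -> List[str]:
    """Return the list of policy findings for one device (empty means compliant)."""
    findings: List[str] = []
    # Encrypt all portable devices.
    if d.kind in PORTABLE_KINDS and not d.encrypted:
        findings.append("portable device is not encrypted")
    # Require password protection for all smartphones/PDAs.
    if d.kind == "smartphone" and not d.password_set:
        findings.append("smartphone has no password")
    # Lost/stolen devices must be killed immediately once reported.
    if d.reported_lost and not d.remote_wiped:
        findings.append("reported lost/stolen but not remotely wiped")
    # Videoconferencing: password, no auto-answer, behind the firewall.
    if d.kind == "videoconf":
        if not d.password_set:
            findings.append("videoconferencing system has no password")
        if d.auto_answer:
            findings.append("videoconferencing system auto-answers inbound calls")
        if d.outside_firewall:
            findings.append("videoconferencing system is reachable from outside the firewall")
    return findings


def audit(inventory: List[Device]) -> Dict[str, List[str]]:
    """Map each non-compliant device name to its findings; compliant devices are omitted."""
    report: Dict[str, List[str]] = {}
    for d in inventory:
        findings = check_device(d)
        if findings:
            report[d.name] = findings
    return report


# Constructed sample inventory (invented names and states, for illustration only).
SAMPLE_INVENTORY = [
    Device("LAPTOP-ASSOC-01", "laptop", encrypted=True, password_set=True),
    Device("USB-PARALEGAL-07", "flash_drive", encrypted=False),
    Device("PHONE-PARTNER-03", "smartphone", encrypted=True, password_set=True,
           reported_lost=True, remote_wiped=False),
    Device("PHONE-ASSOC-12", "smartphone", encrypted=True, password_set=False),
    Device("VC-BOARDROOM", "videoconf", password_set=False, auto_answer=True,
           outside_firewall=True),
    Device("VC-CONF-2B", "videoconf", password_set=True, auto_answer=False),
]


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Running the script prints only the non-compliant devices with their findings; a compliant device such as the encrypted, password-protected laptop produces no output. The rules are deliberately simple so that a firm can add its own (for example, a rule that flags devices missing from the annual inventory review) without changing the reporting logic.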
1 Model Rules of Prof'l Conduct R. 1.6 cmt.
2 201 CMR 17.03(1)
3 201 CMR 17.03 (1), 17.04 (3) and (5)
4 Nev. Rev. Stat. § 603A.215(1)
5 Nev. Rev. Stat. § 603A.215(2)
6 45 C.F.R. §§ 164.308 and 164.310
7 Alaska Stat. § 45.48.010 et seq.; Haw. Rev. Stat. §§ 487N-1 to 487N-4; Ind. Code Ann. §§ 24-4.9-2-2; ALM GL ch. 93H §§ 1, 3-6; N.C. Gen. Stat. § 75-65; Wis. Stat. § 134.98
8 HITECH §§ 13402(e), codified at 42 U.S.C. §§ 17932(e)
9 ABA Comm. On Ethics 20/20, Initial Draft Proposals – Technology and Confidentiality (May 2, 2011), available at: http://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/20110502_technology.authcheckdam.pdf
10 Kate Murphy, New Hacking Tools Pose Bigger Threats to Wi-Fi Users, N.Y. Times, February 14, 2011, available at: http://www.nytimes.com/2011/02/17/technology/personaltech/17basics.html?_r=1&scp=2&sq=unsecure%20networks&st=cse
13 Nicole Perlroth, Cameras May Open Up The Board Room to Hackers, The New York Times, January 22, 2012, available at: http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html
14 Martha Neil, Unaware 'Anonymous' Existed Until Friday, Partner of Hacked Law Firm Is Now Fielding FBI Phone Calls, ABA Journal, Feb. 6, 2012, available at: http://www.abajournal.com/news/article/unaware_that_anonymous_existed_until_friday_law_firm_partner