Imagine the scenario:
You're out of the office for a much needed vacation. The client calls the office with an urgent request and you're the only one on the team with the expertise to address it. You're on the road and in a hurry so you have a colleague e-mail you the specifics of the inquiry. You log on to your firm's network and copy the merger and acquisition (M&A) agreement you've been working on to a thumb drive for easier access. You proceed to make your changes on your laptop, and when you're done, you load the document up to a storage repository hosted in the cloud that you are sharing with your client. Now you go on about your day; the crisis has been averted and the client has what he or she needs.
Technology can be a great partner. It allows you to be efficient, productive, responsive, and mobile, and it aids you in meeting the ever-increasing demands of clients. However, this same technology can be your worst nightmare if you haven't taken adequate precautions in using it. Major questions have arisen regarding:
- How these new technologies impact the practice of law
- The implications for attorneys
- Attorneys' ethical obligations to protect clients' confidential information and preserve clients' records and files
- Attorneys' obligations to provide competent representation (Mayfield 2007)
In the prior scenario alone, there are many "holes" that could expose the attorney, firm, and client, leaving them vulnerable to attack or to misuse of their data. For example, was the e-mail encrypted? Could it have been intercepted? Was the attorney on a wired or wireless network? Was it secure? Does the attorney use his wife's name as his network password? Did the attorney encrypt the data that he or she stored on the thumb drive? Was the drive at least stored in a safe place? What if the attorney inadvertently left the laptop at the airport; was it encrypted or at least password protected? Was the cloud provider safe; had that service been thoroughly vetted? If additional support staff were assisting from the office, did they know what procedures and policies are required to interact with this data?
These are all questions that are coming to light as technology moves front and center in our practices. There are real threats out there, both internal and external, and attorneys need to be aware of steps they must take to help protect their relationships with their clients.
Here are some facts:
- The FBI says that cyber-attacks against law firms are on the rise. Firms house large repositories of critical data, whether it's related to health-claims and e-discovery or M&A or intellectual property. (Mintz 2012)
- Some firms have, or are considering, cyber-liability insurance to cover them for security-related events, such as the failure to provide access or prevent access to client data, and the failure to protect the confidentiality and privacy of client data. (Reed 2010)
- The ABA has weighed in with their ABA Commission on Ethics 20/20, which outlines how technology has changed the practice of law and how the regulation on lawyers should be updated to reflect these changes. (ABA 2012)
- Privacy laws such as HIPAA, HITECH, Sarbanes-Oxley, Gramm-Leach-Bliley, as well as a host of state-sponsored privacy laws, all emphasize the need to protect electronic data and electronic communications. (Mintz 2012)
- Since 2009, over 80 major law firms in the United States have had their systems hacked. (Jones 2012)
It is widely known that attorneys' files are not well-protected from cyber attacks and it is generally easier for a hacker to break into a law firm's network to steal client data than it is to hack into the clients' networks to steal the data. (Mintz 2012) Attorneys and firms, in many cases, are their own worst enemies. Even the FBI has pointed out that the culture of law firms and the power of partners can make them an easy target. (Smith 2012) Partners insist on mobility and escalated rights within their environments; they want to be able to review important documents at home, on the road, from a hotel, etc. All of these scenarios increase risk. If the attorney can get to it, the possibility that an unintended party could gain access increases as well.
So what should an attorney do? Well, it's not clear-cut. Different states have different guidelines, and as mentioned before, the ABA has derived a set of guidelines of its own. One thing is clear: an attorney must show due diligence and have a clear understanding of the technology he or she is using and the related risks.
Cloud computing offers many conveniences and can provide significant cost savings to firms. Few if any jurisdictions have ruled out the use of cloud computing; accordingly, it has one of the fastest rates of adoption. Unfortunately, cloud services can also present some of the greatest vulnerabilities. With your data in the cloud you lose control of your environment. You no longer control updates or maintenance, and you generally have minimal insight into the infrastructure / architecture itself, including security. It's the firm's responsibility to be vigilant up front and obtain information and set expectations, including possible security tests. (Trope) What do you consider to be acceptable down-time? Be careful, as there may be fine print with respect to how that is actually calculated. What happens if the site goes down and you are unable to access important client information to comply with a court deadline? Does this put you in contention with your obligation to provide competent representation? It might, if you take into consideration that most cloud providers, even large, reputable ones like Google and Amazon, have had major unplanned outages. (Trope) And what happens if the site is hacked and client information is stolen, or if the data is "lost" in the cloud? These scenarios have implications for an attorney's ethical obligations. They could lead to a breach of client privacy, or in the last instance, you may have breached your responsibility to protect your clients' files and records.
Mobility and Wireless Computing
Mobility is essential in today's work environment. Our clients are global and our firms are global. Attorneys need to be able to work 24/7, but they can't possibly be in the office all of the time. As a result, the demands for mobility and wireless computing have grown. Attorneys want to be able to work from home, from the airport, from the hotel—from their pockets. Smartphones, iPads, netbooks, and laptops have all paved the way for greater mobility. Unfortunately, this great convenience has also led to security concerns that impact an attorney's ethical responsibilities. Once outside of the confines of the firm's network, these devices can pose significant threats. What if they are lost? Precautions need to be taken. The devices should be encrypted and they should be backed up. Many of these devices have the ability to be wiped remotely, but that's assuming it isn't too late. Of course, the beauty of most of these devices is their ability to connect via Wi-Fi to the Internet and back to your firm. Are you using public Wi-Fi or Wi-Fi offered by your hotel? These are not safe connections; they transmit your information in a format that can easily be intercepted and read. What about at home? If you haven't taken the necessary precautions when setting up your personal Wi-Fi in your home, you may be no more secure there.
Similar to the convenience of the other technologies, mini drives and thumb drives greatly facilitate your ability to carry around large volumes of data. Remember those large brief bags? They could be a thing of the past. You can now fit virtually all of your client files for all of your cases on a couple of thumb drives. Unfortunately, unless you take the necessary precautions, losing that drive is like handing someone the keys to your law office. Make sure the drive is encrypted, and if you're using the drive for client data, you probably shouldn't store your family vacation photos on it. Once again, you need to take into account your obligation to protect your clients' records and you need to maintain their privacy.
In the end, technology is a double-edged sword. Technology makes our lives easier and allows us to be far more productive; however, technology also brings with it risks that we often fail to consider. There's no doubt in anyone's mind that technology is essential, and there is an expectation from peers and clients alike that attorneys will be able to make use of the latest tools that will help them be more efficient and better informed. (ABA 2012) Technology permeates every aspect of lawyering from legal research to e-discovery, from court filings to client billing, and from communications to conflicts checking. There is no step-by-step guide for how an attorney can optimize the use of these technologies while still upholding their ethical obligations to their clients, but the ABA and different states are beginning to formulate guidelines, and the one sentiment that seems to be consistent is that attorneys need to be actively engaged and aware of the technologies that they use. They need to do their due diligence to understand the inherent risks and they need to know what can be done to mitigate those risks. Obviously, the answer is not to turn off all electronics and pull the network cables, but attorneys need to know where the point of compromise is. Traditionally, attorneys are not tech savvy, but they do adopt the technologies they need to get the job done. Under new guidelines, attorneys need to take a more active role in truly understanding the technologies that they are using, and they need to be aware of the inherent risks associated with those technologies.
ABA Commission on Ethics 20/20 (2012, August). ABA Commission on Ethics 20/20. American Bar Association. Retrieved September 10, 2012.
Jones, L. (2012, May 11). Bar groups try to keep up with the cloud. Thomson Reuters News and Insight Legal: Legal News, Information and Analysis. Retrieved September 10, 2012.
Mayfield, A. (2007) Decrypting the Code of Ethics: The Relationship between an Attorney's Ethical Duties and Network Security. 60 Okla. L. Rev. 547, Oklahoma Law Review, Fall 2007.
Mintz, M. (2012, March 19). Cyber-attacks on Law Firms-a Growing Threat. martindale.com Blog by Martindale-Hubbell. Retrieved September 10, 2012.
Reed, D. (2010, August). Managing Risk: New Trends in Professional Liability Risk. Wisconsin Lawyer, State Bar of Wisconsin. Retrieved September 10, 2012.
Smith, J. (2012, June 28). Lawyers Get Vigilant on Cyber-security. The Wall Street Journal. Retrieved September 10, 2012.
Trope, R. L., & Ray, C. (n.d.). The Real Realities of Cloud Computing: Ethical Issues for Lawyers, Law Firms and Judges. Retrieved September 10, 2012.