Wisconsin Lawyer
Vol. 84, No. 5, May 2011

Identity theft has garnered much attention in recent years. As a result of thefts of personal identifying information (identifiers) from a wide variety of institutions, many businesses have altered their practices to better safeguard sensitive information. Has your business done so? Law firms, much like medical practices, have unique ethical obligations with regard to the confidentiality of client information. Having a client’s personal information stolen can constitute the ultimate “unauthorized disclosure,” and lawyers should be alert to the risk of identity theft in a law practice setting. How far does the ethical obligation extend, and practically speaking, what can a lawyer do to ensure that risk to clients’ identifiers is minimized? This article examines law firms and their obligations to clients in the context of a world in which identity theft is committed on both the high end and the low end of the technology spectrum, and by random strangers and trusted employees alike.

• An unknown person walks into your law firm’s empty reception area and steals a stack of client files that were left on a desk for filing while the receptionist was at lunch.

• You return to your office at 8 p.m. to finish a project and discover a maintenance worker rummaging in a file drawer in a partner’s desk.

• Your bookkeeper is on vacation and your secretary comes down with the stomach flu. The letter carrier hands you the day’s mail, and you notice a credit card statement that bears the name of an elderly client.

• You receive a call from a detective who advises you that he has recently interviewed three local victims of identity theft – all three of them recently divorced – and all three of them represented by your firm.

• You leave your laptop unattended while you run up to the café window to get a coffee refill, and when you return you discover your computer is missing. You minimized your client’s financial disclosure form, and you turned your back for only a second.

What could possibly go wrong?

“Law firm clients’ files filled with personal data left in six dumpsters on street, I.D. thief’s gold,” ran a headline in a New York newspaper on May 8, 2009. A story like that has the potential to instill fear in the hearts of most attorneys. Any breach of sensitive client information is bad for business, but when a large quantity of sensitive information is left on a busy city street, it can shake client confidence to the core. Liability issues may arise if clients’ identities are stolen and fraud is then committed. Loss or theft of client information can also violate ethical obligations attorneys have to maintain client confidentiality, one of the core aspects of the attorney-client relationship. SCR 20:1.6 addresses confidentiality, and ABA comment 16 states that attorneys “must act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.”

Analysis of SCR 20:1.6 in the context of identity theft prevention raises questions as to exactly how far attorneys must go to safeguard client information, particularly a client’s personal identifiers. The availability of basic information such as dates of birth and Social Security numbers can fuel the commission of identity theft and have far-reaching effects for victims. Attorney files also often contain other sensitive information such as bank account and credit card information and personal identifiers belonging to clients’ family members. Identity theft has become easier for criminals to commit, and crimes occur as a result of breaches of both paper files and electronic files. Both types of files must be safeguarded to prevent disclosure and theft of client information.

Maintaining control over client information is vital to reducing risk. Although most attorneys wouldn’t dream of tossing closed client files into a dumpster behind an office building, it surprises me as a law enforcement officer how casually paper information is treated within some offices. Last year, the U.S. Postal Inspection Service office in Chicago traced a large-scale identity theft ring to a custodian who cleaned offices at night at a medical center. Because health care professionals and lawyers adhere to similar standards of privacy for their respective clientele, it is clear how relevant this case is to law firms. In this case, the offices were locked, but the files were not. The sensitive information contained within paper files was readily removed, copied, and replaced, leaving no immediate trace of the theft. Several individuals connected to the custodial employee then used the stolen identifiers to obtain credit and merchandise. More than $300,000 in fraudulent credit was obtained using information obtained from “confidential” files.

Access controls can prevent breaches of this type. In any size law practice, from a large firm to a solo practitioner’s office, something as simple as a lock on a file cabinet can keep intruders away from sensitive information. If anyone other than law firm employees has access to an area of the firm, files containing personal identifiers should be inaccessible or left locked. Even bonded and insured companies can inadvertently hire identity thieves, so be aware that anything left unlocked or out in the open can be copied, photographed, or outright stolen if offices are cleaned after hours. Paper files should be shredded when they no longer are required, and if the volume exceeds the capacity of the office shredder, companies can come on site to do your shredding. The ethical obligation of the attorney to maintain confidentiality continues even after representation terminates, pursuant to SCR 20.1.9. Treating the information in closed files the same as you do open ones is the safest way to maintain the integrity of client information.

The same philosophy can be applied to digital files. Any computers or monitors in an area visible to the public, including reception desks or offices adjoining reception areas, should be positioned in a manner that prevents them from being readily viewed by nonemployees. Information technology (IT) basics such as password protection and timed screen savers also help protect client confidentiality. While much of this seems like common sense, identity thieves can take advantage of the simplest opportunity to steal information. It only takes a moment to snap a photo with a cell phone camera or write down a date of birth or Social Security number.

Protecting sensitive information is, in large part, within the control of any firm. Placement of access controls on file cabinets and other storage areas, physical layout of reception areas, and placement of restrooms and any other areas of the firm accessible to clients or the general public can make a difference. Where does your firm place its incoming mail for distribution? What about outgoing mail that is picked up by a letter carrier? If the mail contains any sensitive information, sits in a basket on a reception desk in a lobby, and is ever left unattended … well, you know where this is going.

Some practical suggestions for maximizing the physical security of client files include the following:

• Invest in locking file cabinets, and if you use keyed locks instead of combination locks, ensure that the keys are kept in a separate area and are not readily accessible.

• If you have a lot of in-and-out traffic through your firm, security cameras strategically placed at entrances and exits can serve as a deterrent to a would-be thief.

• Keep incoming and outgoing mail away from public access, not in a basket on a reception desk or similar location.

• Keep files containing sensitive client information in access-controlled locations whenever possible.

• Affix locking cables to stationary computer equipment to prevent easy removal in the event of a burglary.

• Ensure that phone calls during which staff might discuss sensitive information with clients are conducted outside of publicly accessible areas such as a reception area. Even merely repeating a credit card number out loud can trigger a theft.

• Ensure that the physical layout of the office is such that nonemployees have limited or no access to work space containing client files.

Some practical suggestions for maximizing digital security of client files, suggested by Leon Chambers, an information systems specialist with the U.S. Postal Service, include the following:

• Use software programs (such as SecureDoc, for example) to encrypt passwords and protect workstations from unauthorized log-ons. Choose a program that locks out the attempted user after a limited number of attempts and protects a physical hard drive from being accessed with external devices.

• Encrypt all thumb drives or flash drives used by employees to store any sensitive information.

• Encrypt all emails containing personal identifiers, and when reassurance is needed that data has not been altered, use a PDF format for attached files.

• Lock workstations when they are not in use, and power them down at the end of the day.

• Back up data onto an encrypted external hard drive and store it in a separate, secure location.

• Limit access to sensitive data based on employees’ need to know and level of responsibility.

• Limit employees’ personal use of and access to public websites to reduce the likelihood of threats such as viruses or “key loggers” who can gain unauthorized access to terminals.

• If employees are allowed to gain remote access to the firm’s network, ensure that VPN tokens or specific means of remote access are properly encrypted.

• Periodically check on the firm’s computers to ensure that security has not been compromised, viruses inadvertently downloaded, or unauthorized access obtained.

• Stop terminated, retired, and deceased employees’ access to computer systems as quickly as possible.

“Law Firm Employee Charged with Stealing Clients’ Identities” (ABA Journal, April 9, 2010) is a headline that probably caused attorneys nationwide to cringe. That, and another headline two months later, “Former Beckley law office manager gets two years for identity theft” (West Virginia Record, June 3, 2010), raise the question, “Who are these people?” I’m sure clients of both law firms also asked, “Who hired these people?”

In fairness to law firms, any law enforcement agency that investigates identity theft can attest to the fact that the crime can be committed by anyone, from random strangers to long-term employees. As such, there is no “one-size-fits-all” answer for how to prevent identity theft from happening in your law firm. If you take security measures to protect your client’s personal identifiers, extend those measures to your staff. Most hiring practices are tailored to the specific firm’s size and resources, but it is important to realize that limiting your firm’s risk starts from within.

Because the Rules of Professional Conduct governing attorneys also extend to “other persons who are participating in the representation of the client,” a higher degree of scrutiny is warranted for employees who have access to sensitive client data. In small firms with few employees, it is common to allow all or most employees access to sensitive client information. Conversely, larger firms often have more access controls in place, commensurate with the level of interaction an employee needs to have with this information for performance of his or her specific work function. There exists a societal presumption that attorneys conduct some level of screening before hiring employees at even the smallest of law firms. If this were not generally the case, the result would be a breakdown in the confidence that clients have in the unique, privileged relationships they enjoy with their attorneys. That is why identity thefts committed by law firm employees may disturb people more than identity thefts committed by employees of other types of businesses. Lawyers are in the business of confidentiality. The theft of personal identifiers by someone who works for an attorney and is, by default, trusted with those same items can result in devastating consequences for both the client and the law practice.

There is no guarantee that a large firm with established hiring protocols and a human resources department is less at risk than a solo practitioner who hires one person to perform all of his or her office work. Longevity in a position, likewise, is not a guarantee that an employee will not breach client information. Substance abuse, gambling addictions, credit problems, and other financial stressors such as a spouse’s layoff are factors that can cause trusted long-term employees to engage in identity theft. Employers do not always know what is going on in employees’ lives. The best defense to employee-initiated identity theft is access control, maintaining the highest standard of security as is reasonable for the type of firm you operate. In smaller offices, a system of checks and balances can be put in place to ensure that no one employee maintains dominion and control over the firm’s finances and bank accounts. Regular but unannounced inspections of the firm’s bank accounts, checkbooks, receivables and payables, and incoming mail may deter potential criminal conduct. Additionally, periodic updating of background checks on employees can alert a firm to major changes in employees’ lives. Additionally, even basic training on the safe handling of personal identifiers can demonstrate to employees a firm’s awareness of identity theft. While none of these things will totally prevent a client’s identifiers from being compromised, breaches are less likely to occur in an environment in which the message is consistent and awareness is heightened.

All the scenarios posed at the outset of this article demonstrate the possibility of a relationship between identity theft and client information. Clients whose information has been compromised should be notified immediately so that they or the law firm can take steps to protect the clients’ financial interests. If a theft occurs, the firm should notify a law enforcement agency but must be cautious about revealing client information. The issue of disclosure is most simply handled if the client authorizes the attorney to disclose information that may be necessary to conduct a thorough and complete investigation. As outlined in Dean Dietrich’s “Exceptions to the Client Confidentiality Rule” (Wisconsin Lawyer, December 2010), some exceptions under SCR 20:1.6 permit “discretionary disclosure.” The purpose of these exceptions is “to prevent conduct (not just of the client) that could result in death, substantial bodily harm, or substantial injury to the financial interest or property of another.”

Does a potential identity theft pose the threat of “substantial injury to the financial interest” to the client whose information was compromised? There are some instances when information is compromised but is not used for the commission of a crime. In other situations, information is compromised and used quickly before the victims discover the breach. The potential for substantial injury exists, but the totality of the circumstances needs to be evaluated when a breach of personal identifiers occur. For example, if the client’s information was compromised but not necessarily used, firms may advise clients to monitor their credit and accounts and notify the credit bureaus of the potential for fraud, and the need for disclosure of client information to law enforcement thus decreases. The Federal Trade Commission website, www.ftc.gov, has many resources for businesses and consumers who are either actual or potential victims of identity theft. If an actual identity theft is identified from a compromise of client information, more information may be needed by law enforcement to conduct a thorough investigation. Clients who have been actual victims of identity theft should be the ones reporting the crime to law enforcement because the clients have the most thorough access to their own credit and account information. Law firms and clients both may be considered victims when identity theft occurs, however, depending on the type of theft and how it occurs.

Situations involving employee-initiated theft can be difficult for firms to navigate. If an employee has total access to all clients’ sensitive information, every client could be considered a potential victim of identity theft even if only one client’s information is breached internally. Notifying all clients of a breach may be embarrassing and bad for business; however, the consequences could be worse if clients are not notified and a few of them end up being victimized by the thieves. Having an established protocol for handling client notifications may be an effective strategy in damage control – for both the client and the firm – if a breach occurs. Notifying clients and involving them in reporting to law enforcement may avoid ethical dilemmas and, additionally, provide valuable assistance to the most vulnerable clients.

While no prevention strategy is guaranteed to be 100 percent effective, clients may be reassured somewhat if they perceive that firms have measures in place to safeguard their information, and policies in place to assist them in the event of the worst breach of all … identity theft.

Wisconsin Lawyer