What are some considerations for a lawyer to think about when trying to protect client confidential information?
As discussed in a prior article (“Guarding Clients’ Digital Information,” Wisconsin Lawyer,September 2017), the ABA’s Standing Committee on Ethics and Professional Responsibility identified several considerations for a lawyer who is looking to exercise reasonable efforts to protect client confidential information. In the recent Formal Opinion 477, the committee identified the following considerations:
Understand the nature of the threat.
Understand how client confidential information is transmitted and where it is stored.
Understand and use reasonable electronic security measures.
Determine how electronic communications about client matters should be protected.
Label client confidential information.
Train lawyers and nonlawyer assistants in technology and information security.
Conduct due diligence on vendors providing communication technology.
Each of these considerations must be looked at separately to ensure that the lawyer is taking reasonable steps to protect client information. Several of the considerations are addressed below, and others will be addressed in a future article.
Understand the Nature of Potential Threats. First, the lawyer must understand the nature of any potential threat to the client information in the lawyer’s possession. This means that the lawyer must consider the sensitivity of the client information and whether the matter the lawyer is working on is subject to a higher risk of potential attack by an outside party.
Many lawyers believe that the matters they are working on are not subject to any real threat from an outsider gaining access to obtain the information relating to the representation. Any type of representation that involves financial information or industry trade information could be subject to an attack if it could result in benefit to a third person.
Understand How Client Information is Transmitted and Stored. Second, the lawyer should understand how client information is transmitted and where it is being stored. This requires the lawyer to have some information regarding transmission and electronic storage of information. Lawyers must understand where there are potential weaknesses that a third party could exploit to attack the storage of the client information, to access and use the information.
Lawyers also must recognize that they use multiple devices to communicate with clients or to access client information, so lawyers should understand the protections and the weaknesses for each device that the lawyer uses. This is an area about which the lawyer might consult with technology experts to understand how information is communicated either over the web or through a cloud-based system and then better understand whether there are attack points that could be used by a third party to access the information.
Lawyers use multiple devices to communicate with clients or to access client
information, so lawyers should understand the protections and the weaknesses
for each device the lawyer uses.
Understand Security Measures for Electronic Devices. Third, the lawyer must understand and use reasonable security measures for the electronic devices and electronic storage of client information. Here are some examples: 1) use secure passwords that are changed periodically and up-to-date malware or antivirus software on all devices; 2) keep abreast of necessary updates and security patches; and 3) ensure that information is protected or can be deleted if a device is lost. A “poison pill” that automatically allows elimination of client secure data is an important tool that lawyers must use to protect client information.
Other considerations that a lawyer must assess when taking reasonable steps to ensure the protection of client information, especially when being transmitted through electronic devices, including by cell phones, will be addressed in next month’s article.