The relationship between technology and the practice of law is a paradox at best. Computers, tablets, cell phones, and other forms of technology provide an enormous benefit by permitting the creation, storage, transmission and retrieval of large quantities of information from virtually anywhere. Lawyers and clients could hardly work efficiently without them now. But digital information can also become the source of chaos and unsettling tension. It seems that nearly every day we hear about a data breach at some large company; recent data breaches include Equifax, Yahoo, LinkedIn, Target, E-Sports Entertainment, Intercontinental Hotels Group, and Verizon. These are the breaches that we all heard about on the news; however, the list of data breaches spans all areas of industry, including the law firm DLA Piper. A security breach can damage a firm’s reputation, and also has a high economic impact. The average cost of a data breach in 2016 was estimated at $4 million. While this figure is mostly associated with large companies, there is no doubt that a law firm or solo practitioner can face significant costs associated with a data breach.
As with any assessment of a company’s business process, the first step is to identify common risks. In the cyber world those risks come from many angles and from many potential points of entry. Specifically, most lawyers not only work on desktop computers, but also work remotely with laptop computers, tablets, and cell phones. Non-legal staff may also do work remotely. Whether working in the office or working remotely, we are usually connected to a wireless network, which allows us to access files and emails. This potentially leads to the introduction of malware or other malicious computer code. There is also the potential for lost or stolen devices to allow unscrupulous individuals access to a lawyer’s network or to sensitive client information. There is also the potential for inadvertent disclosure of sensitive information to the wrong recipient.
Law firms present a potential gold mine of sensitive information for hackers. Whether you belong to a firm representing a multinational corporation or you are a single practitioner representing personal injury clients, there is a great deal of information that is maintained on a network. Such information includes social security numbers, credit card numbers, health information, other personal information, trade secrets, customer lists, and other sensitive business documents. This leads to the question that all lawyers should be asking themselves: Can I be sued for legal malpractice or face disciplinary charges resulting from a data breach, and what can I do to prevent it?
The Rules of Professional Conduct, while not specifically mentioning technology, can readily be interpreted to apply to today’s technological environment. Rule 1.1 of the Rules of Professional Conduct states that, “[a] lawyer shall provide competent representation to a client,” which includes “the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.” This ethical obligation can be interpreted to mean that lawyers must be competent not only in the use of technology, but also in the protection of that technology.
Rule 1.6 of the Rules of Professional Conduct imposes a duty of confidentiality. It states, “[a] lawyer shall not reveal information relating to the representation of a client, including information protected by the attorney-client privilege under applicable law, unless the client gives informed consent.” This duty has been interpreted to apply to electronic information to the same extent as information contained on paper or exchanged verbally.
Because most lawyers either work in association with other lawyers or have assistance in the way of paralegals, secretaries, and clerks, Rules 5.1 and 5.3 also become applicable. These Rules require partners and supervisory lawyers to take reasonable actions and precautions to ensure that subordinate lawyers or non-lawyer staff comply with the requirements of the Rules of Professional Conduct, which would include Rules 1.1 and 1.6. Importantly, the American Bar Association is currently working on updates to the Rules of Professional Conduct to specifically reference the application of the Rules to the use of technology.
While it is impossible to safeguard against every potential source of data breach, lawyers, whether in a law firm or in solo practice, should take reasonable steps to safeguard the technology that is being used. Steps to be taken include addressing people, policies, and processes. First, all employees, including attorneys and staff, should receive training on the safeguarding of information. Second, it is important to have written policies regarding the use of technology and safeguarding of information. Third, the technology process should be safeguarded through the use of security software and monitoring of security systems. Fourth, lawyers should consider the need for a specific cybersecurity insurance policy.
Ultimately, the reasonableness of the actions taken by the lawyer or law firm will determine whether an ethical violation has occurred, and will also determine whether that individual or law firm is exposed to a possible lawsuit for legal malpractice. Consideration should be given to the nature of the lawyer’s work, again whether it involves a multinational corporation or a personal injury client, as well as to the cost of adding safeguards to whatever system is already in place and the difficulty of implementing additional safeguards.