data protection laws – Red Cave Consulting
https://redcavelegal.com
Red Cave Law Firm Consulting provides subscription-based business management consulting specifically designed for lawyers and law firms.
Feed last updated: Fri, 26 May 2017 05:15:18 +0000

Nothing New Under the Sun: Recent ABA Ethics Opinion on Lawyers’ Use of Encryption Does Not Have Much Practical Effect
https://redcavelegal.com/2017/05/26/aba-formal-opinion-477-dont-panic/
Fri, 26 May 2017 05:15:18 +0000

The American Bar Association has recently released Formal Opinion 477, covering data security obligations of lawyers and law firms, including with respect to encryption.  You can access a full copy of the opinion, as well as a summary of its content, at my friend Bob Ambrogi’s always hyper-relevant LawSites blog.

As usual, when something like this happens, people start freaking right the hell out.  However, when viewed through the lens of the already-existing obligations that attach to lawyers’ management of their clients’ data, the opinion does not lump any more responsibility upon law firms than that which already exists.  Essentially, the publication serves as a gentle reminder, to start walking the line, for lawyers who have not heeded the trend line of the new technology competence angle attached to Model Rule 1.1 (and the states’ heavy adoption of it) and the updates to Model Rule 1.6.

At this point, every state has a data security law.  Lawyers are not exempt from those laws; neither should they be.  If there are universal principles of those laws, they are as follows: (1) Make reasonable efforts to secure your clients’ data.  (2) Use encryption for particularly sensitive data categories, e.g. — social security numbers, financial account numbers.  (3) ‘Reasonable’ efforts are determined based on business-specific factors.  (4) Vet vendors who will retain your data.  (5) Determine vulnerabilities and address solutions, preferably in written format; update the risk assessment from time to time.  The new ABA opinion basically adopts these requirements.  So, if you’re following your state law covering data protection already, you’re likely to be at, or above, where the ABA wants you to be.

Of course, the majority of solo and small firm attorneys do not meet state requirements for data protection, in part because they are (perhaps ironically) taking a calculated risk — there have not been many high-profile data breach investigations made against, or penalties imposed upon, solo and small firm lawyers.  Now, that doesn’t mean there won’t be.  And, now that the ABA is highlighting, and offering tacit approval of, state law requirements, the less compliant your law firm is, the more likely you will be exposed to state- and bar-imposed penalties.

The ABA opinion also addresses a fact scenario in which a lawyer and a client have agreed to approach data security in a certain way.  The advice is that the lawyer should follow the terms of that agreement.  . . . Well, thank you, Captain Obvious.  Some state bars are more specific about this, and recommend that the genesis of that discussion derives from inside the fee agreement — the Massachusetts Bar Association has done so — and, I think that is the better approach; every lawyer knows or should know that her first obligation is to follow-through on promises made to clients.  The ABA opinion noses around suggesting such a fee agreement clause, but never quite gets there.  And, in the real world, it’s the rare instance where small firm lawyers and their clients are settling up a specific data security program for a particular client’s case.  Clients expect that lawyers will, and lawyers should, dictate the terms of that arrangement — which, yes, must represent a reasonably secure approach.

The ABA is also more generic than state law in determining what specific types of information are particularly sensitive, thus warranting a higher level of protection — some state laws also prescribe specific protection mechanisms and levels of protection.  Of course, the ABA is stacking generalities intentionally.  Lawyers lust after generalities, because as soon as you start defining down, you construct loopholes.  If ten items are included in a list, there are tens of thousands of items that could conceivably be excluded from that list.  It also makes good sense not to drill too deeply, given the pace of technological change in the legal industry; there is the risk of legislating against something that will become passé in three months’ time.  However, this is not just a philosophical choice.  The fact is that those who most frequently utilize ethics opinions (malpractice attorneys, bar overseers, bar associations) are ill-equipped to engage high-level discussion of the specifics of technology applications, including in the realm of data security.  A broad application allows those folks a larger sandbox in which to play, and reduces the technical knowledge outside of substantive law that they must bring to bear.

The Bottom Line

So, here’s the deal:

Formal Opinion 477 actually changes very little about your practical responsibilities as a law firm in terms of managing your clients’ data.

If you follow your state’s laws respecting data protection and/or strive for ‘best practices’ rather than ‘minimum competency’, you should be good not only in terms of your ethics and malpractice obligations, but also in terms of your clients’ belief in your ability to secure their data, and your own belief that you are doing everything you can to safeguard your client’s data.

Many solo and small firm lawyers complain about encryption because their clients complain about encryption, as evidenced in the comments to Bob’s post.  But, there are myriad ways to manage encryption, and also to educate clients on not only the importance of data security, but also how convenience often butts against security.  Even so, delivering encrypted matter to clients is getting ever simpler; and, probably the easiest current market solution is the use of a client portal available through a law practice management system, which is a solution that the opinion itself alludes to on page 7.

Things I Like and Do Not Like

The problem with ethics opinions like these is that they almost always read like they were written by your Grandma(ma).  On page 5 of the opinion, reference is made to the purported fact that some information is so sensitive that it should not be transmitted electronically at all.  But, that’s a virtually impossible solution for a modern practice, and cuts against a lawyer’s ability to keep electronic records, which is essential in resolving malpractice disputes.  On page 5, there is also discussion of the potential for issues related to ‘message boards’.  And, let me tell you: message boards, chat rooms — they have been proxy harbingers of disasters lurking in ethics opinions since at least the mid-90s.  The problem is that there’s little to no definition about what these are, and how they work in a modern environment.  There are public communication tools (Reddit) and there are private communication tools (invite-only listservs); there are internal communication tools (Slack) and external communication tools (limited access client portals).  I think most attorneys are aware that you don’t directly solicit clients via ‘message boards’, and that you don’t post in public fora information about the case you’re working on.  For real, wake me up when someone writes an ethics opinion about Reddit.

That being said, I do think that, as far as ethics opinions go, there is a solid chunk of good, practical detail that is addressed.  For example, there is a great discussion at the end of page 7 about when and how privilege may be waived; for example: when clients communicate with their attorneys via their work-issued devices.  The application of disclaimers to email, as referenced at the top of page 8, is interesting, insofar as it will trigger the recipient lawyer’s responsibilities under Rule 4.4 — with respect to data security, most people think only of the obligation of the sender; but, lawyers are a special case.  I also like that there is an admission that it is not a measure of weakness for lawyers to ask for help on matters of data security, as outlined at page 9: ‘Any lack of individual competence by a lawyer to evaluate and employ safeguards to protect client confidences may be addressed through association with another lawyer or expert, or by education.’   (I mean, you could hire a law practice management consultant for that, if you wanted.  Just sayin’.  . . .  AHEM.)  Finally, and not for nothing; but, in attempting to write for an entire nation of lawyers, where various jurisdictions may expand on the principles outlined in this opinion, it’s probably better to go broad anyway.

Encore

Ultimately, even if a pronouncement like ABA Formal Opinion 477 is more sound than fury, it will hopefully serve as a jolt to those solo and small firm attorneys who don’t care a fig for data security, and provide them incentive to step up their respective games.  In turn, it will also be interesting to see whether a proclamation like this will empower bar ethics staff to more aggressively deter technology incompetence perpetrated by lawyers, where state laws have not been used to address issues present in the legal vertical.

We shall see what results.

. . .

Liner Notes

‘Luxury Liner’ by Emmylou Harris

Emmylou Harris had a siiiiiick backing band back in the day.  Albert Lee is just an animal.  If the audio quality was better on my link, you would be hard-pressed to pick up the fact that this was a live show.

Also, replicable.

Defense Against the Dark Arts: Security in the Cloud
https://redcavelegal.com/2017/01/23/cloud-data-security/
Mon, 23 Jan 2017 05:00:13 +0000

When lawyers object to cloud technology, the argument is usually grounded in data security.  The claim is that, surely, a cloud-based program is not as secure as alternatives.  But, what lawyers often fail to consider is what those specific alternatives might be.

If you’ve watched Amazon’s excellent ‘The Man in the High Castle’ (or read the book it’s based on), you’ll know that an examination of alternatives will not always yield a palatable option.  The fact is, cloud security is relative.  Take the time to analyze it against the operations of a traditional law office, and accessing a remote server suddenly seems a whole heck of a lot safer.

Think about some of the obvious ways that law firms compromise their own data security.  Files are left out on desks.  Staff and clients and others walk around, with scant monitoring, while sensitive data is visible, and susceptible to theft.  There is no formal tracking system for files.  Strings of passwords are written on sticky notes, in plain view.  Devices with sensitive information saved to them can be lost, or stolen.  Dozens of emails are sent, across multitudes of servers to various parties, in order to capture revisions to one document.  Devices and drives are unencrypted.  I could go on; but, I tire of this game.

The truth of the matter is that a traditional law office operating in the modern world is far more prone to data breach than a virtual law practice, or something close to it.  An effective cloud array serves to eliminate paper, could reduce your passwords to a memorable few, removes software and files from the devices you use, promotes collaborative document management and offers feasible encryption options.

At this point, just about every one of the United States has on its books a data protection law.  The way those laws are written, the use of cloud-based technology that features encryption and security updates will pass muster, assuming a documented vetting process has taken place.  Managing a system, or systems, in the cloud is a far more practical way to secure data than attempting to close various, gaping loopholes present in traditional paper-based or hybrid paper file/electronic file office settings.

So, as it turns out, managing a cloud-based technology platform makes law firms more efficient and more secure.

Who knew?  (Well, I did; but, that’s beside the point.)

. . .

Liner Notes

I usually try to throw down some back catalogue gems here; but, I have to say, there is much love in the Red Cave for a mainstream jam every now and then.

‘Kind and Generous’ by Natalie Merchant

I’ve been listening to a lot of Natalie Merchant lately.  So, sue me.

10,000 Maniacs had a lot of hits you remember, okay.
