Due diligence is at the core of a lawyer’s daily activities and responsibilities, and clients are aware of this.
Yet attorney-client privilege has been increasingly threatened, and legitimately jeopardized by law firms failing to integrate the right measures to protect their clients – namely by mishandling confidential data, using unsecured technology, and not having a firm-wide BYOD policy to deal with this.
Hackers aren’t the only ones to blame. Working with a client’s information on an unsecured personal mobile device, or over unsecured servers and networks, is just like leaving a client’s confidential file on the seat of a busy train: it passes through the hands of strangers, for anyone to exploit.
All Hands In
42% of law firms (2015 ABA Legal Tech Survey) say that their technology has been infected with some form of virus, spyware, or malware, with this occurring most often in firms of 10–49 staff (52%). Regardless of firm size, it only takes one weak link to jeopardize the security of an entire team. Universal participation and compliance are essential.
Identify limitations, permissible use, and deal breakers.
It’s essential to remember that the purpose of a BYOD policy is security, not employee monitoring. It should in no way be intrusive or overbearing – but practical and easy to enforce. If you’ve got past the first step and have the universal buy-in of team members, this should follow naturally.
- Encourage employees to set up separate personal and professional logins on their devices
- Be vigilant about unsecured internet access: do not process client information over it
- Draw the line on a few extremely clear boundaries, such as banning downloads from suspect sites to devices on which client PII is stored
Start with the basics
- Set up phone and laptop encryption, stronger passwords, and Google two-factor authentication
- Separate personal and professional accounts on different devices
- Frequently back up data stored on devices to your Clio, Dropbox or other cloud-computing account
- Create a data loss / theft reporting protocol
- Allow only the use of secure servers – especially in countries vulnerable to hackers, e.g. China and Russia
Set a standard, and maintain it
The standard of practice for modern lawyers can typically be measured by California Rule of Professional Conduct 3-100: “It is the duty of an attorney to do all of the following:
(e)(1) To maintain inviolate the confidence, and at every peril to himself to preserve the secrets, of his or her client”. How technologically dependent will lawyers become in order to comply with this standard? This will largely depend on the ability of firms to ensure compliance in protecting client information. Yet as a starting point:
- Ensure each employee signs the BYOD policy at the time of employment, along with other contractual agreements
- Ensure each employee has a full understanding of what it entails and how they can abide by it, and provide any additional information and technical assistance they need
- Nominate a Chief Information Security Officer to oversee compliance
- Frequently review the processes for accessing and maintaining client information, and for securely disposing of files after a case is closed
It is always going to be difficult to gauge how vulnerable you, your devices, or your firm are at any given time. You’re a lawyer, not an IT professional, and you may not even be aware you’ve been hacked until you feel the repercussions. Take the appropriate steps to comply with the legal ethics and security standards that ensure attorney-client confidentiality and secure the success of your legal practice.