Are you covered when it comes to client confidentiality? It might be more complicated than you think, especially in the digital age.
Lawyers can’t simply lock their office door when talking to clients and expect information to remain private and confidential. They need to have safeguards against data breaches. They need to make sure they’re following increasingly complex privacy rules for lawyers—and privacy rules for their clients as well.
And, they need to make sure they’re not inadvertently breaching their duty in client confidentiality via their personal social media accounts.
Below is an edited and condensed transcript of our webinar, Client Confidentiality in the Digital Age, presented by Joshua Lenon, Clio’s lawyer in residence, along with Alli Gerkman, director of Educating Tomorrow’s Lawyers.
In it, Joshua explains why client confidentiality is getting more complicated and what lawyers need to do to keep client information confidential.
This session is part of our series, The Whole Lawyer: Skills Every Lawyer Needs, presented together with IAALS, the Institute for the Advancement of the American Legal System.
Edited and condensed transcript
A growing lack of privacy
Within our modern day environment, there is a growing lack of privacy. Just in October, the U.S. Chamber of Commerce, with their Institute for Legal Reform, held a Legal Reform Summit, and they issued a report on Americans’ expectations when it comes to privacy.
There were some pretty shocking numbers in it—nearly half of all Americans have been notified that their information could have been affected by a breach. If you have one of those notifications sitting in your inbox, you are in that 45 percent. So your information, in some way or some form, has gotten leaked out.
Now, what I think is even more distressing is that almost three-quarters of people say that they worry about the security of their personal information while shopping online. This is an increase of ten percentage points from a 2014 study done by a separate organization.
The survey goes on to find that the vast majority of those surveyed think that data breaches are inevitably going to affect major companies. Seventeen percent say that it is inevitable, while another 63 percent say that it will probably happen. Only 16 percent say that data breaches will only happen to companies which are negligent or incompetent in handling their information.
A growing number of data breaches
The Identity Theft Resource Centre (ITRC) keeps a running tally on reported breaches. This is a compilation of data breaches from various media sources and notification lists published by state governmental agencies. It stretches all the way back to 2005. And so, you can see in 2005, there really weren’t a lot of data breaches, but as we operate more and more in an online and public environment, the number of data breaches grows considerably.
The total number of breaches reported in 2015 was 6,789 breaches, covering over 886 million records.
What’s defined as a breach? The ITRC defines a data breach as an incident in which an individual name plus a social security number (or a driver’s license or medical records or financial records, which includes credit and debit cards) is potentially put at risk for exposure.
So, if you’re thinking to yourself, “I’ve had that situation happen to me, where my credit card has been exposed and my bank has had to cancel it and replace it,” or “I’ve gotten a notification that some of my information may have been leaked online,” congratulations, you’re part of this chart. And it’s only a matter of time until the rest of us become part of this chart in the future, I think, because we’re seeing that these breaches are becoming bigger and bigger as we go forward.
For example, if you’re interacting with a company like Yahoo!, who unfortunately had a breach in 2013 that affected at least 500 million user accounts (and potentially up to a billion user accounts), you may be getting more and more notifications that your privacy has been violated. What’s interesting to me, though, is the trust given to these companies, even when close to 80 percent of people think that a failure is going to happen. That doesn’t necessarily correlate to the trust that people put in lawyers.
Trust me, I’m a lawyer
Lawyers are the third most trusted source amongst professionals across the board.
Now, we’re not as high as doctors or teachers, but as the third highest, we see that the public trusts lawyers to tell the truth.
According to a survey done annually by the U.K. Legal Services Board, lawyers have dipped briefly in the past four years. Normally, around 47 to 50 percent of the public believe that we tell the truth, and we’re dropping a little bit.
I think it’s because most people don’t necessarily know that lawyers are duty-bound to keep information confidential. And that’s what we’re going to dive into next—a lawyer’s duty of privacy in confidentiality.
Client confidentiality and privacy: Beyond the basics
I think there are four considerations that lawyers need to know about when it comes to confidentiality and privacy, and these are:
- Evidentiary concerns
- Ethics concerns
- Statutory requirements
- Technology and your approach to it
When it comes to evidentiary concerns, we’re going to go all the way back to law school for some of you. And that is definitely being mindful of attorney-client confidentiality and the work-product doctrine.
Attorney-client confidentiality is one of the longest running recognized privileges within the American legal system. It “encourage[s] full and frank communication between attorneys and their clients.” The idea behind it is, if you cannot tell your attorney all the details about your various legal issues, you may not be able to get full, diligent representation.
This can be a problem. If you watch the innumerable lawyer TV shows out there, this almost always happens—a client is embarrassed about some fact, doesn’t tell you about it, and then you have to adjust. It’s the standard plot trope.
Fortunately, in the real world, we have attorney-client privilege to help us drive clients toward being honest with us. But there are some limitations you should know about.
First of all, it’s limited to communication between client and attorney. There are lots of other things that may pass back and forth that may not be deemed communication.
Also, be mindful that the privilege rests with the client and can sometimes continue even beyond the grave. Anyone who’s read Swidler & Berlin versus the United States will know what I’m talking about. It actually may have impacted this last presidential election. The client can definitely waive this privilege.
But, inadvertent disclosure by a client is not necessarily waiver.
If the disclosure is inadvertent—if it’s not intentional—privilege can survive. If the holder of the privilege or protection took reasonable steps to prevent it—for example, if they weren’t necessarily blurting it out at a public restaurant, and they had a reasonable expectation to privacy, and they took reasonable steps to rectify the error—privilege could survive an unfortunate utterance.
That makes client confidentiality different than privacy, in that it is repairable, in many instances, but is not inexhaustible.
There was a recent court case where actor James Woods believed that he was being presented in a bad light by an anonymous account on Twitter. He’s been taking legal action against the account holder, a John Doe, for quite a period of time.
Recently, the attorney for this John Doe said that the holder of the Twitter account had passed away. The court had said that attorney-client privilege does not extend to the unmasking of this individual, and that the attorney will have to put forth the identity of the account holder.
So we’re seeing that attorney-client privilege, while linked to communication, isn’t necessarily linked to facts. This is one of the things that you, as a lawyer, are going to have to balance as you move forward.
You’re probably familiar with the work-product doctrine, which refers to the fact that documents prepared in anticipation of litigation are not discoverable.
Now this, again, is an evidentiary rule. It means that opposing counsel cannot request—and you can refuse to provide—certain types of documents in the course of litigation.
However, there are always exceptions to these types of things. These materials may be discovered if there is a substantial need for the materials to prepare their case. And so, you, while wanting to keep information private on behalf of your client, may not necessarily be able to do so within the rules of civil procedure and the case law that surrounds privilege.
That doesn’t mean you have full scope to disclose anything and everything else outside of litigation, however. Once we think about that, you’re bound by the ethics rules that relate to client confidentiality.
Everybody should be familiar with the Rules of Professional Conduct. You probably have used a similar version of these in any jurisdiction that’s out there. So we know that they’ve been mostly adopted by all 50 states (California is the exception). And analogous versions of these exist in every jurisdiction where Clio customers practice.
So we’ll focus on the Model Rules of Professional Conduct. If we take a look at Rule 1.6, it says, “A lawyer shall not reveal information relating to the representation of a client, unless the client gives informed consent.”
Now, there’s a whole bunch of different types of grievances on what informed consent is. There are some exceptions built in automatically, whether it’s to prevent harm (or a crime), to mitigate harm or an injury, to establish a claim for the lawyer if you’re getting sued for malpractice, or to comply with another court order. While it seems like an inexhaustible rule, there are quite a number of exceptions.
I think there’s also an important standard that’s established under section (c) of this, which is that a lawyer shall make reasonable effort to prevent the inadvertent or unauthorised disclosure of client information.
That standard reasonableness, I think, is changing. It’s becoming more about competency when it relates to technology and substantive law relating to privacy. It is not something that can just be taken care of because you lock your office, and you haven’t talked about cases at the bar.
You’re going to need to go farther than that. And I think that farther standard is still kept in mind in California, which does not use the Model Rules of Professional Conduct, but instead uses its own Business and Professions Code, which states that a business professional shall “maintain inviolate the confidence, at every peril to himself or herself, to preserve the secrets of his or her client.”
We’re getting to the point where there’s almost no excuse for a breach of confidentiality. It doesn’t mean that it’s not repairable, but that you should be prepared and work to prevent as many types of inadvertent disclosure as possible.
Privacy is mostly created by statute. There are some judicially created types of privacy, but what we’re going to focus on are the regulatory concerns with keeping information private. Most of these focus on what’s called “personally identifiable information,” or PII.
Personally identifiable information is information that can distinguish or trace an individual’s identity, or that is linked or linkable to an individual.
There are a whole host of different types of rules and regulatory environments and laws that impact whether or not something is deemed personally identifiable information.
One of the oddest examples, to me, is the idea that your mobile phone’s identification number may actually be personally identifiable information.
A case that happened just in 2016, Yershov versus Gannett, dealt with the fact that USA Today was using an embedded video player in their Android app, and was recording the Android ID, the GPS data of the Android ID user at the time of the video viewing, as well as what video they were watching. In the course of this lawsuit, it was deemed that collecting and storing that information, without consent, was a violation of the Video Privacy Protection Act of 1998.
And this was a law that, for the most part, focused on stores like Blockbuster, where you could go and rent movies. It was deemed to be a little embarrassing that most people go and rent, well, let’s face it, really bad comedies or other types of movies. And so, that’s been deemed private information under statute. It’s a federal law. Collecting this information is enough to reidentify an individual, and as such, needs to be kept private.
Now, there is a lot that is starting to be deemed private. This is governed by geography, by subject matter, and by even business area privacy laws.
And so, there’s this whole overlapping environment when it comes to what you need to keep private as a business in your law firm, as a representative of your clients. We’re going to see that a lot of this responsibility is being pushed down onto us by business area privacy laws that affect our clients.
Pay attention to business privacy laws
When you start thinking about these rules, you need to start thinking broadly. It’s not just your location you need to worry about, but the locations of all of your PII and all of your clients and contacts. So right now, we have 47 different states that have notification breach laws. And the U.S. Chamber of Commerce is now calling for a national standard for notification breach laws.
Essentially, they’re asking that businesses that leak PII, or have a breach, must notify all affected parties. They may have a reporting duty to regulators—and that’s normally not your bar association or your court, but actually, the Secretary of State or another government body.
And sometimes, we’re starting to see a Right of Action for impacted individuals. Massachusetts and California, for example, are toying with those. It’s important that you are aware of these and have the ability to meet the standards, even though you may have a very diverse set of information stored within your case files. Remember, it’s not just you and your client that privacy might impact, but any witness that you record, and any related parties, even opposing counsel. All of this may include information that could be deemed PII that you need to keep private.
It’s not just the U.S. that is imposing these types of laws. A lot of international laws are being applied to this area as well.
There are laws that impact government’s ability to store and disclose information, as well as the ability of private companies to store and disclose information. So it’s up to us to figure out what laws are applicable to us and our clients and apply that substantive knowledge going forwards in our practice. And it’s becoming quite a challenge, especially when we’re starting to see that laws that affect our clients are being imposed upon law firms.
This is an article that came out last year, taking a look at New York financial security laws that have been pushing forward rules on the fact that banks need to have better security when it comes to storing their customers’ information.
What’s interesting about that law is it also forces the banks to have proof of insurance and potentially audit any third-party services or vendors that may have access to that same information.
Banks rely very heavily on the services of law firms—so this New York law affecting banks is starting to be pushed down the vendor chain onto law firms. Law firms are starting to have to live up to these security standards that do not necessarily name law firms specifically, but do name their clients. We’re going to have to work to live up to those standards.
When we think about various standards that are out there, there are some that just immediately come to mind. There is the financial information area, where we’ve got the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act for law firms that do collections, Accurate Credit Transaction Act, and Red Flag Rules when it comes to certain types of fund transfers.
When it comes to health care, if you represent doctors, insurance companies, nursing homes, you need to be aware of HIPAA, the Health Insurance Portability and Accountability Act. If you are an education lawyer or work for schools or startups that deal with children, you need to be aware of COPPA and FERPA for storing information when it relates to minors. And if you do real estate, the Consumer Finance Protection Board Bulletin 2012-03 is still in force right now, so long as the CFPB sticks around.
You can even have these types of rules imposed upon you for things like prosecuting attorneys, who store information that may be shared with them by the FBI, and as such, are subject to the Criminal Justice Information Services’ division rules. All of these impose different types of privacy and security requirements upon lawyers, and they can have some hefty consequences if you’re not living up to them.
For example, HIPAA can have maximum penalties of $50,000 per violation or $1.5 million when it comes to certain types of records. And that’s a lot for a small law firm to handle.
Technology, and your approach to it
I think there are three types of safeguards that you need to think about as reasonable for maintaining privacy within your law firm:
Administrative safeguards mean that you have control over who has access to your records and can report quickly and easily on that. And while physical safeguards are the type of security that you probably already have—you lock your office, you have a password on your phone (you do have a password on your phone, right?), you don’t leave things in the back of taxis (because you don’t take things in the back of taxis)—it’s the technological security issues that are tripping up a lot of businesses and can trip up a lot of lawyers.
Technological competence is key for maintaining privacy
For example, there was the large hack of Anthem. While they were storing information in what was deemed to be a HIPAA-compliant manner, they didn’t encrypt that information. And because that information was leaked by an insider—they had a phishing breach where an insider gave access to outsiders—they actually leaked a large volume of personally identifiable information in the form of medical records, and, quite frankly, opened themselves up to some potentially large fines.
So it’s not just that you’re meeting the minimum standard, but that you understand the technology and know when to apply it further.
And I’ve got to say, lawyers aren’t great. When we take a look at the International Legal Technology Association’s tech survey, we see that most lawyers haven’t enabled encryption. They don’t really have an intrusion detection or prevention system. They have never had an outside security assessment.
That’s going to change. You’re going to see more and more of those required by your clients. Very few use two-factor authentication, and only five percent have server logs, which is the ability to go back and see where things go off the rails.
These lawyers could very quickly and easily jump over to tools that give them things like standard cloud computing security—things like encryption of data, third-party verified data centres (with a redundancy of information stored in more than one location) and the administrative and physical controls that we talked about earlier, including, sometimes, business area compliance. (Find out how Clio keeps your information safe on our Security and Reliability page.)
With technology, it’s easy to get up to these standards, but not every lawyer is doing it. So I want to give you some tips to help you make sure that you have the strongest possible security settings.
Tips for keeping your law firm secure
Use confirmed technology
And that’s very important, because, while a lot of lawyers use public Wi-Fi, very few of those lawyers make sure that they have an encrypted connection as a part of that service. So always be looking for “https” in front of each web address when logging onto your tools online. If it’s not there, your vendor isn’t necessarily providing you with confirmed security. So for that, make sure you’re controlling data access sensibly.
Set permissions, use two-factor authentication
Make sure that your tools have the ability to provide permissions. You should be able to limit access only to those people who need it.
And make it hard to unlock. This is one thing that I think so many people fail to do when it comes to securing confidentiality and privacy with their own tools—they don’t use something like two-factor authentication or separate passwords for each tool.
Right now, we give you the ability to require two-factor authentication with Clio, using the Google Authenticator tool. When you log into Clio and you have that setting enabled, you then open this app on your mobile device, and it gives you a brief, time-sensitive code.
If you enter that code within that time period, then you get to log in. If you don’t have access to that time-sensitive code, even if you have the email and password, you can’t log in. It is the surest way to protect your accounts that I know of, and everybody should turn it on right at the end of today’s presentation.
Making it hard to unlock your information actually prevents a lot of people from being able to access it. But you still have to double check. Make sure that you’re using tools that give you the ability to see who is logging in, where they’re logging in from, and what was the last accessed date. You can use this information in Clio, actually, to revoke access. So if I find out that I’m seeing Don Draper logging in from a couple of suspicious locations, I can quickly force a reset on that password. I can prevent them from logging in in the future, and then I can go back and see what they’ve changed using Clio’s Firm Feed tool.
Use secure communication channels
I also think you should be pushing security onto your clients. And that means using secure communication channels. So things like a client portal—where you share information over encrypted connections, including documents—are key for creating privacy and confidentiality. It’s also a good idea to use tools like Signal, an encryption app that’s very similar to WhatsApp, but that has much better security and a much better track record of fighting subpoenas for that information. These are all tools that you should be building into or adjusting as part of your practice.
Clients expect discretion. Very famously, discretion is the better part of valour; caution is preferable to rash bravery.
Write those words on a Post-It note right now, because there are many ways to be indiscreet when it comes to being a lawyer.
I’m going to give you a couple of examples to show you how easy it is to slip up. Here’s a famous example that happened just in November: Kris Kobach, who is a lawyer out of Kansas, famously met with Donald Trump on proposals for the Department of Health and Human Services. He took a photo with Trump, and in the photo was the agenda for his proposals. Some savvy photographer rotated the picture and blew it up, and you can read everything that was discussed in those private meetings.
And it’s not just in politics where this happens. All the way back in 2009 a very famous law firm, Pillsbury, actually had a partner on the train discussing very loudly on his mobile phone who was going to be laid off. They laid off about 20 different lawyers.
When managing your firm
Discretion doesn’t just apply to politics and protecting your client. It applies to how you run your law firm, as well.
There is a new standard that’s emerging. It is the report put out by the National Institute of Standards and Technology (NIST), and this report is called An Introduction to Privacy Engineering and Risk Management in Federal Systems. This is a report that applies to federal agencies. It’s a new standard that’s coming up.
But if we take a look at how the FTC is imposing consent decree standards onto businesses, and businesses are imposing those reasonable standards onto their lawyers, I think it’s very interesting to see. This is probably going to be another instance of reasonable precautions being defined outside of the legal space and now being adopted within the legal space. What’s interesting about this report that came out on January 15 is that instead of taking a look at the bare minimum that needs to be done to be compliant—and I’ve given you lots of different laws and rules and ethics and evidentiary standards that you need to meet to be compliant—this report flips that all on its head and says, “Take a look at what threatens users.” Remember how 75 percent of Americans now think that they’re going to suffer a breach?
Instead of thinking about the bare minimum needed to meet your legal requirement for confidentiality, start thinking about what’s important from your client’s point of view. What’s going to be embarrassing for them to have out there, even if they waive their privilege? What’s going to be necessary to protect their identities if James Woods or another actor comes to sue them? How are you acting with competence when it comes to things like covering your papers when you’re out in public, or locking your phone, so that nobody can accidentally see a client file when you loan them the phone to make a phone call?
In your personal life
Most importantly, make sure that you take a look at starting to adjust your personal habits. We live very public lifestyles right now, posting lots of things on Facebook, Twitter, and other social media. It’s becoming rapidly apparent that we need to use our professional judgment to know when to post and what to post and things that you should not post.
It’s going to be a shift, but if you get these three bits down, you will have discretion, and you will have the first foundation of being a successful lawyer.
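Editor’s note on the two-factor authentication section above. The “brief, time-sensitive code” that Google Authenticator shows is a TOTP value (RFC 6238): an HMAC over a counter derived from the current time, truncated to six digits. The following is an added example written for this page, not code from the webinar and not Clio’s implementation. It assumes a 30-second step and six digits (the Google Authenticator defaults) and uses the RFC 4226/6238 test key as a constructed demo secret. The server-side check also shows the two things a practitioner has to get right that the talk does not spell out: tolerating a little clock drift between phone and server, and refusing to accept the same code twice.

```python
"""Added example: a minimal RFC 6238 TOTP generator and verifier.

Illustrative code for this page; it is not Clio's implementation and the
secret below is the RFC 4226/6238 test key, not a real account secret.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional, Tuple

# Constructed demo secret: the RFC test key "12345678901234567890", base32-encoded
# the way an authenticator app receives it from a provisioning QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' of the digest down to a fixed number of decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                      # low nibble of last byte picks a window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step).
    This is what the phone computes and displays."""
    if at is None:
        at = time.time()
    secret = base64.b32decode(secret_b32, casefold=True)
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret_b32: str, code: str, at: Optional[float] = None,
                step: int = 30, digits: int = 6, window: int = 1,
                last_counter: Optional[int] = None) -> Tuple[bool, Optional[int]]:
    """Server-side check of a submitted code.

    - Accepts the code for the current step and up to `window` steps either
      side, so a phone whose clock is a few seconds off still works.
    - Never accepts a counter at or below `last_counter` (the counter of the
      last code this account successfully used), so a captured code cannot be
      replayed inside the window.
    - Compares in constant time.
    Returns (accepted, counter_that_matched) so the caller can store the
    counter as the new `last_counter`.
    """
    if at is None:
        at = time.time()
    if not (isinstance(code, str) and len(code) == digits and code.isdigit()):
        return False, None                          # reject malformed input outright
    secret = base64.b32decode(secret_b32, casefold=True)
    current = int(at) // step
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue                                # already used: no replay
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, None


if __name__ == "__main__":
    # What the phone would show right now for the demo secret, and a round trip.
    now = time.time()
    code = totp(DEMO_SECRET_B32, at=now)
    print("current code:", code, "accepted:", verify_totp(DEMO_SECRET_B32, code, at=now))
```

The values used in the test below are the published RFC 6238 SHA-1 vectors with the eight-digit output shortened to six, so they can be checked against the standard. A real deployment stores the per-user secret encrypted at rest, records `last_counter` per user, and rate-limits attempts, since six digits with a three-step window is only about a one-in-333,000 guess.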
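Editor’s note on the “see who is logging in, where they’re logging in from” advice above. The talk describes spotting a user such as Don Draper logging in from a couple of suspicious locations and then forcing a password reset. The following is an added example, not part of the webinar and not Clio’s Firm Feed or audit tooling. It assumes a login audit export has already been reduced to user, timestamp, country and source IP (the geolocation step is assumed, not shown) and applies one simple “impossible travel” rule: two logins by the same user from different countries fewer than a few hours apart. The records are constructed sample data using documentation IP ranges.

```python
"""Added example: flag suspicious logins from an audit export.

Illustrative detection logic for this page; not Clio's code.  The login
records below are constructed sample data, not real audit entries.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Login:
    user: str
    at: datetime        # assumed already normalised to UTC by the export
    country: str        # assumed already geolocated from the source IP
    ip: str


# Constructed sample audit records (documentation IP ranges, fictional users).
SAMPLE_LOGINS: List[Login] = [
    Login("don.draper", datetime(2017, 1, 10, 9, 2), "US", "203.0.113.10"),
    Login("don.draper", datetime(2017, 1, 10, 9, 40), "RO", "198.51.100.7"),
    Login("don.draper", datetime(2017, 1, 10, 13, 15), "CN", "192.0.2.55"),
    Login("peggy.olson", datetime(2017, 1, 10, 8, 30), "US", "203.0.113.22"),
    Login("peggy.olson", datetime(2017, 1, 11, 8, 35), "US", "203.0.113.22"),
    Login("peggy.olson", datetime(2017, 1, 12, 9, 0), "CA", "203.0.113.90"),
]


def suspicious_logins(logins: List[Login], max_hours: float = 6.0) -> List[Tuple[str, Login, Login]]:
    """Return (user, earlier_login, later_login) for every consecutive pair of
    logins by one user from different countries closer together than max_hours.
    Consecutive pairs are enough: an attacker's session will always be adjacent
    to a legitimate one in the user's own timeline."""
    by_user: Dict[str, List[Login]] = {}
    for login in logins:
        by_user.setdefault(login.user, []).append(login)

    findings: List[Tuple[str, Login, Login]] = []
    for user, events in by_user.items():
        events.sort(key=lambda e: e.at)
        for prev, cur in zip(events, events[1:]):
            if prev.country != cur.country and cur.at - prev.at < timedelta(hours=max_hours):
                findings.append((user, prev, cur))
    return findings


def users_to_reset(logins: List[Login], max_hours: float = 6.0) -> List[str]:
    """Distinct users whose accounts should get a forced password reset and
    session revocation, sorted for stable output."""
    return sorted({user for user, _, _ in suspicious_logins(logins, max_hours)})


if __name__ == "__main__":
    for user, prev, cur in suspicious_logins(SAMPLE_LOGINS):
        print(f"{user}: {prev.country} {prev.ip} at {prev.at} -> {cur.country} {cur.ip} at {cur.at}")
    print("force reset for:", users_to_reset(SAMPLE_LOGINS))
```

In the sample data Don Draper’s US, Romania and China logins within four hours produce two findings and one reset; Peggy Olson’s US-to-Canada change a day apart is left alone. The threshold is a tuning knob: VPNs and mobile carriers will generate false positives, which is why the result is a review list and a reset rather than an automatic lockout.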