Is Your Law Firm Private Enough? As technology grows more sophisticated, firms need to revisit privacy laws
Christopher Wolf, Legal Times, 02-28-2005
Technology allows businesses to collect, store, manipulate, use and share vast amounts of personal information. So it is not surprising that with the advent of new and increasingly sophisticated information technology, privacy law is a booming area of practice.
New laws (and increased enforcement of old laws) governing how personal information is handled have businesses rushing to their lawyers for advice and representation. In our information society, legislatures have created protections for kids who may be asked to give information online, for patients whose health information is stored in vast computer networks, for financial information, and for consumers to protect them from intrusions of "spam" e-mail and unwanted phone solicitations.
There are various kinds of privacy laws: Some laws require a clear notice to consumers of what personal information is being collected and how it is being shared, along with an opportunity for people to "opt out" of sharing or use for other than the original reason the information was submitted. Other laws strictly enforce promises that businesses make regarding how personal information may be used. One law in California requires notice of computer security breaches that may result in disclosure of private information to unintended recipients.
Recently, privacy laws have become more specific and more sophisticated. All of these laws are being enforced by governmental regulators (like the Federal Trade Commission and state attorneys general) as well as by individuals and class action attorneys.
For businesses, the risk of being a target of a privacy lawsuit is greatly increased by the use of technology. For no matter how high-minded a privacy promise may be, if there are "leaks" in the technology -- if computers are subject to hacking or there are inadequate safeguards on who may access private information stored electronically -- then lawsuits for breach of privacy may follow.
Some lawyers think that privacy laws apply only to their business clients but not to them or to their firms, even though lawyers and law firms collect and store huge amounts of confidential personal information. These lawyers need to think again: Many privacy laws apply to the business of law, and lawyers are attractive targets. Like the cobbler's children in need of shoes, many lawyers need to look at their own privacy practices to make sure they are complying with the same laws governing their clients.
A 2003 ruling from the federal District Court here in Washington, D.C., exempting law firms from the reach of the privacy provisions of the Gramm-Leach-Bliley Act governing "financial institutions," New York State Bar Association v. FTC, 276 F. Supp. 2d 110 (D.D.C. 2003) (currently on appeal), may have given some lawyers a false sense of security. True, the attorney-client privilege imposes a privacy obligation on all lawyers -- a focus of the dispute in the Gramm-Leach-Bliley case -- but the existence of the privilege does not necessarily mean that lawyers are exempt from all privacy regulations. Privacy laws involve unique obligations that may go beyond the strictures of the attorney-client relationship.
The safe approach for lawyers, therefore, is to follow the lead of their clients, who have generally assumed that privacy laws will be rigorously enforced. Lawyers should particularly focus on three of the most common ways they interact with their clients: through Web sites, via e-mail, and by telephone. But the lesson here is that all privacy laws should be considered in the context of lawyers collecting personal information.
A TANGLED WEB
California has passed several other privacy laws in recent years. One requires businesses to reveal any breach of security that may have allowed unauthorized access to the personal information concerning a California resident. Another requires businesses to provide consumers with a list of all companies to which they have transferred personal information that is used for marketing purposes. Law firms with California connections will need to be prepared to respond appropriately.
BUT WHAT IS SPAM?
Perhaps the most widely publicized privacy law on the books is the "Controlling the Assault of Non-Solicited Pornography and Marketing Act," or CAN-SPAM, a federal law that took effect on Jan. 1, 2004. CAN-SPAM does not impose an outright ban on "spam" e-mail. Rather, it imposes certain requirements on unsolicited commercial e-mail messages. For example, all such messages must contain "clear and conspicuous" identification that the message is an advertisement or solicitation; they must contain a valid reply e-mail and postal address; and they must provide a mechanism for opting out of future e-mails.
Law firms might not consider themselves to be spammers, but CAN-SPAM applies to any unsolicited e-mail having a commercial "primary purpose." An e-mail does not have to be part of a bulk advertising blitz to fall under the provisions of the act; even a single unsolicited commercial e-mail must comply. This broad definition may be interpreted to include some of the e-mail that lawyers typically send to past, present, or prospective clients.
For example, an unsolicited e-mail promoting a new law firm subsidiary or alliance may be construed by an aggressive regulator to serve only a commercial purpose and therefore trigger the requirements of CAN-SPAM. In contrast, e-mail messages related to a transaction already conducted with the recipient, or related to an existing business relationship with the recipient, are exempt. The line dividing the two types of messages may not be a bright one.
Complying with CAN-SPAM is thus no simple exercise. Many of the unsolicited e-mails law firms send out, such as updates on recent developments in the law, are not easily categorized as having either a commercial "primary purpose" or a so-called transactional or relationship primary purpose. Updates, for example, can serve both an educational and marketing purpose. In addition, firms traditionally distribute unsolicited e-mails to existing clients as well as to potential clients, thereby testing the boundaries of the "transactional or relationship" standard. Because of this, the distinction between commercial and transactional or relationship messages will be critical.
THE PHONE CALL
Law firms typically do not consider themselves to be telemarketers, either. Yet, as with the CAN-SPAM Act, under telemarketing laws and regulations, a single unsolicited telephone call to sell services to a potential or former client could be considered telemarketing, subject to restrictions.
The FTC and the Federal Communications Commission have both adopted telemarketing regulations. The most well-known, and most onerous, provision requires almost all businesses conducting "telemarketing" to subscribe to a national "Do-Not-Call" (DNC) registry, and to "scrub" any consumers' phone numbers on the DNC list from their own calling lists. Fortunately, however, there are exceptions to both regulations. The FTC rule does not apply to "[t]elephone calls between a telemarketer and any business" -- only calls to individuals are covered. The FCC rule applies only to calls made to residential telephone subscribers, and does not apply to calls made to persons with whom the business has an Established Business Relationship (EBR), defined as any transaction within the past 18 months, or an inquiry or application within the past three months. The FTC rule also exempts calls to individuals with whom the business has an EBR. Even then, the business must still subscribe to the DNC list.
Lawyers who do business with individuals should therefore pay close attention to the telemarketing rules. Under the FTC's rule, for example, any lawyer who calls individuals to solicit the purchase of legal services must subscribe to the DNC list, even if the only persons called have an existing business relationship. Under the FCC's rule, calls to residential telephone subscribers who have not purchased legal services within the last 18 months are also subject to the rule, requiring the lawyer to subscribe to the DNC list and meet several other requirements.
Other privacy laws may require firms to enhance the security of client information. For example, firms may be impacted by the privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996, or HIPAA. Although employers technically are not covered under HIPAA, some firms may be required to ensure their compliance with HIPAA data security requirements because they sponsor "group health plans."
Other firms may be asked by their health care industry clients to sign "business associate" agreements. Such agreements should be reviewed carefully before they are signed, because they may require that the firm institute technological controls it does not currently have, or that the firm destroy all patient information at the end of the representation, a requirement that may be at odds with its professional obligations.
Law firms should also keep in mind the trend toward legal and regulatory liability for privacy breaches in securing client information, particularly information in digital form. Firms should take the same reasonable security precautions other businesses do, such as protecting computer networks and laptops, and avoiding the unnecessary transmission of confidential client information by unencrypted e-mail.
Admittedly, it may seem redundant to apply privacy rules to lawyers, whose profession requires as one of its bedrock principles the confidentiality of client information. Nor is there any evidence of a regulatory threat; to date, no enforcement actions have been brought by state or federal authorities against a law firm for violation of one of the new privacy rules. However, at least one federal agency, the FTC, has taken the position that lawyers and law firms are subject to the same privacy rules as everyone else.
While the lawyers' professional code of ethics may in some circumstances operate to supersede privacy obligations imposed on businesses generally, whether lawyers' ethical obligations give them a special status that sets them apart or whether law firms should be treated just like any other business is by no means settled.
Until this conflict is resolved, lawyers may want to follow the example of many of their clients and assume that every provision in the recent flurry of privacy legislation will ultimately be enforced against them.
Christopher Wolf is a litigation partner in the Washington, D.C., office of Proskauer Rose and chairs the firm's privacy law practice group. Proskauer represented the New York State Bar Association in the successful District Court challenge to the FTC's attempt to apply the Gramm-Leach-Bliley Act to lawyers, mentioned in this article. Bruce Boyden and David Rappaport assisted with this article.