I have been writing this monthly column for well over a decade now, and each month I have provided what I believe to be answers to questions brought into the legal realm by the ascendance of digital media and communications. For this month’s column, however, I am posing a question to which I have no answer: Do law firms do what they should to protect digital media and communications from being vulnerable to hacking, a virus or some other form of adverse intrusion by a third party so as to avoid being the target of litigation by clients should any such firm find itself having been so victimized? I am raising the issue because I have not seen much discussion on it and would rather raise it before it becomes, and to help avoid it becoming, a widely discussed problem.
It is fundamental to our jurisprudence that communications to and by a law firm, as well as documents—whether digital, on paper or in some other media—are protected by attorney-client privilege. This protection cuts two ways (at least). Third parties, such as an opposing party, law enforcement or some other governmental entity, news media, people generally, etc., have no right to demand any such protected communications or documents. As well, the protection creates an obligation on the part of lawyers not to reveal any protected communications or documents to any third parties except as required by law or after determining that such revelation is in the best interest of the client.
The protection has generated considerable discussion. In the wake of the digital revolution, there have been innumerable opinions issued by federal and state courts regarding whether, when and under what conditions, if any, a lawyer or law firm must disclose digital media to opposing counsel or a third party. As well, innumerable contracts between law firms or their clients and the vendors who provide e-discovery and other IT services to said firms and clients (many of which contracts I have written or reviewed) contain language rendering the vendors responsible not to disclose or allow disclosure of any such media—digital or otherwise—in the vendors’ possession (save at the direction of counsel or clients), and obligating the vendors to protect such media from hacking, viruses, or any other efforts by third parties to gain access to the media or in any way change or destroy it.
The aforementioned contracts have arisen because, in the digital world, attorneys need the assistance of e-discovery and other IT vendors, even if firms have brought those services “in house,” i.e., they have purchased and set up the servers and applications needed to ingest, review, produce and store e-discovery, and have personnel on staff to implement these processes. These in-house firms will, invariably, want to house data for all of the aforementioned processes in two locations: within the law firm; and, in a “co-location” (or “colo,” in the well-accepted shorthand), provided by a third party. The exact same services being provided through the firm’s in-house applications and on its server(s) will be simultaneously replicated on the colo’s server(s), so that if for some reason the firm’s IT or applications cease functioning, the user will immediately cut over to the colo. In this manner, if a problem with the firm’s IT holds up any digital processes, there will be no delay, and if such problem results in the loss of data by the firm, the data in the colo will provide a backup.
Colos, of course, must also be secure from intrusion by third parties. As well, it is a standard practice to make sure that the colo is in a location not subject to the same weather as is the firm, and unlikely to be affected by a destructive event such as an earthquake should the firm’s office be so stricken. These practices make it highly likely that if either the law firm’s or the colo’s IT is damaged significantly or destroyed such that digital media is rendered inaccessible, the same natural events leading to that destruction will not destroy the backups, and vice versa.
As I mentioned above, over the years I have read and drafted many contracts under which e-discovery and IT providers must agree not to disseminate the communications and digital media of law firms, and to provide insurance should such provisions be offended. I have also read and drafted contracts obligating e-discovery and IT providers to provide protection for such firms’ communications and digital media by requiring the service provider to enter into agreements with its colo also not to disseminate the communications and digital media entrusted to it (i.e., the same law firm communications and digital media) and to provide insurance should such provisions be offended. I have also read many news stories and columns discussing these obligations. As we shall discuss below, typically these stories involve how the provider is subject to an accepted security protocol, how that protocol is enforced by, inter alia, having security firms inspect the provider, and whether the provider violated the protocol.
What I have never read is a news story or opinion piece about a law firm being subject to a security protocol, even though the law firm will hold, on its premises, a large volume of privileged digital media and communications. Thus, the question that arises is whether law firms should be so obligated.
Law Firms and ISO 27001
“ISO 27001” is a well-accepted protocol for information security management created by the International Organization for Standardization (ISO). As the protocol has been revised over the years, its title has changed from ISO 27001:2005 to ISO 27001:2013, for example, but it is generally simply referred to as “ISO 27001.”
The ISO protocol addresses all manner of potential security risks. In addition to testing hardware and software to determine whether they have the latest defenses against hackers, viruses and other threats, it has standards, for example, for doing criminal background checks on employees and applicants and not allowing those with criminal records to access data; for protecting data physically, in ways ranging from locking areas with computers that have access to sensitive data, to deciding whom to let into such areas and how to supervise those who are provided access to those areas (guests, building cleaning staff, etc.); for how and how often ISO-certified inspectors should inspect offices, determine whether the security there is ISO-compliant and, if security is lacking, provide suggestions as to how to make it compliant and arrange for a re-inspection to determine whether the facility should be listed as compliant or not; and so on. ISO tries to check for threats to security in a world of people, which means looking at bad habits, bad work environments and other person-centered issues as well as the digital threats that most people think of when the subject of data security arises.
In the past few years there have been reported data intrusions at law firms. Despite this fact, I have seen and heard very, very little discussion with regard to the application of information security protocols such as ISO and others to law firms. In the last few years, I have read only a couple of commentaries on the subject. As well, a quick perusal of websites for law firms, large and small alike, will fail to turn up much discussion as to ISO compliance by the firms.
Given the voluminous public discussions of the general need to protect against data intrusions, the silence on the subject in public discussions as it regards law firms is curious. It is, by definition, impossible to know whether this silence results from law firms not adhering to the ISO or any other well-accepted security protocol, or from some other reason. The argument could be made, for example, that firms remain silent for fear that advertising security steps on websites could be a version of “Methinks the law firm doth protest too much,” i.e., by answering questions regarding security that other firms silently dismiss, the answering law firm may be punished for its candor by inadvertently suggesting to the potential client that the firm has security problems other firms do not share, and so discouraging the potential client from engaging the answering firm.
I have no facts to support any interpretation of the silence on the subject. My experience tells me that, for example, when one considers how much work counsel has to do, how often counsel will take that work home or do it on the train, in the hotel room, etc., and how counsel accesses the digital documents involved in that work (copying them to a thumb drive and accessing them from the drive or copying them from the drive to counsel’s PC, accessing them from the law firm’s server using the train’s or the hotel’s wireless connection, etc.), one must wonder how such work can be accomplished while adhering to ISO’s or any other credible security protocol. Such questioning, however, does not mean that any given firm is not adhering to a proper security protocol.
Analysis and Conclusion
Law firms have the same responsibility as any other party entrusted with confidential information to keep that information confidential. Indeed, given that the information is legally privileged, the importance to the legal system of maintaining privilege, and the important role the legal system plays in maintaining the proper functioning of our government and the freedoms of our society, it is not hyperbole to state that the protection of confidential information by law firms is of the highest importance to our society.
The best way now known to protect confidential information is to adhere to the ISO protocol or a similar standard. Law firms, who expect their vendors to so adhere with great vigilance, should expect the same from themselves. Whether they choose to advertise their adherence on their websites or simply agree to it with clients, they should do it. Whether they are doing it now is hard to know.
Leonard Deutchman is a consultant regarding electronic discovery, digital forensics, and criminal and civil legal matters. Before that, he was vice president, legal for KLDiscovery, which he helped found, and a chief assistant district attorney at the Philadelphia District Attorney’s Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses. Contact him at firstname.lastname@example.org.