Attorneys are an interesting bunch. You have to be smart, dedicated, and work hard to successfully navigate the path to becoming a licensed attorney. It begins with a desire to uphold and practice the law, but requires a college degree, good LSAT scores, law school and taking and passing the bar in each state you wish to be licensed to practice. There’s no rest once licensed either, as continuing education requirements keep attorneys sharp and current. Attorneys can branch out into many different types of law — criminal, civil, family, intellectual property, and others. So, after all of this, what is one thing that can really spoil all of your hard work? A black mark on your reputation.
The Lawyer Creed
The Washington State Bar Association oath states, “I will maintain the confidence and preserve inviolate the secrets of my client.”
California has similar language in its oath: “To maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client.”
The State Bar of Michigan has an almost word-for-word copy of Washington State’s oath: “I will maintain the confidence and preserve inviolate the secrets of my client.”
You get the picture. Client confidentiality is one of the core tenets of practicing law. It’s so ingrained that it’s sometimes assumed to be in place in all legal processes. But in today’s highly networked environment that includes e-mail, smartphones, and social networks, there are a lot of places one can slip up.
The Problem Statement
Has this happened to you? You were working on an e-mail and accidentally hit “send” before you finished it, or worse, you started entering the e-mail address of your recipient and the e-mail program’s auto-complete feature selected the wrong person and you sent it out without noticing. You’re not getting it back. Your troubles are even worse if you have private or confidential client information embedded in the e-mail or a sensitive document attached to the message. That’s why the ubiquitous confidentiality clause is in the footer of every e-mail. But does that really help? You can put all the legal jargon you want at the bottom of an e-mail, but when the horse is out of the barn, the damage is done.
Another problem area involves large files. These files may also contain sensitive information, and leaking this data to the wrong people can be not only embarrassing, but can also compromise a case. Litigation support departments involved in sharing large amounts of information with co-counsel, opposing attorneys, and clients, are highly susceptible to data breaches. Most systems in place today that can handle ballooning files that include video, audio, scanned images, testimonies and evidence, are not adequately protecting this information. Setting up FTP servers to transfer these large files can be tedious and complex, take multiple days to prepare, and have very little true data protection right out of the box. One careless slip could open up your documents and files to the wrong person, and even the most meticulous person setting up an FTP site is not immune to mistakes. Keep in mind, too, that FTP is a 30-year-old technology that should not be expected to meet the more stringent demands for privacy and data security that we require today.
Overnight delivery services have similar security problems, not to mention that even a 24-hour delivery window is considered unacceptable when an electronic delivery only takes seconds. But think about how careful the delivery person is when he hands over a package or document bundle. I’ve been asked to sign for deliveries as I’ve waited in another company’s lobby. Delivery people do lose packages en route — you may have read about some high-profile losses, and there are probably many more that you haven’t. And for high volumes of deliveries, costs can rise quickly.
Compliance requirements today are starting to significantly impact the way existing processes must be changed to satisfy new requirements. Job titles such as chief compliance officer or chief information security officer are prevalent in today’s firms. They are responsible for ensuring a firm’s process is following the policies that maintain compliance. The new Health Information Technology for Economic and Clinical Health Act (HITECH Act), which extends HIPAA requirements to business associates of covered entities (including law firms), was put into effect at the end of 2009 to protect the privacy and confidentiality of a patient whose protected health information (PHI) is being transmitted electronically. HIPAA violations can result in both civil and criminal penalties. Civil penalties alone can reach $250,000, and if repeated or left uncorrected, can balloon to $1.5 million. You will have to notify clients of any data breaches, and depending on the size of the breach, you may also have to notify the Department of Health and Human Services. Remember the comment about reputation? There is an upside — competing firms will enjoy hearing about your breach.
Two important criteria are becoming “must haves” for law firms — electronic data security and visibility into the process of sharing the data. Information is power, information is money, and information is leverage. In the wrong hands, information has exactly the same advantages, but just not for you anymore. In the HIPAA world, relevant patient information can be perused and reviewed, and it can also be shared by people who are directly involved in treating the patient. Similarly, like a hospital, not every person in a law firm should have access to that PHI. A study by research analysts at IDG showed that many data breaches are actually internal, and not necessarily malicious. Yet IDG also found that IT administrators felt least protected from these accidental breaches. Accidental exposure of sensitive information is especially easy when content is left unprotected. When an attorney or paralegal needs to send information in the form of a computer file or electronic document to a client or co-worker, the two most common methods, e-mail and FTP, are both vulnerable. After making the effort to secure your information, visibility becomes important. With a good tracking and reporting mechanism, you can verify that only intended recipients have accessed the confidential data. You can also proactively discover improper access. Security and visibility go hand in hand.
Deploying technology to solve these two issues actually is not as hard as it sounds. But to maximize the chance of a successful implementation, you must keep in mind the big-picture reason you’re planning on modifying your attorneys’ current processes — to help uphold the client confidentiality oath. The two most common reasons a solution fails in law firms — and most other companies for that matter — are drastic changes to existing user behavior and insufficient training. To that end, Web-based secure file transfer solutions are easy to use (similar to Web-based e-mail), and recipients do not need specialized client software to retrieve their secure messages and files — any Web browser will do. Tying into your e-mail client such as Outlook, supporting drag-and-drop functionality, and integrating with a firm’s authentication system, can further minimize changes to user behavior and ease adoption.
In addition to the technology, a well-conceived and comprehensive security policy, preferably one that is written and shared with all employees, is critical to a successful program. Establishing a security policy shows that the firm has recognized the importance of keeping confidential information secure. Not being an infallible species, even with the best security policy in place, people make mistakes and a data breach may occur. But having a documented process in place (a.k.a. a “good story”) goes a long way when the civil penalty is being calculated. You do not want to be that firm with no policy in place — you will most likely be levied the maximum fine.
Bob Dylan’s song “The Times They Are a-Changin’” can be aptly applied to today’s legal compliance environment. New compliance requirements to protect personal information from many different legislative bodies, both at the state and federal levels, have recently passed. More are sure to follow. The ways people can share information with others are plentiful, with new methods continuing to emerge. Expectations for better and faster access to information are increasing, with or without security measures in place. If your firm has already implemented solutions to address privacy and confidentiality concerns, you’re ahead of the game. But it’s never too late to start protecting your information. Your oath depends on it.
William Ho brings more than 20 years of experience in the technology field as vice president of Internet products at Biscom, a company in Chelmsford, Mass., specializing in secure file transfer and fax server technology. Prior to joining Biscom, Ho was founder and CEO of vVault, an award-winning software application that pioneered Web-based document storage and management. He has also held positions at CNET and Oracle.