Left to right: Randy Evans and Shari Klevens, Dentons partners ()
In the modern practice of law, arguably nothing is more important to an attorney than her laptop. With the rise of electronic document management systems, the laptop can act as the equivalent of an entire office building of documents and allow the attorney to work from virtually anywhere.
However, with this new technology comes new challenges. Specifically, when confidential information can be accessed from anywhere and from so many sources, law firms have greater challenges in assuring compliance with ethical and professional rules, including the duty to maintain a client’s confidential information as set forth in Rule 3-100 of the California Rules of Professional Conduct.
This issue is especially significant when attorneys depart for another law firm. Gone are the days of late-night raids of the file room; departing attorneys can typically get all the files they need with a single click. Thus, protecting client information is not as simple as making sure that the physical doors to the law firm are locked.
Control over electronic client information is critical for law firms in fulfilling their obligation to protect client confidences. Yet law firms need to strike an appropriate balance, because making access to information overly burdensome could undermine the law firm’s ability to efficiently provide services to clients.
To find this balance, some law firms have shifted their focus from physical possession of client information to “virtual” control. This control can be aimed at having sufficient protections to fulfill the ethical and professional obligations owed to clients without so much control that it hinders the law firm’s ability to bill and collect fees.
The Ownership of Data
When dealing with tangible assets, possession is often described as nine-tenths of the law. But when dealing with intangible assets such as computer data, the law can be more complicated.
In most cases, the law firm will purchase laptops and other devices for use by attorneys in their work. However, while there usually is no question that the law firm owns the hardware, there can be a significant dispute with respect to who owns the information stored on the laptop.
An attorney’s laptop will often contain three types of information. First, there is significant intellectual property in the form of the work product created on behalf of the law firm and its clients. While clients may own their confidential information, the ownership of work product created by attorneys in servicing clients can be less clear.
To avoid uncertainty, law firms may choose to specify in the law firm’s partnership agreement, employment agreements, or other policy who owns the information and work product not owned by the client.
Second, an attorney’s laptop likely contains a wealth of client contact information. Generally, the law firm is deemed to own client relationships, a right that arises out of the fiduciary obligations that attorneys owe to their fellow partners and to the firm.
Because client contact information can also be a valuable asset, law firms may likewise address the ownership of such information in partnership and employment agreements or other policy. By codifying the ownership, law firms can protect themselves from the misappropriation of these assets as well.
Finally, of course, a laptop provides access to all client files. Until terminated by the client, law firms generally have the right and duty to control client files. To avoid uncertainty in this regard, law firms can confirm their custodial control over client documents in the engagement letter or fee agreement.
If the client agrees in writing that the law firm shall retain exclusive custodial control over client files until the client gives instructions otherwise, the law firm has the ability to assert and maintain that control. Departing attorneys violating this agreement could then risk claims arising out of their improper possession of files, in addition to potential ethics grievances for violating client confidences and secrets. Of course, for such information that is fairly the property of the client, the client may direct the law firm to release files or data to the custody of the departing attorney or the departing attorney’s new firm.
With such provisions in place, law firms can hope to dissuade departing attorneys from attempting to improperly take client information by removing any doubt that it is the law firm in control of the information.
Protocols for Protecting Data
Because information security has become such a pressing issue for all businesses, there has been a corresponding rise in technology aimed at securing data. Law firms thus can explore the options available for protecting client information to ensure that their systems provide sufficient protections. In addition to fulfilling ethical and professional confidentiality obligations, such technology can provide the firm with protection against cyberattacks, which have also become increasingly sophisticated.
In determining the appropriate technology, law firms may choose to hire specialists or consultants with expertise in the protocols, practices, and procedures for protecting information. These specialists can assist the law firm in designing a system that is able to confirm data integrity. Whether the risk is a departing attorney unauthorized to access information or a cyberattacker, a firm having the ability to determine if data has been downloaded, by whom, to where, and when is invaluable.
In addition, specialists or consultants can assist the firm in implementing regular password and/or passcode updates for all firm hardware. Time limited passwords and passcodes can, at a minimum, limit the duration of risk. Once the current password or passcode expires, then access is usually terminated.
Take Prompt Action
When a law firm suspects that its information has been appropriated, it is helpful to act as quickly as possible. The more time that passes, the greater the risk that a court would find that the law firm waived its rights.
Indeed, the fact that a law firm documented its rights in the partnership/employment agreements and engagement letters is best supported through the firm’s enforcement of its rights. By establishing protocols and acting on those protocols, law firms can provide the greatest protection possible for the valuable information stored on firm devices.