Summary: Attorneys have a Duty of Confidentiality and of competence to clients. Information accessed by unauthorized parties due to misuse of technology is increasing – consulting with an expert to understand the best practices with technological use is required.
In the rapidly evolving digital landscape, where information is a valuable currency, law firms find themselves at the crossroads of technology and confidentiality. With the increasing reliance on digital tools and platforms, the importance of securing, encrypting, and protecting privileged data has been addressed by the California State Bar, approximately 14 years ago. Endsight’s expertise and technological solutions allow for compliance with this formal opinion.
In CA 2010-179, the California State Bar addresses the need to protect data commensurate with the sensitivity and confidentiality of the data, as well as the medium being used to store/transmit it. Essentially, we see that as “If you’re meeting a client for coffee, it is completely fine to send them an email from a Starbucks Wi-Fi with an invitation. If you’re sending them privileged information on a matter, that information must be properly secured and encrypted, both on the storage medium (a computer, server, or cloud), and via the transmission method.
Encryption myths and facts
Email is not encrypted. This comes as news to many people. Sending an email out of your computer system is not a secure way to transmit data. There are ways to encrypt data, of course, and one of Endsight’s standards is to enable and train on encryption. Though the Bar does specifically state that the expectation of privacy in email versus postal mail is similar (and thus email is an acceptable way to transmit privileged information), insecure Wi-Fi is not. In plain language: attorneys are free to email privileged information, but not from insecure networks. From the opinion: “Encryption is encouraged, but not required”.
Computers, by default, are not encrypted either (mobile phones typically are). This means a stolen or lost laptop with privileged information is a possible vector for liability concerns – and that’s a common issue we see today. Endsight, of course, has encryption as a standard, and we’d encourage all other providers to follow suit in the modern threat landscape.
Knowledge of the Situation
Attorneys are legal experts, not technologists (with some exceptions, of course). The Bar knew this, and in the opinion, it directly states:
“Many attorneys, as with a large contingent of the general public, do not possess much, if any, technological savvy. Although the Committee does not believe that attorneys must develop a mastery of the security features and deficiencies of each technology available, the duties of confidentiality and competence that attorneys owe to their clients do require a basic understanding of the electronic protections afforded by the technology they use in their practice. If the attorney lacks the necessary competence to assess the security of the technology, he or she must seek additional information or consult with someone who possesses the necessary knowledge, such as an information technology consultant.13/ (Cf. Rules Prof. Conduct, rule 3-110(C) [“If a member does not have sufficient learning and skill when the legal service is undertaken, the member may nonetheless perform such services competently by 1) associating with or, where appropriate, professionally consulting another lawyer reasonably believed to be competent, or 2) by acquiring sufficient learning and skill before performance is required.”].)”
Building Client Trust and Reputation
In an era where news of data breaches and cyber-attacks dominates headlines, clients are increasingly discerning about the security practices of the entities they engage with, including law firms. Demonstrating a commitment to safeguarding privileged data not only instills confidence in existing clients but also becomes a powerful marketing tool. A law firm with a reputation for stringent data protection practices is more likely to attract and retain clients who prioritize the security of their sensitive information.
What does my firm need to do?
Effectively the CA Bar is saying “You must take reasonable precautions with privileged information. This means encrypting it during storage and educating yourself and your staff on the risks of the various methods of transmission, as well as protecting client data in general with people, process, and technology commensurate with the level of sensitivity in the data.”
Endsight can assist with this. Our security team has a great deal of experience recommending process, technology, and training for law firms of all sizes, at budgets appropriate for data with varying classification levels. In short, we’re well versed in protecting data without breaking the bank or burdening firms with significant additional process or training requirements.
We even have free training that qualifies for 1 CLE credit hour in California – the second Tuesday of every month, over Zoom. That, along with a bit of process and technology, helps our clients keep data safe and their reputations intact.