As is widely known, many technological advancements have been integrated into the legal industry in recent decades. Maintaining an electronic record of all information is standard operating procedure at large and small companies and law firms. Another major development, particularly in the last half dozen or so years, has been the dramatic increase in the number of employees who telecommute one or more days a week and, in many instances, full time. Indeed, there are now virtual companies and law firms that maintain limited, if any, office space. These parallel developments necessarily raise questions concerning the ability of companies and law firms alike to maintain the confidentiality of proprietary information.
At the risk of stating the obvious, working from home or from other remote locations allows attorneys and other personnel to maintain a flexible schedule and eliminate commute time. With a click of a button on a remote device, in-house and outside counsel are able to access a confidential document from off-site locations, often as one or more colleagues are working on the exact same document. However, this increased flexibility and the possibility of maintaining a better work-life balance bring with them increased challenges in ensuring the confidentiality of client information.
Cyber Security and Confidentiality
Remote Access to Electronic Files
Of course, lawyers often handle very sensitive client information which must remain confidential. Questions have arisen in recent years as to whether the use of remote access violates a lawyer’s duty to preserve client confidences under Rule 1.6 of the Model Rules of Professional Conduct. In accordance with that rule, a violation occurs when one:
1. knowingly reveals confidential information; or
2. does not exercise reasonable care to prevent the compromise of confidential information while the lawyer or the service utilized by the lawyer has access to the confidential information.
The New York State Bar Association Committee on Professional Ethics has stated that, in addition to being prohibited from disclosing confidential information, a lawyer is also obligated to take reasonable care to affirmatively protect his or her client’s information (NYSBA Comm. on Professional Ethics, Formal Op. 842, 2010).
It is acceptable to use standard methods of transmitting or accessing information so long as there is a reasonable expectation of privacy. For example, confidential information may generally be sent by an unencrypted email. However, if there is a greater risk of interception due to the particular circumstances, the lawyer is obligated to take appropriate security measures bearing in mind the technology that is available at a reasonable cost (NYSBA Comm. on Professional Ethics, Formal Op. 709, 1998). The lawyer must also ensure that any security or storage service provider she plans to use has an enforceable obligation to preserve confidentiality. To ensure that the consent is an informed one, any known risks in a security system must be disclosed to a client before the lawyer may obtain the client’s consent to access confidential information remotely.
Use of Cloud Storage for Storing Client Information
When using a cloud for data storage, a lawyer must ensure that the storage system is password protected and that the stored data is encrypted (NYSBA Op. 842). Due to the rapid changes in technology and continually emerging threats to the security of stored data, a lawyer should also periodically confirm the effectiveness of the security measures provided by the service she or he uses. If there is evidence of a potential or actual lack of security, the lawyer must discontinue use of the service until the potential or actual problem is remediated by the service provider. As with the standard regarding remote access described above, a lawyer must affirmatively protect his client’s information. The American Bar Association and many state bar associations have issued opinions approving the use of cloud storage so long as reasonable care is taken to confirm the effectiveness of the security measures that are in place.
The success of the virtual workplace model in law, however convenient and liberating for many lawyers, is contingent on having an encryption system for protecting confidential information and having the means to securely store and transmit information while working from a remote location. If a virtual workplace model is tested by a court or otherwise, in-house and outside counsel must be able to demonstrate that they are affirmatively protecting their clients’ information by staying informed about technological advances and potential risks to data security. Taking reasonable care boils down to individual attorneys maintaining proper work protocols, such as choosing strong passwords, remotely accessing information from a secure Wi-Fi network, and communicating with the service provider regarding any potential security breaches.