The Security of Clients’ Information and What Attorneys Need to Know
“The Security of Clients’ Information and What Attorneys Need to Know.” That is the subject of this ACTEC Trust and Estate podcast.
This is Susan Snyder, ACTEC fellow from Chicago. Do practicing lawyers have ethical and legal duties associated with the use of technology in the practice of law? To learn more about this topic you will be hearing today from ACTEC Fellows Tom Overbey of Fayetteville, Arkansas and Michael Simon of West Palm Beach, Florida. Welcome Tom and Mike.
Thank you Susan. This is Tom Overbey. Michael is going to give you some new rules to chew on in a few minutes. One of the things that I try to tell people in this area is to not get overwhelmed with the fact that it’s technology. You do have to know something about the technology–the wires, the devices, the software. You do have to figure out in your law firm how you are going to manage that technical stuff and so forth. So that’s the second element: knowing the technology, managing the technology. And the third element, in my book, is the most important, and that’s managing the people, because no matter how big your firewall is, if the people don’t pay attention to what they’re doing, you will end up catching ransomware. Michael, what do you think?
Well, Tom, I agree, we have a new normal in the practice of law. Technology has advanced at a dizzying pace. In fact the ABA just came out with a new Formal Ethics Opinion, which is 477R. That’s a great read and provides an excellent overview of the ethical obligations that lawyers have related to technology. And the ABA has told us this is not a results-oriented analysis, it’s process-driven. So lawyers just need to pay attention to the process. In almost every state, there is an ethical requirement that lawyers keep up with advances in technology. So, at this point, there are a few things that lawyers need to know in order to run their practices and meet their duties to their client, especially with the element of confidentiality of client information.
Michael, I agree with you wholeheartedly. 477R is a nice road map. We don’t usually like being told what to do, but in this case, I think the way it was issued and worded, we’ve got seven guidance points: they cover some distinct areas; they help the lawyers subject to the rules to understand; you know, they use words like “reasonableness” and rather than have cliffs you can jump over, they give you guidance points.
That’s true, and, Tom, I think to understand the significance of this issue, it helps to look at life before and after technology. Before technology, a lawyer might walk out of his office with a thousand pages of paper in his briefcase. Now, with an iPhone and 128 gigabytes, you can put 87 million text pages in your pocket. That’s a lot of confidential information to be walking around with. And so there are some things that lawyers need to know if they are walking around with 87 million pages of client documents in their pockets. The first one is: we are fiduciaries and we have duties to our clients. And the second one is that there are rules that apply – like the Duty of Competence under Model Rule 1.1, the Duty of Confidentiality under Model Rule 1.6, and the Duty to Supervise under Model Rule 5.3.
Exactly. You know, I sort of break this down in my mind into two areas to think about, and that’s internal and external. Internal being your law firm, the lawyers, the equipment. External being of course the clients and the public. On the internal side, one of the things that is hard to do is to work with the lawyers and the staff to say, “You know what, we have all this technical stuff out there; we’ve got these IT folks helping us; we’ve bought these special routers with APT codes and all these technical things that nobody in the firm understands but a few people.” But here are some things that everyone needs to know. You know, you’ve got to look out for your email; you’ve got to be careful; you’ve got to watch out; every individual in the law firm is a guardian of our security; and as such, you’ve got to pay attention to what comes across your desk. You need to have put up with the pain of what we call two-factor authentication so that the email is better protected, and you should do that with your personal email. You should put a code on all your cell phones and your iPads and computers and everything so that if it gets picked up it takes an access code to get into it. You know, security is a very important thing – paying attention to passwords, using those devilish, complex passwords is the way to go. Simple things, like when you travel, put your laptop in the trunk of your car and lock it; don’t leave it out on the seat for a thief to spot and steal. These things are very important on the internal side.
Well, Tom, I agree. And two things that are really important and are probably the most helpful are fairly simple. One, like you said, is passwords. Passwords are scary to some people; we’re on password overload. In fact 58% of adults have 5 or more unique passwords and, according to this Janrain study, 38% of adults think it would be easier to solve world peace than remember all their passwords, and 40% would rather scrub toilets than have to remember another password. But, that’s important. So like on your phone, instead of just having a 4-digit password, up it to 8 characters and mix in the alphabet, numbers, and maybe symbols. And you can go from maybe 10,000 possible combinations to tens of millions of possible combinations – much harder for someone to crack your code and access your information.
The second thing is, watch out for theft or loss of your information. Your thumb drive, your phone, your laptop. Theft or inadvertence is a huge problem for protecting confidentiality and most phones and laptops are stolen because their owners simply leave them sitting someplace. Your clients aren’t going to be very sympathetic when you lose your phone and their confidential information.
Absolutely Michael. And, you know, some simple things in looking at the reasonableness standard of this ABA opinion, you know, if you have a device that can be stolen simply – which is really anything these days because even the largest computers we tend to use these days, other than desktops, are very portable – you need to not only put those special codes on it, like you just mentioned, but you also need to go through the trouble to set it up so you can locate your device remotely, and you can wipe everything on the device remotely. Those features are available on almost all software these days and computers. Takes a little bit extra time to set it up and a little extra time to know where it is when you need it, but if you need it, you should be able to find it. And that is something that could very well be a matter of doing it correctly or not correctly in terms of handling these devices that hold all this data that you just referenced.
Well, Tom, let’s talk about the bookends to this analysis. When do your duties begin, and when do they end? Let’s talk specifically about your devices that hold client information. So your duties begin when you acquire the device and put sensitive client information on it; I think we can all understand that. When do your duties end? Well, your duties end when you properly dispose of that device. You can’t just turn it in to a recycle place or give it to your nephew or one of your kids. You have a duty to make sure that device is properly disposed of, which may mean physical destruction. Simply pressing delete isn’t enough to secure your client information. So, a lawyer needs to make sure they either have a professional help them with that or physically destroy the device so that their information doesn’t fall into the wrong hands.
That’s a great point. OK, that’s internal – that’s the lawyers, the staff, the law firm – now let’s talk about the clients. They’re the ones whose information we need to protect. There are a couple of things at least to consider doing with the client – one is talk to them. When a new client comes in the door, you’re getting to know them, and part of getting to know them is to get to know how they operate and how they wish to operate. There’s a big difference between a client who is sitting in a thousand-person business that they work in and have a business email, and, as we all know, a business email is not protected or private; that email system and content belongs to the employer. So, you need to discuss this with the client: “Do you want me to use your business email, or do you have a personal email that you prefer?” I’ve been doing this with all new clients for some period of time, and it’s interesting, the lightbulb goes off and they go, “You know what, I do have a personal email I would like for you to use.” So, we’ve got to have those discussions. We’ve got to have discussions about their information that we’re going to protect and tell them anything that’s got account numbers and so forth we’re going to protect. We’re going to talk to them about encryption, that, while it’s a little difficult, we will be sending them stuff that, if they allow us to use email, will come through a system that the firm uses that will protect that information. So I think the discussion is very important.
Yeah, and, Tom, sort of as we wrap up here, I think we need to know, we have a duty to have those conversations with our clients and a duty to warn them about these dangers. And the measures we take inside and outside with our internal folks and with our clients. Those things just have to be reasonable and they also have to be functional, so with relatively benign information, you don’t have to go to great lengths; with highly sensitive information you may have to spend some money and go through some extra efforts to protect that information. And those things are the types of things you need to talk to your clients about and get their buy-in and have some agreement on how you’re going to handle this sensitive information.
Yes, and that agreement, Michael, I think you and I emphatically agree, has to be in the form of an Engagement Letter that you should be sending out anyway. The bar associations, the ethics committees, and your malpractice carriers are all, if not demanding, they’re close to demanding, that you have an engagement letter with every client, it varies between some states. And in those engagement letters that’s the perfect opportunity you can talk about your fees all you want and what you are going to do about file retention and so forth, but you talk about email, you identify what you’re going to protect, how you’re going to protect it. And you send it to the client at the beginning of the relationship. It makes for a smoother, better relationship.
Well, Tom, it sounds real scary and like it’s a lot to know, but with a few simple tips and some effort and a little bit of education we can all manage this new normal.
I agree wholeheartedly.
Thank you Mike and Tom for helping us understand the ever-changing technology that affects our practices.
If you have ideas for future ACTEC Trust & Estate Talk topics, please contact us at ACTECpodcast@ACTEC.org.