The Florida Bar

Florida Bar Journal

Attorneys Must Protect Clients’ Sensitive Data

Executive Directions

John F. Harkness Jr.

Open up any newspaper and you will not have to read far to find a headline on the latest security breach. Privacy Rights Clearinghouse reports that between 2005 and March 2016, there have been 4,766 reported data breaches exposing 898,458,364 records. In the first quarter of 2016, there have been 60 data breaches exposing 2,482,360 records.

Attorneys cannot afford to sit idle and assume that their information is secure. The FBI has reported that they are seeing law firms increasingly targeted by hackers, and one report noted that 80 percent of the 100 largest law firms have been hacked since 2011.

Law firms are high-value targets for hackers because they hold highly confidential and sensitive data. The legal and ethical obligations that law firms have to their clients demand this sensitive data be protected through the development and implementation of strong and comprehensive cyber security programs.

The ethical standards to ensure attorneys and firms maintain the confidentiality of all information relating to the representation of a client are well known. ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The Florida Bar has several similar ethical provisions in place. The Florida Bar Board of Governors voted in July 2015 to approve the addition of the following language to the comment of Florida Bar Rules of Professional Conduct 4-1.1:

“Competent representation may also involve the association or retention of a non-lawyer advisor of established technological competence in the field in question. Competent representation also involves safeguarding confidential information relating to the representation, including, but not limited to, electronic transmissions and communications.”

The comment also added language that lawyers should have “an understanding of the benefits and risks associated with the use of technology.”

In order for a security initiative to be a success, it must have the full cooperation of all firm personnel: technical and nontechnical staff. This requires that all staff are aware of 1) the information that requires protection; 2) the nature and extent of the risks to that information; 3) the firm’s risk appetite, including an understanding of the risk level to confidential information the firm is willing and legally permitted to tolerate; and 4) the amount of resources the firm is willing and able to commit to ensure that level of risk.

Security involves thorough analysis and frequently requires balance in determining what risks and safeguards are reasonable; there is often a trade-off between security and usability. Strong security often makes technology very difficult to use, while easy-to-use technology is frequently insecure. The challenge is to find the correct balance among all of these competing factors.

Determining what constitutes “competent and reasonable measures” can be difficult. The ethics requirements should be seen as the bare minimum. Anything less is a violation of an attorney’s professional duties. Attorneys should always strive for stronger safeguards to protect their clients and themselves. In determining what is reasonable, attorneys can look to The Florida Bar’s Practice Resource Institute (PRI) for guidance. PRI regularly publishes materials and provides educational programs on information security.

Attorneys have ethical and common law duties to take competent and reasonable steps to protect information relating to their clients. Compliance with these duties requires the development, implementation, and maintenance of a comprehensive information security program. Important considerations for attorneys include understanding limitations in their knowledge and experience, obtaining appropriate, qualified assistance, continuing security training, and ongoing review and updates as technology, threats, and available security evolve over time. Particularly important is constant security awareness by all users of technology at all times.

For assistance with developing your firm’s security program, contact PRI to speak with a practice management advisor. PRI can be reached from 8 a.m. to 5:30 p.m., Monday through Friday, via telephone at (866) 730-2020, email at [email protected], or live chat via the PRI website.