Q: How does a lawyer handle my confidential information?
A: A lawyer must "act competently to safeguard information relating to the representation of a client," according to Model Rule 1.6, which governs attorneys' ethical practices. Today, a lawyer must understand how cloud computing works in order to competently comply with this obligation. With any cloud or virtual online storage hosting of client data, your lawyer should enter into a Service Level Agreement (SLA) that dictates how client data and files are kept secure. The law office should use firewalls and data encryption to further ensure that a client's data is kept confidential.
Q: Does my lawyer have to follow any standards to safeguard my confidential information?
A: Anyone who has Federal Taxpayer Information (FTI) must follow standards set by the Internal Revenue Service (Regulation 1075). This regulation provides guidelines and procedures not only for computer use but also for storing and destroying physical files containing FTI. While this regulation is probably "over kill" for the average law office, it is an excellent guide for law firms to follow. For example, law offices should have written policies regarding remote access to their computer systems and for the use of thumb drives. Internet use by employees on computers housing client's information should be regulated and monitored.
Q: Should my attorney's law office employees be allowed to work remotely with my client data?
A: If there is a proper system in place, this may be acceptable, as long as the employee always adheres to your attorney's profession obligations. You may want to question your attorney about the firm's plan for protecting your client information at all times. For example, you might ask your attorney: Will any of your staff members work on the firm's laptop or their home computers? Is the firm's computer or external storage device password protected? Do staff members work on files remotely and email them to the office? There are many ways a law firm can address these concerns by using various encryption options. These options are now standard on most word processing programs and .pdf files, but the encryption only works if a password is sent by separate email to the person receiving the information.
Q: How can my attorney avoid a data breach like those I've heard about in the news?
A: If Target, Home Depot, celebrity iCloud accounts, and many others can experience a data breach, then so can your attorney. Forty-three percent of companies have experienced a data breach in the last year according to USA Today, and that is likely a conservative estimate, since many data breaches are not reported. Your attorney may not be able to avoid a data breach, but a law office that expects to be hacked is more likely to provide office policies addressing confidential information, including safeguards for hardware and software. Your attorney and staff should be trained on cyber and physical security of confidential client information. Whether using the Cloud, a smartphone or the office paper shredder, your attorney has a duty to competently safeguard your information.
Q: I've seen the paper shredder at my attorney's office. That's a good sign I'm protected, right?
A: Maybe, but if your attorney opens up the shredder and you can still read anything on the scraps, then your documents may as well have been crumbled into balls and thrown away. At a minimum, a paper shredder must cross-cut, diamond-cut or pulverize documents. If your attorney uses a third-party vendor to dispose of your confidential documents, then your attorney must be familiar with that company's policies and procedures for disposal. Your attorney's duty to you not only extends to his or her employees, but also to any third-party vendors the firm may use.
Q: Should I send information to my attorney through Instant Message, Facebook, or Instagram?
A: You cannot expect your attorney to safeguard your information when you submit it through an unsecure platform. Your attorney's law office likely spends time and money to understand every aspect of the proper storage, transmission and destruction of your client information. Law offices must also train support staff and third-party vendors on the firm's best practices. If you open the door for a data breach, however, none of your attorney's safeguards will protect your information.Enter your text here ...
This "Law You Can Use" column was provided by the Ohio State Bar Association. It was prepared by Dayton attorney Gregory M. Gantt.