The ability to access files and communicate from anywhere brings a host of security concerns for law firms entrusted with their clients’ personal data. But it doesn’t take a full-time IT department to prevent confidential information from falling into the wrong hands.
Maryland has no express ethics rule pertaining to the duty of attorneys to safeguard clients’ data stored and transmitted electronically, but portions of the Rules of Professional Conduct can be read to place certain responsibilities on everything from hard drives to email.
Most ethics opinions from around the country say the responsibility to protect client data derives from rules that have been around for decades, including those pertaining to competence, communication and confidentiality, according to Bernard Eydt, attorney and CEO of Maryland-based Pryvos, a cybersecurity consulting firm.
“It’s gotten more attention,” he said. “It’s probably more likely that as attorneys get hacked, they recognize these issues.”
According to Towson attorney and self-described “tech guy” Adam M. Spence, the rule is “reasonable care” when dealing with client data.
Basic steps can be taken by attorneys from small or large firms to avoid becoming an easy target for a hack, according to Spence, who recommends having unique passwords for every program and device with a login as well as not using public wireless networks to access confidential documents.
The vast majority of hacks are initiated through email scams, Spence said, so having a firm policy in place against clicking links and opening attachments from unfamiliar sources can also go a long way to prevent an attack.
“Unless it’s from a trusted source that you’re expecting, don’t open it,” said Spence of Spence|Brierley PC. “If there is doubt, then you don’t do it… You can shut down your system.”
Eydt said the biggest change in recent years for attorneys is the growing need to encrypt email as the reasonable expectation of privacy in such communications decreases.
“Today there’s not a requirement, but as more and more people have access to unencrypted email and unencrypted data, some people could say you’ve breached your professional responsibility,” he said.
Spence said there are websites that offer a secure interface for email as well as software, though both sides need to have the software installed. For additional security, documents can be protected with one or multiple passwords.
One thing to remember is to communicate with clients about these issues, Spence said.
“If a client doesn’t want you to store their data online because they’re worried about hacks, then don’t do it,” he said.
Strategies for small-firm budgets
One problem faced by small firms and solo practitioners is the lack of tools designed for them, according to Eydt.
“Larger firms are going to have much more capabilities to have consistent encryption across all of their attorneys,” he said. “[It’s] just the nature of the way tools are marketed.”
Small firms do not have access to enterprise technology, and even tools that are available are not made to be implemented on one or two computers without operating systems designed for corporate use, he said. BitLocker, for example, is a full-disk encryption feature which is only available on Microsoft Windows’ professional editions.
Placing your cybersecurity needs in the hands of a large, cloud-based storage company which also has an interest in avoiding a breach can also prevent disaster, according to Spence.
“Big names” like Google, Dropbox and Microsoft are going to have security built into their cloud-based storage, which constantly adapts to changes in technology, he said, and information is available about the security certifications of the various services.
“I’m a small firm,” he said. “I don’t have a multimillion dollar budget for security. Microsoft does. Dropbox does.”
A good rule of thumb is to see if a document retention service is HIPAA-compliant, according to Spence. Because healthcare information is so heavily regulated with an emphasis on privacy and security, HIPAA is the gold star standard.
“I think that as lawyers we want to hold ourselves to the highest standard of security,” he said.