Keeping access to the recent cybersecurity threats will be one ounce of prevention in protecting your information—as well as that of your staff and clients.
By Jennifer Saunders, Malpractice Attorney
There are those who never touch the computer sitting on their desk, instead delegating all tasks to staff or associates. There are those who regularly perform basic tasks using programs on a computer or mobile device, such as email. Then there are those who have and use the latest digital devices, from tablets to smartphone watches. While attorneys cover this broad spectrum of information systems users, they are all governed by the same regulations and obligations, and therefore face the same professional and legal ramifications when they authorize the interaction between their practice of law and their electronic device(s). The legal profession has been moving toward technology by becoming “paperless” through the use of various types of devices and software. What does this trend pose in terms of risks to lawyers, particularly in areas of practice such as family law where financial data, while considering issues of support and property disposition, are at the forefront? This article will provide a broad overview of an attorney’s obligations and what considerations need to be addressed.
Cybersecurity Threats and Regulations
National and statewide regulations, policies, rules, and opinions have been emerging for several years. In 2014, the National Institute for Standards Technology (NIST) created a flexible list of standards, best practices, and guidelines which were followed by a special publication in 2015 providing guidance for federal agencies to ensure that sensitive information remains confidential when stored outside of federal systems. The result is an emerging ‘standard’ by which a commercial company’s cybersecurity reasonableness can be measured. Being aware of these standards and maintaining access to the most recent cybersecurity threats will be one ounce of prevention in protecting your information as well as that of your staff and clients.
In California, there are at least three areas lawyers must be aware of relating to computer-generated or stored information: those relating to obtaining credit card information for payments; those relating to ethical obligations in using electronic devices; and those relating to notifications. Attorneys who obtain credit card information for payment of their services or costs is governed, at least in part, by the Song-Beverly Credit Card Act, California Civil Code Section 1747.08(a)(2), which prohibits businesses from requesting that customers provide personal identification information, such as email addresses, during credit card transactions. Therefore, if you are accepting payment of your services by a relative or other third party on behalf of a client, careful compliance with the requirements of the Act are imperative.
As lawyers, our obligations are also guided by the California Rules of Professional Conduct and the Business & Professions Code. Section 6068(1) of the Business & Professions Code provides that the attorney has an express duty “to maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client.” Additionally, Rule 3-110(A) of the California Rules of Professional Conduct prohibits a member of the bar from intentionally, recklessly or repeatedly failing to perform legal services with competence. Therefore, no matter what form the information of the client is in, or what form the information is kept, these duties remain the same. Six years ago, California’s Standing Committee on Professional Responsibility and Conduct issued a formal opinion relating to the attorney’s use of technology and provided members of the bar with some guidance on how to handle client information, noting that these are prerequisites:
“Before using a particular technology in the course of representing a client, an attorney must take appropriate steps to evaluate: 1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client’s instructions and circumstances, such as access by others to the client’s devices and communications.”
A Los Angeles County Bar Association Formal Opinion determined that attorneys have a reasonable expectation of privacy using email. When read in conjunction with the 2010-179 Opinion, does the attorney have a duty to use some form of encryption before sending email to a client and what is meant by “reasonable precautions”? ABA’s Model Rule 1.6 at Comment  expounds that “[f]actors to be considered in determining the reasonableness of the lawyer’s efforts” include “the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).”
All these regulations, statutes and rules can be daunting and frightening. So what are some of the things attorneys should consider in tackling this ever-changing landscape? First and foremost, take action and ask yourself the following questions:
1. Do you have a reliable, astute and well-informed technology person and is that person periodically or regularly monitoring all of your systems for security? Consider verifying the credentials of your IT person and documenting your regular review of systems with that IT person which provides evidence of the “reasonable” steps taken to protect the confidentiality of your client(s) information in the event a question is raised in the future.
2. Do you include any language in your retainer agreements about your security policies and do you follow through with those policies?
3. Do you include any language in your retainer agreement(s) about the use of mobile devices, emails and/or text messaging and do you follow through with those policies? For instance, if you provide in your retainer agreement that for security reasons you do not communicate with your clients through text messaging, it may be wise not to provide your client with your mobile numbers or block text messaging so you do not invite a form of communication which your retainer agreement addresses. [It could be difficult or impossible down the road to retrieve those text messages if the need arises.]
4. Do you use public wi-fi, e.g. in hotels, airports, coffee shops? Perhaps you want to invest in a jetpack or simply avoid any public wi-fi system to avoid the possibility of being directed to a fake wi-fi portal set up by hackers to obtain passwords and encrypted information.
5. Do you use or permit the use of mobile devices for the practice of law? If so, a system of remote wiping of those devices should be a consideration so as to address the potential such devices could be lost or stolen.
6. Are you educating all individuals who have access and use of your computer systems to the appropriate use of and protection of the information in your systems?
7. Do you have a comprehensive plan in place to address the steps to take in the event of any form of possible data breach? Consider working with your technology person to prepare such a plan, which not only you but others in your practice, can easily follow in earnest.
8. Do you have any insurance coverage covering any data breach expenses or potential civil liability? The insurance industry is grappling with coverage issues covering the cyber environment so it is recommended that care be taken to know what coverage you have, what coverage may be available to you and then carefully decide what coverage you desire to implement for your practice.
It’s important to note that no system or method is infallible to a breach but keeping your head above water on the issues can prevent a domino effect on the future of your business and career.
Jennifer K. Saunders is a partner at the California full-service law firm of Haight Brown & Bonesteel LLP. Certified in Legal Malpractice Law by the State Bar of California, she has more than 25 years of experience in representing lawyers in professional liability claims.
 https://www.nist.gov; http://csrc.nist.gov/publications/PubsSPs.html#SP 1800
 This obligation is also found in California Rules of Professional Conduct, Rule 3-100(A).
 California Formal Opinion 2010-179
Mitigating the Risks of the Cloud
The cloud makes storing files, communicating promptly with clients, and working on the go much easier – but is your clients’ information really safe when synced across mobile devices, emailed back and forth, and stored online?
Entrusting others to collect information for your case means you need to be aware of the possible violations of the law.