Tuesday, October 30, 2012

Going Paperless, Part II: Securely Storing the Client's Electronic File

Introduction

As described in this previous post, advances in technology have made storing the client file (and other documents and information) in electronic format a reality for many attorneys and law firms. Of course, widespread technology adoption and the interconnection of networks, organizations, and people also make protecting the client file more complex.  However, the obligations to maintain the confidentiality of the client file and to safeguard that file apply regardless of the form in which documents and data are kept.

In considering how to continue to meet ethical and legal obligations with respect to an electronic file, a perfectly reasonable response is to look to a technology product or service.   In other words, technology brought us these "problems", so let technology "solve" them.

However, protecting the electronic file is not primarily a matter of adopting technology products or services (although technology certainly plays a role), but one of 1) identifying and understanding what you have and want to protect; 2) identifying the risks that could threaten the confidentiality of the client file or compromise its security; 3) creating policies and processes that protect the client file; and 4) implementing those policies and procedures throughout the firm.

An Attorney's Confidentiality and Security Obligations under the South Carolina RPC

The obligation to protect the client's information and property has long been a cornerstone of the practice of law.  These obligations to protect client information and property are found in Rule 1.6 (“Confidentiality of Information”) and Rule 1.15 (“Safekeeping Property”) of the South Carolina Rules of Professional Conduct (RPC).  In summary, keep it confidential and keep it secure.

Before the digital era, these rules required attorneys to protect documents with locked doors, appropriate permissions, and an understanding throughout the office of how to maintain appropriate confidentiality and security.  Now firms have to protect against new threats from outside (e.g. hackers), and inside the firm (unauthorized access and transfer of documents and information).  Additionally, cheap storage and high-powered mobility create new challenges in keeping client information safe when it leaves the office on a laptop, tablet, smartphone, or USB drive.

Securing the Electronic Client File is Not a "Technology Problem"

As previously discussed here, and borrowing from Andrew Adkins, the challenges law firms typically describe as “technology problems” are more often human policy and process failures.  It is important to keep in mind that “behind every error blamed on computers there are at least two human errors, including the error of blaming it on the computer.”  These concepts are particularly apt when discussing confidentiality and security.  No technology product alone will manage information for you—and no technology will shoulder the responsibility when you have mismanaged information and thereby failed to meet your confidentiality and security obligations.  Similarly, as discussed here, federal courts have little patience for a claim that "technology" caused an attorney to miss a filing deadline.

Create Policies and Processes to Protect the Client File (and All Your Data)

Computer security specialist Bruce Schneier observed that "security is not a product, it's a process."  Managing your information requires various processes, memorialized in written policies and other documents – for appropriate preservation, maintenance, use, recovery, and destruction of client (and other valuable) information.

Before any such policy can be created and put into place, you are going to have to determine what you have that you need to protect, what risks threaten that information, and how to minimize those risks.  The process of identifying these risks is commonly known as a security vulnerability assessment, and it covers not just technology, but also the people, processes and procedures involved in securing and managing documents and data.  If your firm is hesitant to take the time, effort, and resources to undertake this process, consider the costs of performing such an assessment after a security breach takes place.  The State of South Carolina is learning this lesson right now.  Put it this way: how would you feel about notifying each one of your clients that their file had been compromised?

An assessment is not an easy task, and this post could not begin to describe all the considerations that go into a comprehensive policy.  For an invaluable resource on this topic, I highly recommend every attorney and law firm read Locked Down: Information Security for Lawyers when going through the process of developing appropriate policies.    

However, no resource, however comprehensive, can provide you with policies that will work for you "out-of-the-box" or "off the shelf."  Effective policies must be tailored to your firm and its culture, and must articulate what information you maintain and protect and the proper use of that information.  Similarly, no effective policy can remain on the shelf; it must be updated as circumstances warrant.  Very importantly, policies must be communicated regularly to appropriate personnel (and to clients).  And they must be implemented.

As a result, policy implementation will most certainly require the adoption and use of checklists, and the introduction of best practices, training, and other methods to turn prescriptive documents ("you shall") into actual compliance ("we are").  As an example, a policy requiring employees to change their passwords on a periodic basis is a crucial part of keeping a network secure, but meaningless unless the organization has considered how to make password changes part of a routine or standard practice.  In other words, can you achieve a “culture of compliance” that matches the compliance you describe in your policies? 

For more on this (admittedly broad) topic, I also recommend Atul Gawande’s The Checklist Manifesto: How to Get Things Right.  (For previous posts on the benefits of checklists, see here, here, and here).

Understanding and Implementing Technology is (a Part of) the Solution

Of course, implementing policies and processes does not minimize the importance of understanding technology; doing so merely helps define technology’s proper role in your organization.  Because your organization stores, creates, and shares information electronically, you simply cannot manage that information without understanding it.

The American Bar Association House of Delegates recently amended the comment to Model Rule 1.1 “Competence” to include technology: “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.” (new language in italics).  (The language without the italics is found in Comment 6 to Rule 1.1 of the South Carolina RPC.)

This does not mean that every lawyer must learn to write software code, or understand exactly how RAM works.  But you do have to know what you don’t know.  Bob Ambrogi offered a very succinct explanation of this point:

Fortunately, the ABA rule does not require that we all run out and enroll in advanced courses at MIT. We can understand the “benefits and risks” of technology without understanding its most-intricate inner workings. I have long believed that a key to technological competence is knowing what you don’t know. Lawyers don’t have to be IT professionals or engineers — but they need to know when they need one. 

A thorough understanding of how information flows within (and without) your firm, and having a plan to manage it (policies and processes) will put you in a better position to “know what you don’t know.”

Conclusion

Protecting the electronic file may be more complicated, but no less important for attorneys.  Consider processes, policies, technology, and the people who use and implement them in order to continue to meet your obligations under the RPC.