With offices shuttered and stay-home orders still in place across much of the country due to the COVID-19 pandemic, the task of providing legal services means working from home for nearly everyone, including attorneys and support staff. Even clients are working from home.
The consequence of all this remote work is that proprietary and confidential client information is now frequently transmitted from unsecure environments, across unsecure networks, and via unsecure digital devices. The danger that a lawyer will violate the ethical duty to safeguard confidential client information—either through carelessness or through intrusion from hackers and other third parties—is significant. With increased remote operations, the danger is greater than ever.
This blog post summarizes critical steps lawyers should take to secure their clients’ confidential information during these challenging times.
The Lawyer’s Ethical Obligations Regarding Client Data
Before taking up the electronic information trouble spots in work-from-home environments, it’s useful to note where the lawyer’s duty to competently safeguard electronic information comes from.
The lawyer’s obligation to safeguard a client’s confidential information arises from several provisions in the legal profession’s code of conduct. Although the rules vary slightly from state to state, the American Bar Association’s Model Rules of Professional Conduct provide a close approximation of the applicable rules in every jurisdiction.
Rule 1.4 creates a duty for lawyers to communicate with clients and to comply with reasonable client requests for information. In other words, a law firm operating from outside its usual office space has no choice but to communicate with clients.
Rule 1.6(c) requires that lawyers “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Rule 1.6(c) applies to all forms of electronic information, which includes text messages, shared files, email messages, telephone calls and voicemail, and, of course, all of the videoconferences now substituting for in-person communications regarding client matters.
Comment 8 to Rule 1.1 creates the so-called “duty of technological competence,” requiring lawyers to be knowledgeable about “the benefits and risks associated with relevant technology” used in the practice of law. This comment, adopted by the ABA in 2012, is now part of the code of conduct in 38 states.
Finally, Rule 5 requires law firm management to take steps to ensure that all lawyers (Rule 5.1) and non-lawyer support staff (Rule 5.3) comply with electronic data security obligations as well.
Taken together, these ethical rules oblige all lawyers to comprehensively review their firm’s data operations and take reasonable measures to prevent the loss or unauthorized disclosure of confidential client information.
Remote Work Trouble Spots
Not surprisingly, information security dangers are pervasive in a modern law office, particularly when 100 percent of operations are moved online and every employee becomes a new, and potentially unsecure, access point. Every aspect of the firm’s data operations—from email to file-sharing to videoconferences—must be scrutinized.
Meetings via Videoconference
Widespread videoconferencing is likely the biggest change in law office operations during the COVID-19 epidemic. No ethical rules prohibit the use of videoconferencing, either for client communications or for remote hearings. Courts and bar regulators are currently encouraging wider use of videoconferencing to provide legal services.
However, lawyers must take steps to ensure that videoconferences are secure, meaning that unauthorized participants are not joining them and that client confidential information is not inadvertently shared with unauthorized individuals during the videoconference.
People are typically the weakest link in security posture, so learning how to use the videoconferencing software and adopting best practices go a long way toward creating the safest environment for that kind of communication. Consult the security recommendations published by your videoconference provider. For example, three popular providers, GoToMeeting, Webex, and Zoom, all offer best practices to properly secure videoconferences.
Common security safeguards recommended for videoconferences include:
- Password-protecting the videoconference
- Allowing only signed-in users to participate
- Prohibiting or tightly controlling screen-sharing capabilities
- Locking the meeting to prevent access after the meeting starts
- Using a randomly generated meeting ID
These measures will protect your videoconferences from outside intruders. Lawyers should consider inside intruders as well. Client confidentiality can be lost if third parties are in the same room with videoconference participants. Some attorneys have advised that voice assistants like Alexa and Siri (which record all voices within listening distance) be turned off during videoconferences and telephone calls.
Broadband routers can be a weak point in the security of data going into and out of the home. At a minimum, lawyers doing client work at home should:
- Change the default network name and password that came installed with the router
- Ensure that data transmissions from the router to computing devices in the home are encrypted with the strongest possible protocols
- Ensure that the router has a firewall to guard against intrusions and ensure that the firewall is activated
Computers at Home
Lawyers and support staff who do not have firm-issued laptops will in most cases be forced to use personal devices while working remotely. Firm management should take care to ensure that these devices have the latest security updates installed and that they are robust enough for all intended uses. Computers used for remote work should be secured with two-factor authentication and loaded with anti-malware protections. Two-factor authentication should also be utilized when accessing email communications and cloud-based file-sharing services, if that is an option.
Client confidentiality can be lost if third parties view sensitive information on a computer screen or overhear conversations discussing client matters. Lawyers and staff working from home should consider establishing a dedicated, private space for use when communicating with each other and with clients.
Virtual Private Networks
A Virtual Private Network (VPN) hides internet browsing activity by forcing all data transmissions through an encrypted tunnel to the private network's servers. Law firm management should provide VPN access with split tunneling disabled (so that all traffic goes through the tunnel and the device has no access to the local network) for remote workers to use when accessing confidential client information.
Cloud-based file-sharing services are in wide use within the legal profession, but law firm management must take steps to ensure that remote workers use only approved service providers and that best practices are followed in the configuration and deployment of those services.
Text messaging is a convenient form of communication, especially outside the office. Lawyers considering increased use of text messaging with clients should take steps to ensure that they are able to retain a copy of text messages. Also, texting software can be susceptible to intrusion by unauthorized parties, so lawyers might want to consider using messaging software that will encrypt messages during transmission when communicating with clients.
Untrained Employees and Remote Rookies
None of the foregoing data security measures will be effective unless all law office personnel working from home understand how to use them and have adopted those behaviors. This means that everyone must be trained how to use all software, cloud computing services, and videoconferencing platforms according to best practices. Everyone must be advised of the firm’s expectations regarding the security of client confidential information.
Getting Started With Data Security
If the sudden need to work remotely has caught your firm off guard, a good place to begin addressing these issues is the ABA Standing Committee on Ethics and Professional Responsibility’s 2017 opinion outlining an attorney’s duty to protect electronic communications with clients. The committee advises that lawyers should first learn about information security threats, then inventory client data that is at risk, and finally take steps to protect that data.
The committee’s suggested approach looks like this:
- Understand the nature of the threats
- Understand how client confidential information is transmitted and stored
- Identify and label client confidential information
- Decide how electronic communications should be protected
- Train lawyers and non-lawyer staff in technology and information security
- Conduct due diligence on all information technology vendors
If you haven’t done so yet, now is a good time to refresh your understanding of the ethical rules governing client confidential information in place in your state. There’s a good chance that local regulators have issued additional guidance in recent weeks spelling out how the legal profession’s ethics code applies to information security for lawyers operating during the age of COVID-19.