Lawyers routinely deal in confidential information. Indeed, one mainstay of the profession is attorney-client privilege, meant to foster candid and informative discussions between attorney and client, to help clients understand their rights and obligations and conform their conduct to the law.
The lawyer’s duty to maintain confidentiality generally requires that he or she take reasonable precautions to protect confidential information. In an era of technological change, data explosion, and ever-greater reports of hacking and other data security breaches, however, standards for “reasonable” precautions to protect information may change.
Recently, an American Bar Association commission proposed an amendment that would expand lawyer data protection obligations. The ABA Commission on Ethics 20/20 was established to review the Model Rules of Professional Conduct in the context of rapid technological growth. In its recent report, the Ethics 20/20 Commission focused on the responsibilities of a lawyer to take steps to protect a client’s confidential information when communicating via electronic technology. (See Commission on Ethics 20/20, Report to the House of Delegates, May 7, 2012, www.americanbar.org.)
Previously, the ABA and other state bar ethics bodies had ruled that the use of unencrypted email comports with a lawyer’s duty to maintain client confidentiality. (See ABA Formal Opinion No. 99-413, Protecting the Confidentiality of Unencrypted E-Mail, www.abanet.org.)
The opinions recognized the risk of unauthorized interception and disclosure of client information in the use of email, but concluded that it is not reasonable to “require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination is a violation of law.” The ABA and other opinion writers, however, noted that there are some types of information, and some types of technological configurations, that may require heightened security.
The recent Ethics 20/20 Commission report pushed the data security point to a new level. The report suggested that lawyers must “keep abreast” of changes in technology, “including the benefits and risks” of using specific tools. Further, the report specifically warned against the dangers of “unauthorized access by third parties” (e.g., “hacking”) and the potential need to adopt additional “safeguards” to protect information, depending in part on its “sensitivity.” Finally, the report reminded lawyers that other state and federal laws, such as data breach notification laws and data privacy regulations, may affect the lawyer’s obligations.
The Ethics 20/20 Commission thus confirms that the “pervasive use of technology” has affected every aspect of society, including the legal profession. The Commission has proposed, among other things, creation of a new ABA Website to provide additional guidance regarding the “evolving security risks” associated with new technology.
[NOTE: The author is a partner in the New York City offices of Jones Day. Samuel Goldstein, a summer associate at the firm, assisted in the preparation of this article. The views expressed are solely those of the author, and should not be attributed to the author’s firm or its clients.]
=" There is (as they say in the academic literature) "much more work to be done.""
as I have noted occasionally: you cannot build a castle on a foundation of sand.
this means getting things on a solid footing before starting work on the castle, and in the area of security this requires that we address the problem of un-authorized programming aka "malware"
there was an old "just for grins memo" that used to circulate. I'll post a copy of it here just for grins:
It is difficult for the ABA (or any bar group) to set definitive standards in this area. The circumstances of lawyers and law firms vary widely. The technology keeps changing. The ABA Commission has, helpfully, raised the profile of the issue within the profession. There is (as they say in the academic literature) "much more work to be done."
Duke:=" Find a way to make email encryption both easy and universal, and the world will beat a path to your door, whether a committee says it's relevant or not."
Encryption is available and easy to use. Check into Outlook with PGP\Desktop, or if you like open source: Try Thunderbird with ENIGMAIL and GnuPG
the "universal" bit comes rather a good bit harder: we need learners and teachers...
PGP provides all 3 key elements of security
authentication
integrity
security
Authentication: allows you to verify who you are talking to
Integrity: allows you to verify that the message you are reading has not been altered in-transit
Security: allows you to be reasonably sure no one other than the intended recipient(s) can read the plain text of the message
I absolutely agree with that. and hopefully IEv is helping, at least some
I would like to note however that this hacking problem has been festering for quite some time
too, a lot of folks have made every effort available to them to address the issue
my point is that in order to obtain a satisfactory resolution we will need stronger action and this will need to be in the form of rules for OEM software makers, and product liability rules to act as persuaders, as well as requirements and regulations to establish limits on liability
basically a computer holding a commercial certification should pass a software audit. if it does the ball is in the user(s) court, if not the O/S OEM is responsible for cleaning out the malware. this should make things manageable on both sides of the ball: each side, user and OEM, will be responsible for those aspects of security he\she can understand and control.
e.g.
you: use the encryption software
OEM: make sure malware does not bypass the encryption software.
Between lawyers, at least, there are some ethical obligations regarding mis-directed communications. A lawyer may be required to notify an adversary when something obviously has been misdirected, and may also be required to return or destroy the message. (That, in part, is the purpose of the reminder notes that many lawyers attach to their emails). But those ethical obligations do not solve the general problem of data security. And there are plenty of means for loss and intrusion into data, in the law firm setting.
Just to put the other side of the case: when I worked in a legal environment, fax machines were a notorious security risk. Confidential documents would be left on fax machines, faxed to the wrong number, or faxed to a supposedly right number which turned out to be a machine sitting in a corridor, with dozens of people walking past every five minutes.
The particular danger with faxes is that quite simple human error could lead to a document being faxed to attorneys on the other side of a case. I recall faxes being sent to an attorney at a meeting at the other side's law offices.
Email doesn't seem to me to be any worse than faxes. The real danger, as with faxes, is inadvertently addressing the email to someone concerned with the matter who shouldn't see it.
The general vulnerability of emails doesn't seem to me to be the issue here - because most emails between attorneys and clients are of no value or interest to third parties, unlike, for example, bank account info.
An interesting point, just how far must law firms go in protecting their confidential info from prying eyes? I can see suits now by clients proposing the lawyer's files got out over the internet, and the lawyer is now liable for damages.
There will undoubtedly be firms specializing in internet theft sometime in the near future, as the digital "Willie Suttons" go where the money is, stealing info over the internet.
Willie Sutton (famous criminal of the last century) once said that he robbed banks because "that's where the money is." Today, law firms and other major institutions have become targets of data security attacks because "that's where the information is." The ABA Ethics 20/20 report is, at least, a wake-up call to the profession, that this issue will not magically go away. Awareness is the first step toward action.
SCB:=" there are different levels of data security, and security technologies attuned to those different levels."
that is a very good point
I would add that each of us should feel obliged to effect "due diligence" in protecting both provider and client information
we should regard this as a business obligation that would apply to vendors as well as to customers for communications systems
due diligence then should extend beyond attaching a confidentiality note to e\mail messages to insisting on general improvement in the over-all environment
IEv is one effort in this regard but there is a wide assortment of weblogs that deal with security efforts
but reporting problems is not enough: our electronic communications services require corrective service: action must be taken.
I think an industry council is needed to guide the FTC in writing Security Rules. These rules should define requirements and assign liabilities so that it becomes everyone's best interest to attend to security.