I’ve blogged often on tech competence and the duty to safeguard client data. In short, lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to confidential client information.
So, people often ask “what are reasonable precautions?”
Nobody likes that answer. But it’s correct.
For instance, do you mean “what are reasonable precautions when it comes to cloud storage?” Or, are you asking whether a lawyer has a duty to encrypt e-mail? Wait, maybe you’re talking about your duties when crossing the border? No, no, I get it now: you’re asking if a lawyer has a duty to disable auto-complete. Oh my gosh, no – you’re referring to the hallmarks of trust account scams.
No matter the mode of communication, no matter the place that information is stored, a lawyer must safeguard client information. And, as I explained here, it makes perfect sense not to get into the habit of re-evaulating a lawyer’s duty with every new technology. Whatever the next new thing is, a lawyer’s duty will remain the same: to take reasonable precautions against the inadvertent disclosure of or unauthorized access to client information.
But, as this post in the ABA Journal points out, lawyers and law firms aren’t sailing into uncharted waters. There are lessons to be drawn from other professions. Per the post, those lessons include:
- Encryption is important. I’d even venture to opine that if it isn’t already, we aren’t long for the day when the failure to encrypt is tantamount to a failure to take reasonable precautions.
- Partners and more senior lawyers have to follow the same rules as everyone else. “I don’t do tech” isn’t reasonable. It’s no different from saying “I don’t do ‘protecting client information.’ “
- Employees and 3rd party vendors need to be trained on the importance of data security.
There’s a great quote in the article. It’s from Michael Mason, chief of security for Verizon Communications: law firms should foster, grow, and ” ‘develop a culture of security.’ ”
A culture premised on “we hope it doesn’t happen to us” is not a culture of security.
With “it” being a breach, the dreaded “it” has happened not just to lawyers and law firms, but to many other professions. As the ABA Journal suggests, lawyers would be wise to take heed of the lessons learned by those other professions.