Good morning,
This article from NALS tells us why information security matters to the legal professional. It is our obligation. Read about it below.
“Why Information Security Matters to the Legal Professional
By William L. Taylor and Steven J. O’Dorisio
(originally published in @Law – Summer 2009)
The purpose of information security is to protect the confidentiality, integrity, and availability of information. This is especially important for those who possess, transfer, store, license, or otherwise use sensitive information belonging to, or relating to, others. Lawyers and law firms are entrusted with some of people’s most sensitive and confidential information, whether it is clients’ or other parties’ information.
This article will discuss a legal professional’s obligations to protect information, potential consequences for failing to do so, and some steps a legal professional can take to mitigate risk.
Obligations
A lawyer (and thus a legal professional working with that lawyer) has a duty to protect the confidentiality of a client’s information. This duty is found in the ethical rules of professional conduct as well as other sources of law.
Ethical Obligations
The ethical rules of professional conduct that govern a lawyer’s actions are found in each state and within the American Bar Association’s Model Rules of Professional Conduct. For example, ABA Model Rule 1.6 prohibits a lawyer from revealing information relating to the representation of a client without the client’s informed consent. Comment 16 under Rule 1.6 requires a lawyer to “act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.” Comment 17 under the same Rule requires a lawyer to take reasonable precautions to prevent information relating to the representation of a client from falling into the hands of an unintended recipient. In addition, Rule 1.15 requires lawyers to “appropriately safeguard” property of clients or third parties that is in the lawyer’s possession.
Such obligations also apply to other legal professionals. For example, Section 1.5 of the National Federation of Paralegal Associations, Inc.’s Model Code of Ethics and Professional Responsibility and Guidelines for Enforcement requires paralegals to protect and preserve confidential information. In addition, Canon 7 of the Code of Ethics and Professional Responsibility for the National Association of Legal Assistants requires legal assistants to “protect the confidences of a client” and “not violate any rule or statute now in effect or hereafter enacted controlling the doctrine of privileged communications between a client and an attorney.”
Failure to comply with the ethical obligations could result in disciplinary actions against the legal professional, which may include suspension or revocation of the professional’s association with the governing organization. In the case of attorneys, the ultimate disciplinary sanction is disbarment, but lesser sanctions also threaten an attorney’s livelihood.
Legal Obligations
In addition to the ethical rules described above, legal professionals may have implied or express legal obligations to protect the confidentiality, or overall security, of certain information. Failure to secure confidential information or data could lead to a breach of such obligations.
Implied Obligation
State data breach statutes (enacted in 44 states at the time of this article) generally require organizations that use, store, license, or transmit personally identifiable information (PII) to notify the persons affected when the confidentiality of that information is breached. The cost of investigating a data breach and sending a notification letter to each affected individual can mount quickly; in cases of mass data breaches, notification costs can run in the hundreds of thousands of dollars. Every breach carries a cost, however, because upset clients may decide to take their business elsewhere. While lawmakers may claim that data breach notification laws are designed to help mitigate the damages and potential losses relating to identity theft by notifying individuals of the breach of PII, such laws often serve as a “scarlet letter” designed to “encourage” organizations to better protect PII.
The duty to protect certain information relating to individuals is also implied in state and federal laws prohibiting unfair business practices. For example, the failure to adequately safeguard consumer information may be deemed an “unfair” business practice under state consumer protection laws and the Federal Trade Commission Act. Under these same laws, failure to comply with an organization’s own stated policies regarding privacy and confidentiality may be deemed a “deceptive” business practice. While these laws do not expressly require organizations to implement specific information security controls, such measures are implied in that failure to do so could result in stiff penalties, fines, or civil causes of action.
Express Obligation
Some states have begun adopting laws that expressly require organizations that use, store, license, or transmit PII to implement specific information security controls. For example, Nevada recently passed a law requiring organizations to use encryption when transmitting PII via external data networks. In addition, Massachusetts adopted a data security regulation that will require organizations that own, license, store, or maintain PII about a resident of Massachusetts to implement certain information security standards, including the encryption of all transmitted PII and PII contained on laptops and other portable devices. While the consequences for failing to comply with the Nevada law are somewhat unclear, violation of the Massachusetts regulation likely falls within the state’s unfair competition statute, which includes civil penalties and recovery for costs of the investigation and attorneys’ fees.
Privilege
The attorney-client privilege protects confidential communications between a client and the attorney for the purpose of providing legal advice. If the attorney or the client reveals the confidential information to third parties, such privilege may be waived. This can occur from deliberate or inadvertent disclosure of the confidential information. To protect the privilege, legal professionals should implement reasonable safeguards to prevent disclosure of confidential information. Failure to act accordingly could result in a waiver of the attorney-client privilege and lead to other adverse consequences.
Malpractice
Failure to protect the confidentiality of a client’s information may result in malpractice or tort, breach of contract, fraud, or breach of fiduciary duty claims. Generally, such claims can lead to monetary damages or return of fees paid to the legal professionals. These claims often hinge on whether the legal professional violated some standard of care or duty, which may come from any of the sources of law described above. Certain information security control measures, such as password protection or even encryption, can be stipulated in malpractice insurance policies or published practice standards.
Risks
In our experience working with lawyers and law firm clients, we have seen certain risks more often than others. Most common are accidental or inadvertent disclosures of confidential information; less common, though still frequent, are intentional or malicious breaches of information security.
Inadvertent Disclosures
Most disclosures of confidential information occur by accident or mistake. Factors contributing to such inadvertent disclosures include a continuing increase in the volume of information, time constraints placed on legal professionals, a lack of understanding by legal professionals of information security risks and practices, and a trend in information management practices that increasingly places responsibility for information security on the end user.
Inadvertent disclosures of confidential or privileged information often occur in large document review efforts involving other parties. For example, litigation involving electronic discovery requires each litigant to identify and produce to their opponent all information that is relevant to the dispute; likewise, business transactions involving due diligence require each party to the deal (mostly the seller) to identify and produce information relevant to the deal. In both situations, the increasing volume of electronic information increases the likelihood that some privileged, or otherwise confidential, information is mistakenly disclosed to the adverse party. Such disclosures can put a client and counsel at a severe disadvantage in litigating a case or negotiating a deal.
Inadvertent disclosures of confidential information also can occur in day-to-day communications. For example, there are many cases throughout the United States involving the inadvertent disclosure of confidential or privileged information in metadata. Metadata is data embedded in an electronic document that is not shown in the normal view of the file, such as author names and the comments or tracked changes left by other attorneys or clients who collaborated in creating the document; it travels with the file when the file is sent. The ABA and some state ethics committees (e.g., Colorado Formal Opinion 119) have concluded that the recipient of a document containing metadata is permitted to review the metadata, while other state ethics committees have concluded that metadata should not be reviewed. Either way, the inadvertent disclosure of confidential or privileged information is a concern among many in the legal profession.
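The metadata problem is concrete enough to show in code. What follows is an added example and is not part of the original @Law article or the authors’ work. A .docx file is a zip archive of XML parts; the example builds a small constructed .docx in memory (the names, comment and dollar figures are invented for the demonstration), lists what a recipient can read from it (author identities in docProps/core.xml, comments in word/comments.xml, tracked deletions and insertions in word/document.xml), and then produces a scrubbed copy whose visible text is unchanged. Only the Python standard library is used.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside a .docx (Office Open XML).
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DC_NS = "http://purl.org/dc/elements/1.1/"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
for _prefix, _uri in (("w", W_NS), ("dc", DC_NS), ("cp", CP_NS)):
    ET.register_namespace(_prefix, _uri)


def w(tag: str) -> str:
    """Clark-notation name for a WordprocessingML element or attribute."""
    return f"{{{W_NS}}}{tag}"


# Constructed sample parts (invented content). A real .docx has many more parts
# ([Content_Types].xml, rels, styles); only the parts that carry metadata matter here.
CORE_XML = (
    f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
    "<dc:title>Settlement Proposal</dc:title>"
    "<dc:creator>J. Paralegal</dc:creator>"
    "<cp:lastModifiedBy>A. Partner</cp:lastModifiedBy>"
    "</cp:coreProperties>"
)
COMMENTS_XML = (
    f'<w:comments xmlns:w="{W_NS}">'
    '<w:comment w:id="0" w:author="A. Partner">'
    "<w:p><w:r><w:t>Client will accept as low as $400,000; do not reveal.</w:t></w:r></w:p>"
    "</w:comment></w:comments>"
)
DOCUMENT_XML = (
    f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
    '<w:commentRangeStart w:id="0"/>'
    '<w:r><w:t xml:space="preserve">We propose a settlement of </w:t></w:r>'
    '<w:del w:id="1" w:author="A. Partner"><w:r><w:delText>$400,000</w:delText></w:r></w:del>'
    '<w:ins w:id="2" w:author="A. Partner"><w:r><w:t>$650,000</w:t></w:r></w:ins>'
    "<w:r><w:t>.</w:t></w:r>"
    '<w:commentRangeEnd w:id="0"/><w:r><w:commentReference w:id="0"/></w:r>'
    "</w:p></w:body></w:document>"
)


def build_sample_docx() -> bytes:
    """Zip the constructed parts into an in-memory .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/comments.xml", COMMENTS_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def _parts(data: bytes) -> dict:
    """Decompress every part of the archive: part name -> raw XML bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {name: z.read(name) for name in z.namelist()}


def inspect_docx(data: bytes) -> dict:
    """What a recipient can read with no special tooling: identities, comments, revisions."""
    parts = _parts(data)
    found = {"authors": set(), "comments": [], "tracked_changes": []}
    if "docProps/core.xml" in parts:
        core = ET.fromstring(parts["docProps/core.xml"])
        for name in (f"{{{DC_NS}}}creator", f"{{{CP_NS}}}lastModifiedBy"):
            el = core.find(name)
            if el is not None and el.text:
                found["authors"].add(el.text)
    if "word/comments.xml" in parts:
        for c in ET.fromstring(parts["word/comments.xml"]).iter(w("comment")):
            text = "".join(t.text or "" for t in c.iter(w("t")))
            found["comments"].append((c.get(w("author")), text))
    doc = ET.fromstring(parts["word/document.xml"])
    for kind in ("del", "ins"):
        for el in doc.iter(w(kind)):
            # deleted text sits in w:delText, inserted text in ordinary w:t runs
            text = "".join(t.text or "" for t in el.iter() if t.tag in (w("t"), w("delText")))
            found["tracked_changes"].append((kind, el.get(w("author")), text))
    return found


def _accept_revisions_and_strip_comments(doc: ET.Element) -> None:
    """Mutate document.xml in place: drop deletions and comment anchors, keep inserted runs."""
    parent_of = {child: parent for parent in doc.iter() for child in parent}
    for kind in ("del", "commentRangeStart", "commentRangeEnd", "commentReference"):
        for el in list(doc.iter(w(kind))):
            parent_of[el].remove(el)
    for ins in list(doc.iter(w("ins"))):  # unwrap: the runs stay, the w:ins wrapper goes
        parent = parent_of[ins]
        at = list(parent).index(ins)
        parent.remove(ins)
        for offset, run in enumerate(list(ins)):
            parent.insert(at + offset, run)


def scrub_docx(data: bytes) -> bytes:
    """Return a copy with identities blanked, comments removed and revisions accepted."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name, blob in _parts(data).items():
            if name == "word/comments.xml":
                continue  # drop the whole comments part
            if name == "docProps/core.xml":
                core = ET.fromstring(blob)
                for el in core:
                    if el.tag in (f"{{{DC_NS}}}creator", f"{{{CP_NS}}}lastModifiedBy"):
                        el.text = ""
                blob = ET.tostring(core, encoding="UTF-8", xml_declaration=True)
            elif name == "word/document.xml":
                doc = ET.fromstring(blob)
                _accept_revisions_and_strip_comments(doc)
                blob = ET.tostring(doc, encoding="UTF-8", xml_declaration=True)
            dst.writestr(name, blob)
    return out.getvalue()


def visible_text(data: bytes) -> str:
    """Text as shown in the editor's normal view (w:t runs only)."""
    doc = ET.fromstring(_parts(data)["word/document.xml"])
    return "".join(t.text or "" for t in doc.iter(w("t")))


def leaks(data: bytes, needle: str) -> bool:
    """True if needle appears in any decompressed XML part, visible or not."""
    return any(needle.encode() in blob for blob in _parts(data).values())


if __name__ == "__main__":
    original = build_sample_docx()
    print(inspect_docx(original))           # names, the comment, both tracked changes
    cleaned = scrub_docx(original)
    print(inspect_docx(cleaned))            # nothing left
    print(visible_text(cleaned))            # "We propose a settlement of $650,000."
```

The point of inspect_docx is that it is what an adverse party can run on whatever you send. Real documents carry more identifying parts than this sample (document.xml.rels, custom properties, revision identifiers, embedded images with their own metadata), so for production use rely on the word processor’s built-in document inspector or a dedicated scrubber, and treat a check like inspect_docx on the outgoing file as the last step before it leaves the firm.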
Malicious or Intentional Breach
Intentional or malicious breaches of confidentiality can occur from internal or external sources. Internal breaches can be perpetrated by employees, agents, representatives, experts, or subcontractors who have access to confidential or privileged information. These are the people the legal professional and client trust, and therefore, situations involving internal persons are often the most difficult to identify, prevent, and remediate. Most information security safeguards are designed to protect against external attacks, such as those by hackers, crackers, and industrial saboteurs. While the threat of malicious or intentional breach of confidentiality by external persons is real, resources often are allocated to protect against external threats when the more common and likely threat of a data breach comes from within.
Recommendations
To meet their obligations and to protect against the risks discussed above, legal professionals should consider implementing information security practices that include establishing accountability for information security efforts, assessing information security risks, and establishing policies, processes, and procedures to mitigate information security risks.
Establish Accountability
Legal professionals should identify some person or group of persons who will be responsible for establishing and overseeing an information security program. This can be done by simply appointing a single person to serve as an information security officer or a committee can be formed to collectively address information security matters.
Risk Assessment
It is unreasonable to expect legal professionals to protect against every possible threat that may exist; therefore, the legal professional should conduct organized risk assessments to identify, prioritize, and plan information security efforts. Such risk assessments can also serve to indicate the legal professional’s exercise of due care and diligence in implementing “reasonable” safeguards to protect confidential and privileged information. Generally, risk assessments require the legal professional to: (i) identify threats to confidentiality of privileged or confidential information; (ii) determine the likelihood of such threats occurring; (iii) estimate the severity of such threat occurring; (iv) identify safeguards or measures to mitigate each threat; and finally, (v) conduct a cost-benefit analysis to select “reasonable” safeguards.
Again, not every threat can be mitigated using reasonable efforts. For example, it is unreasonable to expect a legal professional to monitor every email or communication of each employee to ensure the employee is not inadvertently or intentionally disclosing confidential or privileged information. On the other hand, it may be reasonable to initiate training that teaches employees how to prevent the disclosure of confidential or privileged information and to identify when their colleagues may be inadvertently or intentionally making such disclosures.
Policies, Processes & Procedures
Many of the risks identified above can be mitigated significantly by establishing policies, processes, and procedures. For example, inadvertent disclosures occurring during document review efforts involving high volumes of data may be reduced by implementing a policy that requires that electronic discovery or due diligence efforts include the involvement of attorneys or other legal professionals who have experience in such efforts to oversee the process. Such a policy should clearly define how information will be identified, preserved, protected, and eventually shared with other persons. In addition, the policy should define how legal professionals should respond if inadvertent disclosures or intentional breaches are discovered.
Summary
In summary, legal professionals need to be aware that applicable statutes and ethical provisions may require them to take specific steps to protect confidential information entrusted to them. Failure to do so could lead to liability or professional discipline. Knowing what data one has and preventing foreseeable threats to information systems’ integrity is the first, best step to preventing the preventable. Forewarned is forearmed.
Technical control measures can be implemented to protect internally held data from loss or theft. For example, data or file encryption is available off-the-shelf, provides serious data protection, and may exempt a legal professional from applicable data breach notification laws under safe harbor provisions built into the statute. Those safe harbors generally apply only where the encryption key was not also compromised, so where keys are stored and who can use them matters as much as the decision to encrypt.
William L. Taylor and Steven J. O’Dorisio are attorneys at the Denver office of Holland & Hart, LLP. Mr. Taylor is a member of Holland & Hart’s white collar and government investigations practice group, specializing in corporate internal investigations, white collar defense, and complex commercial litigation. Prior to joining Holland & Hart, he served as Chief of the Major Crimes Section for the United States Attorney’s Office, District of Colorado. As a federal prosecutor, he led investigations and prosecutions of public corruption, healthcare fraud, mail, wire, securities, and bank fraud, bankruptcy fraud, false claims, immigration and customs violations, U.S. passport fraud and other identity theft and threat offenses, firearms, and narcotics violations. Mr. Taylor also served as the Office’s Criminal Health Care Fraud Coordinator, and led a task force of state and federal agencies investigating emerging transnational criminal organizations engaged in complex frauds, money laundering, and cyber crime. He can be reached at wltaylor@hollandhart.com.
Mr. O’Dorisio’s practice includes working with both emerging companies and established corporations to address the challenges of information management and technology, including risk management, procurement and outsourcing, information security, data privacy, and protection of company assets and intellectual property. In addition to advising clients on planning and compliance with information security and data privacy legal requirements, Mr. O’Dorisio has assisted clients in incident and data breach response. Mr. O’Dorisio is a Certified Information Privacy Professional (CIPP). He can be reached at sjodorisio@hollandhart.com.”