Today, security is top of mind for many in the legal profession. The EU’s GDPR, now one year old, certainly grabbed our attention, and California’s similar CCPA, set to take effect early next year, has increased awareness. While the news has extensively covered major data breaches, it is easy for lawyers, law firms, in-house counsel, and their staff to dismiss their own exposure to such incidents because we typically do not collect large volumes of data in our day-to-day practices.
What is often overlooked, however, are the large volumes of documents and forms containing sensitive client information living on our networks, whether on-premises or in the cloud. We have a legal and ethical duty to protect that sensitive information, regardless of firm size or practice area.
It comes as no surprise that each day millions of documents are filed with courts and other agencies, and most, if not all, contain at least some sensitive client information. From Personally Identifiable Information (PII) to employment records to confidential business information and trade secrets, unless this sensitive content is secured before filing, the data becomes public once filed and is available to anyone with the inclination to research it.
One need look no further than a recently reported case in which a law firm’s very own confidential information was made public by documents filed by the opposition. As reported by Charles Toutant in the New Jersey Law Journal, the unprotected information included a law firm partner’s personal information, the firm’s trust account information, and full signatures for the account. The lawsuit alleges that, while the confidential information was subsequently removed, there is no way of knowing whether it had been viewed, downloaded, or is now available on the dark web.
David Ries, in his recent Legal Intelligencer article, clearly lays out the ethical obligations and points his readers to several cybersecurity resources. The ethical obligation exists, yet very little specific guidance or enforcement has been put in place by state bar regulators, leaving most of us to wonder what to do, and whether what we’re doing is right, wrong, or enough.
Certainly, there is a flurry of proposed legislation at the state and federal levels to implement protections. But on closer examination, most proposed data security legislation is targeted at businesses with large volumes of structured data (think databases) and, given the current state of politics in the U.S., is likely to be hung up for years. And even if passed, it probably will not pertain to most legal practices.
So, what is the legal professional to do? We operate in a profession that is steeped in precedent and not particularly forward-thinking. But in this case, we can’t wait for someone else to be the ‘guinea pigs’ or to provide us with the ‘magic pill’ that will solve all of our security concerns. Rather, we need to start taking proactive steps, beginning with an analysis/audit of the types of documents we have in our systems, learning where those documents are stored (workstations, email servers, file servers, and other devices), and learning how to truly protect the sensitive information contained in those documents, wherever they exist and for as long as they exist.