Jason Smith, Ron Chichester, Michael Peck 2013-01-26 04:08:26
Keeping Client Data and Your Law License Secure The practice of law has changed dramatically since the days of carbon paper, fax machines, and dusty libraries. Today, an attorney’s computer contains everything needed to manage a law firm’s entire business including the confidential and proprietary data of the firm and its clients, the equivalent of complete file rooms and libraries of documents and data. With laptops, attorneys travel everywhere with thousands of file drawers of information. Unfortunately, power and portability provide opportunities for loss of client data. This article will highlight the facts and figures of data breaches, the data and information impacted, the ethics and attorney duties to protect the information, the penalties for disclosure, and some practical tips on protecting the information. In 2010, almost 600 corporate data breaches were reported,1 each affecting an average of more than 31,000 records. At an average cost of $204 per record, the estimated hard cost of these breaches was more than $6.5 million, and only for those breaches that were reported. Of course, the potential soft cost of these breaches is immeasurable. On Nov. 1, 2009, the FBI issued an advisory warning2 to law firms that they were being singled out by hackers. In 2011, more than 80 firms reported security breaches.3 In addition to cases of identity theft from family law, probate, and tax firms, the biggest threat appears to be corporate espionage targeting firms that represent companies on securities, intellectual property, and mergers and acquisitions deals. Firms are being specifically targeted because hackers realize that law firm computers typically house the most high-value data of its client companies — and not in a corporate-secure data center. Worse, today’s hackers are usually professionals sponsored by sovereign states.4 ETHICS AND DUTIES While a company’s responsibility for protecting data is governed by general business principles and their financial implications, an attorney’s responsibilities are governed by both state statutes and disciplinary rules. Texas is among 46 states that impose a duty to notify on any person who conducts business in the state, when there is an unauthorized disclosure of personal information. Chapter 521 of the Texas Business and Commerce Code establishes a reasonableness requirement for the procedures that companies must take to avoid disclosure of sensitive personal information of customers and clients. Initially, notification was required to be given to any “resident of the state” but effective in September 2012, the statute was changed to require notification to “any individual” affected — regardless of jurisdiction. So far, Texas has not yet followed the five New England states that have added a duty to notify the state’s attorney general during law-enforcement investigations. Texas Disciplinary Rule 1.05 governs “confidential” information, which is defined as privileged and unprivileged client information. Presently, there is a scienter requirement in the disciplinary rule that imputes liability only for “knowingly” disclosing the information. There remains exceptions for inadvertent disclosure, intercepted communications, and compliance with court orders. However, exceptions do not exist for an attorney who loses an electronic device or for a device confiscated by the government. Seizures of travelers’ computers at U.S. international borders5 have resulted in unfettered searches of laptop contents, attorney privilege be damned. No probable cause is necessary at the border. If your seized computer is not retrieved because of cost or time, the government may dispose of your unclaimed laptop by public auction — contents included — to any thirdparty willing to pay. PENALTIES Texas’ breach/notification law affords the attorney general injunctive relief and painful fines for law firms that lose sensitive personal information. Failure to take adequate action can result in loss of your law license, with aggrieved clients exacting their own revenge. PROTECTING THE INFORMATION Protecting your electronic data doesn’t have to involve underground bunkers patrolled by armed guards. Simply encrypting your information using free encryption software available on the Internet can be enough. One of those free tools is TrueCrypt. TrueCrypt allows you to create secure password-protected “containers” (think of a safe in which you store your valuables) of any size and security level. You could create a “container” to fill an entire hard drive on a laptop, protecting everything stored therein, or you could create a “container” small enough to send a handful of files via email or to store on a thumb drive. TrueCrypt is flexible and can provide more than adequate protection. SUMMARY Bottom line, law firms are being targeted because they house highvalue data in less-secure, consolidated locations. Lawyers have a duty (ethically and by statute) to protect client information. Notification statutes are forcing data breaches to become public knowledge causing serious financial and reputational harm. Simple, cost-effective tools exist to increase data protections and prevent your name being in the style of the first U.S. Supreme Court case on this topic. FEELING INSECURE? Join the Computer & Technology Section at the State Bar Annual Meeting in Dallas in June for a live presentation on this topic during the Adaptable Lawyer Legal Innovation track. This will include a handson workshop where thumb drives preloaded with mobile apps and TrueCrypt will be provided to attendees along with step-by-step instructions on creating encrypted files. For information on booking this session for your own event, please contact Council@sbot.org. NOTES 1. The New Law Firm Challenge: Confronting the Rise of Cyber Attacks and Preventing Enhanced Liability, ABA Law Practice Today, David Mandell and Karla Schaffer, March 2012. 2. Preventing Law Firm Data Breaches, Texas Bar Journal, Vol. 75, No. 5, John W. Simek and Sharon D. Nelson, Esq. 3. Mandell and Schaffer, supra. 4. China-Based Hackers Target Law Firms to Get Secret Deal Data, Bloomberg.net, Michael A. Riley and Sophia Pearson, Jan. 31, 2012. 5. United States v. Arnold, 523 F.3d 941 (9th Cir. 2008). Jason Smith is director of legal management consulting for Duff& Phelps, L.L.C., in Houston, where he focuses on technology strategy and implementations for corporate legal departments. He is chair of the State Bar of Texas Computer & Technology Section and is on the Website Committee for the State Bar of Texas Corporate Counsel Section. Reach him at Jason.Smith@DuffandPhelps.com. Ron Chichester is a sole practitioner in Houston. He focuses on electronic discovery, cybersecurity, intellectual property, and electronic commerce. He is a past chair of the State Bar of Texas Computer & Technology Section. Reach him at Ron@TexasComputerLaw.com. Michael Peck practices in Houston and is chair of the Houston Bar Association International Law Section and also past chair of the State Bar of Texas Computer & Technology Section. Reach him at email@example.com TECHGEAR Lenovo’s upcoming Horizon 27-inch table PC (starting at $1,699) can operate like a desktop or lay flat to allow a group to gather around it and collaborate on a document or play games on its 1920 x 1080-pixel touchscreen. WEBLINKS TRAVIS NORMAND graduated from South Texas College of Law in May 2011 and was admitted to the Texas Bar the following November. Normand currently is a contract attorney in Houston for an oil and gas company. He maintains two blogs, OnePointSafety.com and LOACBlog.com. Dr. Saturday’s Blog at Yahoo Sports (sports.yahoo.com/blogs/ncaaf-dr-saturday) Dr. Saturday’s blog is one of the best places to go for random, yet informative, college football news. OutKickTheCoverage.com OutKickTheCoverage is written by Clay Travis, a Nashville attorney who is now a full-time college football writer. Travis mostly covers the Southeastern Conference, and he does it well. SolidVerbal.com The Solid Verbal is a twice-a-week podcast covering all-things college football. LawFareBlog.com I visit this site daily and it is my primary source for national security-related news. Some of my biggest areas of legal interest are the Law of Armed Conflict (LOAC, or International Humanitarian Law), National Security Law, and Counterterrorism Law. Infographics (http://infogr.am) If you have a website, blog, or anything else that could use some sprucing-up, you will love Infographics. This site allows you to easily turn your stats and/or data into charts and graphs that are interactive and eye-catching.
Published by State Bar of Texas. View All Articles.
This page can be found at http://mydigimag.rrd.com/article/Technology/1295972/144064/article.html.