When using email to communicate, more than three-quarters of all lawyers treat their clients' confidential information with all the care you'd expect from a teenager posting to Facebook, according to a new survey.
Only 22 percent claim to use encryption. And a full 77 percent cop to relying solely on "confidentiality statements," otherwise known as virtually nothing.
Robert Ambrogi, an attorney, writes of such "protection" on his LawSites blog:
If I were to leave a document on a table entitled, "My Deepest, Darkest Secrets," under which I wrote, "Please do not read this unless you are someone I intended to read this," how securely would you think I'd protected myself?
That, effectively, is all the majority of lawyers do to protect confidential documents they share with clients and colleagues, according to a LexisNexis survey published this week.
Ambrogi answered a few of my questions via email:
Are there any applicable rules, standards or guidelines that lawyers are supposed to follow when handling client data?
The rules vary somewhat by state, but the general rule is that lawyers have an ethical obligation to protect the confidentiality and security of client information. A number of state ethics bodies have issued advisory opinions on what this obligation means for cloud computing. I just compiled a list of these opinions at my blog:
These opinions are fairly unanimous in saying that lawyers may ethically use the cloud to store client documents, provided they exercise due diligence to ensure that the cloud provider has adequate security measures in place. Several of these opinions include checklists of questions a lawyer should ask about a provider. A minority of states -- Massachusetts among them -- have said that a lawyer should obtain express client consent before using a cloud service.
Also, I've posted to my blog a presentation I gave last September on Ethics and Security of Cloud Computing for Lawyers. It includes highlights from some of the key ethics opinions and discusses some of the measures lawyers should take to protect their clients:
Are you aware of any cases where this failure to handle data more securely has hurt a client in any way?
As for whether clients have been hurt, the NYT just had a piece making the point that it's hard to know, because firms are reluctant to report such breaches: My presentation above talked about a notorious case out of Canada where Chinese hackers trying to derail a major corporate acquisition were able to get access to the files of seven of Canada's largest firms.
And, in your opinion, who should do what to fix this problem?
As for what lawyers should do, it all comes down to taking reasonable security precautions. A good start is to encrypt email, vet cloud providers, and use secure file sharing.