This blog post is for informational and educational purposes only. Any legal information provided in this post should not be relied upon as legal advice. It is not intended to create, and does not create, an attorney-client relationship and readers should not act upon the information presented without first seeking legal counsel.
Much of the discussion of law firm security has focused on data encryption. "Encryption" in this context generally breaks down into two types: encryption in motion (often called encryption in transit) and encryption at rest. Encryption in motion protects data while it travels between sender and receiver, so that anyone who intercepts the traffic sees only unreadable ciphertext rather than the underlying documents. Encryption at rest protects data where it is stored, whether on a laptop, a file server or a cloud provider's disks, so that anyone who obtains the stored files or the storage media without the decryption key cannot read them. The two are complementary: a document sent over an encrypted connection is exposed again the moment it lands unencrypted on a server, and a document encrypted on disk is exposed if it is e-mailed in the clear.
Law firms are undoubtedly attractive targets for hackers because of the information they typically store. Corporate law firms often hold information about a company's financials, investments, business strategies and intellectual property. Law firms that handle non-corporate matters like real estate, personal injury, or trusts and estates may often store medical information, billing information, social security numbers, insurance information, driver's license information, and other valuable information about individuals. Depending on the size and scope of a law firm's practice, certain practice groups within the same firm may face greater risk than others. As such, both forms of encryption are important for law firms seeking to ensure that their information remains secure and confidential.
As the cost of off-site storage for law firm data decreases and the availability of cloud-based practice management tools increases, law firms moving aspects of their practice to the cloud should pay particular attention to how a vendor encrypts the firm's data both in motion and at rest, for legal as well as financial reasons. In addition to state or federal laws that may mandate security requirements for personal data and responses in the event of a breach, ethics rules generally require that an attorney take reasonable steps to keep client information confidential. Even more specifically, ABA Model Rule 1.1 and its state equivalents require attorneys to provide "competent representation," which the rule's comments explain includes keeping abreast of the benefits and risks associated with relevant technology. Law firms in certain sectors may also be subject to additional information security requirements. For instance, law firms that handle matters for hospitals and other covered entities in the healthcare space are required by the Health Insurance Portability and Accountability Act (HIPAA) to maintain specified information security safeguards as Business Associates of the covered entity. Similarly, law firms that work with clients in the financial sector may face security obligations flowing from the Gramm-Leach-Bliley Act.
Importantly, encryption technologies and security threats change over time. Law firm security protocols that have not been kept current therefore do progressively less to protect firm data as time passes. Keeping abreast of new security threats and technologies and implementing changes in security systems is a costly endeavor in terms of both time and money. A law firm that stores its data with a vendor can lean on that vendor to keep the protecting systems up to date, but the firm remains responsible for choosing the vendor carefully and for confirming, on an ongoing basis, that the vendor's practices actually meet the firm's obligations.
Many law firms address the security of their client and firm information by hosting it with cloud providers. Cloud providers commonly have their security controls audited by third parties and make those audit reports available to customers. Yet many hosting providers still require the law firm itself to encrypt its data at rest. The provider's staff often have access to the underlying infrastructure, and the provider's own risk management rules call for customer data to be encrypted with keys the provider does not hold, so that little damage results if that infrastructure is breached. In practice this means the firm must understand exactly who holds the encryption keys: a provider that encrypts data with keys it also manages can, by design, decrypt that data.
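The following Go program is an added example, not code from the original post or from any vendor it describes. It shows what "the firm encrypts at rest before the data reaches the provider" looks like in practice: a document is sealed with AES-256-GCM under a key that only the firm holds, the envelope that would be handed to the hosting provider contains no readable plaintext, and any attempt to decrypt with the wrong key, to alter a stored byte, or to move the ciphertext into another matter's record is rejected rather than producing garbage. The names `Envelope`, `Seal`, `Open`, `LeaksPlaintext` and the matter/document identifier format are my assumptions; the sample document is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the firm actually hands to the hosting provider: a random
// nonce plus the AES-GCM ciphertext (which carries its authentication tag).
// The key itself never leaves the firm. (Type name is an assumption.)
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey generates a random 256-bit AES key. A real deployment would keep this
// in a key manager or HSM the firm controls, never alongside the stored data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a document with AES-256-GCM. docID is bound as associated
// data, so a ciphertext cannot be silently swapped into another matter's
// record: authentication fails unless the same docID is supplied on Open.
func Seal(key []byte, docID string, plaintext []byte) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(docID))
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and authenticates. A wrong key, an altered byte, or a
// mismatched docID yields an error rather than corrupted plaintext.
func Open(key []byte, docID string, env Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("envelope has wrong nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(docID))
}

// LeaksPlaintext reports whether the stored envelope contains the document
// verbatim, i.e. whether someone with raw infrastructure access could read it.
func LeaksPlaintext(env Envelope, plaintext []byte) bool {
	return bytes.Contains(env.Ciphertext, plaintext)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	docID := "matter-1234/engagement-letter" // constructed identifier
	doc := []byte("Constructed sample: client tax ID 00-0000000; acquisition target: Acme Corp")
	env, err := Seal(key, docID, doc)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored envelope exposes plaintext: %v\n", LeaksPlaintext(env, doc))
	if _, err := Open(key, "matter-9999/engagement-letter", env); err != nil {
		fmt.Println("moved into another matter, rejected:", err)
	}
	back, err := Open(key, docID, env)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted at the firm: %s\n", back)
}
```

The point for a law firm evaluating a vendor is the division of labor this illustrates: the provider stores and replicates `Envelope` values and can be audited on how it does so, but it cannot produce the plaintext without a key it never receives. Two cautions apply to this construction: a GCM nonce must never be reused under the same key (random 96-bit nonces are fine for a modest number of documents per key, beyond which keys should be rotated), and losing the firm's key means losing the documents, so key backup and escrow inside the firm are part of the design, not an afterthought.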
Ensuring that law firm information is secure and remains confidential requires more than an understanding of encryption in motion and at rest. Internal procedures for creating, storing and transmitting data are essential to a law firm information governance program that meets ethics and other rules. These procedures should be prepared and thoroughly vetted by the firm to ensure that they fit the firm's practice areas and organizational culture. More than that, though, it is good business for a law firm to ensure that information received from or created for clients is maintained and exchanged securely. In an age in which over eighty percent of business documents are in electronic format and less than ten percent of them are ever printed, electronic security for law firms is a paramount consideration.
By Kenneth N Rashbaum Esq. and Jason M. Tenenbaum of Barton, LLP.