Law firms, by their very nature, are one of the most vulnerable types of businesses in regard to handling sensitive data. The entire industry is built upon litigation, and as such, massive attention, unlike the attention focused on other groups or professions, illuminates both the successes and the failures under great magnification.
As such, one of the great security hurdles to deal with for many law firms is the concept of client information generation, protection, and erasure. Properly disposing of client information ensures legal compliance, client safety, and protection from litigation regarding improper data handling.
In this piece, we’re going to look at some of the legal challenges law firms face when dealing with client information, as well as some unique technical limitations built into the system due to the nature of litigation. We’ll discuss some specific tactics for negation of these issues, as well as some caveats that law firms need to keep in mind.
An aside - we are not lawyers, and this is not legal advice.
First and foremost, it must be said that client information is controlled by some very specific and direct legal edicts. The American Bar states that “there are [...] parallel common law duties defined by case law in the various states. The restatement (3rd) of the Law Governing Lawyers (2000) summarizes this area of the law.”
This area of the law is pretty specific - these aren’t generalities that can be interpreted one way or another, they are specific protections for clients when their data is handled. Ignoring for a moment the contractual obligations of client protection, such as when clients are in regulated industries such as healthcare, education, or government, there are also state and federal statutes which augment the common law requirements, mandating protection of “defined categories of personal information”.
To make this matter even more important, at least 10 states in the US, and many countries in the European Union, have specific security and personal information laws that require “reasonable measures” to protect personal information.
What are these reasonable measures? While they change in specifics from legal implementation to legal implementation, they are broadly akin to the following specific edicts:
- Client information is to be generated, stored, and used only in a way as directed by the client or in a way that helps the effort which a client has requested;
- Data cannot be shared with unauthorized parties, and specifically cannot be shared with opposing legal forces unless ordered through discovery or court order;
- Client data must be reasonably protected, with many statutes legally requiring some form of data encryption and secure storage;
- Data must be disposed of once it is no longer legally needed, irrelevant to the case at hand, or by request of the client (assuming it meets all other legal requirements).
While there are some stringent legal requirements on such data, perhaps the greater requirement is the moral one. As legal counsel, there are a number of thoughts on this subject, but the most specific is the fact that a lawyer “owes” proper action and representation to their client. As part of this, failure to properly secure data is not owing up to the lawyer’s requirement to properly represent their client.
There is, of course, the other ethical argument that, morally speaking, failure to protect client data is essentially as bad as handing the data off yourself - that inaction, specifically, is just as bad as negative action when it results in negative consequences. While this can be argued ad nauseum, there is certainly something to be said for responsibility over what occurs to client data that has been generated by a lawyer, yet not protected by that lawyer is negligence.
This is a strange area of the law, as well. Ethical non-compliance may not have direct legal repercussions, but regardless, can still result in disbarment if the legal issuing authority, such as the US Bar Association, decides you have acted immorally or unethically resulting in damage to the client which you represented. Because of this, while legal compliance is obviously most important, ethical (and moral) compliance needs to be considering in setting up a data management plan.
Caveats and Extra Requirements
Part of what makes this topic so difficult is the unique challenges represented by storing legal information in a legal practice.
- Data must be shareable - in the case of discovery or court order, data must be able to be quickly catalogued and shared with many other legal practices who also are legally and ethically required to secure such data;
- Data must be limited - legal firms must only collect the data they need, and in certain legal cases, where firms collect “everything possibly related” and sift through later, this might mean mass data destruction and verification (more on this later);
- Data must be documentable - the entire process of data generation, storage, and deletion must be documented without disclosing the contents of the file for privacy reasons, often resulting in a paper form of “telephone”, whereby the description must match as close as possible but often drifts into other descriptive terminologies.
As complicated as this subject is, there are thankfully a great deal of solutions that can be applied by legal firms. Because law compliance and ethical compliance are generally in line with one another, we can tackle this by general subject matter, rather than specific situational requirements.
- Data must be shareable - while data is required to be shareable, it must be encrypted. Public key encryption does this well, allowing only trusted partners to access this data, but the most important process in this consideration is actual encryption on the drives. Encrypt important data with highly secure encryption, and track access by all legal fellows and partners, documenting access and revisions as they occur.
- Data must be limited - collect only what is necessary, and collate related files. Encrypt these files in related “caches” when necessary, and when data is no longer necessary, properly document their destruction and use a solution like Clarabyte to permanently destroy it. This destruction is incredibly important, and is discussed below.
- Data must be documentable - document, document, document. The entire process from data creation to storage, and later to destruction is essentially like keeping receipts as a small business - they prove what you’ve done, and can help to ensure law firms are protected from compliance issues.
All of this is null, of course, unless we properly dispose of data. With properly destroyed data, law firms can increase their legal protections while adhering to compliance issues. Clarabyte has a great solution known as Clarawipe that can help do this in a pretty fantastic way.
ClaraWipe is a complete data destruction solution, meaning that not only does it erase the data, it ensures it was properly erased, providing a line of defense against data breaches and guaranteeing data security.
Because ClaraWipe meets or exceeds all major regulatory and technical standards, it provides an almost universal coverage of legal implications for law firms. ClaraWipe adheres and exceeds the following standards, representing a massive, diverse field of possible legal cases and data types:
- Sarbanes-Oxley Act (SOx)
- HIPAA & HITECH
- The Fair and Accurate Credit Transactions Act of 2003 (FACTA)
- US Department of Defense 5220.22-M
- CSEC ITSG-06
- Payment Card Industry Data Security Standard (PCI DSS)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- EU data protection directive of 1995
- Gramm-Leach-Bliley Act (GLBA)
- California Senate Bill 1386
- and others.