Lawyers may be way behind, and losing ground, in coping effectively with the storage, maintenance and use of confidential client data and in fulfilling significant ethical obligations regarding data leakage prevention/protection (DLP). Data leakage prevention is a system designed to detect potential data breach or data exfiltration transmissions and to prevent them by monitoring, detecting and blocking sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage).
Would you consider the following to be “secrets” of your clients? The take-over strategy for a public company? A trade secret formula you are litigating? A client’s bottom line acquisition terms in negotiations for an office building? Details of an approaching public offering of securities? Of course you would. So would your clients.
Before the widespread use of desktop computers in business and law (less than 30 years ago), lawyers could secure such secrets in locked filing cabinet drawers, in a locked office, in a building that had security guards, and sleep peacefully knowing we had complied with our ethical duties. Hypersensitive information, say an actual government classified document or a patentable idea, typically required further steps that were likewise physical and mechanical, such as putting documents in a locked vault inside a secured facility. Before the widespread use of the Internet in business and law (less than 20 years ago), what was inside computers was similarly secured through physical access restriction.
Today almost all “secret/confidential” information is stored somewhere on the law firm’s computer systems, and for some firms in the “cloud.” That information may be password protected; it may be encrypted; it may be user access limited; but it can still be accessible and transportable through cyberspace.
California Rule of Professional Conduct 3-100 addresses our ethical obligations for handling confidential client information. That rule mandates that “(A) A member shall not reveal information protected from disclosure by Business and Professions Code section 6068, subdivision (e)(1) without the informed consent of the client, or as provided in paragraph (B) of this rule [which deals with the prevention of criminal acts].” But Section 6068 is a potential nightmare when considered in relation to a client’s computer-stored information in your law firm’s possession. The section provides: “It is the duty of an attorney to do all of the following:
(e)(1) To maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client.” (Emphasis added.)
Moreover, a member's duty to preserve the confidentiality of client information involves public policies of paramount importance. In Re Jordan, 12 Cal. 3d 575, 580 (1974). Preserving the confidentiality of client information contributes to the trust that is the hallmark of the client-lawyer relationship. Thus, paragraph (A) of Rule 3-100 recognizes a fundamental principle in the client-lawyer relationship, that, in the absence of the client's informed consent, a member must not reveal information relating to the representation. See, e.g., Commercial Standard Title Co. v. Superior Court, 92 Cal. App. 3d 934, 945 (1979).
Do you imagine that the standard of care we will be held to for measuring compliance with Rule 3-100 and Section 6068 is the “locked drawer” paradigm of the 1970s, or the best available technological solutions of the second decade of the 21st century? What will clients expect and require, as a condition to the law firm being awarded a work assignment? Will clients increasingly require proof of the capability of the firm’s system to protect confidentiality of client data before it is entrusted to the law firm? The answers are self-evident.
(Reprinted with permission of The Daily Journal Corp, copyright 2013)