As is widely recognized, the attorney-client privilege is one of the most important fundamental principles in the legal profession. Every attorney has an obligation to protect his or her clients’ information and to keep attorney-client communications confidential. Of course, this principle applies to in-house counsel as well as outside counsel. Accordingly, it is crucial for both corporate legal departments and law firms to adopt and implement safeguards in order to protect client information. Although all lawyers presumably know that they have a duty to protect privileged client communications and information, many do not know how to do so. This article will briefly introduce the complex related topics of data privacy and security and provide some helpful initial steps that in-house and outside counsel should take in developing a plan to safeguard client information.
In this digital era, massive amounts of data are stored and transmitted electronically across a sea of systems and devices. In almost every kind of matter involving an organization, in-house and outside counsel have access to clients’ and employees’ personal information. It is no longer sufficient for in-house and outside counsel to rely solely on a company’s or a law firm’s IT department to handle cyber security issues. Indeed, many large companies, particularly in the financial services sector, are now conducting audits of their law firms’ data security protocols. A comprehensive data security plan needs to be developed in every organization and law firm by one or more lawyers in conjunction with the IT Department or an IT consultant and other stakeholders, if any, as described below.
1. Statutes and Regulations
•The very first step that in-house and outside counsel should generally take on behalf of their client organization with regard to data privacy is to determine the governing state statutes and regulations regarding data privacy and security protection. Some states have data privacy laws that require companies to develop written policies and procedures to provide administrative, physical, and technological safeguards for sensitive client information. By way of example only, here are a few statutes and regulations that counsel charged with participating in the development of cyber security policies and practices should be mindful of:
•Statutes that Protect Social Security Numbers: New York, New Jersey, Connecticut, and Michigan have statutes that require written policies to limit access to employees’ Social Security numbers. In Michigan and Connecticut, companies need to maintain and publish a specific corporate policy in order to require Social Security numbers from customers.
•Comprehensive Data Security Program Requirements: An increasing number of states, such as California, Connecticut, Florida, Illinois, Indiana, Massachusetts, Maryland, Oregon, and Texas, require companies to take affirmative actions to protect personal information that belongs to the residents of those states, including driver’s license numbers, bank account numbers, Social Security numbers, and medical information.
•Payment Card Industry Data Security Standards: Many corporations receive payments from clients and therefore have access to clients’ credit card information. These corporations need to make sure that they comply with the Payment Card Industry Data Security Standards.
•Breach Notification Requirements: All but three states require companies to provide notice when there has been a breach of “personal information” accessible to the organization.
2. Identify Personal Client Information
•State statutes and regulations should be just the starting point in seeking to ensure data privacy protection. In-house and outside counsel should consider, for instance, the types of personal client information to which the organization in question has access; whether the organization maintains such personal information indefinitely; whether the organization sponsors or provides services to health care plans; and whether the organization has a comprehensive plan to respond to data privacy breaches.
3. Establish Internal Group to Coordinate Data Privacy Issues
•Virtually every legal department should consider establishing an internal group to coordinate data privacy issues. This group should generally include personnel from the IT Department, the Accounting Department, the Human Resources Department, and the Legal Department—the areas where client personal information is often accessed the most. The group should be empowered to establish detailed steps to protect client data. For example, the group should consider:
•Identifying all hardware, software, and devices such as laptops and cellphones that could store client information;
•Classifying all digitally stored information by levels of sensitivity;
•Determining which departments and which employees are most likely to have access to sensitive client information and how the information flows through the organization;
•Identifying vendors and other third parties who maintain confidential client information; and
•Reviewing existing agreements which require the organization to safeguard client information.
4. Protocol for Data Breach Response
•Counsel should also develop a protocol for responding to data breaches, including, among other things, who will lead the response teams, and which templates to use for various types of data security-related communications.
•Law firms and legal departments should provide periodic training for employees who have access to client information and keep them informed about state regulations and charges in the company’s data privacy policies. In-house and outside counsel need to be thorough and thoughtful in helping their organizations identify, maintain, and safeguard all client information that their organizations maintain.
It is essential for in-house and outside counsel to take the foregoing steps in order to protect client information. Since individual and business clients increasingly demand heightened privacy protection, companies and law firms that fail to implement comprehensive data security policies will risk losing competitive advantage in the marketplace. In-house and outside counsel should share a leadership role with IT and other personnel in developing and implementing detailed internal policies and procedures for collecting, using, and disclosing the information that is needed to provide the services that their organizations render.