
Data Privacy and Security: An Introduction for In-house and Outside Counsel by Richard Friedman


As is widely recognized, the attorney-client privilege is one of the most fundamental principles of the legal profession. Every attorney has an obligation to protect his or her clients’ information and to keep attorney-client communications confidential. Of course, this principle applies to in-house counsel as well as outside counsel. Accordingly, it is crucial for both corporate legal departments and law firms to adopt and implement safeguards to protect client information. Although all lawyers presumably know that they have a duty to protect privileged client communications and information, many do not know how to do so. This article briefly introduces the related and complex topics of data privacy and security and provides some initial steps that in-house and outside counsel should take in developing a plan to safeguard client information.

In this digital era, massive amounts of data are stored and transmitted electronically across a sea of systems and devices. In almost every kind of matter involving an organization, in-house and outside counsel have access to clients’ and employees’ personal information. It is no longer sufficient for in-house and outside counsel to rely solely on a company’s or a law firm’s IT department to handle cyber security issues. Indeed, many large companies, particularly in the financial services sector, are now conducting audits of their law firms’ data security protocols. A comprehensive data security plan needs to be developed in every organization and law firm by one or more lawyers in conjunction with the IT Department or an IT consultant and other stakeholders, if any, as described below.

1. Statutes and Regulations

The very first step that in-house and outside counsel should generally take on behalf of their client organization with regard to data privacy is to determine the governing state statutes and regulations on data privacy and security protection. Some states have data privacy laws that require companies to develop written policies and procedures providing administrative, physical, and technological safeguards for sensitive client information. By way of example only, here are a few statutes and regulations that counsel charged with participating in the development of cyber security policies and practices should be mindful of:

• Statutes that Protect Social Security Numbers: New York, New Jersey, Connecticut, and Michigan have statutes that require written policies to limit access to employees’ Social Security numbers. In Michigan and Connecticut, companies need to maintain and publish a specific corporate policy in order to require Social Security numbers from customers.

• Comprehensive Data Security Program Requirements: An increasing number of states, such as California, Connecticut, Florida, Illinois, Indiana, Massachusetts, Maryland, Oregon, and Texas, require companies to take affirmative actions to protect personal information that belongs to the residents of those states, including driver’s license numbers, bank account numbers, Social Security numbers, and medical information.

• Payment Card Industry Data Security Standard (PCI DSS): Many corporations receive payments from clients and therefore have access to clients’ credit card information. These corporations need to make sure that they comply with the Payment Card Industry Data Security Standard.

• Breach Notification Requirements: All but three states require companies to provide notice when there has been a breach of “personal information” accessible to the organization.

2. Identify Personal Client Information

State statutes and regulations should be just the starting point in seeking to ensure data privacy protection. In-house and outside counsel should consider, for instance, the types of personal client information to which the organization in question has access; whether the organization maintains such personal information indefinitely; whether the organization sponsors or provides services to health care plans; and whether the organization has a comprehensive plan to respond to data privacy breaches.

3. Establish Internal Group to Coordinate Data Privacy Issues

Virtually every legal department should consider establishing an internal group to coordinate data privacy issues. This group should generally include personnel from the IT Department, the Accounting Department, the Human Resources Department, and the Legal Department—the areas where client personal information is often accessed the most. The group should be empowered to establish detailed steps to protect client data. For example, the group should consider:

• Identifying all hardware, software, and devices such as laptops and cellphones that could store client information;

• Classifying all digitally stored information by levels of sensitivity;

• Determining which departments and which employees are most likely to have access to sensitive client information and how the information flows through the organization;

• Identifying vendors and other third parties who maintain confidential client information; and

• Reviewing existing agreements which require the organization to safeguard client information.

4. Protocol for Data Breach Response

Counsel should also develop a protocol for responding to data breaches, including, among other things, who will lead the response teams, and which templates to use for various types of data security-related communications.

5. Training

Law firms and legal departments should provide periodic training for employees who have access to client information and keep them informed about state regulations and changes in the company’s data privacy policies. In-house and outside counsel need to be thorough and thoughtful in helping their organizations identify, maintain, and safeguard all client information that their organizations maintain.

CONCLUSION

It is essential for in-house and outside counsel to take the foregoing steps in order to protect client information. Since individual and business clients increasingly demand heightened privacy protection, companies and law firms that fail to implement comprehensive data security policies will risk losing competitive advantage in the marketplace. In-house and outside counsel should share a leadership role with IT and other personnel in developing and implementing detailed internal policies and procedures for collecting, using, and disclosing the information that is needed to provide the services that their organizations render.  

Richard B. Friedman
Richard Friedman PLLC
830 Third Avenue, 5th Floor
New York, New York 10022
TEL: 212-600-9539
FAX: 212-840-8560
rfriedman@richardfriedmanlaw.com
www.richardfriedmanlaw.com
www.richardfriedmanlaw.com/blog
Confidentiality Obligations of In-House and Outside Counsel in the Virtual Workplace by Richard Friedman


As is widely known, many technological advancements have been integrated into the legal industry in recent decades. Maintaining an electronic record of all information is standard operating procedure at large and small companies and law firms. Another major development, in the last half dozen or so years, in particular, has been the dramatic increase in the number of employees who telecommute one or more days a week and in many instances full time. Indeed, there are now virtual companies and law firms which maintain limited, if any, office space. These parallel developments necessarily raise questions concerning the ability of companies and law firms alike to maintain the confidentiality of proprietary information.

Working Remotely

At the risk of stating the obvious, working from home or from other remote locations allows attorneys and other personnel to maintain a flexible schedule and eliminate commute time. With a click of a button on a remote device, in-house and outside counsel are able to access a confidential document from off-site locations, often as one or more colleagues are working on the exact same document. However, this increased flexibility and the possibility of maintaining a better work-life balance brings with it increased challenges in ensuring the confidentiality of client information.

Cyber Security and Confidentiality

Remote Access to Electronic Files

Of course, lawyers often handle very sensitive client information which must remain confidential. Questions have arisen in recent years as to whether the use of remote access violates a lawyer’s duty to preserve client confidences under Rule 1.6 of the Model Rules of Professional Conduct. In accordance with that rule, a violation occurs when one:

1. knowingly reveals confidential information; or

2. does not exercise reasonable care to prevent the compromise of confidential information while the lawyer or the service utilized by the lawyer has access to the confidential information.

The New York State Bar Association Committee on Professional Ethics has stated that, in addition to being prohibited from disclosing confidential information, a lawyer is also obligated to take reasonable care to affirmatively protect his or her client’s information (NYSBA Comm. on Professional Ethics, Formal Op. 842, 2010).

It is acceptable to use standard methods of transmitting or accessing information so long as there is a reasonable expectation of privacy. For example, confidential information may generally be sent by unencrypted email. However, if there is a greater risk of interception due to the particular circumstances, the lawyer is obligated to take appropriate security measures, bearing in mind the technology that is available at a reasonable cost (NYSBA Comm. on Professional Ethics, Formal Op. 709, 1998). The lawyer must also ensure that any security or storage service provider she plans to use has an enforceable obligation to preserve confidentiality. To ensure that a client’s consent to remote access of confidential information is an informed one, any known risks in the security system must be disclosed to the client before the lawyer obtains that consent.

Use of Cloud Storage for Storing Client Information

When using a cloud for data storage, a lawyer must ensure that the storage system is password protected and that the stored data is encrypted (NYSBA Op. 842). Due to the rapid changes in technology and continually emerging threats to the security of stored data, a lawyer should also periodically confirm the effectiveness of the security measures provided by the service she or he uses. If there is evidence of a potential or actual lack of security, the lawyer must discontinue use of the service until the potential or actual problem is remediated by the service provider. As with the standard for remote access described above, a lawyer must affirmatively protect his client’s information. The American Bar Association and many state bar associations have issued opinions approving the use of cloud storage so long as reasonable care is taken to confirm the effectiveness of the security measures that are in place.

The success of the virtual workplace model in law, however convenient and liberating for many lawyers, is contingent on having an encryption system for protecting confidential information and having the means to securely store and transmit information while working from a remote location. If a virtual workplace model is tested by a court or otherwise, in-house and outside counsel must be able to demonstrate that they are affirmatively protecting their clients’ information by staying informed about technological advances and potential risks to data security. Taking reasonable care boils down to individual attorneys maintaining proper work protocols, such as choosing strong passwords, remotely accessing information from a secure Wi-Fi network, and communicating with the service provider regarding any potential security breaches.
