What Lawyers Should Know About Data Privacy
Your law firm may be relying more on new technology to meet the demands of practicing law in the 21st century. The need for remote work options, client expectations, convenience, and costs contribute to this push towards legal tech. While these new ways of practicing law come with benefits, attorneys should be mindful of how they impact data privacy.
Why Is Data Privacy Important in Law?
Data privacy has always been an important issue for attorneys and their clients. During a representation, attorneys and clients will exchange countless pieces of sensitive data. This data may include personal information (e.g., social security numbers and financial data), trade secrets, and other sensitive data. Generally, attorneys have an ethical duty of confidentiality to protect a client’s data by not revealing it to a third party without the client’s permission.
Decades ago, data privacy meant having a physically secure space to store paper files and other client information. Now, attorneys increasingly rely on computers, software, and internet systems to store and share client-sensitive data. These technological advancements provide many benefits for law practice (e.g., faster communication, flexibility, and reduced costs).
However, those benefits may come at the cost of greater risk for the breach or loss of a client’s data through cyberattacks. Law firms, like financial institutions and other organizations, remain
popular targets for hackers and cybercriminals because of the sensitive data they possess. Additionally, risks may also exist for inadvertent transmissions of client data by attorneys and their staff without proper safety measures in place.
Ethical Obligations for Law Firms and Data Privacy in the Computer Age
The legal profession’s adoption of new technology has led to related ethical opinions from the American Bar Association (ABA). In
Formal Opinion 477R, the ABA Standing Committee on Ethics and Professional Responsibility added a new requirement for lawyers to take “reasonable efforts to prevent the inadvertent or unauthorized disclosure… of information relating to the representation of a client.” In addition, an amendment was made to address additional security measures. To help ascertain when security measures are required, the Committee outlined factors such as:
- The odds of disclosure without added protections
- The cost of available protections
- The difficulty of implementing the protections
- The level of adverse effects the protections may have on the attorney’s representation of the client
Additionally,
ABA Opinion 483 imposes an ethical obligation on lawyers to notify clients about their data breaches under the obligation of keeping clients informed about the status of a matter. The state bar association where you practice may also have its own standards and obligations for attorneys and law firms regarding data breaches and/or protecting client information.
Other industry regulations may also impose data privacy obligations on attorneys who possess protected information because of the nature of their clients (e.g., HIPAA for healthcare institution clients). In short, data privacy is a top concern for solo practitioners and firms of all sizes.
Key Issues When Investing in New Technology for Your Firm
Internet and cloud software services create new ways for firms to store documents, manage client information, and communicate. Because of the COVID-19 pandemic, these services became even more important for law firms to continue their practice. Products like Zoom and Dropbox are now standard features that clients may expect from their attorneys for convenience.
Keeping data privacy obligations in mind, law firms may want to develop a rigorous methodology for evaluating the risks of adopting new technology. Before implementing new tech into your practice, you may want to understand the risks of the service and how they align with current
best practices. Below are some concepts that may help you and your firm when assessing technology options:
- Carefully review the terms of Software as a Service (SaaS) contracts. Many software companies rely on the ability to access data from your use of their product for quality assurance and future improvements. You may want to look for any waivers of your rights or authority given to software providers to access data or allocations of risk in the event of a cyber-attack.
- Work with your IT staff to evaluate the cyber risks. Seeking support from IT professionals may help when it comes to auditing new software. They could give assurances about a product or input on how to use the product safely to mitigate chances of a cyber
-attack (e.g., passwords, two-factor authentication, etc.)
- Look for comments from state bar associations. You may find publications or other information from state bars about the safe use of technology in your practice. Periodic monitoring for updates from these bodies can clarify your risk levels when using internet systems and software.
Safeguards for Protecting Data
Law firms may also benefit from developing internal safety measures and training to further protect client data from phishing scams and other malware. The depth and frequency of these measures may depend on your firm’s demographics, the nature of your clients, and the types of technology you use. In many cases, training on the proper use of email and internet browsers may be a necessity.
Best practices for using email to transmit client information may include procedures such as:
- Verifying email addresses
- Avoid using links from unknown sources
- Create strong filters to block or send unwanted messages to trash folders.
Attorneys must often rely on internet web browsers for legal research, accessing government databases, and other client activities. Safe web browsing may require the use of firewalls to limit access to potentially insecure websites. Firms can also set up procedures for safely downloading documents and programs from an internet source.
Adding Cyber Liability Insurance to Your Data Privacy Plan
Despite the available resources for safely using technology in your practice, data breaches from cyber-attacks may always be a threat. The financial and business fallout from a breach of your law firm’s data may be costly.
One way to help protect against that risk is to purchase a
cyber liability insurance policy. A policy may provide coverage for the third party and first party losses of a cyberattack. This might include defense costs, damage payments, and costs for any regulatory fines for third-party claims. You may also be able to recover first party losses such as lost income from business interruptions or from cyber extortion.
Get a Cyber Liability Insurance Quote Today
Like other industries, the practice of law is constantly changing and improving because of the technology available. For risk-conscious attorneys, this creates a tension between adopting that technology for greater efficiency and the inherent risks of cyberattacks on your client’s data. Your firm may move forward into this new age of legal practice with the security of a cyber liability policy.
Contact Aon Attorneys Advantage to get a quote today on a cyber liability insurance policy for your law firm.
This information is provided for general informational purposes only and is not intended to provide individualized advice. All descriptions, summaries or highlights of coverage are for general informational purposes only and do not amend, alter or modify the actual terms or conditions of any insurance policy. Coverage is governed only by the terms and conditions of the relevant policy.