David Bilinsky - Thoughtful Legal Management

♫ Further on up the road baby,
things gonna change… ♫

— Music and lyrics by J.L. Hooker, C. Thompson, C. Santana; recorded by Santana.

The State Bar of California’s Committee on Professional Responsibility and Conduct has just issued Formal Opinion No 16-0002. It looked at a lawyer’s ethical obligations with respect to unauthorized access by third persons to electronically stored client confidential information in the lawyer’s possession. In some ways it parallels what is set forth in s. 10-4 Security of Records of the Rules of the Law Society. What is illustrative is that “the Committee adopted an approach that posed questions lawyers should consider in order to comply with the duties of competency and confidentiality. In light of ever-changing technology, the Committee concludes that an on-going engagement with that evolving technology, in the form of security issues to consider and re-consider, was preferable to a “bright line” or “categorical approach.”

The Committee looked at four scenarios: An attorney’s laptop is stolen; an attorney’s smartphone is left in a restaurant overnight; a firm is infected by Ransomware and a lawyer’s laptop was accessed while the lawyer was using an unsecured public Wi-Fi network. Hypothetically the Committee looked at the factors to consider in each scenario.

The requirement to make reasonable efforts to protect client information from unauthorized disclosure or destruction was affirmed. California went further, however, and stated that: “Given the obligation to preserve client confidences, secrets and propriety information, it is appropriate to assume that reasonable clients would want to be notified if any of that information was acquired or reasonably suspected of being acquired by unauthorized persons.” In BC, we have an obligation to notify the Executive Director of the Law Society but the Rules and Code are silent on the duty to notify a client if the firm lost control or custody of any of the lawyer’s records [10-4 (a)] or if anyone had improperly accessed or copied any records [10-4 (b)].

California also affirmed the American Bar Association formal opinion of 18-483 that holds: “lawyers with managerial authority within a law firm must make a reasonable effort to establish internal policies and procedures designed to protect confidential client information from the risk of inadvertent disclosure and data breaches as the result of technology use, which includes monitoring the use of technology and office resources connected to the Internet and external data sources.” They also held that a law firm should: “consider preparing a data breach response plan so that all stakeholders know how to respond when a breach occurs.”

This opinion, I believe, foreshadows what could be eventually adopted in other jurisdictions. Prudent firms may wish to examine the formal opinion with a view to revamping their policies and procedures to reflect this evolving thinking because further up the road, I believe, the thinking is gonna change.

As a First Step Towards Greater Security

Check if you have adequate insurance to protect yourself against various losses, including data breaches, cyber-losses, cyber-extortion and social engineering (phishing) fraud scams.

The Law Society
has a good breakdown of the coverages that are available that the Law Society insurance does not cover.

The Sedona Conference Canada
has prepared a commentary on privacy and information security for legal service providers — Principles and Guidelines (Aug 2020) that is well worth reviewing.

The Sedona Conference
has also prepared a Commentary on a Reasonable Security Test (Sept 2020). This Commentary begins with a brief summary of the importance of having a test, the reasoning behind a cost/benefit approach for the test, and what issues the test does not address. Part I sets out the proposed test and the explanation of how it is applied. Part II provides review and analysis of existing resources that offer guidance on how “reasonable security” has been defined and applied to date and explains how they bear upon the test.

Create a data breach plan
before you are hit with a breach that will allow you to deal quickly and decisively with any possible data breach. Lawyers Mutual of North Carolina has published a Data Breach Incident Response Plan Toolkit by Tom Widman, founder, president and CEO of Identity Fraud, Inc.

Inside your data breach plan
Sharon Nelson, David Ries, and John Simek have written “Be Prepared — Planning for When Your Law Firm Suffers a Data Breach.” This article is a nice compact review of the issues to consider placing inside your data breach plan.

Protect personal information and data breaches
The Office of the Privacy Commissioner of Canada and The Office of the Information and Privacy Commissioner of Alberta has published “Security Personal Information — A Self-Assessment Tool for Public Bodies and Organizations.” This comprehensive tool is an incredible resource for any organization seeking to examine their systems and procedures to protect personal information and data breaches.

DLA Piper
has summarized Canadian privacy statutory data breach obligations.

The Canadian Bar Association
has published an article in 2015 written by Jeffrey Kaufman entitled, “Law Firm Privacy Compliance in 10 Steps.”

(originally published in PracticeTalk and TechTips, in the Canadian Bar Association’s BarTalk magazine:

https://www.cbabc.org/BarTalk/Articles/2020/December/Columns/Evolving-Views-on-How-to-View-Security

https://www.cbabc.org/BarTalk/Articles/2020/December/Columns/As-a-First-Step)




Categories 30 Questions for Busy Lawyers (15) Adding Value (160) Budgeting (48) Business Development (135) Change Management (244) Cheap is Good but Free is Better! (10) Dave's Top 10 Lists (4) Firm Governance (162) Fraud and theft (36) humour (68) I'm a Mac (38) Issues facing Law Firms (324) Law Firm Strategy (266) Leadership and Strategic Planning (253) Legal Education (1) Make it Work! (84) personal focus and renewal (141) Technology (229) Tips (184) Trends (346) Archives September 2022 August 2022 July 2022 June 2022 May 2022 April 2022 March 2022 August 2020 July 2020 February 2020 November 2019 October 2019 June 2019 February 2019 December 2018 November 2018 March 2017 January 2017 December 2016 September 2016 August 2016 May 2016 April 2016 March 2016 February 2016 January 2016 December 2015 November 2015 October 2015 September 2015 August 2015 July 2015 June 2015 May 2015 April 2015 March 2015 February 2015 January 2015 December 2014 November 2014 October 2014 September 2014 August 2014 June 2014 May 2014 April 2014 March 2014 February 2014 January 2014 December 2013 November 2013 October 2013 September 2013 July 2013 June 2013 May 2013 January 2013 December 2012 November 2012 October 2012 September 2012 August 2012 July 2012 June 2012 May 2012 April 2012 March 2012 February 2012 January 2012 December 2011 November 2011 October 2011 September 2011 August 2011 July 2011 June 2011 May 2011 April 2011 March 2011 February 2011 January 2011 December 2010 November 2010 October 2010 September 2010 July 2010 June 2010 May 2010 April 2010 March 2010 February 2010 January 2010 December 2009 November 2009 October 2009 September 2009 August 2009 July 2009 June 2009 May 2009 April 2009 March 2009 February 2009 January 2009 December 2008 November 2008 October 2008 September 2008 August 2008 July 2008 June 2008 May 2008 April 2008 March 2008 February 2008 January 2008 December 2007 November 2007 October 2007 September 2007 August 2007 July 2007	« Digital Transformation: Moving Past the Present Ways to Best Manage Your Time… » Evolving Views on How to View Security March 28th, 2022 ♫ Further on up the road baby, things gonna change… ♫ — Music and lyrics by J.L. Hooker, C. Thompson, C. Santana; recorded by Santana. The State Bar of California’s Committee on Professional Responsibility and Conduct has just issued Formal Opinion No 16-0002. It looked at a lawyer’s ethical obligations with respect to unauthorized access by third persons to electronically stored client confidential information in the lawyer’s possession. In some ways it parallels what is set forth in s. 10-4 Security of Records of the Rules of the Law Society. What is illustrative is that “the Committee adopted an approach that posed questions lawyers should consider in order to comply with the duties of competency and confidentiality. In light of ever-changing technology, the Committee concludes that an on-going engagement with that evolving technology, in the form of security issues to consider and re-consider, was preferable to a “bright line” or “categorical approach.” The Committee looked at four scenarios: An attorney’s laptop is stolen; an attorney’s smartphone is left in a restaurant overnight; a firm is infected by Ransomware and a lawyer’s laptop was accessed while the lawyer was using an unsecured public Wi-Fi network. Hypothetically the Committee looked at the factors to consider in each scenario. The requirement to make reasonable efforts to protect client information from unauthorized disclosure or destruction was affirmed. California went further, however, and stated that: “Given the obligation to preserve client confidences, secrets and propriety information, it is appropriate to assume that reasonable clients would want to be notified if any of that information was acquired or reasonably suspected of being acquired by unauthorized persons.” In BC, we have an obligation to notify the Executive Director of the Law Society but the Rules and Code are silent on the duty to notify a client if the firm lost control or custody of any of the lawyer’s records [10-4 (a)] or if anyone had improperly accessed or copied any records [10-4 (b)]. California also affirmed the American Bar Association formal opinion of 18-483 that holds: “lawyers with managerial authority within a law firm must make a reasonable effort to establish internal policies and procedures designed to protect confidential client information from the risk of inadvertent disclosure and data breaches as the result of technology use, which includes monitoring the use of technology and office resources connected to the Internet and external data sources.” They also held that a law firm should: “consider preparing a data breach response plan so that all stakeholders know how to respond when a breach occurs.” This opinion, I believe, foreshadows what could be eventually adopted in other jurisdictions. Prudent firms may wish to examine the formal opinion with a view to revamping their policies and procedures to reflect this evolving thinking because further up the road, I believe, the thinking is gonna change. As a First Step Towards Greater Security Check if you have adequate insurance to protect yourself against various losses, including data breaches, cyber-losses, cyber-extortion and social engineering (phishing) fraud scams. The Law Society has a good breakdown of the coverages that are available that the Law Society insurance does not cover. The Sedona Conference Canada has prepared a commentary on privacy and information security for legal service providers — Principles and Guidelines (Aug 2020) that is well worth reviewing. The Sedona Conference has also prepared a Commentary on a Reasonable Security Test (Sept 2020). This Commentary begins with a brief summary of the importance of having a test, the reasoning behind a cost/benefit approach for the test, and what issues the test does not address. Part I sets out the proposed test and the explanation of how it is applied. Part II provides review and analysis of existing resources that offer guidance on how “reasonable security” has been defined and applied to date and explains how they bear upon the test. Create a data breach plan before you are hit with a breach that will allow you to deal quickly and decisively with any possible data breach. Lawyers Mutual of North Carolina has published a Data Breach Incident Response Plan Toolkit by Tom Widman, founder, president and CEO of Identity Fraud, Inc. Inside your data breach plan Sharon Nelson, David Ries, and John Simek have written “Be Prepared — Planning for When Your Law Firm Suffers a Data Breach.” This article is a nice compact review of the issues to consider placing inside your data breach plan. Protect personal information and data breaches The Office of the Privacy Commissioner of Canada and The Office of the Information and Privacy Commissioner of Alberta has published “Security Personal Information — A Self-Assessment Tool for Public Bodies and Organizations.” This comprehensive tool is an incredible resource for any organization seeking to examine their systems and procedures to protect personal information and data breaches. DLA Piper has summarized Canadian privacy statutory data breach obligations. The Canadian Bar Association has published an article in 2015 written by Jeffrey Kaufman entitled, “Law Firm Privacy Compliance in 10 Steps.” (c) 2022 David J. Bilinsky. (originally published in PracticeTalk and TechTips, in the Canadian Bar Association’s BarTalk magazine: https://www.cbabc.org/BarTalk/Articles/2020/December/Columns/Evolving-Views-on-How-to-View-Security https://www.cbabc.org/BarTalk/Articles/2020/December/Columns/As-a-First-Step) Tweet This entry was posted on Monday, March 28th, 2022 at 7:00 am and is filed under Change Management, Firm Governance, Fraud and theft, Issues facing Law Firms, Law Firm Strategy, Leadership and Strategic Planning, Technology, Trends. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. Leave a Reply Name (required) Mail (will not be published) (required) Website Δ
Site Design: Skunkworks Creative Group