♫ Further on up the road baby,
things gonna change… ♫
— Music and lyrics by J.L. Hooker, C. Thompson, C. Santana; recorded by Santana.
The State Bar of California’s Committee on Professional Responsibility and Conduct has just issued Formal Opinion No. 16-0002. It examines a lawyer’s ethical obligations with respect to unauthorized access by third persons to electronically stored client confidential information in the lawyer’s possession. In some ways it parallels what is set forth in Rule 10-4 (Security of Records) of the Law Society Rules. What is illustrative is that “the Committee adopted an approach that posed questions lawyers should consider in order to comply with the duties of competency and confidentiality. In light of ever-changing technology, the Committee concludes that an on-going engagement with that evolving technology, in the form of security issues to consider and re-consider, was preferable to a ‘bright line’ or ‘categorical approach.’”
The Committee looked at four scenarios: an attorney’s laptop is stolen; an attorney’s smartphone is left in a restaurant overnight; a firm is infected by ransomware; and a lawyer’s laptop is accessed while the lawyer is using an unsecured public Wi-Fi network. For each hypothetical, the Committee set out the factors to consider.
The requirement to make reasonable efforts to protect client information from unauthorized disclosure or destruction was affirmed. California went further, however, and stated that: “Given the obligation to preserve client confidences, secrets and propriety information, it is appropriate to assume that reasonable clients would want to be notified if any of that information was acquired or reasonably suspected of being acquired by unauthorized persons.” In BC, we have an obligation to notify the Executive Director of the Law Society, but the Rules and Code are silent on the duty to notify a client if the firm has lost control or custody of any of the lawyer’s records [10-4(a)] or if anyone has improperly accessed or copied any records [10-4(b)].
California also affirmed American Bar Association Formal Opinion 18-483, which holds: “lawyers with managerial authority within a law firm must make a reasonable effort to establish internal policies and procedures designed to protect confidential client information from the risk of inadvertent disclosure and data breaches as the result of technology use, which includes monitoring the use of technology and office resources connected to the Internet and external data sources.” The ABA also held that a law firm should: “consider preparing a data breach response plan so that all stakeholders know how to respond when a breach occurs.”
This opinion, I believe, foreshadows what could be eventually adopted in other jurisdictions. Prudent firms may wish to examine the formal opinion with a view to revamping their policies and procedures to reflect this evolving thinking because further up the road, I believe, the thinking is gonna change.
As a First Step Towards Greater Security
Check whether you have adequate insurance to protect yourself against various losses, including data breaches, cyber-losses, cyber-extortion and social engineering (phishing) fraud scams.
The Law Society has a good breakdown of the coverages available for losses that the Law Society insurance program does not cover.
The Sedona Conference Canada has prepared a commentary on privacy and information security for legal service providers, Principles and Guidelines (Aug 2020), that is well worth reviewing.
The Sedona Conference has also prepared a Commentary on a Reasonable Security Test (Sept 2020). This Commentary begins with a brief summary of the importance of having a test, the reasoning behind a cost/benefit approach for the test, and what issues the test does not address. Part I sets out the proposed test and explains how it is applied. Part II reviews and analyzes existing resources that offer guidance on how “reasonable security” has been defined and applied to date, and explains how they bear upon the test.
Create a data breach plan before you are hit with a breach, so that you can deal quickly and decisively with any possible data breach. Lawyers Mutual of North Carolina has published a Data Breach Incident Response Plan Toolkit by Tom Widman, founder, president and CEO of Identity Fraud, Inc.
Inside your data breach plan
Sharon Nelson, David Ries, and John Simek have written “Be Prepared — Planning for When Your Law Firm Suffers a Data Breach.” This article is a nice compact review of the issues to consider placing inside your data breach plan.
Protect personal information and prevent data breaches
The Office of the Privacy Commissioner of Canada and the Office of the Information and Privacy Commissioner of Alberta have published “Securing Personal Information: A Self-Assessment Tool for Public Bodies and Organizations.” This comprehensive tool is an incredible resource for any organization seeking to examine its systems and procedures for protecting personal information and preventing data breaches.
DLA Piper has summarized Canadian privacy statutory data breach obligations.
The Canadian Bar Association published an article in 2015 written by Jeffrey Kaufman entitled “Law Firm Privacy Compliance in 10 Steps.”
(c) 2022 David J. Bilinsky.
(originally published in PracticeTalk and TechTips, in the Canadian Bar Association’s BarTalk magazine:
https://www.cbabc.org/BarTalk/Articles/2020/December/Columns/Evolving-Views-on-How-to-View-Security
https://www.cbabc.org/BarTalk/Articles/2020/December/Columns/As-a-First-Step)