User menu

Ethics: Ethical Responsibilities to Prevent Data Breaches

Fri, 03/23/2018 - 14:47 -- admin25

by Stephen Andrew Kennedy

Cloud computing offers an attorney the ability to access email and client data seamlessly on phones, tablets, laptops and even one’s watch. One can dictate privileged email and text messages to clients using services like Amazon’s Alexa or Google’s Personal Assistant. The client’s privileged communications can be read back to an attorney out loud or displayed on a host of devices. Smart TVs can automatically display new emails or texts from clients at the bottom of the screen while watching a movie or television program. But with these conveniences follows a host of risks and accordant responsibilities for the cloud-connected Texas lawyer.

The Disciplinary Rules require that an attorney “keep a client reasonably informed about the status of a matter and promptly comply with reasonable requests for information.” DR 1.03(a). A lawyer is precluded from “knowingly . . . reveal[ing] confidential information of a client or a former client to . . . anyone . . . other than the client, the client’s representatives, or the members, associates, or employees of the lawyer’s law firm.” DR 1.05 (b). Tex. Ethics Op. 608 expressly allows an attorney to send privileged communications by email, while Ethics Op. 572 allows an attorney to give access to privileged information to contractors, such as a copy service.

Since the time Ethics Opinions 572 and 608 were released, however, technology has changed, and the parade of announced data breaches from companies like Yahoo and Equifax is alarming. We learned in 2016 that every email hosted by Yahoo was compromised to the point that people’s names, login IDs, passwords, home addresses and other identifying information was distributed to hackers in the dark web. In 2017, we learned that Equifax, a prominent credit reporting agency, was hacked, exposing credit card information, credit scores, social security numbers, and home addresses of at least 145.5 million people. Amazon, Google, and Apple are among the targets for hackers hungry for more private data. One of these companies could easily be making the next big data-breach announcement in 2018.

Using third-party email and data hosting services expands the boundaries of an attorney’s obligation to maintain confidentiality under DR 1.05. Ethics Opinions 608 and 572 should not be a basis for the lawyer to do nothing to further protect privileged client communications given that data breaches and clever hacks are exposed every day.

Email that provides end-to-end encryption for privileged information is the best option to protect communications. An alternative is to use a Word or PDF document to express the privileged communication, encrypt the document with a password known to the attorney and the client, and then send the encrypted document as an attachment to the email. If your firm has its own email and data servers, confirm that the servers adopt standard protocols for protecting data. An attorney should inform clients about email services that use end-to-end encryption to protect out-bound electronic communications for confidential information.

The storage of client data in the cloud presents additional responsibilities. Many third-party licensing agreements include terms that the third party “owns the data” stored on its servers. Access to client confidential information could be terminated, and the data deleted, due to failure to pay the Licensor. Transferring ownership of client confidential information to a third-party cloud provider will be considered a knowing disclosure of privileged information and a direct violation of DR 1.05. The attorney should conduct due diligence on the third-party hosting company before entering into an agreement and confirm that no transfer of data ownership occurs through the terms and conditions of the license agreement.

Put simply, the cloud-computing attorney has ethical obligations of due diligence, including an obligation to know the terms and conditions of third-party agreements for storage of data in the cloud before transferring client information to the provider. The attorney must also take adequate precautions to protect electronic email communications with clients.

Stephen Andrew Kennedy is the Managing Partner of Kennedy Law, L.L.P. He can be reached at skennedy@saklaw.net.

Back to Top