4 Types of Data Law Firms Must Protect

By now we all should have realized that cyber-related risks are not going to disappear. Technology is here to stay and so are risks associated with using technology. Data breaches, ransomware and phishing attacks are a daily occurrence and constitute some of the risks of using technology.   

But don’t despair. We face and manage risks in our everyday activities such as riding in cars. Rather than avoid transportation, we wear our seatbelts and follow traffic laws to reduce the risks associated with riding in cars. Risks associated with technology can be reduced in the same manner; apply safety features and follow the rules.

A law firm’s exposure to risk depends on the type of data processed and stored by the firm. It also depends on the type of technology the firm uses.

Lawyers have obligations to maintain confidentiality and competence, and to safekeep information belonging to clients. Information subject to lawyers’ obligations should be protected. Depending on the lawyer’s practice area, the law firm may also handle medical records, financial information, and other personal information subject to regulation. Consider whether or not you handle information that falls into a regulated category, and learn the regulatory requirements for treatment of such information.

Essentially you can categorize information as follows:

1. Confidential
2. Privileged
3. Client Property
4. Regulated

Not all information is created equal. If the information does not fall into one of the above categories, it might not require as much security. For example, it is unlikely you need to stash your news subscription password in a secret vault. 

Once you identify which information requires protection, you must apply the appropriate security measures. To do so, you need to understand the technology you are using and how to secure it.

For instance, the door to your office has a lock and maybe a security code as the chosen security measures. Tape would not work. It is also unlikely that a “do not enter” sign would keep people out. Much like you understand the various methods of securing a door, you should understand the various methods of securing technology. How do you secure cloud access? How do you secure email? Think about where you store data that fits into one of the 4 categories mentioned above. After you identify the location of your data, consider each access point. Can you access your email from only one laptop? Or can you access email by logging in from a browser on any device? How do you access your data?

For each access point, research different security measures. Find the appropriate locks and know that there are people and resources out there who can help you properly protect your data.

Why Lawyers Should Adapt to Technology & How

Lawyers must adapt to technology. The saying “if it’s not broke, then don’t fix it” does not apply to technology. Ethical obligations and client demand are driving forces that demand lawyers adapt to technology.

The Professional Rules of Responsibility require lawyers to be competent and maintain confidentiality. Lawyers have a duty to understand the technology available to help clients and are expected to use technological advances to zealously advocate for clients.

Clients are using technology. They expect lawyers to integrate technology almost as effortlessly as the rest of the world. Clients also understand cyber risk. Small to large companies face cyber liability. These clients expect the lawyers to understand these challenges just as well as they understand other civil and criminal liability. If a company is using a computer, it is highly likely they are exposed to cyber liability.

If you understand the need to adapt, you may be wondering how to adapt. I suggest approaching technology like any other lifestyle change. Slowly introduce new technology to your daily life while reading the news. There is a plethora of information out there about technology and cyber liability. Join the conversation; subscribe. If you need more guidance, reach out to a technology organization. The Texas State Bar and the American Bar Association have special interest groups that cater to technology and law. Check online videos for how-to’s. Ask members of your local bar for help.

You don’t want to be left behind.     

Prepare for New Required Skills in Technology Responsibility

Will all businesses eventually need to be in the business of technology?  Will a user be liable for his or her actions or inactions with regard to technology?  As data protection laws are created and impose duties on users, it seems that a technology responsibility course could become part of education’s core curriculum:  math, science, language arts, social studies and technology responsibility (tech res). Once upon a time, technology was an elective; these days, it seems like a necessity.   

Using technology responsibly is about risk management and acting reasonably. 

Who needs-to-know?

You might wonder who really needs to know about technology. The answer to this question used to be something along the lines of “leave it to the IT department”. These days, the correct answer to the question is, “everyone”. I am confident that everyone is using a computer or smart phone to access data. Think about all of the Word documents, PDFs and emails you have access to. “Data” is a broad category and includes information that is personal, confidential, related to the company and/or used for entertainment. In the past, even if this information might have been accessible to people, it was not so easily accessed and shared. Entering a filing room to pull a confidential file still required more steps than selecting “send as attachment” or “post” or “tweet” or... you get the point. Basically, everyone is using technology in some form and should know something about the technology they are using. At a bare minimum, users should know about the major risks and liabilities. Unfortunately, in practice, many people ignore warnings about risks and liabilities by scrolling down and clicking “accept”. Blind acceptance could result in the release of rights to your photos, agreeing to share your list of contacts or numerous other things. It wouldn’t hurt for everyone to be more informed before they select “accept”. Hence why “everyone” is included in the need-to-know category.

Who needs to care?

Who needs to know is slightly different than who needs to care.

As individuals, most people aren’t going to care who shares their vacation photo or who sees their grocery list. For the most part, if individuals have any information worth worrying about, a breach of information, while unfortunate, would be minuscule and likely only harm that individual. Besides, most individuals willingly divulge information regularly via social media. No one is wondering what’s on your grocery list because we all saw pictures of your meals for the past few weeks.

Then there is the camp of individuals guarding their credit card and social security numbers. Such individuals would be correct that these pieces of information are important, but on a small scale.  Credit card companies are great about finding fraudulent charges. Everyone should be monitoring their bank account anyway. Maybe this is harsh, but no matter how many selfies you take, you probably aren’t as important as you would like to think.  Of course, feel free to care, but know that you probably do not make the cut for the “need-to-care” group.     

Those that really need to care about responsibly using technology are typically those in possession of other people’s information. Don’t get me wrong, it is a great habit for an individual to be cautious and protect his or her own information. This is sort of like locking your doors. It’s your house.

If you lock the doors, great for you.  If you don’t lock the doors and someone steals your belongings, I might feel sorry for you, but my belongings are still safe. 

However, if you are holding a lot of my belongings and fail to lock the doors, I will be very upset if my stuff is stolen.  The same concept applies to the data.  If you have the information or access to data, you have a responsibility to provide security.  The people who really need to care are those involved with business.  Businesses tend to have information including contact information, financial information and confidential information.  I use the term “business” very broadly because all types of businesses are included. This even includes non-profits, education, consumer goods, healthcare, sales, services, etc.  Do not assume you are exempt.  Businesses must have security in place to protect the information of others.  Think of it as if your house is holding their valuables.  YOU, the business, should ensure that the doors are locked.

Businesses should care, but who is the business?

For fear of a tragedy of the commons, here is an elaboration on who within the business should be accountable for caring about data protection.

The structure is flexible and could include a variety of different models depending on what works best for your business. If there is a board of directors, the responsibility could begin with them. If there is a partnership, the partners could be accountable. The important point is that someone is made accountable for monitoring and implementing protection. What you don’t want to happen is that everyone assumes someone else is dealing with it. (A tragedy of the commons.) You don’t want to assume that your partner password-protected his computer. As a business owner, it is your duty to think through these issues and plan ahead. Either monitor things yourself or assign the duty to another person or to an entire department. Perhaps hire a technology expert to report back to you. Create a policy and follow a particular procedure. Educate each of your employees about what is expected and precisely how they can follow protocol. As a partner in a business, ask questions and raise concerns if you do not see these policies in place. Regularly check to see if the policies are being executed correctly. After all, just because a door has locks doesn’t mean people are always using them.

With breach requirements at the state level and new legislation incentivizing the disclosure of breaches to the federal government, it is only a matter of time before required duties arise demanding a proactive approach.  Similar to requirements for book-keeping to help protect against future problems, we will eventually see requirements for safe-guarding data. 

Reasonable care standards are already being incentivized, if not implemented.  It would be wise to create good habits now.  If tech responsibility is eventually added to the elementary school curriculum, it is only a matter of time before a failure to use basic protections will constitute gross negligence, from which there will be little insulation from liability.

You should care earlier rather than later.