
Oklahoma Bar Journal

Ethical Considerations and Practical Guidance for the Storage and Transfer of Digital Client Data

By Lauren Watson


Lawyers are, among their numerous other roles, stewards of information who collect, process and store large amounts of confidential data on a daily basis, regardless of their area of practice. Personal injury attorneys, for example, may collect and hold a significant amount of their clients’ medical information. Employment lawyers may receive information related to their clients’ employees, like Social Security numbers. Given the sensitivity of this data, maintaining client confidentiality is a cornerstone of legal ethics and a fundamental duty of every attorney.

While lawyers should generally be aware of the ethical duties associated with the confidentiality of client information, those duties take on additional nuance when client data is stored, used and shared electronically. This article will serve as a refresher on the ethical duties applicable to digital client data and discuss how attorneys can meet their ethical obligations through the use of technology, the development of appropriate policies and procedures, and disaster planning.

LEGAL AND ETHICAL DATA PRIVACY OBLIGATIONS

In the United States, data privacy obligations associated with collecting personal data are governed by a combination of federal and state law. Lawyers and law firms are generally not excepted from these laws. Depending on the amount of personal data held by the lawyer or firm, the jurisdiction of residence of their clients and, in some cases, the amount of revenue they generate annually, attorneys and firms may be required to implement a number of potentially onerous and specific technical obligations with respect to collecting, storing and using personal data. For example, if a law firm acts as a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), it will be expected to adhere to the security requirements detailed in the HIPAA Security Rule to protect the confidentiality, integrity and availability of the electronic protected health information in its possession. Law firms that are subject to state comprehensive privacy laws, such as the California Consumer Privacy Act (CCPA) and its implementing regulations, will be expected to provide for enumerated data subject rights, including the rights to access, correct and delete personal data.

In addition to these statutory and regulatory requirements, lawyers have an ethical duty to provide appropriate privacy protections for client information, stemming from the attorney ethics rules of their jurisdiction(s), like the Oklahoma Rules of Professional Conduct (ORPC). For example, compliance with Rule 1.1 of the ORPC, which requires lawyers to provide competent representation to their clients, necessitates that lawyers develop and maintain an understanding of the benefits and risks associated with relevant technologies. Lawyers also have obligations under Rule 1.6(c) of the ORPC to protect client confidentiality by taking steps to prevent “the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Comment 16 to that rule goes further by suggesting that this obligation is not limited to merely avoiding disclosures of client information. It can also be understood to impose an affirmative obligation on lawyers to implement reasonable procedural and technological safeguards designed to prevent inadvertent or unauthorized access to or disclosure of client data. Comment 17 to Rule 1.6 of the ORPC similarly requires lawyers to take reasonable precautions to protect client information in transit. While these obligations are specific to Oklahoma, the ORPC – like the rules of professional conduct of many other U.S. jurisdictions – is based on the ABA Model Rules of Professional Conduct, and these obligations have been reiterated by numerous American Bar Association (ABA) ethics opinions, including Formal Opinion 477R[1] and Formal Opinion 483.[2]

The reasonableness of the precautions a lawyer takes will generally be determined in connection with the sensitivity of the information involved, the likelihood of the disclosure in the absence of the safeguards, the cost of the safeguards, the difficulty of their implementation and the degree to which the use of the safeguards negatively impacts the lawyer’s ability to represent their clients. With respect to communications and other intentional disclosures of client data, lawyers should also consider whether the communication is subject to statutory or regulatory privacy standards or another confidentiality agreement. Although the sufficiency of a lawyer’s safeguards should be assessed on a case-by-case basis, there are several broadly applicable effective approaches all lawyers can employ.

PRACTICAL CONSIDERATIONS FOR STORING AND MANAGING CLIENT DATA

Regardless of the nature of their practice, all lawyers receive confidential client data. As such, careful consideration should be given to how, where and for how long this data will be stored. In practice, this means lawyers should carefully weigh the risks and benefits of on-premises and off-premises (cloud-based) data storage. In general, storing data on premises means storing data on a server hosted within the law firm’s infrastructure and controlled, administered and maintained by the firm or its IT partner. This often means storing the data onsite at the firm itself. On-premises storage can offer greater control over client data and the infrastructure that stores it, potentially higher security for sensitive legal information and, in some circumstances, the ability to access data and operate without internet connectivity. However, on-premises storage can be pricey and requires continuous maintenance, monitoring and security management, which can be resource intensive.

For this reason, some lawyers choose to use cloud-based storage, wherein an outside service provider hosts their data. In this scenario, the cloud provider identifies, installs and maintains the infrastructure necessary to store the data, which may provide for cost savings and take some of the burden off the lawyer to monitor potential risks to the data and to identify and implement some of the updates necessary to secure the data. Nevertheless, there are numerous considerations associated with the use of third-party vendors, like cloud storage providers. Lawyers considering transitioning their data from on-premises to off-premises storage should conduct appropriate due diligence with respect to each third-party vendor under consideration. While the level of diligence required varies depending upon the sensitivity of the data being processed by these vendors, the vetting process may include requesting third-party cybersecurity and/or compliance certifications or audit reports; reviewing the vendor’s policies, procedures, internal controls and training materials; and reviewing their privacy and data security history, including regulatory actions, litigation and data breaches. Ultimately, any vendor selected should have a clear technical and procedural ability to protect the data in its possession and a demonstrated history of doing so.

Once a vendor has been identified, lawyers will want to carefully review and, if necessary, incorporate risk-mitigating terms into their agreements with the vendor. This may include provisions requiring the vendor to provide annual proof of appropriate cybersecurity insurance coverage as well as terms requiring the vendor to indemnify and/or reimburse the lawyer for cybersecurity and other related violations. To the extent the lawyer is subject to one of the comprehensive state privacy laws discussed earlier, they may also wish to ensure the contract contains the requisite “processor” or “service provider” contractual restrictions on data processing and data use, as well as specific and enumerated data safeguards as may be required by applicable data privacy laws. After retaining a cloud-storage vendor, lawyers should also be careful not to become complacent and should consider performing annual reviews of their vendor’s practices, such as by requesting the results of any annual third-party audits or compliance certifications obtained by the vendor.

Regardless of where the data is stored, there are additional steps all lawyers should take to protect the client data in their possession. For example, lawyers should consider restricting access to client data on the system. This entails ensuring all system users have unique accounts and are authenticated (including through the use of multi-factor authentication) before they access client information on any device or application on which it is stored. They also should conduct regular security audits and risk assessments, including penetration testing and security control audits, to identify new risks and vulnerabilities to their systems and the data stored therein. All subsequent findings should be promptly and completely addressed.

Additionally, lawyers should consider taking steps to ensure client data is encrypted both in transit and at rest. Data should be backed up on a regular schedule so that systems can be restored and operations resumed in the event of a data incident or other disaster. At least one frequently updated backup should be stored offline, and lawyers should evaluate ways to confirm that the backed-up data can actually be restored. Once client data is no longer needed (such as when the retention period applicable to the client file has passed), it should be securely and completely deleted, including from backups.

APPROPRIATE SAFEGUARDS WHEN USING AND TRANSFERRING CLIENT DATA

When it comes to transferring client data, lawyers must balance the convenience and efficiency of electronic communication and data transfer methods with their paramount duty to protect client confidentiality. Lawyers should carefully assess the sensitivity of the client data being transferred and always err on the side of caution. Where the data is sensitive, they should evaluate even more carefully the security of the communication channels they intend to use, to ensure any data transferred is sufficiently protected. To protect client data and minimize the risk of interception or inadvertent disclosure, lawyers can use encrypted email, secure file transfer protocols and virtual private networks (VPNs) as appropriate. Public Wi-Fi networks and other unsecured communication channels should be avoided, and clients should be appropriately advised of the transfer methods the attorney will employ to share their personal data in all instances.

In addition to more traditional methods of transferring and sharing client data, lawyers should also exercise caution when using artificial intelligence tools. In particular, there are a number of ethical pitfalls associated with the use of generative artificial intelligence – a subset of artificial intelligence focused on creating new, original content or data using advanced algorithms and learning techniques. Commonly used forms of generative artificial intelligence include ChatGPT and DALL-E 2. Artificial intelligence tools specific to the practice of law are, likewise, coming into broader use. Because these tools use large data sets (including, in some instances, data input by users) to train and develop their models, lawyers must understand that any information they submit to artificial intelligence tools is likely not private or confidential and may be visible to others, incorporated into responses that are generated for others or even used to train the model itself. Moreover, they should assume that any data, regardless of its nature, that is input into an artificial intelligence tool cannot be deleted or otherwise removed from the tool. As such, lawyers should decline to input confidential or proprietary data, including client data, into outside artificial intelligence tools that have not been thoroughly vetted to ensure they meet legal and ethical privacy and confidentiality standards.

CONCLUSION

The rapid evolution of technologies available to aid lawyers in their practices is a boon to both individual lawyers and the legal field as a whole. Nevertheless, capability comes with duty, and as the tools available to lawyers increase, so too do lawyers’ obligations to protect the confidentiality and security of their clients’ confidential data. Lawyers who: 1) develop and implement comprehensive data protection policies – including privacy policies, information security policies and incident response plans – to codify appropriate data security and confidentiality practices as discussed herein; 2) clearly communicate their data protection policies and practices to employees and train them on the same; and 3) stay current with technological advancements and legal requirements, then evaluate and revise their data protection policies and practices accordingly, will be well positioned to meet their legal and ethical obligations to their clients.


ABOUT THE AUTHOR

Lauren Watson is a cybersecurity and privacy attorney at Ogletree Deakins. She dedicates her practice to assisting clients with matters including data security incident and data breach response, preparation of privacy policies and notices, negotiation of data protection agreements and other aspects of compliance with privacy and cybersecurity laws and regulations, such as comprehensive state privacy laws, sectoral privacy laws and laws regulating biometric data and employee monitoring activities across the country.


ENDNOTES

[1] ABA Formal Opinion 477R: Securing Communication of Protected Client Information, aba_formal_opinion_477.pdf (americanbar.org).

[2] ABA Formal Opinion 483: Lawyers’ Obligations After an Electronic Data Breach or Cyberattack, https://bit.ly/3AjhxOY.


Originally published in the Oklahoma Bar Journal, OBJ 95 No. 10 (December 2024)

Statements or opinions expressed in the Oklahoma Bar Journal are those of the authors and do not necessarily reflect those of the Oklahoma Bar Association, its officers, Board of Governors, Board of Editors or staff.