Leonard DeutchmanHow Well Are Law Firms Protecting Their Digital Information?
I have been writing this monthly column for well over a decade now, and each month I have provided what I believe to be answers to questions brought into the legal realm by the ascendance of digital media and communications.
September 27, 2018 at 12:30 PM
9 minute read
I have been writing this monthly column for well over a decade now, and each month I have provided what I believe to be answers to questions brought into the legal realm by the ascendance of digital media and communications. For this month's column, however, I am posing a question to which I have no answer: Do law firms do what they should to protect digital media and communications from being vulnerable to hacking, a virus or some other form of adverse intrusion by a third party so as to avoid being the target of litigation by clients should any such firm find itself having been so victimized? I am raising the issue because I have not seen much discussion on it and would rather raise it before it becomes, and to help avoid it becoming, a widely discussed problem.
|Background
It is fundamental to our jurisprudence that communications to and by a law firm, as well as documents—whether digital, on paper or in some other media—are protected by attorney-client privilege. This protection cuts two ways (at least). Third parties, such as an opposing party, law enforcement or some other governmental entity, news media, people generally, etc., have no right to demand any such protected communications or documents. As well, the protection creates an obligation on the part of lawyers not to reveal any protected communications or documents to any third parties except as required by law or after determining that such revelation is in the best interest of the client.
The protection has generated considerable discussion. In the wake of the digital revolution, there have been innumerable opinions issued by federal and state courts regarding whether, when and under what conditions, if any, a lawyer or law firm must disclose digital media to opposing counsel or a third party. As well, innumerable contracts between law firms or their clients and the vendors who provide e-discovery and other IT services to said firms and clients (many of which contracts I have written or reviewed) contain language rendering the vendors responsible not to disclose or allow disclosure of any such media—digital or otherwise—in the vendors' possession (save at the direction of counsel or clients), and obligating the vendors to protect such media from hacking, viruses, or any other efforts by third parties to gain access to the media or in any way change or destroy it.
The aforementioned contracts have arisen because, in the digital world, attorneys need the assistance of e-discovery and other IT vendors, even if firms have brought those services “in house,” i.e., they have purchased and set up the servers and applications needed to ingest, review, produce and store e-discovery, and have personnel on staff to implement these processes. These in-house firms will, invariably, want to house data for all of the aforementioned processes in two locations: within the law firm; and, in a “co-location” (or “colo,” in the well-accepted shorthand), provided by a third party. The exact same services being provided through the firm's in-house applications and on its server(s) will be simultaneously replicated on the colo's server(s), so that if for some reason the firm's IT or applications cease functioning, the user will immediately cut over to the colo. In this manner, if a problem with the firm's IT holds up any digital processes, there will be no delay, and if such problem results in the loss of data by the firm, the data in the colo will provide a backup.
Colo's, of course, must also be secure from intrusion by third parties. As well, it is a standard practice to make sure that the colo is in a location not subject to the same weather as is the firm, and unlikely to be affected by a destructive event such as an earthquake should the firm's office be so stricken. These practices make it highly likely that if either the law firm's or the colo's IT is damaged significantly or destroyed such that digital media is rendered inaccessible, the same natural events leading to that destruction will not destroy the backups, and vice versa.
As I mentioned above, over the years I have read and drafted many contracts under which e-discovery and IT providers must agree not to disseminate the communications and digital media of law firms, and to provide insurance should such provisions be offended. I have also read and drafted contracts obligating e-discovery and IT providers to provide protection for such firms' communications and digital media by requiring the service provider to enter into agreements with its colo also not to disseminate the communications and digital media entrusted to it (i.e., the same law firm communications and digital media) and to provide insurance should such provisions be offended. I have also read many news stories and columns discussing these obligations. As we shall discuss below, typically these stories involve how the provider is subject to an accepted security protocol, how that protocol is enforced by, inter alia, having security firms inspect the provider, and whether the provider violated the protocol.
What I have never read is a news story or opinion piece about a law firm being subject to a security protocol, even though the law firm will hold, on its premises, a large volume of privileged digital media and communications. Thus, the question that arises is whether law firms should be so obligated.
|Law Firms and ISO 27001
“ISO 27001” is a well-accepted protocol for information security management created by the International Organization of Standardization (ISO). As the protocol has been revised over the years, its title has changed from ISO 27001:2005 to ISO 27001:2013, for example, but it is generally simply referred to as “ISO 27001.”
The ISO protocol involves all manner of potential security risks. In addition to testing hardware and software to determine whether it has the latest defenses to hackers, viruses and other threats, it has standards, for example, for doing criminal background checks on employees and applicants and not allowing those with criminal records to access data; how to protect data physically, in ways ranging from locking areas with computers that have access to sensitive data, whom to let into such areas and how to supervise those who are provided access to those areas (guests, building cleaning staff, etc.); how and how often ISO-certified inspectors should inspect offices, determine whether the security there is ISO-compliant and, if security is lacking, provide suggestions as to how to make it compliant and arrange for a re-inspection to determine whether to list the facility as not compliant, and so on. ISO tries to check for threats to security in a world of people, which means looking at bad habits, bad work environments and other person-centered issues as well as the digital threats that most people think of when the subject of data security arises.
In the past few years there have been reported data intrusions of law firms. Despite this fact, I have seen and heard very, very little discussion with regard to the application as to law firms of information security protocols such as ISO and others. In the last few years, I have read only a couple of commentaries of the subject. As well, a quick perusal of websites for law firms, large and small alike, will fail to turn up much discussion as to ISO compliance by the firms.
Given the voluminous public discussions of the general need to protect against data intrusions, the silence on the subject in public discussions as it regards law firms is curious. It is, by definition, impossible to know whether this silence results from law firms not adhering to the ISO or any other well-accepted security protocol, or from some other reason. The argument could be made, for example, that firms remain silent for fear that advertising security steps on websites could be a version of “Me thinks the law firm doth protest too much,” i.e., by answering questions regarding security that other firms silently dismiss, the answering law firm may be punished for its candor by inadvertently suggesting to the potential client that the firm has security problems other firms do not share, and so discouraging the potential client from engaging the answering firm.
I have no facts to support any interpretation of the silence on the subject. My experience tells me that, for example, when one considers how much work counsel has to do, how often counsel will take that work home or do it on the train, in the hotel room, etc., and how counsel accesses the digital documents involved in that work (copying them to a thumb drive and accessing them from the drive or copying them from the drive to counsel's PC, accessing them from the law firm's server using the train's or the hotel's wireless connection, etc.), one must wonder how such work can be accomplished while adhering to ISO's or any other credible security protocol. Such questioning, however, does not mean that any given firm is not adhering to a proper security protocol.
|Analysis and Conclusion
Law firms have the same responsibility as any other party entrusted with confidential information to keep that information confidential. Indeed, given that the information is legally privileged, the importance to the legal system of maintaining privilege, and the important role the legal system plays in maintaining the proper functioning of our government and the freedoms of our society, it is not hyperbole to state that the protection of confidential information by law firms is of the highest importance to our society.
The best way now known to protect confidential information is to adhere to the ISO protocol or a similar standard. Law firms, who expect their vendors to so adhere with great vigilance, should expect the same from themselves. Whether they choose to advertise their adherence on their websites or simply agree to it with clients, they should do it. Whether they are doing it now is hard to know.
Leonard Deutchman is a consultant regarding electronic discovery, digital forensics, and criminal and civil legal matters. Before that, he was vice president, legal for KLDiscovery, which he helped found, and a chief assistant district attorney at the Philadelphia District Attorney's Office, where he founded the Cyber Crime Unit and conducted and oversaw hundreds of long-term investigations involving cybercrime, fraud, drug trafficking and other offenses. Contact him at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Federal Judge Allows Elderly Woman's Consumer Protection Suit to Proceed Against Citizens Bank
5 minute read
Judge Leaves Statute of Limitations Question in Injury Crash Suit for a Jury
4 minute read
Supreme Court's Ruling in 'Students for Fair Admissions' and Its Impact on DEI Initiatives in the Workplace
6 minute read
Membership Has Its Privileges: Bankruptcy Court Examines LLC's Authority to File Bankruptcy
8 minute readTrending Stories
- 1Litera Acquires Document Automation Startup Offices & Dragons
- 2Patent Trolls Come Under Increasing Fire in Federal Courts
- 3Transforming Dispute Processes in Law: The Impact of Large Language Models
- 4Daniel Habib to Serve as Next Attorney-in-Charge of NY Federal Defender Appeals Unit
- 5Protecting Attorney-Client Privilege in the Modern Age of Communications
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
