Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know About Privacy Law

No matter what kind of law practice you have, you need to comply with privacy laws generally and lawyers' ethical duties with respect to privacy, specifically. In this presentation, legal ethics counsel Sarah Banola (Cooper, White and Cooper, LLP) and employment and privacy attorney Diana Maier (Law Offices of Diana Maier) deliver a primer on privacy law and teach you the key areas of privacy law and associated ethical obligations.


  1. Privacy Best Practices for Lawyers: What Every Law Practice Needs to Know About Privacy Law
     Presented by: Diana Maier & Sarah Banola
     • Sarah Banola, legal ethics counsel to lawyers and law firms, Cooper, White & Cooper, www.cwclaw.com
     • Diana Maier, Employment Attorney and IAPP Certified Information Privacy Professional/US/EU, www.dianamaierlaw.com
  2. WHAT IS PRIVACY LAW?
     • Laws that deal with the regulation, storage and use of personal information about individuals.
     • Generally, expectation of privacy is a key factor.
     • Privacy laws can be broadly classified depending on the kind of data:
       - Sensitive personal information
       - Personal information
       - Non-personal information
  3. WHAT IS PRIVACY LAW?
     Specific privacy laws are designed to regulate specific types of information. Some examples include:
     • Communication privacy laws (e.g. TCPA)
     • Financial privacy laws (e.g. FCRA)
     • Health privacy laws (e.g. HIPAA)
     • Online privacy laws (e.g. COPPA; CalOPPA)
  4. WHY IS PRIVACY LAW SO HOT RIGHT NOW?
     Internet and the digitization of data has created higher stakes:
     • Millions of people are sending off private and sensitive information. If you break into the right network, you have access to millions of people’s sensitive information.
     • Last year, John Mulligan, Target's chief financial officer, said the retailer was “deeply sorry” for a breach that affected both payment data of 40 million customers and the personal data, such as phone numbers and addresses, of as many as 70 million people.
  5. WHY IS PRIVACY LAW SO HOT RIGHT NOW?
     Internet and the digitization of data has created higher stakes:
     • Internet means private information that you chose to share (sometimes thinking only a few people will see it) can be viewed by countless people.
     • Increasing amount of communications as we are more interconnected. New resentments by consumers about how those communications occur. Pressure on legislatures to regulate. (Think CAN-SPAM Act for email; Do Not Call list for phone calls.)
  6. WHY IS PRIVACY LAW SO HOT RIGHT NOW?
     • Onset of “Big Data” means increasing volumes of information. Private companies already collect, mine, and sell as many as 75,000 individual data points on each consumer, according to a Senate report.
     • This has ethical/moral/legal implications, so government regulation is implemented to deal with it.
  7. HOW DO WE PRACTICE GOOD PRIVACY?
     Follow FTC Fair Information Privacy Principles
     • Government agencies in the United States, Canada, and Europe have studied how entities collect and use personal information (their “information practices”) and the safeguards required to assure those practices are fair and provide adequate privacy protection.
     • The result has been a series of reports, guidelines, and model codes that represent widely accepted principles concerning fair information practices.
  8. HOW DO WE PRACTICE GOOD PRIVACY?
     Common to all of these documents are five core principles of privacy protection:
     1. Notice/Awareness;
     2. Choice/Consent;
     3. Access/Participation;
     4. Integrity/Security; and
     5. Enforcement/Redress.
  9. ISSUE SPOTTING FOR PRIVACY VIOLATIONS
     Always consider the following:
     • How does your business collect, use, share and store information (of clients or employees)? Do you have a lawful or legitimate basis for doing so?
     • Where is the data stored/where is it going? (cross-border transfers, vendor to sub-processor)
     • How is information collected, used and shared? What are the business purposes for each? (data minimization, reasonable business purpose)
     • Who has access to the information collected, and is there a less intrusive way to collect/process/store?
  10. ISSUE SPOTTING FOR PRIVACY VIOLATIONS
     • How are the Fair Information Practices met?
     • What do your vendor contracts (if any) say about privacy and confidential information, particularly of your clients?
     • What does your privacy policy say, where is it posted, and do you truly follow it?
     • What are user expectations about your website/email system, etc.?
  11. PRIVACY PRACTICES FOR ATTORNEYS
     Why are privacy practices so important?
     • Most laws apply to law firms just as they would to other types of businesses
       - International data protection requirements
       - Cross-border data transfer restrictions
       - Patchwork U.S. requirements
       - Hundreds of state and federal privacy laws
       - Section 5 of the FTC Act
       - Security breach notification requirements
  12. PRIVACY PRACTICES FOR ATTORNEYS – THE RISKS OF NONCOMPLIANCE
     From a legal perspective, the risks are substantial
     • FTC enforcement authority: Section 5 of the FTC Act
     • Most FTC privacy enforcement actions result from security breaches
       - Dave & Buster’s, CardSystems, Petco, ChoicePoint, Tower Records, DSW, Barnes & Noble.com, BJ’s Wholesale Club, Guess.com, Inc.
     • Division of Privacy and Identity Protection at the FTC
     • Contractual liability
     • Civil and criminal penalties or fines (particularly in the EU)
     • Reputational harm
  13. LAW FIRMS ARE NOT IMMUNE
     • Privacy issues have become ubiquitous for all businesses
     • Law firms are no exception; in fact, they face unique challenges:
       - Must comply with evolving privacy requirements
       - Varying client requests and sensitivity of data
       - Also must comply with ethical obligations
  14. SENSITIVE CLIENT DATA COLLECTION BY FIRMS
     • Personally identifiable information (PII) is routinely collected
     • Necessary to provide legal services in some matters
       - e.g., Mergers and Acquisitions, Employment, Health Care, Trust & Estates, Immigration, Information Security
       - Patents, trade secrets, religion, national origin, political affiliation, criminal background, SSNs, financial account information, medical history
  15. STORAGE OF PERSONAL INFORMATION
     • Storage of both hard-copy and electronic records creates risk
       - Mobile devices particularly risky and BYOD policies important
       - Breaches
     • Storage of data in the cloud has become commonplace
       - Provides the ability to leverage economies of scale, geographic distribution, and automated systems to drive down costs
       - BUT, must consider the privacy, information security issues and ethical obligations.
  16. DATA RETENTION & DESTRUCTION
     Data retention
     • How long must you keep personal information in the client files context?
     Secure destruction of personal information
     • Legal requirement at both state and federal level
       - Cross-cut shredding, degaussing
       - Consider state bar ethics opinions (Oregon State Bar Formal Ethics Op 2005-141: law firm may contract with recycling service to dispose of documents that may contain information relating to the representation of a client.)
  17. ETHICAL OBLIGATIONS
     • ABA Model Rules and California Rules of Professional Conduct
       - Rule 1.1, CRPC 3-310 – Competence
       - Rule 1.6, CRPC 3-100, Bus. & Prof. C. § 6068(e)(1) – Confidentiality
       - Rule 1.4, CRPC 3-500 – Communication
       - Rule 1.15, CRPC 4-100 – Client Property and Recordkeeping
       - Rules 5.1-5.3, Discussion to CRPC 3-310 – Supervision
  18. DUTY OF CONFIDENTIALITY — CALIFORNIA LAW
     • California Business & Professions Code § 6068(e)(1) (duty of attorney “[t]o maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client.”)
     • Lawyers must take reasonable measures to safeguard confidential client information and may need to consult with someone who possesses the requisite technical knowledge. See Cal. State Bar Formal Opns. 2010-179 & 2012-184.
  19. DUTY OF CONFIDENTIALITY — MODEL RULE 1.6
     • Paragraph (c) requires lawyers to undertake reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or access to, confidential client information.
     • Comment [18] addresses safeguarding confidential client information and includes the duty to prevent unauthorized disclosure by staff.
  20. DUTY OF CONFIDENTIALITY AND USE OF SOCIAL MEDIA
     • Don’t discuss confidential client information in public social media forums (e.g., listservs, blogs, LinkedIn).
     • Attorney should monitor and advise client re: social media profiles, websites, and blogs. See Pennsylvania Bar Ass'n Form. Ethics Opn. 2014-300; New York County Ethics Opn. 745 (2013).
     • Lawyer may advise client to change profile to “private.” Philadelphia Bar Ass'n Professional Guidance Committee Opn. 2014-5; New York State Bar Ass'n Social Media Guidelines (March 18, 2014) at p. 11.
  21. DUTY OF COMMUNICATION
     • Duty to keep the client “reasonably informed about significant developments” and “to promptly respond to reasonable requests for information.” CRPC 3-500
     • Revised Comment [4] to Rule 1.4 reflects changes in communication technology and requires a lawyer to promptly respond to or acknowledge client communications.
     • Client instructions
  22. ETHICS OPINIONS
     Security of Confidential Information, Cal. State Bar Formal Opn. 2012-184
     • Reasonable steps are required
     • Factors to consider:
       - Level of security offered by particular device
       - Legal consequences for unauthorized use or access
       - Sensitivity of information
       - Potential impact to client of inadvertent disclosure
       - Urgency of the situation
       - Client directions and circumstances
  23. ETHICS OPINIONS
     Arizona State Bar Ass’n Ethics Opinion 09-04: “It is important that lawyers recognize their own competence limitations regarding computer security measures and take necessary time and energy to become competent or alternatively consult experts in the field.”
  24. ETHICS OPINIONS
     • To what extent may a lawyer respond to negative online review by the lawyer’s ex-clients?
       - Los Angeles County Bar Association Formal Opinion No. 525
       - San Francisco Bar Association Formal Opinion No. 2014-1
  25. CLOUD COMPUTING
     • If third parties will access personal information on the firm’s behalf, there is risk.
     • Consider getting the client's consent to use of cloud computing services, particularly with highly sensitive data.
     • Adequately vet providers:
       - Credentials/Expertise in the industry
       - Security measures utilized/Who will have access to the information
       - Resources available to the vendor
       - How the vendor will transmit client information
  26. PRIVACY PRACTICES FOR ATTORNEYS - SERVICE PROVIDER MANAGEMENT
     • Mitigate risk through:
       - Due diligence
       - Protective privacy and information security contract language
         · Maintain PII in strict confidence
         · Use PII only for your company’s benefit
         · Comply with all applicable laws, industry standards and the company privacy policy
         · Develop, implement and maintain reasonable security procedures to protect PII from unauthorized access, destruction, use, modification and disclosure
       - Ongoing monitoring
  27. PRIVACY PRACTICES FOR ATTORNEYS – THE RISKS OF NONCOMPLIANCE WITH FIDUCIARY DUTIES
     Ethics violations
     • Waiver of attorney-client privilege
     • Malpractice or breach of fiduciary duty
     • Fee dispute or disgorgement
     • Consequential damages, such as replacing hacked client trust funds
     • State bar discipline, including reprimand, suspension, disbarment
  28. CHECKLIST
     • Inventory personal data maintained by the firm and devices used
     • Conduct risk assessment considering at least:
       - Employee training, policies and mobile device management
       - Secure information systems design and information processing, storage, transmission, and disposal
       - Responding to and preventing attacks, intrusions, and systems failures
       - Breach notice requirements
     • Fix vulnerabilities identified through the risk assessment
     • Oversee vendors
     • Monitor and manage information security program and policies
  29. RESOURCES
     • ABA’s “Information Security for Lawyers,” available at http://www.abanet.org/abastore/index.cfm
     • FTC’s “Protecting Personal Information, A Guide for Business,” available at http://www.ftc.gov/infosecurity/
     • IAPP’s “Information Privacy” handbook, available at http://www.iapp.org
     • “Protecting and Securing Confidential Client Data,” by Anthony Davis and Michael P. Downey, at http://www.law.com/jsp/lawtechnologynews/PubArticleLTN.jsp?id=1202474447879&slreturn=1&hbxlogin=1
     • NYSBA Social Media Ethics Guidelines, available at http://www.nysba.org/socialmediaguidelines/
     • For suggested BYOD terms, see ACC Top 10 Tips, available at http://www.acc.com/legalresources/publications/topten/tttfmtbyodttwe.cfm
  30. DISCLAIMER: The information contained in this presentation has been prepared by the Law Offices of Diana Maier and Cooper, White & Cooper LLP (collectively, the “Firms”) and is not intended to constitute legal advice. The Firms have used reasonable efforts in collecting, preparing, and providing this information, but do not guarantee its accuracy, completeness, adequacy, or currency. The publication and distribution of this presentation are not intended to create, and receipt does not constitute, an attorney-client relationship.
     COPYRIGHT © 2016, Diana Maier and Sarah J. Banola. All rights reserved.
     THANK YOU FOR LISTENING

Editor's notes

  • *The increasing use of cloud computing has led to a loss of privacy expectation as individuals post sensitive data online and data mining companies extract, analyze and sell data.
    *Expectation of privacy is also critical to issues involving waiver of the attorney-client privilege, as I will discuss later.
  • *Just in the past 2-3 years, Sony, Target, HD, PF Chang’s, Evernote, Living Social and US Government were targets of cyber attacks.

  • Example: Target identified a teenage girl’s pregnancy (via analyzing mass data) and sent her mailers before her father even knew. 

  • *When stored in cloud, the laws of a foreign jurisdiction may apply and affect privacy protection and privilege.

  • Diana, I will discuss vendor contract issues later so you may want to reference.
  • Sarah to start . . .
    In fact, many report law firms are the weakest link and digital security at many law firms generally remains below the standards for other industries. Refer to surveys.

    Recent WSJ report that 40% increase in publicly disclosed breaches since 2011. Cybersecurity firm Mandiant reports that at least 80 of the 100 biggest firms in the country, by revenue, have been hacked since 2011. In 2012, Bloomberg reported that the large Washington firm Wiley Rein was targeted by hackers linked to China’s military in connection with a trade dispute it was handling for a maker of solar panels.

    Since at least 2009, the FBI, the U.S. Secret Service, and other law enforcement agencies have warned the managing partners of big U.S. firms that their computer files are targets for cyberspies and thieves in China, Russia, and other countries, including the U.S., looking for valuable information about potential corporate mergers, patent and trade secrets, litigation plans, and more.

    Many clients, especially banks, are conducting audits requesting law firms stop putting files on portable thumb drives, emailing them to nonsecure iPads or working on computers linked to shared networks in China and Russia where hacking is prevalent; FBI meetings with managing partners of top law firms in major cities to highlight problem of computer security.

    RPCs do not keep pace with evolving technologies.
  • Reasonable to expect law firms will be targets of attacks by foreign governments and hackers because they are repositories for confidential data on corporate deals, patents, trade secrets and business strategies
  • For example as more attorneys work remotely, stolen laptop computers with unencrypted hard drives. As more and more data is hosted on the cloud, firm may be able to mitigate loss by wiping laptop externally. Also, cyberattacks and attorneys falling for email hoaxes. Recently, our IT director alerted us to a hoax in which a hacker was posing as the IT director to try to gain access.

    Cloud Computing- efficiencies and decreased costs. Law firms, like other businesses, rely on cloud computing for file-sharing, software, billing support, client management, e-discovery and database management.
    At outset, should consider sensitivity of data collected and risk tolerance of client.

    From a legal ethics standpoint, the use of such technology poses the question of whether lawyers may utilize cloud storage and services while still complying with their ethical obligations. The answer, as we have seen from a variety of ethics opinions (in CA and across the country) is that the use of cloud computing services by lawyers is ethically permissible. (See, for example, California State Bar Formal Opinion No. 2012-184). HOWEVER, complying with your ethical obligations may be more challenging in a cloud based format.

  • Consider factors such as statute of limitations, requirements under particular laws, engagement agreement provisions regarding retention post-termination.
    [Degaussing = demagnetizing/destroying data on magnetic storage tapes]

    As long as Law Firm makes reasonable efforts to ensure that the recycling company’s conduct is compatible with Law Firm’s obligation to protect client information, the proposed contract is permissible. Reasonable efforts include, at least, instructing the recycling company about Law Firm’s duties pursuant to RPC and obtaining its agreement to treat all materials appropriately.
  • RPC as basis for discipline versus common law standard of care.

    New CRPC in process of being drafted and estimated date of completion by March 31, 2017.

    California lawyers may also look to the Model Rules and ethics opinions for guidance.

    In August 2012, the ABA approved recommendations by the Ethics 20/20 Commission to amend the ABA Model Rules to address lawyers’ use of new technology.
    Revised Comment [8] to Rule 1.1 confirms that the duty of competence includes “keeping abreast of . . . the benefits and risks associated with relevant technology.”
    New Comments [3]-[4] to Rule 5.3 clarify a lawyer's duties when outsourcing legal work to non-lawyer service providers. This would include cloud providers.

    In California, the duty of competence includes "the duty to supervise the work of subordinate attorney and non-attorney employees or agents." Discussion to CRPC 3-110. Remember: you CANNOT displace your obligation of competence onto the client or a third party vendor.

    California State Bar Formal Opn. 2010-179: Actions an attorney must take to preserve confidentiality and supervise vendors are “governed by the duty of competence.”

  • Keep in mind that this is a more stringent standard than under Model Rules and fewer exceptions.

    Remember: the duty of confidentiality is “broader” than the attorney-client privilege. It covers information that is not necessarily privileged.

    It is so broad in fact that it even applies to information that is otherwise publicly available if the disclosure of such information would be detrimental or embarrassing to the client.

    Ethics opns: Mastery not required, but attorneys must have at least a basic understanding of electronic protections afforded by the technology used in their practice.
  • Advise clients that they may have no reasonable expectation of privacy, even with "private" sections of sites. Advise clients to change setting to private, which will decrease risk that private sections will be discoverable. Many courts turn on whether party has some evidence from publicly available portion to show relevancy of social media postings.

    Advice should cover material already posted, future postings and third party comments. Provide advice before and after suit filed.

    Advice should include credibility. Example-widower husband hot mama postings on FB.

  • Some state bar ethics committees have considered whether cloud computing itself is a significant development that must be communicated to your client and most opine no in light of the ubiquitous use of cloud services by businesses and law firms.

    Breach notification – internal and external.

    Reporting lost or stolen devices
    Remote locking or wiping
    Enabling "find my phone" or similar applications

    The lawyer’s duty of communication requires client notification: "If lawyer's conduct of the matter gives the client a substantial malpractice claim against the lawyer, the lawyer must disclose that to the client." Restatement (Third) of the Law Governing Lawyers §20, cmt. c (2000)
  • Level of security [including how particular technology differs from other media use-postal mail and email present similar risks of unauthorized review according to ethics opinions of most bar associations; whether reasonable security measures may be taken to increase the level of security-passwords, encryption; limitations on who is permitted to monitor use and on what grounds-ensure outside vendors safeguard information]

    Legal consequences for unauthorized use or access [for instance, fact that a third party could be subject to criminal charges or civil claims for intercepting or accessing confidential client information favors an expectation of privacy with respect to the technology (Electronic Communications Privacy Act of 1986, Computer Fraud and Abuse Act etc.)]

    Sensitivity of information [if highly sensitive, should obtain client's informed consent before using particular devices]

    Potential impact to client of inadvertent disclosure of privileged or confidential information or work product [waiver of privilege and evaluation of security precautions]

    Urgency of the situation [if particular technology needed to address imminent situation and no reasonable alternatives are available]

    Client directions and circumstances [or if attorney is aware that others have access to the client's electronic devices or accounts. Attorney should warn clients not to communicate confidential information from company's email account. See ABA Formal Ethics Opn. 2011-459.] Also, should warn clients to be careful when using mobile phones that are subsidized by law firm and subject to monitoring.

    Keep in mind that it is not just external hacking concerns, but also disgruntled employees and ignorance (using a post-it note on laptop as reminder for password or sending information that is not encrypted).

  • CUT?

    An interesting example of how the duty of confidentiality can be implicated in various forms of social media was addressed recently in two separate ethics opinions in California (one from the San Francisco Bar Association and the other from the Los Angeles Bar Association).

    How may a lawyer respond to a former client’s negative review of the lawyer on an online site such as Yelp?

    Both opinions concluded responding to such a post is not “per se” improper. However: if you respond, you must do so in a manner that does not violate the duty of confidentiality. You need to remember: that even publicly available information is a confidence or secret if it would be detrimental or embarrassing to the former client. So the mere fact information you want to use in the response might otherwise be available publicly, does not mean that it is not confidential.

    Recently, Colorado Supreme Court suspended an attorney for 18 months for e-shaming former clients and disclosing highly sensitive information in response to online complaints.

    A few practical tips:

    Avoid the gut reaction to respond right away.

    If you do decide to respond, say something like – “while I disagree with various statements contained in the review, professional and ethical considerations prohibit me from responding more directly to the statements.”

    Also consider practical consideration of whether response will just draw more attention to the review.

    *** [If time, discuss, below]

    Central Question: Is there a “self-defense” exception that would permit disclosure of otherwise confidential information so the lawyer can defend him or herself? No

    Unlike ABA Model Rule states: California does not have a "self-defense" exception to its rule of professional conduct regarding confidentiality

    Instead: We have Evidence Code section 958, which is an exception to “privilege.”

    (It provides: "There is no privilege under this article as to a communication relevant to an issue of breach, by the lawyer or by the client, of a duty arising out of the lawyer-client relationship.")

    The stated purpose of the Evidence Code exception is:

    ("It would be unjust to permit a client either to accuse his attorney of a breach of duty and to invoke the privilege to prevent the attorney from bringing forth evidence in defense of the charge or to refuse to pay his attorney's fees and invoke the privilege to defeat the attorney's claim.")

    It is doubtful the exception would apply in the context of responding to a negative public on-line review. The exception has generally been restricted to formal proceedings (malpractice or fee dispute) or official inquiries (such as a State Bar inquiry). Even where the exception is applicable, a lawyer must limit any disclosure of information to that necessary to respond to the client's claim and to minimize prejudice to the client – Is it really necessary to respond to a negative on-line review, no claim is actually pending?

    [Los Angeles Bar Association Opinion No. 519 – make the point that Evidence Code section 958 is not premised on the concept of waiver, of the attorney-client privilege; rather, it is an "exception" to privilege, the statute provides that "there is no privilege" under the limited circumstances set forth in 958.]
  • NY State Bar Ass’n Ethics Opn. 842 (2010) –Attorneys may ethically use cloud storage for client confidential information provided they take “reasonable care to ensure that the system is secure and that client confidentiality is maintained.” Duty to “stay current” with “technological advances applies to a lawyer’s contemplated use of an online data storage system.”

    NYSBA guidelines suggests including provision in engagement agreement re: cloud storage.

    PA-consent may be necessary depending on scope of representation and sensitivity of data. See also NH State Bar Ass’n Advisory Ethics Opn. 2012-13/4 (Feb. 21, 2013)-If the info is highly sensitive, consent of the client to use cloud computing may be necessary.

    Also, think about:

    The technology that will be utilized

    Whether the vendor has backup provisions for information it will handle and store

    What measures are in place to prevent lapse in services, such as an earthquake, or prompt return of data if provider goes out of business or when you close account.

    Should your cloud provider receive a litigation hold notice? Can you require compliance?

    Find out whether your professional liability policy covers data breaches; if not, assess whether separate coverage is appropriate

  • Pay attention to the terms of the service level agreement and make sure they adequately protect confidential information.

    Obligation to comply with preservation requests.

    Watch out for indemnity provisions in user agreements – often the lawyer will have to indemnify the vendor in the event of a breach of security.

    And consider the extent to which you will be able to adequately supervise the vendor. Auditing by third parties may be limited by outside vendor cloud providers, but most will provide own audits and provide report. If fail to do so, red flag.
  • See NC State Bar Ethics Comm. Form. Op. 2015-6. Obligation to restore funds when hackers break in to computer network and steal client money if lawyer failed to take reasonable steps that could have prevented the theft.

    Safety measures include strong passwords policies and procedures, use of encryption and security software, hiring a technology expert for advice and making sure relevant firm members and staff are trained on security procedures.

    Beware of spoof emails! Email with wiring instructions from seller in real estate transaction requests that lawyer wires funds (instead of mailing check as previously arranged). The email address is the same as sellers with one different letter. The lawyer wires the funds without calling seller first to confirm. Opined that lawyer did not take reasonable security measures by calling the sender at the phone number listed in the lawyer’s file and confirming the seller’s email address.

    In event of theft, notify clients, take protective steps and report theft to State Bar.
  • Many Wall Street banks, including Bank of America and Merrill Lynch, typically require law firms to fill out up to 20-page questionnaires about their threat detection and network security systems. Some clients are even sending their own security auditors into firms for interviews and inspections.

    Determine whether the firm can support all types of devices being used by attorneys and staff.

    Involvement of IT staff or consultants, but attorneys must manage the security policies and practices. You can’t just tell IT manager to enter into cloud vendor contract with no oversight. You must stay involved and do some diligence.

    Training and Policies (Social Media, BYOD)

    Employee departure procedures [remote wiping, removal of access to server and email access]

    Implement data encryption, Secure Socket Layer (“SSL”) industry standard to confirm that communication is encrypted and secure from interception. Firewalls, passwords and strength. Data backup (require save documents on firm/company server)

    Incident Response Plan/Disaster Recovery. The firm should have in place a procedure for reporting lost or stolen devices, remote locking or wiping, enabling "find my phone" or similar applications.

    Breach Notification.

    Document dd efforts, including employee training and oversight of vendors.

    **Bottom line-reasonable due diligence is required.