There is no denying the natural tendency of lawyers to hoard information. Whether our own or others’ – everything worth writing down at some point is worth keeping, just in case. But there is also an undeniable pull now towards a cleaner data footprint that is being felt within the legal community. Here is why.
As legal professionals, we are in a position of power over massive amounts of sensitive information that clients entrust us with. But our duty to safeguard our clients’ secrets comes at a time when highly sensitive data and communications are under constant attack, including the information law firms and in-house teams hold in confidence. And while in the past the worst that could happen was our legal strategy or clients’ personal details being leaked to the opposing side, today the stakes are much higher.
In the recent Deloitte breach, hackers obtained access to the email system of one of the largest private consulting firms advising the world’s top banking, pharmaceutical and media corporations and government agencies. As a result, confidential communications and proprietary “plans of some of its blue-chip clients” were compromised. That same week, reports came out that the US Securities and Exchange Commission’s nonpublic filings were seemingly intercepted when transmitted through non-secured personal email accounts. Again, sensitive information may have been strategically used by hackers in illicit stock trading. And these are only two of countless high-profile incidents that the public actually knows about.
The bottom line is that sensitive communications are now the go-to target for those looking to gain access to and exploit valuable proprietary information for strategic, financial, or political gain. And as lawyers, we are ideally positioned to be a great entry point to our clients’ information, often because we are indeed an easy target: we store it all, rarely delete data (even after it’s no longer needed), often deploy substandard security measures, and have access to the most sensitive information one can imagine. That, in combination with legal teams now operating in a staccato mode, sharing files and responding to clients’ messages on the go and using the tools most accessible to our clients, explains why there is pressure within the legal community to get smarter about information security.
As general counsel at an information security company, where we live and breathe privacy and security, it still took me a little time to appreciate what’s really at stake. And I am now beginning to see my colleagues across industries rapidly wake up to the idea that the risks associated with over-saving valuable information now far outweigh the risks of letting that information go to ensure it cannot be breached.
Just this May, in its Formal Opinion 477, the American Bar Association stated that “cybersecurity recognizes a world where law enforcement discusses hacking and data loss in terms of ‘when,’ and not ‘if.’” It went further to explain why law firms have become ideal targets:
- “they obtain, store and use highly sensitive information about their clients while at times utilizing safeguards to shield that information that may be inferior to those deployed by the client,”
- “the information in their possession is more likely to be of interest to a hacker and likely less voluminous than that held by the client.”
Formal Opinion 477 also clarified the requirements of Model Rule 1.6(c) that lawyers take reasonable efforts to protect against unauthorized access to client information, stating that “in the electronic world, ‘delete’ usually does not mean information is permanently deleted, and ‘deleted’ data may be subject to recovery.” The ABA has emphasized that “lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters” and that certain communications may be so sensitive as to require additional protections such as high-level encryption or personal delivery.
These duties outlined by the ABA are squarely in line with Model Rule 1.1 that lawyers “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”
Interestingly, the ABA is not the first to recognize this growing tension between our tendency to store all communications at all times and the increasingly sophisticated security risks against them. In its Principles on Electronic Document Production and Retention, the Sedona Conference advanced the idea of lawyers as stewards of proprietary communications and data stating that we “should take reasonable steps to safeguard electronically stored information, the disclosure or dissemination of which is subject to privileges, work product protections, privacy obligations, or other legally enforceable restrictions”.
Echoing the need for defensible data deletion as a means to protect client information in its white paper, the Center for Democracy and Technology, one of the top research think tanks, wrote: “we believe there comes a point when the value of data has been extracted and the costs (both operational costs and potential for liability) of retaining data outweigh the potential benefits of keeping it.”
So while many in the legal profession err on the conservative side of storing everything – useful or not, sensitive or trivial – others, including the next generation of lawyers, are turning to ‘shadow IT’ to ensure they have the tools required in today’s security and communications environments. This means that many tools, including instant messaging and ephemeral communications apps that haven’t made their way into organizations officially due to red tape, are nonetheless present and actively used by teams to enable collaboration, whether we agree to it or not.
As a community of lawyers responsible for clients’ confidential information, we have a responsibility to build strong policies around why and what we retain, and also proactively address when and how we should dispose of unnecessary data.
After all, the Sedona Principles argue, “the burden of preserving, reviewing, or producing deleted, shadowed, fragmented, or residual ESI, or ESI that is otherwise not readily apparent, is normally outweighed by any resulting benefit.” And “absent a showing of special need and relevance, a responding party should not be required to preserve, review, or produce deleted, shadowed, fragmented, or residual electronically stored information.”
And while making our digital footprint lighter may seem counter to our nature at the moment, defensible deletion of data, supported by well-thought-out information governance policies, is indeed a fair trade-off against the business-threatening prospect of becoming a conduit to compromising clients’ interests.
Of course, in regulated environments or in the event of a litigation hold, the operational practices may shift to require centralized and targeted retention for encrypted communications.
However, even then, an ability to enforce stronger digital hygiene on our individual end-user devices can go a long way in protecting our clients’ information. Lawyers turn to ephemeral communications in so many areas where the risks of retention are far greater than the risks of deletion, such as board communications, strategic acquisitions, intellectual property discussions, and incident response. Ultimately, while some conversations with clients and among legal teams are meant for e-mail, others require the security of a face-to-face conversation. And that level of security can only be afforded by strong end-to-end encryption and ephemerality, to ensure that what is not stored cannot be compromised.
Here is an interesting resource to see a growing list of breaches in California.