Are Attorneys Protecting Client Information?

Information Security

Attorneys’ compliance is lagging four years after a sweeping Massachusetts data protection regulation passed.

There is growing concern regarding the protection of confidential client data in Massachusetts. The Massachusetts Data Law, passed in 2010, makes clear both the requirements to protect every Massachusetts resident’s personal and financial data and the consequences for not doing so. This applies to firms in every state that hold Massachusetts residents’ information in their files and to those that email that information. However, few attorneys nationally have been proactive in taking reasonable steps to protect client data.

When using email to communicate, more than three-quarters of all lawyers treat their clients’ confidential information with all the care you’d expect from a teenager posting to Facebook.

Paul McNamara expressed his opinion (above) in a NetworkWorld piece dated June 2, 2014. His critique followed the release of the May survey by LexisNexis – Business of Law Insights. Among other findings, the survey results showed:

  • Only 22 percent of firms claim to use encryption to protect email transmissions and file attachments
  • 77 percent of firms rely solely on a Confidentiality Disclaimer within the email as “protection”

Understanding the Law

Many states require specific security measures for personal information. However, the Massachusetts regulation promulgated in 2010 is known as the most comprehensive. M.G.L. chapter 93H requires any person who owns, licenses, stores or maintains confidential personal information, as defined, about a resident of the Commonwealth of Massachusetts to develop, implement and maintain a comprehensive information security program. The security requirements include:

  • Encryption of all transmitted records and files containing personal information that will travel across public networks
  • Encryption of all data containing personal information to be transmitted wirelessly
  • Encryption of all personal information stored on laptops or other portable electronic devices such as DVDs, CDs, flash drives, etc.

Understanding the Ethical Obligations

Law firms have an ethical duty to secure client information under Model Rule of Professional Conduct 1.6 (c) to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

In August of 2011 the ABA issued Formal Opinion 11-459, describing a lawyer’s “Duty to Protect the Confidentiality of Email Communications with One’s Client.” The opinion states that when complying with data laws like the stringent Massachusetts data law, one should take additional steps. The comments to the opinion indicate, “It may additionally require that the client be advised about the availability of more secure modes of communication such as encrypted email.” Since 2011, the affordability, simplicity and availability of email encryption solutions certainly make it a “reasonable” tool to protect client data. The security requirements of the Massachusetts law include: encryption of all transmitted records and files containing personal information that will travel across public networks, encryption of all data containing personal information to be transmitted wirelessly, and encryption of all personal information stored on laptops or other portable devices.

The State Bar of California, in Formal Opinion 2010-179, said more directly that “encrypting email may be a reasonable step for an attorney to take … when the circumstance calls for it, particularly if the information at issue is highly sensitive and the use of encryption is not onerous.”

Technical and economic barriers to encryption are no longer an issue. There are solid, low-cost technologies available which make encryption a “reasonable step” in securing client data.

The Cobbler’s Children have no Shoes

The origin of this phrase is not known, but it is clearly used to highlight that certain “professionals” are so busy working for their customers or clients that they neglect to use their own professional skill to help those close to them, or even themselves. Despite the clear requirements to protect client data outlined above, a recent survey by LexisNexis reveals some alarming statistics.

An excerpt from the article follows below:

The message from the legal establishment and law enforcement in Massachusetts is quite clear, but firm behavior has been very slow to change. While 90% of firms use email to send files and privileged information, more than three-quarters of them are simply hoping nothing bad will happen.

Unfortunately, this study merely scratches the surface of how law firms are falling short of protecting client data. As a solutions provider for law firms, here are some of the most basic questions I ask, which are often met with a blank stare:

  1. Do you have a WISP (written information security plan)?
  2. Do you encrypt clients’ confidential personal information?

What’s a WISP?

Since March of 2010, compliance requires the answer to these questions to be YES. See 201 CMR 17.00. However, one would be surprised how many lawyers respond, “What’s a WISP?” when asked. To date, the highest-profile stories about data breaches have been about banks, large corporations and retailers (J.P. Morgan / Chase, TJX, Target, Dairy Queen, AT&T). However, it is only a matter of time before the Attorney General will be asking a law partner these simple questions after a breach of his firm’s confidential files. Please don’t put yourself in that position.

A quick review of the consequences for non-compliance and potential penalties should incentivize all law firms to tend to their own legal matters swiftly. Failure to comply with 201 CMR 17 can be costly. There is a possible penalty of up to $5,000 per incident and up to $50,000 per failure to report the incident.

At least two companies have already been fined in relation to this regulation. The first was a Massachusetts restaurant chain, The Briar Group LLC, which faced a $110,000 penalty. The second was Belmont Savings Bank, which received a $7,500 civil penalty.

But civil penalties are only one element of the cost of security breaches. The cost to notify clients of a breach can be significant, as well as the possible requirement to provide financial monitoring of each client’s credit and identity history for a minimum of one year following the breach.

In 2013, there were 1,821 breaches reported to Massachusetts government agencies, affecting 1,163,643 Massachusetts residents. The statistics showed a 50% increase in breaches reported, and 850,000 more individuals affected, compared to the prior year. It can happen, and will happen, to those who aren’t prepared. It’s just a matter of when.

Complying with the law requires some new technology, and there are associated costs, most of which have gone down significantly in the last four years. In 2014, given the relatively low cost of solutions that effectively enable compliance with the law, there are no longer any acceptable excuses for not deploying such solutions. As a matter of best practices, compliance with the law, and our ethical obligations, there is little reason not to have a secure communication system in place for your clients.

Here at StenTel we offer simple, affordable solutions that will prevent the embarrassment of telling clients that their confidential private information was taken because there was no encryption in use. It will prevent a finding that the law firm is not in compliance with the legal and ethical obligations required of its practice. For further information, contact us at:

Dean Whalen, Esq. is in-house counsel as well as the compliance officer for Catuogno Court Reporting and StenTel Transcription, Inc., located in Massachusetts and Rhode Island.

There are risks and costs to action. But they are far less than the long-range risks of comfortable inaction.

– John F. Kennedy, 35th President of the U.S.