Taking Out The Digital Trash
Alexa is listening.
The next time you speak with a client, think about where your Alexa device is stored. Is it in your home office? Your bedroom?
After Amazon admitted they had voice recordings on file to improve the user experience, knowing where the device is is essential to ensure your conversations are not within ear’s reach.
This is just one example of how third-party providers can hold your client’s sensitive information and what lawyers need to know. The recent CLE webinar, “Beyond The Trash Bin: Proper Disposal Of Electronic Data” explored this timely topic and how attorneys can safely and ethically remove unwanted data.
Prof. Michael L. Fox, (Mount Saint Mary College & Columbia University School of Law) said, “Privacy and security is becoming a hot-button issue with data breaches and loss of information. There are ethical concerns regarding privileged, confidential information with clients.”
“Some sources of data are fairly obvious; some are not,” said Parth N. Chowlera (Greenfield Stein & Senior). He explained that emails may be stored on your local device, but these are also downloaded by a centralized server. “Bear that in mind,” said Chowlera.
Fox described cloud storage as “basically the electronic storage of material that is not on your hard drive. You have to use some kind of network connection.” It’s not simply things that are in your laptop, desktop, hard drive or your flash drive, he said. “It’s off-network storage.”
As an example, a photo taken on an iPhone can now be viewed on a Macbook and an iPad. He said that it became an issue after the September 11th attacks and hurricanes where material on local servers was lost.
Moderator Alison Arden Besunder (Goetz Fitzpatrick) said, “It strikes me that everything we do with technology, there is an inverse proportion to security and convenience. So of course we need to embrace technology particularly now but that we are all constantly chronicling in real time and real life everything that we are doing in ways that we cannot even anticipate and in a way that there all sorts of ways that that information may be used for better or for worse whether that is in a litigation, which is usually what we are focused on, but also in terms of fraud if somebody really wants to find out things about you.
Chowlera noted that many social media posts tag the location of the post’s origin, as well as the time. He said that even if the location isn’t necessarily displayed within your social media, the photograph is geotagged using the device’s internal GPS system. It’s similar with emails. It can tell you from where the email was sent and the time. Attachments may contain metadata that can be derived.
On July 26, 2019, New York’s governor signed the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act, requiring businesses to implement safeguards for the “private information” of New York residents and broadening New York’s security breach notification requirements. The SHIELD Act applies to lawyers and law firms of all sizes. The security requirements took effect on March 21. The Attorney General can sue for data breaches of failure to comply with cybersecurity requirements.
“We, as attorneys, could collect personal data on clients and others and then we store it. So now, when we both store it and dispose of it, the SHIELD Act applies to us,” explained Fox. “If there’s a breach, there’s a heightened requirement of having to report that. So we have these issues that tie in from practice and law into ethics.”
Fox also said that lawyers must supervise those who act on a lawyer’s behalf, including paralegals, social media providers and cloud storage providers, when it comes to data disposal. “We have a supervisory obligation to make sure that they are living up to our ethical requirements, because they are basically operating as our agents on our behalf just as we are the agent for the client who is the principal.”
When storing information in the cloud, you don’t have to explicitly ask for a client’s permission, if your firm has gone paperless. However, it should be clearly stated in the retainer agreement how you plan to use and store your client’s data.
“Ultimately, it’s their info,” said Fox.