Talking to Clients About Their Data: How To Prepare Your Practice, Minimize Risks & Have Better Communications
How does your engagement letter discuss your uses of technology? Are lawyers obligated to disclose whether they use Outlook or Gmail for their email service or Dropbox or Google Drive for data storage?
No, but it may make legal and business sense to do so, as clients become more aware of the risks of cyber hacks and data breaches.
This was the assessment of panelists on the CLE Webinar, “Finding The Balance: Data Security, Privilege, Disclosure & Malpractice Liability In The Age Of The Clouds (recording available), which explored specific engagement letter language and best technology practices by attorneys.
Ronald C. Minkoff, (Frankfurt Kurnit Klein & Selz) said that people are much more conscious of the risk of hacking now.
Scott L. Malouf (Law Office of Scott L. Malouf) said, “Remember, this is a moving target. As you hear about more data breaches, we all become more conscious of the issue and that applies to our clients, whether they are an individual or a Fortune 500 Company.”
Disclosure and ethics
On July 26, 2019, New York’s governor signed the “Stop Hacks and Improve Electronic Data Security” (SHIELD) Act, requiring businesses to implement safeguards for the “private information” of New York residents and broadening New York’s security breach notification requirements. The SHIELD Act applies to lawyers and law firms of all sizes. The security requirements took effect on March 21, 2020. The Attorney General can sue for data breaches or failure to comply with cybersecurity requirements.
The American Bar Association Formal Ethics Opinion 477R (May 22, 2017) declared that lawyers are required to make reasonable efforts to ensure their communications are secure and not subject to inadvertent or unauthorized cyber security breaches.
If client data is transferred to third parties, the lawyer may wish to discuss that process with clients. Some common technologies that might prompt discussions are: cloud or onsite/offsite data storage; email and fax security; online portals and encrypted communications; and more advanced technology, such as voice recognition software.
Disclosures from firms about cloud computing should be easy to read, disclose the specific vendors, address attorney liability and ethics compliance, and discuss practices used to maximize data protection. Obtaining consent for use of services is recommended; phrases such as “due care” are not, as they may expose attorneys to extra liability. Panelists offered specific examples of engagement letter language.
Practice management systems have become more affordable for solo practitioners and small firms, said Alexander Paykin (The Law Office of Alexander Paykin). Often, they provide better protection than non-platform services.
Cloud computing means data that is stored on no particular server that you can identify, Paykin explained. It is typically a third-party service such as Dropbox, Google Drive or One Drive. Free versions will provide a “modicum of protection” while more premium or paid versions are more secure and often Health Insurance Portability and Accountability Act compliant.
He suggested lawyers contact their malpractice insurance carrier about proposed language for engagement letters, which should be tailored to the client and assess the risks presented to the client. Loss mitigation departments might have guidelines that could be helpful.
Minkoff said lawyers cannot pass general technology overhead fees to clients, unless clients demand specific programs or software for their representation. “That’s something you can talk to the client about whether or not that is case-specific that you can try and charge off to them.”
Malouf recommended that an attorney test any system under consideration by, for example, obtaining a variety of documents and file types to ascertain whether an eDiscovery system will work best for the lawyer’s needs. That will help an attorney vet vendors and determine the best fit. He encouraged lawyers to ask colleagues in their practice areas or region to find out what software they’re using. “You can get a lot of bang for your buck by doing that early.”
A social media lawyer, Malouf said lawyers who work with data should always assume that there is three times as much data available than one first thought. “It is not going to be where you think it is and it can be expensive to get it. Understand that upfront and have that discussion with the client.”
He advised that lawyers not only put in their engagement letters, but tell clients directly not to create any new data. “Whatever you create may be discoverable. Stop creating it, if at all possible.”
Emails to clients should limit technical jargon and be clear about attorney-client privilege; clients may not otherwise understand what is protected under it. Consider bullets and short sentences for the most important points, recommended Malouf.
Paykin noted that most practice management systems use encryption to protect confidentiality of messages. “If you can get your clients to cooperate with encrypted messages, that should really be the best practice for private emails as well because encrypted messages are really the way we should be going especially with all of the data security issues out there.”
Minkoff acknowledged that clients push back on the extra steps required, but that a younger generation might be more willing to put up with the extra steps and be more comfortable with messaging in an online portal. Consider an opt-in/out for clients on encrypted communications.
Malouf joked that perhaps using Snapchat for communications is the way to go since all messages disappear.