PHILADELPHIA – When the International Consortium of Investigative Journalists (ICIJ) began publishing data based on more than 11 million leaked files from a Panama law firm's information and communications system this spring, it highlighted the threats and liabilities law firms face when confronted with cyber-security threats, a Philadelphia attorney says.
Leaked legal and financial records from Panama City's Mossack Fonseca law firm revealed the names of politicians, celebrities and comparatively obscure super-rich individuals, along with alleged organized crime figures and accused despots for whom the firm's attorneys had opened and maintained offshore corporate entities and banking accounts in Panama and tax havens the world over.
The Mossack Fonseca data security breach "puts more of a focus on the fact that law firms are targets," Wilson Elser attorney and partner William F. McDevitt told the Pennsylvania Record.
"We know there are various actors out there looking for data and probing networks for weaknesses, but it's difficult to know just what they're doing, what they're looking for, and who they're targeting."
The ethical obligation of attorney-client confidentiality means that all data and communications between attorneys and clients need to be considered confidential, he elaborated.
"Protocols and processes should be in place to ensure data is secure and protected," McDevitt said.
Law firms "should be aware of how all their data is being managed, and that their systems and client data are secure at all times as part of their obligations of confidentiality and competence."
Data security is especially difficult, however, given the continuous evolution of network and IT services and of cyber-threats.
"The environment is changing all the time, but attorneys need to know that whatever type of platform they're using enables them to meet their ethical and professional obligations," McDevitt said.
That includes being well-versed when it comes to "how their systems work – what protections are in place, the nature and likelihood of potential threats, that issues are addressed promptly, and that they are notified immediately should there be any problems."
Continuous evolution of cyber-security threats and online security technology -- growing use of cloud-based services platforms and applications, for instance -- also means that attorneys and law firms need to stay current on the wide range of relevant issues.
"When data security breaches, like Mossack Fonseca's, are reported in the media, in legal publications or in alerts from software companies and service providers, you may find out a certain platform or security software has flaws that hackers can exploit," McDevitt pointed out.
One key aspect of any professional relationship attorneys or law firms enter into with a computer services provider is ensuring that provisions are in place whereby they are notified of any network or systems security threats or breaches immediately. That includes being advised if their computer services provider receives legal process, he emphasized.
"Say, for example, the law firm is based in Pennsylvania but contracts with a computer services provider in Nevada," McDevitt said. "You need to know immediately if your services provider receives a subpoena to gain access to client records... One of the things we're seeing with Mossack Fonseca is that they're being hauled into courts based on subpoenas that were issued in a variety of jurisdictions.
"Whether your computer services provider is located in the same state or somewhere else, attorneys and law firms need to have clear, regular communications with their computer services providers as per their obligation of competence and confidentiality."
Whatever its nature or source, all digital data is stored electronically in sequences of bits and bytes. In that sense protecting the confidentiality of law firm clients' data is no different than protecting sensitive private and personal data contained in government services' databases or patient records stored in doctors' offices or hospitals.
"If you want to look at a model that attorneys can use for contracting and communicating with computer services providers, you could familiarize yourself with Business Associate Contracts that health care entities use to comply with federal HITECH (Health Information Technology for Economic and Clinical Health) or HIPAA (Health Information Portability and Accountability Act)," McDevitt explained.
In addition, every year the Pennsylvania Bar Association's Professional Liability Committee presents lectures on avoiding legal malpractice, which includes a discussion of the Duty of Competence under Rule of Professional Conduct 1.1 and Confidentiality under Rule 1.6. The committee also provides information on data security for lawyers, which includes a checklist titled "Choosing an IT Person," compiled by one of its members.
Determining your specific needs and finding a services provider that meets them is an essential first step, McDevitt elaborated.
"If you're a solo practitioner, you might not need to use a cloud-based platform, for instance," he said.
Fulfilling the duty of competence doesn't require attorneys to make use of a specific computer services model, but it does require that they understand how their system works and the implications vis-a-vis data security and client-attorney confidentiality, he continued. That includes knowing where and how data is stored, uploaded, downloaded and can be accessed.
Some email services, such as Gmail's free, non-business accounts, scan client emails in the regular course of doing business, he pointed out. Even though the results may be anonymous and aren't reviewed by a human being, using an email service that scans your or your clients' emails "isn't strictly in keeping with attorneys' obligation of client confidentiality."
That said, there's a trend among email services providers, Google included, to encrypt emails in order to shield them from hackers and cyber-criminals. Furthermore, large corporations, including health care services providers, routinely use encrypted email services and secure communications portals, and they may require their attorneys and outside legal counsel to make use of them exclusively, McDevitt continued.
Use of encryption "is becoming more of a standard inside the legal industry, but attorneys aren't required to encrypt client communications in every situation, at least not yet," he said. At some point, "it may be that all internet users wind up using encryption," however.