Keeping Client Data and Your Law License Secure



103 Texas Bar Journal • February 2013 texasbar.com

TECHGEAR

Lenovo’s upcoming Horizon 27-inch table PC (starting at $1,699) can operate like a desktop or lay flat to allow a group to gather around it and collaborate on a document or play games on its 1920 x 1080-pixel touchscreen.

WEBLINKS

TRAVIS NORMAND graduated from South Texas College of Law in May 2011 and was admitted to the Texas Bar the following November. Normand currently is a contract attorney in Houston for an oil and gas company. He maintains two blogs, OnePointSafety.com and LOACBlog.com.

Dr. Saturday’s Blog at Yahoo Sports (sports.yahoo.com/blogs/ncaaf-dr-saturday)
Dr. Saturday’s blog is one of the best places to go for random, yet informative, college football news.

OutKickTheCoverage.com
OutKickTheCoverage is written by Clay Travis, a Nashville attorney who is now a full-time college football writer. Travis mostly covers the Southeastern Conference, and he does it well.

SolidVerbal.com
The Solid Verbal is a twice-a-week podcast covering all-things college football.

LawFareBlog.com
I visit this site daily and it is my primary source for national security-related news. Some of my biggest areas of legal interest are the Law of Armed Conflict (LOAC, or International Humanitarian Law), National Security Law, and Counterterrorism Law.

Infographics (http://infogr.am)
If you have a website, blog, or anything else that could use some sprucing-up, you will love Infographics. This site allows you to easily turn your stats and/or data into charts and graphs that are interactive and eye-catching.

TECHNOLOGY

Keeping Client Data and Your Law License Secure
BY JASON SMITH, RON CHICHESTER, AND MICHAEL PECK

The practice of law has changed dramatically since the days of carbon paper, fax machines, and dusty libraries. Today, an attorney’s computer contains everything needed to manage a law firm’s entire business including the confidential and proprietary data of the firm and its clients, the equivalent of complete file rooms and libraries of documents and data. With laptops, attorneys travel everywhere with thousands of file drawers of information. Unfortunately, power and portability provide opportunities for loss of client data. This article will highlight the facts and figures of data breaches, the data and information impacted, the ethics and attorney duties to protect the information, the penalties for disclosure, and some practical tips on protecting the information.

In 2010, almost 600 corporate data breaches were reported,[1] each affecting an average of more than 31,000 records. At an average cost of $204 per record, the estimated hard cost of these breaches was more than $6.5 million, and only for those breaches that were reported. Of course, the potential soft cost of these breaches is immeasurable.

On Nov. 1, 2009, the FBI issued an advisory warning[2] to law firms that they were being singled out by hackers. In 2011, more than 80 firms reported security breaches.[3] In addition to cases of identity theft from family law, probate, and tax firms, the biggest threat appears to be corporate espionage targeting firms that represent companies on securities, intellectual property, and mergers and acquisitions deals. Firms are being specifically targeted because hackers realize that law firm computers typically house the most high-value data of its client companies — and not in a corporate-secure data center. Worse, today’s hackers are usually professionals sponsored by sovereign states.[4]

ETHICS AND DUTIES

While a company’s responsibility for protecting data is governed by general business principles and their financial implications, an attorney’s responsibilities are governed by both state statutes and disciplinary rules.

Texas is among 46 states that impose a duty to notify on any person who conducts business in the state, when there is an unauthorized disclosure of personal information. Chapter 521 of the Texas Business and Commerce Code establishes a reasonableness requirement for the procedures that companies must take to avoid disclosure of sensitive personal information of customers and clients. Initially, notification was required to be given to any “resident of the state” but effective in September 2012, the statute was changed to require notification to “any individual” affected — regardless of jurisdiction. So far, Texas has not yet followed the five New England states that have added a duty to notify the state’s attorney general during law-enforcement investigations.

Texas Disciplinary Rule 1.05 governs “confidential” information, which is defined as privileged and unprivileged client information. Presently, there is a scienter requirement in the disciplinary rule that imputes liability only for “knowingly” disclosing the information. There remain exceptions for inadvertent disclosure, intercepted communications, and compliance with court orders. However, exceptions do not exist for an attorney who loses an electronic device or for a device confiscated by the government. Seizures of travelers’ computers at U.S. international borders[5] have resulted in unfettered searches of laptop contents, attorney privilege be damned. No probable cause is necessary at the border. If your seized computer is not retrieved because of cost or time, the government may dispose of your unclaimed laptop by public auction — contents included — to any third party willing to pay.

texasbar.com/tbj Vol. 76, No. 2 • Texas Bar Journal 104

PENALTIES

Texas’ breach/notification law affords the attorney general injunctive relief and painful fines for law firms that lose sensitive personal information. Failure to take adequate action can result in loss of your law license, with aggrieved clients exacting their own revenge.

PROTECTING THE INFORMATION

Protecting your electronic data doesn’t have to involve underground bunkers patrolled by armed guards. Simply encrypting your information using free encryption software available on the Internet can be enough. One of those free tools is TrueCrypt. TrueCrypt allows you to create secure password-protected “containers” (think of a safe in which you store your valuables) of any size and security level. You could create a “container” to fill an entire hard drive on a laptop, protecting everything stored therein, or you could create a “container” small enough to send a handful of files via email or to store on a thumb drive. TrueCrypt is flexible and can provide more than adequate protection.

SUMMARY

Bottom line, law firms are being targeted because they house high-value data in less-secure, consolidated locations. Lawyers have a duty (ethically and by statute) to protect client information. Notification statutes are forcing data breaches to become public knowledge causing serious financial and reputational harm. Simple, cost-effective tools exist to increase data protections and prevent your name being in the style of the first U.S. Supreme Court case on this topic.

FEELING INSECURE?

Join the Computer & Technology Section at the State Bar Annual Meeting in Dallas in June for a live presentation on this topic during the Adaptable Lawyer Legal Innovation track. This will include a hands-on workshop where thumb drives preloaded with mobile apps and TrueCrypt will be provided to attendees along with step-by-step instructions on creating encrypted files. For information on booking this session for your own event, please [email protected].

NOTES

1. The New Law Firm Challenge: Confronting the Rise of Cyber Attacks and Preventing Enhanced Liability, ABA Law Practice Today, David Mandell and Karla Schaffer, March 2012.
2. Preventing Law Firm Data Breaches, Texas Bar Journal, Vol. 75, No. 5, John W. Simek and Sharon D. Nelson, Esq.
3. Mandell and Schaffer, supra.
4. China-Based Hackers Target Law Firms to Get Secret Deal Data, Bloomberg.net, Michael A. Riley and Sophia Pearson, Jan. 31, 2012.
5. United States v. Arnold, 523 F.3d 941 (9th Cir. 2008).

Jason Smith is director of legal management consulting for Duff & Phelps, L.L.C., in Houston, where he focuses on technology strategy and implementations for corporate legal departments. He is chair of the State Bar of Texas Computer & Technology Section and is on the Website Committee for the State Bar of Texas Corporate Counsel Section. Reach him at [email protected].

Ron Chichester is a sole practitioner in Houston. He focuses on electronic discovery, cybersecurity, intellectual property, and electronic commerce. He is a past chair of the State Bar of Texas Computer & Technology Section. Reach him at [email protected].

Michael Peck practices in Houston and is chair of the Houston Bar Association International Law Section and also past chair of the State Bar of Texas Computer & Technology Section. Reach him at [email protected].
