Q: How can my attorney avoid a data breach like the massive Yahoo breach in late 2016?
A: In late 2016, Yahoo disclosed two massive data breaches affecting more than 1.5 billion users. The compromised data included names, birth dates, passwords, and security questions and answers. Many individuals, including attorneys, still use email providers such as Yahoo, AOL, and MSN’s Hotmail. Unfortunately, these providers have not taken adequate security measures to prevent the sort of breach that Yahoo has faced. To avoid such a data breach, your attorney should ideally be using a secure email provider such as Gmail.
Q: What if my attorney has been using a Yahoo account and has stored my private information on it?
A: Your attorney should at least ensure that the Yahoo account is no longer compromised. Your attorney should also take the following steps to ensure that your data (and that of other clients) is protected: 1) change his/her email address; 2) change the password and the security questions and answers; 3) enable two-factor authentication (sometimes called two-step verification), which requires two separate forms of authentication before a user is actually logged into the account. Your attorney should also understand that the risk of hacking is not so much an “if” but a “when.”
Q: I am meeting with a new attorney about drafting a will. Is it appropriate to ask her what email provider she uses?
A: Yes. You are well within your rights to ask what email provider your attorney uses, because ultimately, she will be handling your confidential information.
Q: How does a lawyer handle my confidential information?
A: A lawyer must “act competently to safeguard information relating to the representation of a client,” according to Model Rule 1.6, which governs attorneys’ ethical practices. Today, lawyers must have the most up-to-date security settings enabled through their email provider; updated anti-virus and anti-malware protection; a continuous external backup of all confidential information to a secured server or external hard drive; and they must understand how cloud computing works in order to comply competently with this obligation. With any cloud or virtual online storage hosting of client data, your lawyer should enter into a Service Level Agreement (SLA) that dictates how client data and files are to be kept secure. The law office should use firewalls and data encryption to further ensure that a client’s data is kept confidential. Many firms use cloud computing, but attorneys must be smart about how and why they use it.
Q: Must my lawyer follow any standards to safeguard my confidential information?
A: Yes. Anyone who has Federal Taxpayer Information (FTI) must follow standards set by the Internal Revenue Service (Regulation 1075). This regulation provides guidelines and procedures not only for computer use but also for storing and destroying physical files containing FTI. While this regulation is probably “overkill” for the average law office, it is an excellent guide for law firms to follow. For example, law offices should have written policies regarding remote access to their computer systems and the use of thumb drives. Internet use by employees on computers housing clients’ information should be regulated and monitored.
Q: Should my attorney’s law office employees be allowed to work remotely with my client data?
A: If there is a proper system in place, this may be acceptable, as long as the employee always adheres to your attorney’s professional obligations. You may want to question your attorney about the firm’s plan for protecting your client information at all times. For example, you might ask your attorney: Will any of your staff members work on the firm’s laptop or on their home computers? Is the firm’s computer or external storage device password protected? Do staff members work on files remotely and email them to the office? There are many ways a law firm can address these concerns by using various encryption options. These options are now standard in most word processing programs and for .pdf files, but the encryption only protects the file if the password is sent to the recipient separately from the file, by a separate email. Passwords should be changed daily, using a randomized password that nobody can memorize.
Q: Should I send information to my attorney through Instant Message, Facebook, or Instagram?
A: No. You cannot expect your attorney to safeguard your information when you submit it through an insecure platform. Your attorney’s law office likely spends time and money to understand every aspect of the proper storage, transmission, and destruction of your client information. Law offices also must train support staff and third-party vendors on the firm’s best practices. If you open the door to a data breach, however, none of your attorney’s safeguards will protect your information.
This “Law You Can Use” column was provided by the Ohio State Bar Association. It was prepared by Dayton attorney Gregory M. Gantt. Articles appearing in this column are intended to provide broad, general information about the law. Before applying this information to a specific legal problem, readers are urged to seek advice from an attorney.