Protecting clients’ privacy has become a bit more complicated in this digital age.
Web-based apps and cloud storage can be exploited by hackers. Employees can overshare on any number of social media outlets. Important documents can be accessed from any personal electronic device.
In short, there are many ways your clients’ confidential information can be compromised.
Although you’ve always had an ethical obligation to keep client information safe from digital threats, lawyers increasingly have legal obligations to do so, as well. It’s no longer acceptable to plead ignorance about technological privacy threats.
But digital tools aren’t always the problem. In fact, sometimes they’re the solution. Firms that have gotten used to leveraging digital tools for things like marketing and networking may find that certain tools can also help protect client privacy.
Here are four ways that law firms can better protect client privacy.
1. Comprehensive Document Management (And Records Management) Policies
A good document management system covers much of how your staff should handle client information, from its creation to its deletion.
Here are things to include in a document management policy:
- How hard copy files should be stored and organized, and how electronic files should be stored and organized, either on-site or remotely (and possibly how to structure a “knowledge management database” to quickly retrieve relevant data)
- How and under which circumstances information should be destroyed or deleted (these are called “file retention policies”), and a procedure for handling client information once the client relationship ends (for example, the procedure may require returning the files)
- How to respond to government requests for information
- How to make sure documents and important information are securely backed up
These days you may even want to check out legal document management software that was created specifically to deal with law firms’ document-sharing needs.
However, the use of any third-party system or other cloud-based storage will require due diligence.
Lockton Affinity, an insurance broker that works with law firms, explains it this way on their blog:
“While many attorneys conceptually understand that information stored in a cloud is stored off site, many have no idea that depending upon the vendor, cloud data could be stored internationally, governed by foreign law, and subject to search and seizure. Further, if an attorney places data in the cloud that is subject to state or federal privacy laws, the client should first provide their informed and written consent for such storage (adding this item to the engagement letter may be an option). Finally, the attorney should check with the bar association for their respective state’s ethical opinions that govern cloud storage.”
2. Social Media Policies
It’s becoming increasingly common for people to share info from their personal lives online. But as helpful as social media can be for things like marketing and networking, it’s also notorious for accidentally disclosing privileged information.
Most competent attorneys understand their duty to keep client information private, but there is always room for confusion. For example, lawyers may think they’re off the hook if they keep their account private or use general terms (“I settled a big case today!”). Non-lawyer employees may be under the impression that the confidentiality rules don’t apply to them, or that because it’s a private account, it doesn’t still reflect on the firm.
That’s why an official policy that spells out these responsibilities is so important. It clarifies the rules for your staff, and also shows clients that you’re taking their privacy seriously.
In this Big Law Business article, Jacob Rooksby of Gonzaga University School of Law says firms are facing more instances of social-media-related ethics violations. Some of the violations include little-known, state-specific ethical rules.
South Carolina, for example, prohibits lawyers from participating on websites where non-lawyer users post legal questions and attorneys who answer them are described as “experts.” Similarly, New York bars lawyers from listing their practice areas under the heading “specialties” on social media sites unless they are actually certified as specialists.
“A single lapse in judgment can have devastating consequences. Before every post, an attorney should ask, ‘Is this information I would feel comfortable announcing publicly at a bar-related event?’” he says.
3. Electronic Communications Policies
Establish rules specifically around how your employees communicate with clients and with the public.
Email may comprise the bulk of electronic communications, but a communications policy should also address any digital messages, such as ones sent through apps, websites, or electronic file transmission.
Best practices may include requiring employees to double-check recipients’ identities for accuracy before they send any message, to include an official confidentiality disclaimer in every professional email, and to avoid interacting with any suspicious emails. (Anti-phishing training can be helpful in this area.)
One of the biggest threats to the security of your employees’ electronic communications is the security of their devices.
Have your tech team make sure that firewalls, spam filters, and software are all updated. Thoroughly vet any third-party software used.
Require that your employees use strong passwords. This American Bar Association article sums up a few best practices for passwords:
- 12 or more characters
- Changed at least every 30 days
- Never used more than once
- Not re-used elsewhere
- Not stored on computers or written down near the computer
An electronic communications policy may also explain the risks of using unsecured devices and unsecured wireless connections, and the risks of installing software or downloading files onto devices that handle confidential information.
As this column explains, have a procedure in place to monitor and/or remotely wipe devices that have been lost or stolen. Employees need to understand the importance of reporting any missing devices right away.
4. Secure Visitor Check-In
Despite all the digital threats we just discussed, there are plenty of ways that old-fashioned paper messages can expose your clients’ personal information and lead to a breach in confidentiality.
Improperly filed information can end up in the wrong hands. Post-it notes stuck to computer screens can betray passwords. And paper visitor logs can show anyone who walks into your lobby who has been in your office lately.
A good first step is to get rid of the paper visitor log and replace it with a secure, modern, tablet-based solution, such as The Receptionist.
Visitor management software does more than boost security. It gives your front desk staff the tools they need to expedite check-in and stay vigilant and on-task. Keeping the lobby area secure keeps potential unwanted visitors and criminals away from your sensitive data, and also prevents even well-meaning visitors from wandering in and inadvertently overhearing sensitive information.