Protecting Client Data in Today’s Technology-Driven World

Driven World O n January 1, 2014, the State of Texas issued, at the time, the largest statewide e-filing mandate in the country. 1 This required all attorneys to file their documents (i.e., original petitions, service of process, motions, orders, etc.) electronically with the courts instead of standing in line to file physical documents at the clerk’s office. The mandate to electronically file in Texas started with the state’s ten most populous counties, which included Bexar, Collin, Dallas, Denton, El Paso, Fort Bend, Harris, Hidalgo, Tarrant, and Travis counties. The remaining counties were required to comply with the mandate by 2016. Although some attorneys were accustomed to e-filing in federal courts, many attorneys who only practiced in state lower courts were not ready for the sudden change the mandate required. Some attorneys retired early to avoid learning the new e-filing process, while others were able to foresee potential issues relating to data protection (i.e., client’s data).

At its core, the practice of law does not require an advanced knowledge of technology, unless you are an intellectual property attorney with a focus on software and network-related patents. Generally, the practice of law requires a keen sense of the law and how it applies to the facts of your case – neither of which requires the knowledge of how cloud-based or encrypted data works. Historically, attorneys would simply maintain their clients’ confidential and sensitive information in file folders and storage bins. The State of Texas’s mandate to e-file all civil cases was the catalyst that forced an arranged, and seemingly unwanted, relationship between lawyers and technology.

Under the Texas Disciplinary Rules of Professional Conduct, 2 lawyers are required to protect their clients’ confidential information. Protecting clients’ data was relatively simple prior to the advent of technology. Sensitive information was not stored in remote servers or cloud-based systems but was stored in file folders locked in a storage closet. Requiring attorneys to e-file forced attorneys to scan and store their clients’ data on electronic storage systems (i.e., servers or desktop computers). This created data security risks most attorneys were not (and mostly are still not) prepared to manage. This is problematic because attorneys manage some of the most sensitive information about individuals, and storing that data in electronic storage systems makes the data susceptible to hackers.

To reduce the risk of exposing confidential and sensitive information, all law firms (including solo attorneys) should be familiar with these three areas of technology: Data Storage, Data Retention, and Data Communication. The following basic steps will ensure that your clients’ data is protected.

1. Data Storage First, an attorney should consider the method by which his or her clients’ data is stored. “Data storage” is a general term for archiving data in electromagnetic or other forms for use by a computer or device. 3 There are many types of data storage devices to consider. An attorney should never use a mobile device, such as a smartphone, laptop, or tablet as a storage device for clients’ confidential and sensitive data. Although mobile devices can be password protected or encrypted, those protective measures are moot if the mobile device is lost or stolen.

Your clients’ confidential and sensitive data should be stored on a secure system and remote system. At a minimum, your clients’ data should be stored on a server or desktop computer configured as a server. The server should be password protected with a strong password (i.e., numbers, letters, special characters) and should only be accessible by at most two trusted people. In situations where a solo attorney is incapacitated, measures should be in place such that a trusted thirdparty can access the server and retrieve the confidential data.

There are exceptions for trial attorneys. For example, trial or hearing documents

may be temporarily stored on your remote device, but they should be password protected and encrypted. However, those documents should be removed from the mobile device once the hearing or trial is completed or the documents are no longer needed. USB storage drives (a.k.a. jump drives) should not be considered as a storage device and should only be used for transferring a file from one computer to another. USB storage drives have limited life spans and can fail at any given moment. 2. Data Retention Second, all attorneys should have a method for retaining their clients’ confidential and sensitive data on the data storage device. “Data retention” is an organization’s policy or protocol regarding the saving of data for regulatory or compliance purposes or the disposal of it when no longer needed. The policy highlights how data or records need to be formatted and what storage devices or systems to use, as well as how long to keep the information. 4 Simply rephrased, all attorneys should have a back-up system for situations where the data is lost or needed.

Power failures, hard drive failures, and intentional security breaches are some ways data can be lost or become inaccessible. Not having access to or a means of restoring data can cripple most law firms. Consider for a moment the devastation your firm would endure if you did not have access to your clients’ confidential and sensitive data, your case file, or your documents. Further, consider for a moment how long you can operate without having access to your data. Retention is critical.

All attorneys should consider at least two separate and distinct methods of data retention. One method may include having a tape or disk backup system connected to your server that saves your files to a separate disk once every four to eight hours. Another method to consider is having a cloud-based system that remotely stores your files.

In September 2018, the Professional Ethics Committee for the State Bar of Texas considered whether Texas lawyers may use cloud-based data storage systems. The Committee determined that a lawyer may use a cloud-based system; however, a lawyer must take reasonable precautions in the adoption and use of cloud-based technology for client document and data storage or the creation of client-specific documents that require client confidential information. 5 Both methods should have the capacity to “restore” data if it is lost.

Note, it is also important to retain billing data, emails, and software configurations. You should consider investing in “ghosting” software. Ghosting software will clone your computer and store the clone in a secure location. The clone file can be used ‘‘ At its core, the practice of law does not require an advanced knowledge of technology, unless you are an intellectual property attorney with a focus on software and network-related patents.”

to restore your computer settings (and all of your program configurations) if your computer becomes corrupt or inoperable from a virus or malware.

3. Data Communication Finally, attorneys should be cautious of how information is electronically communicated or transferred. “Data communication” is defined as the process of using computing and communication technologies to transfer data from one place to another, and vice versa. 6 Prior to the advent of technology, attorneys communicated through courier service, which subsequently advanced to facsimile. Although these forms of communication are still used today, most attorneys now transfer information through email.

All attorneys should be conscious of the potential security risks when using email to transfer information. Preventative measures should be taken to avoid inadvertently exposing confidential and sensitive information. For example, before sending any information to an opposing attorney for the first time, send a test email to the attorney and

have that attorney confirm receipt of the test email. You should also confirm and verify any email you receive from an attorney with whom you correspond for the first time. In addition, you should avoid opening any attachments you receive from an unknown source without first verifying the source. All attorneys should also have separate email accounts for their personal email and their professional email. Further, attorneys should never transfer confidential or sensitive information in the body of the email. Instead, attorneys should send sensitive information in password protected PDF documents or redact sensitive information.

4. Hiring a Technology Security Company To mitigate these potential risks, many attorneys have taken the additional step of either hiring a technology security company or installing client-management software on their systems. Technology security companies specialize in data protection, are up to date on new threats, and are equipped to prevent a breach of your system. In addition, these companies are constantly monitoring your network traffic and can react quickly if suspicious activity occurs. When hiring a technology security company, an attorney should ask the following questions: a. Where is the data stored and secured? b. How is the data accessed? c. How quickly can you restore the data to the system if lost due to a breach, system failure, or damaged equipment? d. What software, if any, do you use to protect data from breaches?

The attorney should also independently research the company and determine the quality of its customer service, hours of operations, physical location, and whether there is an assigned personal representative. Further, a technician should be accessible 24 hours a day. If budget is an issue, the attorney should implement practices that limit, when practical, the amount of sensitive data that is stored on a system that can be remotely accessed. hire a technology security company. Keep in mind, however, that the ultimate responsibility of protecting your clients’ data is yours. One benefit of installing client-management software is that, in most cases, the software stores your clients’ data on encrypted databases that are only accessible by the software itself, thus making it difficult for hackers to penetrate the data. These applications are either installed locally on the attorney’s computers or are accessed remotely through a cloud-based system (i.e., website portal). There are many types of client-management software (e.g., MyCase, Clio, AppColl) that can manage and secure your clients’ data. All software has its pros and cons, and it would be advantageous to conduct independent research prior to purchasing software (hint: take advantage of free trial periods). The goal is to determine how best to protect your clients’ sensitive data from breaches and exposure and whether the software helps you manage your firm’s daily tasks. Here are the areas to consider before purchasing clientmanagement software:

A. The Type of Law You Practice First, consider the type of law you practice. All law is not the same, and thus all clients’ data is not the same. Information gathered from a defendant in a criminal case may be different from the information gathered in a probate case. Some information may be of public record, whereas other information is privileged. The easiest way to answer this question is to divide the data into three categories– client’s personal data, client’s case data, and docket management data.

Client’s personal data may include the client’s full name, address, telephone numbers, spouse’s information, social security number, date-of-birth, and driver’s license number, for example. Any reputable clientmanagement software can store and manage this type of information. However, do you need all this information to handle your client’s case? Could you manage your client’s case without knowing the client’s social security number? The attorney needs to consider what information is critical and what information is unnecessary to effectively handle the case. If, for example, you require your client’s social security number to conduct a background search, protocol should be implemented such that the social security number is used for that single purpose and then discarded from the system. Although all your clients’ information should be protected, care should be taken when managing non-public sensitive information. When choosing the best software for your practice, be sure to know exactly what information you need to store. Do not purchase more than you need, and limit the type of information you store in the software.

Clients’ case information is contingent on the type of law you practice. For example, a personal injury attorney may have each client’s medical records, mental health records, police reports, and photographs of the client’s injury. Whereas, a trademark attorney may only have images of clients’ business logos or brand names, which may already be available to the public. Again, most software has the capacity to upload files and images into the database such that it is encrypted and only accessible through the software. If you prefer to upload your clients’ case information into a client-management software database, be sure to purchase software that allows you to upload password protected PDF documents.

Docket management is not as critical to the client as it is to the attorney. Many attorneys manage court hearings, submission dates, and deadlines using an Outlook calendar, Google Calendar, or other similar platforms. Fortunately, most client-management software has features that allow integration between an attorney’s calendar and the client’s case. Protecting this information is not as critical as protecting the attorney’s clients’ personal information and case information, but it requires attention and accuracy nonetheless.

B. How You Practice Are you a trial attorney who is in court every day or a transactional lawyer who is in the office every day? Trial attorneys should consider purchasing client-management software that is cloud-based, which may require a monthly or annual licensing fee. Cloudbased systems store data on remote servers,

giving you remote access to your clients’ data from any device. Again, if you decide to use cloud-based client-management software, be cautious of what information is stored on the software and what measures are in place if connection fails.

Although, transactional attorneys will benefit from a cloud-based system, they are not necessary for transactional attorneys. A transactional attorney can store their clients’ data on an offline server, giving the attorney more control in accessing it and protecting it from breaches. Regardless of what software you use, be sure to have protocol in place if your cloud-system is not accessible or when your local system fails.

C. How Your Data Is Exported Finally, you should consider how your data is exported from the software. To put this concern into context, consider the following scenario. You purchase and use a cloud-based client-management system to manage your clients’ information, clients’ data, and your calendar. You successfully use the software in your practice for three years and have over 200 clients updated in the software. Suddenly, you receive notice that the vendor who provides and supports the cloud-based software is going out of business soon, thus requiring you to export and transfer your data. This process can be overwhelming and stressful. One tip is to be sure that your data can be exported to a CSV, XLS, or another similar file type. Those types of files are easier to transfer from and to an Excel spreadsheet or other database. Once exported, this file can easily be transferred to another client-management software. Regardless of the exporting features, all attorneys should keep either hard copies or electronic PDF copies of the clients’ information in a secure location separate from the cloud-based software.

There are many other preventative methods and alternatives one can use to protect a client’s confidential and sensitive information. One way to assure that you are consistently diligent in protecting your clients’ information is to protect their data with the same tenacity you protect your bar license.

Darryl E. Scott is an intellectual property attorney and is registered to practice before the United States Patent and Trademark Office (USPTO). He has a Bachelor of Science degree in Mechanical Engineering and has 20 years of information technology experience. For any additional questions, you may reach him at dscott@darrylscottlaw.com.

Endnotes 1. See Press Release, Texas Office of Court Administration, Largest Statewide E-Filing Mandate in the Country Begins in Texas Courts (Jan. 1, 2014), available at http://efiletexas.gov/media-kit/01-01-14_Press_

Release.pdf. 2. See TEX. DISCIPLINARY RULES OF PROF’L CON

DUCT R. 1.05 (1989), available at www.legalethicstexas. com/Ethics-Resources/Rules/Texas-Disciplinary

Rules-of-Professional-Conduct.aspx 3. See Data Storage, TECHOPEDIA, www.techopedia. com/definition/23342/data-storage (last visited Feb. 24, 2020). 4. See Data-Retention Policy, TECHOPEDIA, www. techopedia.com/definition/31812/data-retentionpolicy (last visited Feb. 24, 2020). 5. See Tex. Ctr. For Legal Ethics, Op. 680 (Sept. 2018), available at https://www.legalethicstexas.com/Ethics

Resources/Opinions/Opinion-680. 6. See Data Communications (DC), TECHOPEDIA, https://www.techopedia.com/definition/6765/datacommunications-dc (last visited Feb. 24, 2020).