
As lawyers increasingly explore and adopt cloud-based (online) applications, fear and confusion about security, privacy, and client confidentiality often go along for the ride. Caution is, of course, prudent, and researching the technical and ethical issues is essential, but let’s do away with the fear and confusion.

Baseline security and privacy requirement

Just about all of the popular online (cloud computing) applications offer 128-bit encryption (HTTPS), redundant backups in multiple locations, data ownership policies, data isolation (keeping your information out of the wrong hands), and other privacy and security measures. These are baseline “reasonable care” standards lawyers should look for when managing clients’ information in the cloud.

Below, we’ll examine additional “reasonable care” standards that lawyers may use to protect sensitive client information.

Technological Competence in the Digital Age

But first, a look at the ethical mandate for technological competency.

The ABA Model Rule 1.1 directs lawyers to have an awareness and understanding of developments in technology that affect the way they handle cases and their law practice:

“To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

As the author of a paper on Ethics, Technology, and Attorney Competence noted:

Incompetence in this regard is not merely a disadvantage that may lose a present-day case, but it is a violation of the law in several states, remedied by a series of increasingly harsh penalties ranging from temporary to permanent disbarment.

Got it. Attorneys must keep pace with technological advancements to meet their “duty of competence” to clients.

Now that we’ve established the mandate for technological competence, let’s take a look at the cause of uncertainty for some: using reasonable care in keeping clients’ information confidential and secure online.

Client-Confidentiality and Reasonable Care

The ABA Model Rule 1.6(c) is where the rubber meets the road. It states that lawyers must:

“make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

The key here, of course, is “reasonable efforts,” or as it’s sometimes referred to: “reasonable precautions” or “reasonable care.” We’ll refer to it here as “reasonable care.” What exactly is “reasonable care”?

The State Bar of Wisconsin, in its Wisconsin Lawyer magazine, spelled it out beautifully:

Lawyers should consider a number of factors when determining whether his or her efforts are reasonable. These factors include:

  1. The sensitivity of the information
  2. The likelihood of disclosure if additional safeguards are not used
  3. The cost of using additional safeguards
  4. The difficulty of implementing the safeguards
  5. The extent to which the safeguards adversely affect the lawyer’s ability to represent clients (for example, by making a device or important piece of software excessively difficult to use).

This summarizes ABA Model Rule 1.6, Comment [18], the comments to Pennsylvania’s Rule 1.6, and those of other states. In short: employ safeguards to protect sensitive client information without incurring cost-prohibitive or confusing measures.




Making Evernote Compliant

So, how does Evernote, the standout note-taking, information-storing, productivity application, stack up? We’ll look at three practices that go to the “reasonable care” standard: strong passwords, two-factor authentication, and encryption.

1. Strong Passwords

Device – Evernote can be accessed on the web, but it is also available via native apps on your computer and mobile devices. Secure each device with a strong password. (See: 3 Steps to a More Secure Password). This is a no-brainer. If you haven’t password-protected your devices, stop reading now, do it, and come back.

Application – The same goes for logging in to Evernote. Consider getting a password manager like LastPass or 1Password and have it generate a unique, secure password for Evernote and other applications. After using a password manager, you’ll wonder how you managed without it.

Evernote provides another layer of security with a 4-digit PIN to access the application on mobile devices. See: How to set up a passcode or Touch ID to unlock your mobile Evernote.

2. Two-Factor Authentication


Evernote calls this setup two-step verification, which adds an extra layer of protection to your account. Whenever you sign in to any Evernote application, you’ll need to enter both your password and a verification code, which you’ll receive on your mobile device via text message. Here’s how to set it up.

3. Encryption

Even after taking the above measures, the sticking point for some is, “who holds the key?” In other words, for sensitive client and firm data, they want another level of protection.

First, the information stored in Evernote should be assigned to one of two camps:

1. Sensitive client information

2. General information.

There is no need to encrypt the latter, which may include legal research, blog posts, business cards, and other bits of information.

For sensitive information, however, an additional security measure may be employed: encryption.

In Iowa’s Ethics Opinion 11-01, Use of Software as a Service – Cloud Computing, the option for encryption is on the list of questions to consider:

Recognizing that some data will require a higher degree of protection than other data, will I have the ability to encrypt certain data using higher level encryption tools of my choosing?

Evernote offers this option: only you have access to the key that unlocks the encrypted data.

Here’s a suggestion: for every client and matter, assign “general” and “sensitive” notebooks in Evernote. Store related notes in each. Encrypt all notes in the “sensitive” notebook by selecting some or all of the information in each note, hitting the keyboard shortcut SHIFT + COMMAND + X (SHIFT + WIN + X for PCs), and assigning a password. Choose your password carefully. You’re the only one with access to it. Evernote doesn’t store it. If you forget it, you’re out of luck. This is where a password manager again comes in handy.

These measures make using Evernote to store information more secure than servers sitting in your office, files on your desk and in cabinets, or even attachments in your email. And it speaks to “reasonable care” in securing client information online as mandated by the ABA and State Bars.