Because of my upcoming presentation on cloud computing for lawyers, the issue of client confidentiality has been bouncing around in my mind. The rules that govern attorneys (in most jurisdictions, including Indiana, we call them the Rules of Professional Conduct), particularly Rule 1.6 [link to Model Rule 1.6] require us to maintain client information in confidence. In other words, no blabbing your client’s secrets to your golfing buddies.
Many lawyers, with good reason, are reluctant to use services like DropBox for client information because of the possible disclosure of the client’s information to third parties, namely the service’s employees or possibly others as allowed by the company’s terms of service.
This all makes sense, of course, but as I’ve thought about it recently, I wonder if we’re being overly paranoid. Let me say at this point that what follows are not my conclusions or my recommendations. The rest of this post is simply a set of musings, and I hope that readers will leave their thoughts so we can have a conversation about this issue.
If a lawyer decides not to use DropBox because of the possible security/confidentiality “holes,” is the lawyer being consistent with his or her everyday practice? For example, does that lawyer:
- Have and enforce a “clean desk” policy that requires all client files and materials be returned to a central storage facility at the end of the day?
- Secure access to the central facility after the files and materials have been returned?
- Have and enforce protocols concerning who has keys to the central facility?
- Use a file storage service for the maintenance of archived files? If so, are boxes taped shut before being transferred to the storage facility?
- Use Pretty Good Privacy or other data encryption when sending emails?
- Use an encryption scheme for printing correspondence before putting the correspondence in the U.S. Mail?
- Use an office cleaning service?
- Allow repair persons into the office without removing files or materials from viewable areas?
Many law firms do not have a clean desk policy, but I am aware of at least one Indiana law firm that implemented such a policy after tornado-force winds blew out the windows in the firm’s office. Client files and documents were strewn around the streets of that city in the aftermath of the storm. While a clean desk policy is a good practice, many times lawyers may simply feel it’s too much of a hassle to pack up the files, return them, and pull them out again the next morning.
I have no data on this point, but my guess is that locking file cabinets and storage facilities are hit and miss in law firms. Some use the locks on the file cabinets, and some do not. I think a common practice is to lock things that go in a fire-proof cabinet (such as wills) but to not lock other cabinets. Still, even if all filing cabinets are locked, the locks tend to be standardized and replacement keys easy to obtain.
Continuing to guess about common practices, I’m betting that most firms do not have and enforce protocols about who has access to keys (or key codes) for the central file storage location(s). Having a limited number of trusted employees who can open your file cabinets is secure, but if those few employees happen to be out sick, on vacation, or just running late it can put a real crimp in productivity. As security expert Bruce Schneier has noted, security measures always involve trade-offs. The more secure we make something, the less convenient (or more expensive) it is to use.
The culture in which lawyers work makes lawyers into packrats. We keep client files, copies of everything, “just in case we need it later.” Of course, storage space is always limited, so off-site storage is often necessary. Packing files into bankers boxes and storing them is a common practice. How many of us take the extra step of sealing the boxes to prevent (or prove) tampering is a good question.
Electronic mail is rather insecure as a means of communication. Anyone who has engaged in electronic discovery knows that copies of email messages can live on any number of email servers at various places around the world. (Not to mention the backup copies of those servers!). People who work for the companies that maintain those servers have access to those messages. In twenty years of practice, however, I have had only one client insist on using Pretty Good Privacy to encrypt our email communications. Although unencrypted email communications can be accessed by third parties, most people assume it will not happen—and probably correctly so. As a practical matter, some employee maintaining a server farm in North Carolina is probably not going to be interested in digging through my mediation notes from a case.
Of course, the idea of using some encryption scheme to encrypt correspondence in the U.S. Mail is silly. No client is going to be happy having to spend time decoding something like 5c6ffbdd40d9556b73a21e63c3e0e904. The point, however, is that even the U.S. Mail is not completely secure. While there are federal laws that prohibit postal workers from snooping into sealed envelopes, we’ve all heard of stories where postal workers have been found with hoards of mail in their apartments or trunks. If the U.S. Mail was completely secure, we wouldn’t need to have the postal inspectors.
Every office needs cleaning, copiers repaired, and so on. Delivery people and repair technicians come into our offices, and only the most diligent pre-visit efforts will remove all files and materials from their potential view during the visit. I would be surprised to learn of any firms that assign an employee to escort and remain with a delivery person or repair technician at all times. This is so even though it would be quite easy for a repair person to stop in an office (to purportedly look at the pictures on the wall more closely) and take a quick look at files.
The point of all these examples is not to increase anyone’s level of worry or paranoia about preserving client information in confidence. Rather, the point is to illustrate that we lawyers regularly allow gaps in our security as a matter of convenience. We also recognize that in many instances, the sheer volume of data makes it harder to stumble across something of interest to a third party. (Unless, of course, that third party happens to be on a mission to find specific documents or files.)
Arguably, services like DropBox—even with their imperfect confidentiality—probably provide as much security for client information as our own office practices. DropBox, for example, uses Amazon’s secure servers to store data. At this point, I’m comfortable using a service like DropBox as a convenience (for example, putting certain files in the DropBox so I can access them at home, and then removing them when finished). I’m not so sure I’m comfortable with using DropBox for long-term storage of client information—yet given what I’ve said above, I wonder if my discomfort is not well-grounded.
Please tell me your thoughts in the comments. This is an important issue for lawyers, and we need to be discussing it so we can make sure our professional conduct rules adequately address the issue in future revisions.