Lawyers and Foursquare: ethical problems?

Foursquare is one of the many social networking ideas online today. I’ve never used it, but from what I gather, with Foursquare you can “check in” at various venues like restaurants, stores, movie theaters, and the like. As a person checks in more often at a single place, that person can earn titles. I think if you are the person who checks in the most at a certain locale, you win the title “mayor.” (This particular “game” has little appeal for me. I don’t need all my friends knowing that I’ve just arrived at the local burger joint.)

Foursquare’s business model obviously counts on business locations to play along. Foursquare encourages businesses to offer incentives for people to check in. For most business owners, this is a good plan: if my customers know that they’ll get a free large espresso when they get to X number of check-ins, those customers will come back to my coffee shop more often. It’s simply a variation on the punch cards that many restaurants offer to regular customers: a classic customer rewards program.

What does this have to do with lawyers? It appears that some law offices have decided to join the Foursquare world. Clients can check in on their smart phones while waiting for their appointment. People apparently love to check in on Foursquare as a way of competing with their friends, and law firms appear to be cool and current with the latest trends. Sounds great, right?

I’m not so sure. While digging around on Foursquare’s web site, I found that one client of our firm apparently checked in (even though our firm has not registered as an official Foursquare participant). I realized that it might be wise for our firm to “claim” our business on Foursquare before someone else does, so I went through the process, and Foursquare sent a static cling window label we can use to advertise the fact that our firm is participating on Foursquare.

At no time did I seriously consider putting the label on our front door, but that idea made me think of something. By encouraging our clients to check in on Foursquare or any of the similar social networks, are we getting too close to the line of breaching a client’s confidence? Some clients or potential clients may not want anyone to know that they have visited a lawyer’s office. A person seeking a consultation about a possible divorce fits into this category nicely. Of course, one would hope that a person in that type of situation would know not to check in on Foursquare. The possibility that a person might do so without thinking through the idea is what concerns me. I would guess that some people are so into Foursquare that they semi-automatically check in whenever they see the window decal. People tend not to think when they are doing something out of habit. As an example, we had one close call where a client almost had her credit card receipt mailed to her house after a divorce consultation. That caused us to change our forms and ask if the client wants the receipt mailed elsewhere.

These concerns have led me to the conclusion that our firm will not be an active participant on Foursquare. We’ve claimed our business, but that’s as far as we’re going. If clients are waiting and just happen to check in on their own, that’s fine. We’re not going to encourage the practice, however.

Cloud computing and client confidentiality

Because of my upcoming presentation on cloud computing for lawyers, the issue of client confidentiality has been bouncing around in my mind. The rules that govern attorneys (in most jurisdictions, including Indiana, we call them the Rules of Professional Conduct), particularly Rule 1.6, require us to maintain client information in confidence. In other words, no blabbing your client’s secrets to your golfing buddies.

Many lawyers, with good reason, are reluctant to use services like DropBox for client information because of the possible disclosure of the client’s information to third parties, namely the service’s employees or possibly others as allowed by the company’s terms of service.

This all makes sense, of course, but as I’ve thought about it recently, I wonder if we’re being overly paranoid. Let me say at this point that what follows are not my conclusions or my recommendations. The rest of this post is simply a set of musings, and I hope that readers will leave their thoughts so we can have a conversation about this issue.

If a lawyer decides not to use DropBox because of the possible security/confidentiality “holes,” is the lawyer being consistent with his or her everyday practice? For example, does that lawyer:

  • Have and enforce a “clean desk” policy that requires all client files and materials be returned to a central storage facility at the end of the day?
  • Secure access to the central facility after the files and materials have been returned?
  • Have and enforce protocols concerning who has keys to the central facility?
  • Use a file storage service for the maintenance of archived files? If so, are boxes taped shut before being transferred to the storage facility?
  • Use Pretty Good Privacy or other data encryption when sending emails?
  • Use an encryption scheme for printing correspondence before putting the correspondence in the U.S. Mail?
  • Use an office cleaning service?
  • Allow repair persons into the office without removing files or materials from viewable areas?

Many law firms do not have a clean desk policy, but I am aware of at least one Indiana law firm that implemented such a policy after tornado-force winds blew out the windows in the firm’s office. Client files and documents were strewn around the streets of that city in the aftermath of the storm. While a clean desk policy is a good practice, many times lawyers may simply feel it’s too much of a hassle to pack up the files, return them, and pull them out again the next morning.

I have no data on this point, but my guess is that locking file cabinets and storage facilities is hit and miss in law firms. Some use the locks on the file cabinets, and some do not. I think a common practice is to lock things that go in a fire-proof cabinet (such as wills) but to not lock other cabinets. Still, even if all filing cabinets are locked, the locks tend to be standardized and replacement keys easy to obtain.

Continuing to guess about common practices, I’m betting that most firms do not have and enforce protocols about who has access to keys (or key codes) for the central file storage location(s). Having a limited number of trusted employees who can open your file cabinets is secure, but if those few employees happen to be out sick, on vacation, or just running late it can put a real crimp in productivity. As security expert Bruce Schneier has noted, security measures always involve trade-offs. The more secure we make something, the less convenient (or more expensive) it is to use.

The culture in which lawyers work makes lawyers into packrats. We keep client files, copies of everything, “just in case we need it later.” Of course, storage space is always limited, so off-site storage is often necessary. Packing files into bankers boxes and storing them is a common practice. How many of us take the extra step of sealing the boxes to prevent (or prove) tampering is a good question.

Electronic mail is rather insecure as a means of communication. Anyone who has engaged in electronic discovery knows that copies of email messages can live on any number of email servers at various places around the world. (Not to mention the backup copies of those servers!) People who work for the companies that maintain those servers have access to those messages. In twenty years of practice, however, I have had only one client insist on using Pretty Good Privacy to encrypt our email communications. Although unencrypted email communications can be accessed by third parties, most people assume it will not happen—and probably correctly so. As a practical matter, some employee maintaining a server farm in North Carolina is probably not going to be interested in digging through my mediation notes from a case.

Of course, the idea of using some encryption scheme to encrypt correspondence in the U.S. Mail is silly. No client is going to be happy having to spend time decoding something like 5c6ffbdd40d9556b73a21e63c3e0e904. The point, however, is that even the U.S. Mail is not completely secure. While there are federal laws that prohibit postal workers from snooping into sealed envelopes, we’ve all heard of stories where postal workers have been found with hoards of mail in their apartments or trunks. If the U.S. Mail were completely secure, we wouldn’t need to have the postal inspectors.

Every office needs cleaning, copiers repaired, and so on. Delivery people and repair technicians come into our offices, and only the most diligent pre-visit efforts will remove all files and materials from their potential view during the visit. I would be surprised to learn of any firms that assign an employee to escort and remain with a delivery person or repair technician at all times. This is so even though it would be quite easy for a repair person to stop in an office (to purportedly look at the pictures on the wall more closely) and take a quick look at files.

The point of all these examples is not to increase anyone’s level of worry or paranoia about preserving client information in confidence. Rather, the point is to illustrate that we lawyers regularly allow gaps in our security as a matter of convenience. We also recognize that in many instances, the sheer volume of data makes it harder to stumble across something of interest to a third party. (Unless, of course, that third party happens to be on a mission to find specific documents or files.)

Arguably, services like DropBox—even with their imperfect confidentiality—probably provide as much security for client information as our own office practices. DropBox, for example, uses Amazon’s secure servers to store data. At this point, I’m comfortable using a service like DropBox as a convenience (for example, putting certain files in the DropBox so I can access them at home, and then removing them when finished). I’m not so sure I’m comfortable with using DropBox for long-term storage of client information—yet given what I’ve said above, I wonder if my discomfort is not well-grounded.

Please tell me your thoughts in the comments. This is an important issue for lawyers, and we need to be discussing it so we can make sure our professional conduct rules adequately address the issue in future revisions.