During a presentation at the ABA’s 44th National Conference of Professional Responsibility last year, a CLE panelist threw out the following. Given that a lawyer has an ethical duty to verify that any vendor a firm works with has in place appropriate safeguards to keep the lawyer’s data secure, why wouldn’t the same duty arise when a lawyer shares data with another lawyer outside of the firm? For example, do lawyers have a duty to make sure any lawyer they co-counsel with has appropriate data security safeguards in place? How about all the lawyers who are adverse to your firm’s clients? After all, data is being regularly exchanged during discovery and contract negotiations just for starters.
I will admit this comment caught me off guard, but I quickly came to realize a legitimate concern had been raised. Think about it. There are no exceptions in the Rules of Professional Conduct that say something along the lines of, ‘don’t worry about data security issues when exchanging digital data with lawyers outside of your own firm.’ Couple that with the reality that there is still a significant percentage of lawyers in active practice who have no idea how to encrypt a file or a mobile device, have no idea what a VPN is, and/or have no intention of using more than one easy-to-remember password for everything they do, and hopefully the issue becomes clear. Heck, even failing to scan data coming from lawyers outside the firm for possible malware infections could be problematic.
It’s all about data security and, ethical duties aside, your clients expect you to take whatever steps are necessary to make sure their confidences remain confidential. To your clients, it will make no difference if it was you or your co-counsel who failed to take reasonable steps to prevent the unauthorized access to or inadvertent disclosure of their confidences. The same can be said for sharing data with any lawyer on the other side.
Again, I get it; and yes, trust is a good thing. I’m not suggesting that every time you want to form a co-counsel relationship or negotiate a contract you should have the lawyer complete a 3-page data security questionnaire. That said, what would be wrong with establishing basic guidelines as to the reasonable data security steps both lawyers or firms will take? For example, you might agree to commit to encrypting the data stream for any and all communications that include confidential client information and then decide how to best accomplish that.
Here’s the bottom line. Data security is the name of the game and it’s your reputation that’s at stake. Should the unexpected ever happen, your clients are going to want answers. When the truth is that the misstep was a failure to consider and responsibly address the risks associated with exchanging digital data with other lawyers, well, let’s just be honest and admit this is never going to pass muster; but, of course, you already know that.