Attorneys are bound by the ABA Model Rules of Professional Conduct, Rule 1.6: Confidentiality of Information, which notes that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
But it’s not just the attorneys who should adhere to this important protection of client confidentiality. The entire law firm should be sure to honor that confidentiality in how they work with sensitive documents.
What is considered confidential?
All attorney-client communications, work product, and trial prep documents should be regarded as confidential. Other examples of confidential information include client medical records, workers’ compensation claims, financial records, and HIPAA information of both clients and employees.
It’s not just client information that should be kept secure. Law firm personnel information is also confidential. This includes federal (FMLA) and state leave documents, I-9 immigration forms, documents pertaining to employee investigations, such as disciplinary actions, background checks of potential hires, and other materials in the interview, performance review, and termination processes.
Violations of privacy laws can be expensive. For example, the penalties for noncompliance with HIPAA are based on the level of negligence. They can range from $100 to $50,000 per violation (or per record), with a maximum penalty of $1.5 million per year for violations of an identical provision. Violations can also carry criminal charges with potential prison time.
In 2012, 90% of IT respondents in an ABA survey said their organization had experienced a breach of document security. And 70% of IT managers surveyed in 2013 knew or believed that users had business data in their own personal file-sharing accounts.
When consumer devices like tablets and smartphones are added into the mix, the need is that much greater for law firm information technology departments and management to pay close attention to confidential data.
Tips and best practices for handling confidential material
To avoid breaches of security, all hard copies of confidential information should be contained in a secure location. And electronic files with this information must be safeguarded.
Here are some of the best ways to protect confidential documents as they pass through your law firm:
Access to digital information should be restricted with passwords, firewalls, and encryption. Passwords must be secure and changed regularly. Parameters can be set to require users to create passwords that employ a combination of upper- and lower-case letters and special characters.
Confidential recycling receptacles and shredders
Although we’ve moved to a digital society with e-signatures and online contracts, the typical law firm still produces a considerable amount of paper. Confidential documents should be shredded or placed in a confidential trash container (in many instances it can also be recycled). Many third parties provide collection services for sensitive hard copies.
Secure document storage cabinets
In some cases, confidential documents can’t be destroyed and must be saved for future use. One example is estate planning documents. Keep them in a lockable storage cabinet with limited access. In addition, this cabinet can be housed in a locked room with limited access.
Remember that a chain is only as strong as its weakest link. One employee who is lax in safeguarding confidential information or a less-than-diligent IT staff can create severe issues for the firm.
Educate your firm’s employees about protecting confidential information, beginning with explaining why confidentiality is critical to the business. Next, train your staff on the practical aspects of data protection that are discussed above, such as using secure passwords and the proper destruction of confidential documents.
It’s essential in today’s technological world for law firms to safeguard the confidentiality of their firm’s documents.
What steps does your firm take to protect your client and employee privacy against potential security breaches?