The inaugural post of this blog explored lawyer’s ethical duties of professional responsibility to protect client documents when using cloud storage. In addition to these ethical duties regulating lawyer’s use of cloud-based storage solutions, many states have enacted statutory regulations that require heightened standards of protection of when using technology to handle sensitive client information.
Unlike the ethical duties that apply to all practicing attorneys, statutory requirements vary by state and can hold lawyers to a higher standard of care when using technology to handle confidential client information. Massachusetts, for example, requires attorneys to implement and maintain an information security program that contains technical and physical safeguards. Forty-seven states now have laws that mandate attorneys to notify clients when confidential data has been breached, and nineteen states also require secure disposal of electronic records that contain confidential information.
There are obvious advantages to states passing laws at a local level that ensure strict security standards when it comes to electronic storage of confidential client documents. Lawyers often are trusted with information, such as Social Security numbers, driver’s licenses numbers, and financial account information, that can lead to identity theft if accessed by an unauthorized third-party.
However, there are disadvantages to not having federal regulations that standardize what is required of lawyers when uploading client documents to the cloud or sending emails with personally identifiable information. First, the lack of standardization across the profession has led to confusion among practicing attorneys. Case in point: a recent ABA report found that nearly half of lawyers are unclear of what their technological duties are. Second, the lack of standardization has the potential to leave clients uncertain of what level of protection they should be expecting from their attorney. For example, clients may fully expect to be notified of data breaches of their confidential information stored electronically by their attorney regardless of whether they live in a state that requires such notifications.
If the extent to which lawyers are required to be technologically competent varies this much state-to-state, wouldn’t you be confused too?