CLE: 2010: Loose Lips Sink Attorney-Client Ships: Unintended Technological Disclosure of Confidential Communications

Dublin Core

Title

CLE: 2010: Loose Lips Sink Attorney-Client Ships: Unintended Technological Disclosure of Confidential Communications

Creator

Bill Piatt, Paula deWitte

Publisher

St. Mary's University School of Law San Antonio Texas Alumni Homecoming, St. Mary's University School of Law Alumni Homecoming

Date

2010-03-12

Relation

St. Mary's University School of Law Alumni Homecoming

Format

RFC3778

Language

English, en-US

Type

Text

Identifier

STMU_HomecomingCLE2010PiattDeWitte

Loose Lips Sink Attorney-Client Ships:
Unintended Technological
Disclosure of Confidential Communications
Bill Piatt
Paula deWitte

Copyright 2008, St. Mary's University of San Antonio. All rights reserved.

Loose Lips Sink Attorney-Client Ships: Unintended Technological
Disclosure of Confidential Communications
Bill Piatt*
Paula deWitte**

I. Introduction ... 1
II. Why Recognize Attorney-Client Confidentiality? ... 3
   A. The Nature of Confidentiality ... 3
   B. The Lawyer's Obligation to Maintain Confidences ... 5
III. Unintended Disclosure via Technology ... 8
   A. Hotel Room Security ... 10
   B. Insider Threat and Social Engineering ... 12
   C. E-mail Correspondence ... 16
   D. Disposal ... 17
   E. Physical Destruction of Law Offices ... 20
IV. Reasonable Measures to Protect Confidences ... 21
   A. Prevention ... 24
   B. Detection ... 27
   C. Remediation ... 30
V. Conclusion ... 34

Copyright 2008, St. Mary's Law Journal; final version to appear in Issue 4, Volume 39 in June 2008

I. INTRODUCTION

In general, lawyers must not reveal confidential information relating to the representation of their clients.[1] Moreover, lawyers must make reasonable efforts to ensure that the attorneys they supervise, as well as their non-lawyer employees, maintain client confidences.[2] In a bygone era, attorney-client communications consisted of face-to-face meetings, which may have included written confirmation of discussions or an exchange of simple written letters.[3] If files were copied, it was easy to ascertain who had the copies and, more importantly, who had viewed those copies. Today, technology virtually guarantees that communications between attorneys and clients will be memorialized, copied, archived, and perhaps accessed by others with whom the attorney did not intend to share the information.[4] While most attorneys would not knowingly betray client confidences, there is a growing problem of unintended disclosure through technological means, both nefarious and accidental.[5] Many attorneys are probably unaware of the magnitude of this risk.[6] How does an attorney gather and utilize the information necessary to represent the client effectively and, at the same time, maintain procedures that prevent the unintended disclosure that could ruin the client's case and subject the attorney to discipline or malpractice claims? Many technology and security protections that are available are not yet widely used in the legal profession.[7] Awareness of the problems and of possible solutions is a critical first step to addressing these concerns.

In this article, we will examine why we recognize attorney-client confidentiality, what possibilities now exist for unintended disclosure through use or misuse of technology, and how attorneys must adapt to the new realities in order to fulfill obligations of effective representation and maintenance of client trust and confidences. We address how an attorney can employ reasonable care through both technical and non-technical means to better protect client information.

II. WHY RECOGNIZE ATTORNEY-CLIENT CONFIDENTIALITY?

A. The Nature of Confidentiality

Human beings have a basic need to form relationships based upon trust.[8] One element of that trust is the mutual willingness of those involved in a relationship to keep information vital to the physical survival of the group among only the members of the group. Perhaps an early example might involve tribal members keeping secrets within the tribe as to the location of food stores or supplies.[9] Obviously, the safety of the group would also be compromised if information regarding defense systems was spread to hostile outsiders.[10]

* Ryan Professor of Law and former Dean (1998-2007) of St. Mary's University School of Law. I am indebted to my legal secretary and former Coordinator, Grace M. Garcia, and to my research assistant, Rebecca Covarrubias, for their assistance. I wish to thank Vincent Johnson, Professor of Law and former Associate Dean of St. Mary's University School of Law, for sharing his research and insights with me.

** Ph.D. Computer Science, J.D. Candidate, St. Mary's University School of Law (2009).

[1] See MODEL RULES OF PROF'L CONDUCT R. 1.6(a) (2007) ("[A] lawyer shall not reveal information relating to representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by [Rule 1.6(b)]"); cf. id. R. 1.6(b) (stating that it is permissive for lawyers to reveal confidential client information if they reasonably believe it is necessary to prevent "certain death or substantial bodily harm," or other certain crimes and fraudulent activities committed by the client in which the lawyer's services have been used).

[2] See id. R. 5.1, 5.3 (providing that supervising attorneys must "make reasonable efforts to ensure [subordinate attorneys] conform to the Rules of Professional Conduct," and that non-lawyer assistants' "conduct is compatible with the professional obligations of the lawyer").

[3] See Jesse J. Richardson, Jr., How a Sole Practitioner Uses the "Electronic Office" to Maintain a Competitive Law Practice, 3 DRAKE J. AGRIC. L. 141, 147 (1998) (highlighting that in the past lawyers relied on telephone and mail rather than electronic communications); Ronald W. Staudt, Does the Grandmother Come with It? Teaching and Practicing Law in the 21st Century, 44 CASE W. RES. L. REV. 499, 520 (1994) ("Electronic mail supplants some communications that previously occurred by visit, telephone, and memoranda."); see also Robert H. Thornburg, Electronic Discovery in Florida, 80 FLA. BAR J. 34, 34 (2006) ("Today, over 90 percent of a company's documents are created electronically, but never printed. The filing cabinets of yesteryear have gone by the wayside and have been replaced by desktops and laptops.").

[4] See SECTION OF SCI. & TECH. LAW, LAW PRACTICE MGMT. SECTION, INFORMATION SECURITY FOR LAWYERS AND LAW FIRMS 167 (Sharon D. Nelson et al. eds., 2006) (stressing the importance of backing up email, since reliance on paper documents is declining, and the need to password protect voicemail message systems). There are guidelines and recommendations for information security within law firms, including the protection of privileged communications between attorneys and clients. Id.

[5] See KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION 179-80 (2002) (telling a story of how an attorney gained entrance into his client's office through deception, hacked into their network, and subsequently downloaded confidential files). See generally SECTION OF SCI. & TECH. LAW, LAW PRACTICE MGMT. SECTION, INFORMATION SECURITY FOR LAWYERS AND LAW FIRMS 1 (Sharon D. Nelson et al. eds., 2006) (highlighting different means by which a lack of information security can lead to accidental disclosure, such as unauthorized access to a computer network through inadequate password protection, and failure to maintain an operational firewall, leading to spyware or full compromise of the computer).

[6] See SECTION OF SCI. & TECH. LAW, LAW PRACTICE MGMT. SECTION, INFORMATION SECURITY FOR LAWYERS AND LAW FIRMS 35-36 (Sharon D. Nelson et al. eds., 2006) ("Lawyers tend to have less experience and focus less attention upon the stealthy information security risk that arises from their increasing use of information technology as a legal practice tool."). The FBI estimates that the average cost of data theft is $350,000. http://www.news.com/Beware-the-podslurping-employee/2100-1029_3-6039926.html?tag=item. Symantec estimates the average laptop contains data worth approximately $972,000, and the FBI estimates that the average annual cost of computer security incidents is $67.2B. www.scottandscottllp.com/resources/article_laptop_data_loss-1.asp.
[7] See SECTION OF SCI. & TECH. LAW, LAW PRACTICE MGMT. SECTION, INFORMATION SECURITY FOR LAWYERS AND LAW FIRMS 48-50 (Sharon D. Nelson et al. eds., 2006) (stating that the Learned Hand risk assessment test may need to be utilized for lawyers in attempting to determine the proper amount of security needed to maintain confidentiality). There are currently no standards set by the ABA for a minimum amount of information security, but adoption of such standards would provide considerable guidance to lawyers in how to respond to the increasing threat. Id.

[8] See J. David Lewis & Andrew Weigert, Trust as a Social Reality, 63 No. 4 SOC. FORCES 967, 968 (1985) (stating that trust is a "functional prerequisite" to form other types of societal relationships).

[9] Obviously, no records exist of early tribal decisions to secrete food stores, but just as obviously, the ability to gather food and keep its location secure would have increased the chances for group survival among early humans. In more contemporary times, the suspicion that the Communist government in Poland was maintaining secret food supplies led to the ultimate success of the Solidarity movement. Thomas A. Sancton, We Have Come to Win, TIME, Aug. 17, 1981, available at www.time.com/time/magazine/article/0,9171,949324-2,00.html.

[10] Secreting weapons stores seems to be another obvious method to ensure group survival. Searching out these secret caches is an important undertaking when another group seeks to minimize their threat. Major Weapons Cache Seized in Iraq, Feb. 26, 2007, available at www.military.com/NewsContent/0,13319,126519,00.html; Weapons Cache Found in Afghanistan, BBC NEWS, Apr. 18, 2003, available at http://news.bbc.co.uk/2/hi/south_asia/2959261.stm; Feds Find Weapons Cache Near Mexican Border, CNN, Feb. 4, 2006, available at www.cnn.com/2006/us/02/03/laredo.arsenal/index.html.

On an emotional level, we seek to find someone with whom we can share our innermost thoughts, ambitions, concerns, and fantasies with the expectation that these shared matters of intense personal concern will not be broadcast to others. Consider, for example, the lyrics composed by Paul McCartney and John Lennon: "Do you want to know a secret, [d]o you promise not to tell?"[11] A negative response to the second of these inquiries would end the hope of a romantic relationship held by the person making the inquiry. The first of these inquiries points to perhaps another basic human interest: people seem to want to know secrets, although, as discussed below, learning a secret and then maintaining it creates significant burdens for the person who must keep that secret.[12]

The law recognizes this deep-seated human need to create and maintain confidential relationships for reasons of physical and emotional well-being. Evidentiary privileges or other privacy protection extends to communications with clergy[13] and health care providers.[14] Spouses enjoy the legal right to communicate in most regards without being subjected to forced disclosure of the discussion.[15] Educational records are protected by federal law.[16] A host of privacy laws and precedent afford a remedy against prying eyes, ears and hands.[17]

Even where the law does not recognize a legally-enforceable privilege, other professions seek to afford a shelter from disclosure. For example, journalists routinely agree to speak to sources "off the record" and insist upon maintaining the confidence even in the face of court orders to the contrary.[18]

Yet there is still conflicting sentiment regarding the maintenance of confidences. By definition, the person who guards a secret is being secretive.[19] He or she is not being completely "open." Indeed, when inquiries are directed to the person regarding the confidential matter, the response by the person maintaining the secret may fairly be characterized as evasive at best or even downright dishonest. Ironically, journalists, who are some of the strongest proponents for maintaining confidentiality of their sources, are also among the strongest opponents of public maintenance of official confidences.[20] This conflict between maintaining trust and at the same time affording "transparency" or "openness" is reflected in conflicting claims to privilege and privacy.

B. The Lawyer's Obligation to Maintain Confidences

It should come as no surprise, then, that as members of a profession charged with protecting the well-being of their clients, lawyers are required to maintain the secrets of their clients.[21] It should also come as no surprise that some of the societal ambivalence relating to the maintenance of secrets, coupled with public distrust of attorneys, makes the lawyer's role particularly challenging. Under the general obligation to maintain confidentiality as set out in Rule 1.6 of the Model Rules of Professional Conduct, attorneys are precluded from revealing "information relating to the representation of the client."[22] Rule 1.6 allows disclosure only under carefully defined circumstances.[23] The underlying reason for the existence of the rule is that the maintenance of confidentiality "contributes to the trust that is the hallmark of the client-lawyer relationship."[24] A client's knowledge of this protection encourages the client to seek legal assistance and to "communicate fully and frankly with the lawyer even as to embarrassing or legally damaging subject matter."[25] The importance of maintaining this confidentiality and allowing attorneys to decline to reveal confidential information obtained from their clients has been recognized as necessary "to encourage full and frank communication between attorneys and their clients."[26] Even where the attorney has preliminary discussions with a prospective client that do not result in the creation of a client-lawyer relationship, the lawyer nonetheless must maintain the confidences acquired in those communications.[27] Supervisory attorneys must make "reasonable efforts" to ensure that attorneys[28] and non-lawyer assistants[29] comply with all professional obligations of the attorney, including the maintaining of confidences.[30]

Even within the legal profession there continues to be controversy regarding the underlying purpose of the principles of confidentiality.[31] Some critics suggest that because confidentiality increases the demand for legal services, the legal profession is the primary beneficiary of these confidentiality provisions, not clients and not society as a whole.[32]

[11] THE BEATLES, Do You Want to Know a Secret?, on PLEASE PLEASE ME (Parlophone 1963), lyrics available at http://www.dmbeatles.com/song.php?song=56.

[12] See Anita E. Kelly, Julie A. Klusas, Renee T. von Weiss & Christine Kenny, What is it About Revealing Secrets that is Beneficial?, 27 PERSONALITY & SOC. PSYCHOL. BULL. 651, pincite (2001) (reporting that people who do not reveal negative secrets "are more depressed, anxious, and shy and have lower self-esteem and higher levels of general symptomatology") (citations omitted).

[13] See In re Grand Jury Investigation, 918 F.2d 374, 384 (3d Cir. 1990) (recognizing the federal common law clergy-communicant privilege as long as the communication was conducted in confidence with a clergy person acting in their official capacity).

[14] See FED. R. EVID. 501 (stating that privilege shall be governed by common law and state law if applicable); see also Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936, 2033 (requiring the Secretary of Health and Human Services to promulgate rules determining privacy standards for patient health records). The final rule promulgated by the Secretary became effective April 21, 2003 and created a substantial list of privacy requirements to protect patient information. 45 C.F.R. §§ 164.500-.534 (2006).

[15] See FED. R. EVID. 501 (stating that privilege shall be governed by common law and state law if applicable); Blau v. United States, 340 U.S. 332, 333 (1951) (noting that "confidential communication between husband and wife [is] privileged").

[16] See Family Educational and Privacy Rights Act (FERPA), 20 U.S.C. § 1232g(b) (Supp. II 2002) (denying federal funds to educational institutions that violate confidentiality by releasing student records to unauthorized individuals or agencies).

[17] See 12 U.S.C. §§ 3402-03 (2000) (prohibiting financial institutions from releasing financial records of customers except in compliance with a subpoena or search warrant); 18 U.S.C. § 1702 (2000) (providing criminal penalties for anyone who opens mail "to obstruct the correspondence, or to pry into the business or secrets of another"); 18 U.S.C. § 2511 (2000) (providing criminal penalties for anyone who intentionally intercepts "any wire, oral, or electronic communication"); 18 U.S.C. §§ 2701-2(a) (2000) (providing criminal penalties for anyone who knowingly discloses electronic communication provided through the means of communication or access to the electronic storage); 18 U.S.C. § 2710 (2000) (providing a civil action for a video tape service provider that releases consumer information to anyone not authorized); Dietemann v. Time, Inc., 449 F.2d 245, 249 (9th Cir. 1971) (holding that the First Amendment does not give the media "a license to trespass, to steal, or to intrude by electronic means into the precincts of another's home or office" even for criminal investigative reporting); Camp, Dresser & McKee, Inc. v. Steimle & Assoc., Inc., 652 So. 2d 44, 48 (La. Ct. App. 1995) (holding that it is an invasion of privacy to scavenge and remove trash from another because it is unlawful based on anti-scavenging and deceptive trade practices statutes).

[18] See In re Grand Jury Subpoena (Miller), 397 F.3d 964, 970 (D.C. Cir. 2005) (applying the Supreme Court ruling that the press does not enjoy a privilege of confidentiality and must comply with court orders to reveal sources). After the D.C. Circuit upheld the court order to compel her to testify, reporter Judith Miller still refused to testify and reveal her source in the leak of the C.I.A. agent Valerie Wilson; she spent over 12 weeks in jail before deciding to testify after her sources waived confidentiality. David Johnston & Douglas Jehl, Jailed Times Reporter Freed After Source Waives Confidentiality, N.Y. TIMES, Sept. 29, 2005, at .

[19] See WEBSTER'S UNABRIDGED DICTIONARY 1730 (2d ed. 2001) (defining secretive as "having or showing a disposition to secrecy; reticent").

[20] See Gordon Dickson, Lawsuit Filed to Keep Documents Private, FT. WORTH STAR-TELEGRAM, June 25, 2005, at B5 (reporting that multiple newspapers made open records requests in regards to contracts concerning the Trans-Texas Corridor).

[21] MODEL RULES OF PROF'L CONDUCT R. 1.6(a) (2007).

[22] MODEL RULES OF PROF'L CONDUCT R. 1.6(a) (2007).
23

See id. R. 1.6(b) (stating that it is permissive for a lawyer to reveal confidential client
information if they reasonably believe it is necessary to prevent "certain death or substantial
bodily harm," or other certain crimes and fraudulent activities committed by the client in which
the lawyer' s services have been used).
24
Jd. R. 1.6 cmt. 2.
25
MODEL RULES OF PROF'LCONDUCT R. 1.6 cmt. (2007).
26
Upjohn Co. v. United States, 449 U.S. 383, 389 (1981). The attorney-client evidentiary
privilege is "one of the oldest recognized privileges for confidential communications." Swidler
& Berlin v. United States, 524 U .S. 399, 403 (1998).
27
See MODEL RULES OF PROF'L CONDUCT R. 1.18b (2007) (enumerating the duties owed by
lawyers to prospective clients).
28
See MODEL RULEs OF PROF'L CONDUCT R. 5.1 (2007) (explaining the duties of supervisory
attorneys over other lawyers, including efforts to guarantee the other lawyers are complying with
f«rofessional conduct rules).
9
See MODEL RULES OF PROF'L CONDUCT R. 5.3 (2007) (explicating the responsibilities of
supervisory attorneys regarding non-lawyer assistants, including the duty to make sure that nonlawyers are complying with the professional conduct rules).
30
See MODEL RULES OF PROF'L CONDUCT R. 1.6 (2007) (providing that unless a stated exception
applies, a lawyer is prohibited from revealing confidential information).
3
See GEORGE M. COHEN & SUSAN P. KONIAK, FOUNDATIONS OF lliE LAW AND Ennes OF
LAWYERING 148-52 (Foundation Press 2004) (describing the initial purposes and the current
effects of the confidentiality rules).
32
See GEORGE M. COHEN & SUSAN P. KONIAK, FOUNDATIONS OF 1HE LAW AND E1HICS OF
LAWYERING 148 (Foundation Press 2004) (recognizing confidentiality rules "made clients more
willing to hire attorneys"). In a similar vein, Associate Justice O'Connor favored narrowly
construing the attorney-client privilege. See Swidler & Berlin v. United States, 524 U.S. 399, 416
(1998) (O'Connor, J., dissenting) (arguing for a "narrow exception to the rule that the attomey6

Copyright 2008, St. Mary's Law Journal; final version to appear in Issue 4, Volwne 39 in June 2008

DRAfu
On a practical level, maintaining the confidences is ofutmost importance to both lawyers and
33
their clients.
Lawyers who fail to adequately protect their client 's information may face a
number of repercussions including: discipline (e.g., sanctions, suspension, disbarment) for
34
violating professional responsibility rules; liability or sanctions under federal or state statutes;35

client privilege survives the death of the client"). ''We are reluctant to recognize a privilege or
read an existing one expansively unless to do so will serve a public good transcending the
normally predominate principle of utilizing all rational means for ascertaining truth." Swidler &
Berlin v. United States, 524 U.S . 399, 411 (O'Connor, J., dissenting).
33
See GEORGE M. COHEN & SUSAN P. KON~ FOUNDATIONS OF 11IE LAW AND Ennes OF
LAWYERING 148-52 (Foundation Press 2004) (explaining "[w]hy confidentiality is so
important," including benefits to lawyers and benefits to clients).
34
See, e.g., People v. Hohertz, 102 P.3d 1019, 1022-24 (Colo. 2004) (relating disbarment of
attorney because the attorney committed several ethics violations, including revealing client
confidences); Akron Bar Ass'n v. Holder, 810 N.E.2d 426, 435 (Ohio 2004) (upholding a twoyear suspension imposed on an attorney for improperly disclosing his client's confidences during
a deposition); State v. Chappell, 93 P.3d 25, 28, 31 (Okla. 2004) (imposing a one-year
suspension upon an attorney who used confidential information in a court document); In re
Bryan, 61 P .3d 641, 649, 661 (Kan. 2003) (affirming public censure as punishment of an
attorney for disclosing confidential information to opposing counsel about his client's unrelated
pending defamation case); In re Disciplinary Proceeding Against Schafer, 66 P.3d 1036, 1040
(Wash. 2003) (fmding a six month suspension appropriate punishment for a lawyer who revealed
his client's confidences and secrets); In re Disciplinary Proceedings Against Harman, 628
N.W.2d 351, 358, 361 (Wis. 2001) (ordering six month suspension of an attorney for disclosing a
client's medical records to a prosecutor who was prosecuting the client's cohabitant).
35
See, e.g., Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57
S.C. L. REv. 255, 264-72 (2005-2006) (analyzing the duty to protect database information). In
this article, Professor Johnson discusses the possibility ofliability under the Gramm-LeachBliley Act of1999, codified in various sections of titles twelve and fifteen ofthe United States
Code. Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57
S.C. L. REv. 255, 266-70 (2005- 2006). Under the Gramm-Leach-Bliley Act, "financial
institutions" must protect the security of customers' non-public personal information. GrammLeach-Bliley Act§ 501(a) (codified at 15 U.S.C. § 6801(a)) (2000)). While this Act does not
explicitly pertain to attorneys (and while Professor Johnson does not mention attorneys
specifically), the Federal Trade Commission has used the Gramm-Leach-Bliley Act to pursue
actions against companies such as Petco Animal Supplies, Inc. where consumers' personal
information was not encrypted. See, e.g., Heath Dixon, FTC Nails Company for Failing to
Implement Reasonable Security, PRIVACY SPOT, Nov. 21, 2004,
http://privacyspot.com/?q=node/view/429 (last visited Nov. 19, 2007) (reporting charges against
Petco for failing to have reasonable security to protect its online customers). See also, Benita A.
Kahn & Heather J. Enlow, The Federal Trade Commission's Expansion of the "Safeguards
Rule," FEDERAL LAWYER 39, September 2007 (discussing FTC enforcement actions). For a
discussion ofliability under state statutes, see Vincent R. Johnson, Cybersecurity, Identity Theft,
7

Copyright 2008, St. Mary's Law Journal; final version to appear in Issue 4, Volume 39 in June 2008

malpractic(;! claims for incompetence or negli~ence; or loss of reputation including professional
embarrassment or negative media exposure. 7 Lawyers may believe they are diligently using
good faith, competent, and reasonable actions to protect their clients' information from security
breaches, and yet may be inadvertently allowing unauthorized access to clients' information? 8
These disclosures may result in problems such as identity theft, loss of intellectual property
protection, or exposure of legal strategy-all of which could result in significant losses to the
39
client.
36

III. UNINTENDED DISCLOSURE VIA TECHNOLOGY
Before computers, lawyers wrote down clients' information and stored these files in
40
lockable file cabinets in lockable offices.
If a file was stolen, read, or altered, it was easily
detected.41 For someone to surreptitiously listen to client conversations conducted in a lawyer's
office usually required a physical presence, which was also easily detected. Phones or offices

-

and the Limits of Tort Liability, 57 S.C. L. REv. 255, 263-80 (2005- 2006) (discussing liability ·
under state statutes).
36
See Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits ofTort Liability, 57 S.C.
L. REv. 255,272- 76 (2005-2006) (discussing a potential cause of action for negligence when a
business fails to safeguard confidential information); see also, MODEL RULES OF PROF'L
CoNDUCT R. 1.6 cmt. (2007) (discussing the duty of lawyers with regard to confidential
information).
37
See, e.g., Jonathan Saltzman, Lawyer May Face Disbarment, BOSTON GLOBE, July 2, 2005 at
B5 available at
http://www.boston. com/news/local/massachusetts/ articles/2005/07/02/lawyer- may- face- disbar
ment/ (reporting an attorney facing disbarment for posting confidential information on her
website about a boy being sexually abused by his father and for negligently failing to use a
pseudonym for the boy's name in court proceedings); Gregory D. Kesich, Court Disbars Lawyer
for String a/Complaints, PORTLAND PREss HERALD, April 15, 2004 at 2B (detailing the reasons
for disbarment of a lawyer, including "client neglect, excessive fees, incompetency, [and]
unauthorized disclosure of confidential information"); Bob Egelko, The BALCO Case: Admitted
Leaker Agrees to Longer Prison Term, SAN FRANCISCO CHR.ON., July 6, 2007 (telling oflawyer
who accepted a plea agreement to serve two years and nine months in prison for leaking
confidential information to a newspaper). Chris Dettro, Court Disbars Attorney Involved in Drug
Probe, ST. J. REG., June 5, 2007 at 31 (reporting disbarment of an attorney for drug use with
clients and for profiting from the sell of confidential reports).
38
See, e.g., Gold Mine for ID Thieves: Thousands ofRecords Found in Dumpster (WOAI
television broadcast Nov. 9, 2006) (reporting the discovery of confidential material belonging to
a law firm, including social security numbers and patient records, in a dumpster).
39
In re Huffman, 328 Or. 567,581 (1999) (discussing potential harm to client due to attorney
disclosing confidential information).
40
See Jesse J. Richardson, Jr. , How a Sole Practitioner Uses the "Electronic Office " to Maintain
a Competitive Law Practice, 3 DRAKE J. AGRIC. L. 141, 147 (1998) (noting that historically
lawyers did not use electronic means of communication).
41
See, e.g., David Jackson, Watergate 's Tidal Wave, DALLAS MORNING NEWS, June 15, 1997, at
lA (reporting discovery of Watergate burglary).
8

Copyright 2008, St. Mary's Law Journal; final version to appear in Issue 4, Volume 39 in June 2008

could certainly be tapped,42 but this was considered too far fetched to be a legitimate concern to
43
law firms.
At this time, securing file cabinets and office space usually through locks was
considered reasonable, state-of-the-art precautions to safeguard client information. 44
As computers became more prevalent, the legal profession, and other businesses, began
to rely on the convenience of electronic files, stored on computers within networks, and
transmitted through e-mails. 45 As computer systems have become more ubiquitous, electronic
transmissions make it harder to detect if a file has been inappropriately accessed, altered, or
copied.46 Relatively inexpensive listening devices and cameras are easily procured and can now
be used to remotely spy on conversations.47 While the technology exists for detecting listening
devices, it is still difficult to detect hidden cameras.48 Lawyers who still secure their office space
and file cabinets with locks may not realize that their walls and windows are permeable and can
49
allow access.
While lawyers may claim that this type of behavior from adversaria1 parties
would violate legal rules of professional responsibility, the fact remains that the adversarial party
is not always another lawyer or party who feels bound to play by the rules. 50 Instead, the

42

See MSN Encarta, http://encarta.rnsn.com/dictionary_1861713641/wiretap.html (last visited
Nov. 19, 2007) (defining ''wiretap" as a "connection made to a telephone line in order to listen
secretly to somebody's conversations"); see, e.g., White v. Weiss, 535 F.2d 1067, 1068 (8th Cir.
1976) (describing wiretapping by a private investigator).
43
See Dalia v. United States, 441 U.S. 238, 252 (1979) (explaining in 1968 the difficulties of
installing wiretapping devices, stating that is sometimes impossible).
44
See Jesse J. Richardson, Jr., How a Sole Practitioner Uses the "Electronic Office" to Maintain
a Competitive Law Practice, 3 DRAKE J. AGRIC. L. 141 , 147 (1998).
45
Jesse J. Richardson, Jr., How a Sole Practitioner Uses the "Electronic Office" to Maintain a
Competitive Law Practice, 3 DRAKE J. AGRIC. L. 141, 147 (1998).
46
See, e.g., KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION: CONTROLLING
THE HUMAN ELEMENT OF SECURITY 179-81 (2002) (describing how it is possible to steal every
document, even more than 120 megabytes of data, from a computer without being detected).
47
See, e.g., Spy Associates, http://www.spyassociates.com (last visited Nov. 12, 2007)
(providing information on surveillance products and selling cameras, tracking devices, recorders,
computer software, etc.).
48
See Marc Roessler, How to Find Hidden Cameras, March 25, 2002,
http://www.franken.de/users/tentacle.papers (last visited Nov. 12, 2007) (describing various
methods that are available to detect hidden cameras).
49
See Michael Evans, Inside the Most Bugged Offices in the World, TIMES ONLINE, Feb. 27,
2004, http://www.timesonline.co.uk/tol/news/uk/article1031533.ece (last visited Nov. 12, 2007)
(describing a "laser aimed at the window of a targeted office [that] can detect minute
reverberations in the glass caused by conversations"); see also Paul Bishop, The Spying Game,
TRANSPACIFIC, Jan. 1, 1994, http://www.accessmylibrary.com/coms2/summary_02869287068_ITM (last visited Nov. 12, 2007) (describing surveillance equipment that can detect
conversations without being near the room of the conversation).
50
See, e.g., Bob Sullivan, The Untold Tally of "Netspionage," ZDNET NEWS, Sept. 12, 2000,
http://news.zdnet.com/2100-9595_22-523790.html (last visited Nov. 12, 2007) (illustrating use
of confidential information by professionals other than attorneys).

Copyright 2008, St. Mary's Law Journal; final version to appear in Issue 4, Volume 39 in June 2008

adversarial party may be someone with a significant stake in the outcome of the legal
proceeding.51 Further, there is an even higher risk associated with law firms that handle cases
involving national security, particularly with international entities that may operate with different
rules in their business cultures.52
The various ways in which information might be unintentionally exposed or disclosed are
limitless.53 However, the following scenarios and accompanying explanations illustrate the
potential problems. After examining these problems, we will outline an approach attorneys
should utilize in fulfilling the obligation to protect these confidences.54

A. Hotel Room Security

Several attorneys check into a deluxe hotel when traveling to another city for work on a
products liability lawsuit worth millions of dollars.55 After a hard day's work, the attorneys
return to the hotel and plan to have dinner in town. They consider leaving their laptops and
documents in the trunk of their rental cars, but fear the risk of having their car broken into or
stolen. They decide that it is safer to leave their computers and documents in their hotel rooms
since their rooms were cleaned earlier in the day, thus no one is expected to come into their
rooms for the rest of the day.56 When they return to their hotel rooms, there is nothing out of the
51

See Bob Sullivan, The Untold Tally of "Netspionage," ZDNET NEWS, Sept. 12, 2000,
http://news.zdnet.com/2100-9595_22-523790.html (last visited Nov. 12, 2007) (describing
corporate espionage).
52
See, e.g., Douglas Jehl, U.S. Expanding Its Effort to Halt Spying by Allies, NEW YORK TIMES,
April 13, 2007,
http://query.nytimes.com/gst/fullpage.html?res=9F0CEFDF143DF933A05757C0A965958260
(last visited Nov. 13, 2007) (discussing spying by French intelligence agents); see also Jason
Kirby, Corporate Espionage is Big Business, MACLEAN'S MAG., July 2, 2007,
http://thecanadianencyclopedia.com/index.cfm?PgNm=TCE&Params=M1ARTM0013113 (last
visited Nov. 13, 2007) (discussing the attempts of two Canadian companies to gather
information).
53
See generally KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION:
CONTROLLING THE HUMAN ELEMENT OF SECURITY 13-242 (2002) (describing the different ways
confidential information can be leaked); Privacy Rights Clearinghouse,
http://www.privacyrights.org/ar/ChronDataBreaches.htm (last visited Nov. 14, 2007) (listing
data breaches, including an up-to-date total number of records lost due to breaches).
54
Interviews with Keith Frederick, Founder and President, Computer Network Assurance, Inc.,
www.cnacorporation.com (April 7, 2006; September-November, 2007; September 28, 2007).
55
See, e.g., Bank of the West v. Valley Nat'l Bank of Ariz., 41 F.3d 471, 480 (9th Cir. 1993)
(deciding an eleven million dollar dispute); Shell Oil Prod. Co. v. Main St. Ventures, 90 S.W.3d
375, 379 (Tex. App.-Dallas 2002, pet. dism'd by agr.) (affirming a seven million dollar
judgment).
56
See Interim Hospitality Consultants, A Clean Hotel Will Lead to More Business,
http://www.hotel-online.com/Trends/IHC/CleanHotel.html (last visited March 1, 2008) (noting
that hotel policy means rooms are usually cleaned during the normal workday). This is standard
practice as "[e]very guest expects a clean room. In fact, it is a hotel owner's requirement by state
law to provide a clean room." Id.
ordinary. Yet, once back in their home office, it seems that their adversary anticipates their legal
strategy and is knowledgeable about some of the confidential aspects of their case.
Was there a security breach? Consider this possibility: an investigator bribes hotel
personnel to inform him when members of a certain law firm check into the hotel.57 Perhaps the
maid or bellboy learns this information from the luggage tags on the attorneys' bags identifying
their firm.58 While the attorneys are enjoying their dinner, the investigator gets into their rooms
with the informant's pass key. This allows him to copy files from their computers. Maybe he
installs software on the laptops to create a secret account whereby the investigator can access the
computer remotely.59 Alternatively, this software may send files back to the investigator
whenever the computer is connected to the Internet.60 The investigator may even make copies,
perhaps with a high-tech digital camera, of documents in the room.61 The lawyers never realize
what happens and therefore cannot trace the adversarial party's actions to this incident.62 The

57

It is highly likely other parties know where opponents are staying. This scenario is taken from
real world industrial espionage examples.
58
Compare Studio 6 Extended Stay Hotel, http://www.staystudio6.com/about/privacy.asp (last
visited March 1, 2008) (providing the hotel's privacy policy, including the policy not to give
guest information to third parties), and Four Seasons Hotels and Resorts,
http://fourseasons.com/privacy.html (last visited March 1, 2008) (assuring that no guest
information will be given to third parties), with Marcus Bruninghaus, Protecting Guest Data:
Why Hotel Information Security Awareness Training is So Important, ENTERPRISE INNOVATOR,
Apr. 21, 2006, http://enterpriseinnovator.com/index.php?articleID=7291&sectionID=25 (last
visited March 1, 2008) (urging hotels to properly train employees regarding security issues to
prevent the majority of incidents that are caused by human error and improper training).
59
See, e.g., AceSpy, http://www.acespy.com/details.html (last visited March 1, 2008) (selling
different spy software products). "Ace Spy Spy Software makes it easy to secretly see what
others do online. After you install, it will begin secretly recording EVERYTHING that is done
on [the personal computer]. AceSpy is COMPLETELY hidden from others. They won't know
it's running unless you tell them!" Id.
60
See NetVizor, http://www.spytech-web.com (last visited March 1, 2008) (selling computer
monitoring software that records and transmits all information and key strokes from one
computer to another computer). There are several versions of computer monitoring software
available with a variety of spyware features, including remote capabilities and the ability to
control the targeted computer. Id.
61
Digital cameras are widely available, with an increasing number even being integrated into
telephones. See Telecommunications Industry News, Annual Camera Phone Shipments
Expected to Hit 1 Billion by 2010, Dec. 29, 2005, http://www.teleclick.ca/2005/12/annual-camera-phone-shipments-expected-to-hit-1billion-by-2010/ (noting the growing use of camera
phones).
62

Hotel security maintains a log of room entries only for computer activated door locks. See
Elizabeth Lauer, Hotel Security: The Evolving Electronic Lock (Spring 1999), http://www.hotel-online.com/News/PressReleases1999_2nd/Apr99_ElectronicLocks.html (last visited March 1,
2008) (documenting the rise of the electronic lock in hotels and ability to monitor entries into the

security breach was not prevented, detected, or remedied and regardless of the nefarious means,
it is the client who suffers.
What security precautions could have prevented these security breaches? Should laptops
never be left unattended? What is a lawyer's duty to a client if his laptop is stolen? Does the
lawyer have a statutory duty to inform the client of the theft if her confidential information was
on that laptop? Would it matter if the laptops were password protected?63 Short of carrying a
laptop around (with the possibility of either leaving the laptop or having it stolen), what can be
done? The problem with this type of analysis is that it is reactive and typically establishes a
band-aid64 approach to fix the problem. For example, today a firm has a laptop stolen from an
attorney's car at lunch,65 so tomorrow it establishes a rule that laptops are not to be left in cars
during lunch. Lawyers also cannot take comfort in the fact that their files are password protected,
as password hackers are available for free from the internet.66
B. Insider Threat and Social Engineering67
A large law firm routinely and diligently trains its support staff personnel in security
processes.68 It establishes rules for all aspects of computer security.69 For example, passwords
must consist of a minimum number of letters and numbers and be changed regularly.70 The
machines are routinely checked for viruses, worms, spyware, Trojans, and spam by the latest

rooms). Even so, if the maid's key was used, this would not trigger any suspicion. A good hotel,
after all, will "turn the bed down."
63
See generally Mark Bassingthwaighte, Ten Technology Traps and How to Avoid Them, THE
WEST VIRGINIA LAWYER, Sept./Oct. 2006, at 34 (recommending several steps that lawyers and
employees may take in order to prevent security breaches).
64
See WEBSTER'S UNABRIDGED DICTIONARY (defining band-aid as "offering, making use of, or
serving as a temporary or expedient remedy or solution"). Attorneys need to find a permanent
solution to solve the problem of keeping information confidential.
65
See CPA Advisor, Fire & Theft, Power & Computer Failure,
http://www.cpaadvisor.us/sub/8_failure.htm (last visited March 1, 2008) (reporting that laptop
theft increased by 53% from 2000 to 2001).
66
See http://www.brothersoft.com/downloads/yahoo-password-hack.html (last visited Nov. 25,
2007) (website giving users access to free programs that restore user login passwords).
67
Interview with Larry Teverbaugh, Ph.D., P.E., President, K2Share, LLC. www.k2share.com,
(August 23, 2007). Dr. Teverbaugh's input came from an auditing team sent to a government
agency to test the efficacy of the internal security procedures.
68
See Howard I. Hatoff & Robert C. Wert, LAW OFFICE POLICY & PROCEDURES MANUAL,
FORMERLY LAW OFFICE STAFF MANUAL 108-09 (American Bar Association 5th ed. 2006) (1982)
(discussing training of all new employees at law firms).
69
See Mark Bassingthwaighte, Ten Technology Traps and How to Avoid Them, THE WEST
VIRGINIA LAWYER, Sept./Oct. 2006, at *2 (noting that keeping the laptop in sight, carrying it on,
using password protection, and using encryption software can all keep confidential client
information safe).
70
Cf. id. (encouraging lawyers to use passwords on their laptops so as to not grant instant access
to anyone who might try to use your computer).

security software.71 The law firm out-sources maintenance of its computers and networks to a
well-known and highly competent company, the best in its breed.72 During complex legal
negotiations, however, highly confidential information in documents stored only on a computer
used by a long-term and trusted staff member is now known by the adversary party. The
negotiations are undermined, and the firm's client pays a significant price.
Was there a security breach? Consider two possible explanations. The first possibility is
rather obvious. Perhaps the once well-trusted staff member has become a disgruntled employee
who has provided the adversary with a copy of the files. 73 A less obvious possibility is that the
well-trusted staff member is just that, a well-trusted and diligent employee. While working, a
friendly man approaches her with a legitimate identification badge from the computer support
company hired to maintain the equipment.74 She is used to seeing the company's personnel in
the office although she has never met this particular consultant. He shows her a work order for
routine maintenance on a printer in her work area. He apologizes profusely for interrupting her
71

See id. at *39 (stating that the use of malware detection programs as well as firewalls or antivirus programs can make your computer safer from unwanted access and threats).
72
See PC Professional, http://www.pcprofessional.com/casestudies.html (last visited March 1,
2008) (discussing a success story of a law firm outsourcing their technical support to their
company).
73
If the staff member actually provided an adversary with a copy of the files, this would be an
example of an insider threat. See www.cert.org/insider_threat (last visited March 1, 2008)
("Current and former employees and contractors have exploited vulnerabilities . . . to commit
fraud, theft of sensitive information, and IT sabotage."). Many insiders who pose threats are
actually disgruntled employees, although many are also "plants," people who obtain these jobs
for the express purpose of obtaining information for a party outside the company. Insider threats
are one of the fastest growing and hardest to detect security breaches, yet few law articles
mention even the possibility of insider threats in law firms; see also
http://cybercrime.gov/cases.htm (last visited March 1, 2008) (reporting federal computer crime
cases and also providing information about cyberethics). But see SECTION OF SCI. & TECH. LAW,
LAW PRACTICE MGMT. SECTION, INFORMATION SECURITY FOR LAWYERS AND LAW FIRMS 30~3
(Sharon D. Nelson, et al. eds., 2006) (noting that the authors use the term "disgruntled
employee," rather than the term "insider threat"). The authors also detail "real-life nightmares"
of companies where insiders stole personal information or trade secrets, crashed systems or stole
personal files; however none of these incidents occurred at law firms. Id. Furthermore, to gauge
the damage from an insider threat, consider that the most dangerous spy in F.B.I. history was a
trusted F.B.I. agent and supervisor, Robert Hanssen, who used his computer expertise and direct
knowledge of the workings of the internal systems to circumvent detection for nearly 20 years.
DAVID A. VISE, THE BUREAU AND THE MOLE (Grove/Atlantic, Inc. 2002); see also
http://www.sei.cmu.edu/news-at-sei/columns/security_matters/2007/02/security-matters-200702.htm (last visited March 1, 2008) (providing an excellent list of practices for preventing insider
threats).
74
See KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION: CONTROLLING THE
HUMAN ELEMENT OF SECURITY 8 (2002) (describing social engineers as "charming, polite, and
easy to like," and using these traits to gain "rapport and trust" with people).

work to check the printer from her computer and offers to finish quickly in order to minimize the
disruption. Because she is both well-trusted and very trusting of others, she allows the
consultant to sit at her desk while he performs maintenance on the printer.75 In fact, they chat
amicably about their families. Nothing occurs that raises the staff member's
suspicions about the friendly consultant who is so intent on minimizing the interruption of her
work. He tells her not to bother logging off of her account so that he can finish as quickly as
possible.76 While pretending to run printer diagnostics, he inserts a flash drive77 into the USB
port78 and copies her files.79 Alternatively, he may install spyware software80 as in the preceding
scenario. Again, the breach was not prevented, detected, or remedied. Yet the loss is substantial.

75

In this situation, the law firm will be responsible for any breach of fiduciary duty that results
from the staff member's actions. See MODEL RULES OF PROF'L CONDUCT R. 5.3(b)-(c) (2007)
(stating that a lawyer with direct supervisory authority over a non-lawyer employee is
responsible for the conduct of such a person if they violate a rule of professional conduct).
76
See KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION: CONTROLLING THE
HUMAN ELEMENT OF SECURITY 41 (2002) ("The more a social engineer can make his contact
seem like business as usual, the more he allays suspicion.").
77
See http://encarta.msn.com/dictionary_701706059/flash_drive.html (last visited March 1,
2008) (defining flash drive as a "card that stores computer information: a small plastic device
functioning as a disk drive, containing memory chips that retain their contents without electrical
power and that have a capacity of 16 megabytes and 2 gigabytes of data"). An example of a
more nefarious use of currently available technology is pod slurping. All that is required is to
slip a device into the USB port of any active machine on a network and an intruder wearing an
iPod can copy the entire contents of all machines on the network. "[I]n 2 minutes, it's possible
to extract about 100MB of Word, Excel, PDF files-basically anything which might contain
business data-and with a 60GB iPod, you could probably have every business document in a
medium-size firm." http://www.news.com/Beware-the-pod-slurping-employee/2100-1029_3-6039926.html (last visited March 1, 2008).
78
See http://encarta.msn.com/encyclopedia_761564104/Port_(computer).html (last visited March
1, 2008) (describing a port as "a location for passing data in and out of a computing device.
Microprocessors have ports for sending and receiving data bits; these ports are usually dedicated
locations in memory. Full computer systems have ports for connecting peripheral devices such
as printers and modems").
79
See How TO USE A FLASH DRIVE (PC COMPUTER)
http://www.hs.iastate.edu/it/support/instructions/How_to_Use_USB_flash_drive_(PC_Version).
doc (last visited Nov. 25, 2007) (giving the user steps to properly copy files from a computer to a
flash drive). To copy documents from a computer to a flash drive you first must insert the flash
drive into a USB port in the computer. Id. Then you must locate the file that you wish to copy.
Id. You then right-click the folder and highlight "send to." Id. Next, you select the appropriate
"Removable Disk" according to the drive letter. Id. Before removing the flash drive make sure
that the file was copied and then double-click "My Computer," followed by the "Removable
Disk" that you clicked on previously. Id.
80
See http://encarta.msn.com/dictionary_701710050/spyware.html (last visited March 1, 2008)
(defining spyware as "software that reveals identity of user: software surreptitiously installed on

This scenario is an example of two of the most prevalent security intrusion techniques:
(1) insider threat81 and (2) "social engineering."82 Insider threat is just that: the risk comes
from within the organization, either through disgruntled employees or "plants" as in the first
analysis.83 In fact, it is estimated that 84% of security breaches come from insider threats.84
There is no reason to believe that law firms are more immune from insider threats than any other
firm. Most such insiders are disgruntled employees.
The second technique, social engineering, is the process of obtaining information or
access through person-to-person contact.85 In fact, most computer break-ins occur not
through hacking into the computer or network but by obtaining information allowing access
through friendly chats.86 This clearly demonstrates that no number of rules for password
protection will prevent social engineering attacks.

a hard disk without the user's knowledge that relays encoded information on his or her identity
and Internet use via an Internet connection").
81
See John D. Comerford, Competent Computing: A Lawyer's Ethical Duty to Safeguard the
Confidentiality and Integrity of Client Information Stored on Computers and Computer
Networks, 19 GEO. J. LEGAL ETHICS 629, 639 (2006) (discussing briefly the insider threat and the
lawyer's responsibility for the conduct of employees who handle confidential information).
82
See generally KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION: CONTROLLING
THE HUMAN ELEMENT OF SECURITY 173-224 (2002) (providing an excellent treatise on social
engineering). This book also lists several social engineering ploys which gain access to
confidential information over the telephone or in person. Id.
83
See Insider Threat Research (Jan. 9, 2008), www.cert.org/insider_threat (last visited Nov. 25,
2007) (detailing that an insider may be a current or former employee who knows how a
company's system works).
84
See SECTION OF SCI. & TECH. LAW, LAW PRACTICE MGMT. SECTION, INFORMATION SECURITY
FOR LAWYERS AND LAW FIRMS 303 (Sharon D. Nelson, et al. eds., 2006) ("The Gartner Group
reports that 84% of high-cost security incidents occur when insiders send confidential
information outside the company."); see also Insider Threat (Jan. 9, 2008),
www.cert.org/insider_threat (last visited Nov. 25, 2007) (providing reports and podcasts on
security issues including protection against insider threats from the Software Engineering
Institute at Carnegie-Mellon University).
85
See SECTION OF SCI. & TECH. LAW, LAW PRACTICE MGMT. SECTION, INFORMATION SECURITY
FOR LAWYERS AND LAW FIRMS 293 (Sharon D. Nelson, et al. eds., 2006) (defining social
engineering as "the art of getting people to divulge information ... so that there is no necessity
of going to the trouble of hacking").
86
See generally KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION:
CONTROLLING THE HUMAN ELEMENT OF SECURITY 15-146 (2002) (providing examples of
methods used to obtain information such as building trust, offering help, and using sympathy
tactics).

C. E-mail Correspondence

A key client has e-mailed a lawyer several times in the past few days87 seeking a response
to an issue of critical and immediate importance to the client.88 Finally, agitated that the law
firm has obviously given his request such low priority, the client telephones the attorney,
demanding to know what is going on.89 The lawyer apologizes profusely and cannot explain
why he has not received the client's e-mails.
Was there a security breach? Actually, in this case, the overzealous spam detector90 has
misclassified the client's e-mail as spam91 and has prevented them from reaching the lawyer's
e-mail inbox.92 When the lawyer checks, he finds the client's e-mail in a spam folder.93
Unfortunately, it was over-zealous prevention that disallowed legitimate access. Regardless,
the client relationship is severed.

Consider a related scenario.94 Over a period of a few years, a client has brought six-figure
income to a law firm through three corporations and extensive personal business. She is
somewhat upset about the time associated with a particular personal issue and engages in rather
lengthy back-and-forth e-mail communication with the Accounts Receivable Department in the
law firm. She requests a complete history of the issue which includes all detailed billing over a
two-year period. The Accounts Receivable Department gathers the extensive information, which
represents a complete history of the litigation,95 and e-mails it to the client. Although both the
87

This scenario comes from the personal experience of one of the authors whose e-mail from her
accountant, daughter' s law firm, and ex-husband (as well as e-mails containing Aggie jokes) is
often mis-identified as spam by her ISP and never reaches her attention.
88
Most lawyers monitor their e-mail through various means: blackberry, legal assistant, desktop
pc, laptop, etc., but if these e-mails are stopped by the Internet Service Provider ("ISP"), they
will never reach these devices. They are typically held in a Spam folder. The ISP may or may
not send a bounce-back message to the sender to alert them that the intended recipient has not
received the e-mail.
89
When initially engaging a client, be sure to discuss communication expectations. See MODEL
RULES OF PROF'L CONDUCT R. 1.4(a) (2007) (requiring lawyers to communicate with their
clients promptly when requests for information are made).
90
See SECTION OF SCI. & TECH. LAW, LAW PRACTICE MGMT. SECTION, INFORMATION SECURITY
FOR LAWYERS AND LAW FIRMS 159-60 (Sharon D. Nelson, et al. eds., 2006) (listing antispam
programs available to filter e-mail and clean out unwanted e-mail).
91
See WEBSTER'S NEW WORLD HACKER DICTIONARY (200) (defining spam as "unsolicited,
unwanted, impersonal email").
92
See MERRIAM-WEBSTER'S COLLEGIATE DICTIONARY 628 (11th ed. 2003) (defining inbox as "a
computer folder devoted to incoming e-mail").
93
See SECTION OF SCI. & TECH. LAW, LAW PRACTICE MGMT. SECTION, INFORMATION SECURITY
FOR LAWYERS AND LAW FIRMS 159 (Sharon D. Nelson, et al. eds., 2006) (stating that "[t]he
easiest way to filter spam" is to create a spam folder also known as a junk e-mail folder that
filters out the unwanted spam).
94
This scenario (unfortunately) is also from the direct experience of one of the authors.
95
See MODEL RULES OF PROF'L CONDUCT R. 1.4 (2007) (laying out the requirements for
effective communication between attorneys and clients); MODEL RULES OF PROF'L CONDUCT R.

client and the Accounts Receivable Department have used the "reply to" e-mail function during
the communication, the Accounts Receivable Department inadvertently types in an old e-mail
address of a former employer.96 Consequently, the law firm erroneously sends the client's
information to the wrong party.97 The law firm does not discover the error until the client again
requests the information. The senior partner tells the client the error was an unintentional
mistake, probably inconsequential, and he will advise the Accounts Receivable Department to be
more careful in the future.
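The misaddressing in the scenario above (a reply typed to a stale address for a known contact, rather than sent through "reply to") is the kind of error an outbound recipient check can catch before the message leaves the firm. The following is an added example, not code from the article or from any product it cites: it compares the recipients of an outgoing message with the participants of the thread so far and flags any address that never appeared in that thread, with a sharper warning when the display name matches a participant but the address does not. The firm domain, the thread, and every address are constructed sample values.

```python
"""Outbound-recipient drift check for a threaded e-mail exchange (added example).

Models the misaddressing scenario: every earlier message in a billing exchange
used the client's current address, and a reply is then typed to an old one.
All addresses and the firm domain below are constructed sample values.
"""
from email.utils import getaddresses
from typing import Dict, Iterable, List

FIRM_DOMAIN = "lawfirm.example"  # assumed domain of the sending firm

# Constructed sample thread (only the address headers matter for the check).
THREAD = [
    {"From": "A. Client <a.client@acme-holdings.example>",
     "To": "Accounts Receivable <ar@lawfirm.example>"},
    {"From": "Accounts Receivable <ar@lawfirm.example>",
     "To": "A. Client <a.client@acme-holdings.example>"},
    {"From": "A. Client <a.client@acme-holdings.example>",
     "To": "ar@lawfirm.example"},
]


def thread_participants(thread: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """Map each lower-cased address seen in From/To/Cc to its display name."""
    seen: Dict[str, str] = {}
    for msg in thread:
        for header in ("From", "To", "Cc"):
            for name, addr in getaddresses([msg.get(header, "")]):
                if not addr:
                    continue
                key = addr.lower()
                # Keep a display name once we have one; a bare address later
                # in the thread should not erase it.
                if name or key not in seen:
                    seen[key] = name
    return seen


def check_outbound(thread: Iterable[Dict[str, str]], to_header: str,
                   firm_domain: str = FIRM_DOMAIN) -> List[str]:
    """Return a warning for each recipient that drifts from the thread.

    A recipient is flagged when it never appeared in the thread and is not
    inside the firm. If its display name matches a thread participant while
    the address differs, the warning says so: that is the stale-address case.
    """
    known = thread_participants(thread)
    name_to_addr = {n.lower(): a for a, n in known.items() if n}
    warnings: List[str] = []
    for name, addr in getaddresses([to_header]):
        if not addr:
            continue
        addr_l = addr.lower()
        domain = addr_l.rsplit("@", 1)[-1]
        if addr_l in known or domain == firm_domain.lower():
            continue
        expected = name_to_addr.get(name.lower()) if name else None
        if expected:
            warnings.append(
                f"{addr}: display name '{name}' matches thread participant "
                f"{expected}, but the address differs (stale address?)")
        else:
            warnings.append(
                f"{addr}: not a participant in this thread (external domain {domain})")
    return warnings


if __name__ == "__main__":
    for hdr in ("A. Client <a.client@acme-holdings.example>",
                "A. Client <a.client@former-employer.example>"):
        print(hdr, "->", check_outbound(THREAD, hdr) or "ok")
```

The check deliberately treats the firm's own domain as always acceptable and only inspects external recipients; in practice it would sit in the mail client or gateway as a send-time prompt rather than a hard block, since legitimate new recipients do occur.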

D. Disposal98

A law firm acquires new computers.99 There are several alternatives to dispose of the old
computers.100 Being a good corporate citizen, the law firm could donate its old computers to

1.5 (2007) (establishing the rules for assessment of fees on a client in exchange for service).
These two provisions, when read together, indicate that communication regarding fees is
essential to maintaining an open and effective relationship between practitioner and client. See
also TEX. DISCIPLINARY R. PROF'L CONDUCT 1.03, reprinted in TEX. GOV'T CODE ANN., tit. 2,
subtit. G app. A (Vernon 2005) (TEX. STATE BAR R. art. X, § 9) (codifying the Texas Rules of
Disciplinary Procedure's stance on the necessity of communication between the client and
attorney); TEX. R. DISCIPLINARY P. 1.04, reprinted in TEX. GOV'T CODE ANN., tit. 2, subtit. G app.
A (Vernon Supp. 2007) (TEX. STATE BAR R. art. X, § 9) (explaining the Texas rules regarding how
attorneys should charge their clients). In this case, e-mailing a client may satisfy both the
requirement of communication and the prohibition against unreasonable fees.
96
See generally TEX. DISCIPLINARY R. PROF'L CONDUCT 1.05, reprinted in TEX. GOV'T CODE
ANN., tit. 2, subtit. G app. A (Vernon 2005) (TEX. STATE BAR R. art. X, § 9) (codifying the
requirements of confidential communication to clients); ABA Comm. on Ethics and Prof'l
Responsibility, Formal Op. 99-413 (1999) (establishing the ABA's approach to the relationship
between the need for confidentiality and e-mail communications).
97
However, even if sent to the right address, unencrypted e-mail can be read by anyone with
relatively simple tools.
98
See Andrew Beckerman-Rodau, Ethical Risks from the Use of Technology, 31 RUTGERS
COMPUTER & TECH. L.J. 1, 29-31 (2004) (providing an excellent list of various scenarios related
to ethical considerations stemming from the disposal of hard drives and old computer systems);
Mark Bassingthwaighte, Ten Technology Traps and How to Avoid Them, THE WEST VIRGINIA
LAWYER, Sept./Oct. 2006, at 34, 39 (listing proper disposal of sensitive data among the top
concerns facing modern-day litigants).
99
See Karen A. Clanton, Ode to Joy, 18 CBA RECORD 43, 44 (2004) ("Law firms on the other
hand, upgrade and replace their computers all the time."); cf. Steve Bickerstaff, Shackles on the
Giant: How the Federal Government Created Microsoft, Personal Computers, and the Internet,
78 TEX. L. REV. 1, 30 (1999) (noting "[t]he continuous pressure on personal computer users to
upgrade or replace their systems or applications ....").
100
See generally Andrew Beckerman-Rodau, Ethical Risks from the Use of Technology, 31
RUTGERS COMPUTER & TECH. L.J. 1 (2004) (exploring the many ethical complications related to
technology, including disposal of old computer systems).

charity.101 Additionally, conscious of the need to destroy any client information on the hard
drives, the firm may engage the services of a business that specializes in removing such
information permanently.102 On the other hand, instead of purchasing the computer equipment,
the firm may simply lease its equipment and allow the vendor to switch out and upgrade old
workstations.103 Regardless, the last time the law firm has direct control of the computers, they
are being loaded into a truck.
Legal scholars have recently begun examining the many repercussions of this scenario.104
There is a growing awareness of what can happen to the hard drives of discarded computers, or
more precisely, what can happen to the data contained on the hard drives of discarded
computers.105 It is also more commonly known that deleting files on computers does not delete
the information from the hard drive any more than deleting a card catalogue in a library deletes
the books stored there.106 What is less commonly known is that reformatting a hard drive, even a
number of times, does not prevent recovering information stored on that hard drive.107 There are
101


See, e.g., United States Environmental Protection Agency, Where Can I Donate or Recycle
My Old Computer and Other Electronic Products?,
http://www.epa.gov/epaoswer/hazwaste/recycle/ecycling/donate.htm (last visited Feb. 27, 2008)
(showing the EPA's extensive computer recycling, disposal, and reuse program). The page
provides advice for business and personal donators, as well as useful links to various recycling
programs. Id.
102
See generally Secure Destruction Business, http://www.sdbmagazine.com/ (last visited Mar.
4, 2008) (providing links, articles, and trade information to businesses seeking secured
destruction of their sensitive documents).
103
E.g., Dell Computer Inc., Dell and Recycling, 2006 Product Recovery Metrics (2006),
http://www.dell.com/content/topics/global.aspx/corp/environment/en/recycling?c=us&l=en&s=corp&~ck=anavml&~section=002
(depicting graphically Dell Computer's statistics for usage of
its recycled computers after they have been donated). The Dell program is an excellent example
of the capabilities of a recycling program and the benefits of allowing the manufacturer to
reclaim old workstations. Id.
104
See Mark Bassingthwaighte, Ten Technology Traps and How to Avoid Them, THE WEST
VIRGINIA LAWYER, Sept./Oct. 2006, at 34-40 (playing out various scenarios where attorneys
may breach their client's confidences by improperly disposing of sensitive data).
105
See United States v. Stulock, 308 F.3d 922, 924 (8th Cir. 2002) ("[W]hen a computer file is
deleted, the contents of the file are not irretrievably lost."). "The space occupied by the file is
flagged as available, and until new data is stored in that location the deleted file can be recovered
using an undelete tool." Id.
106
See Andrew Beckerman-Rodau, Ethical Risks from the Use of Technology, 31 RUTGERS
COMPUTER & TECH. L.J. 1, 29 (2004) (explaining that deleting a file from a computer does not
permanently remove the file, as well as exploring the ethical issues regarding this problem).
107
See, e.g., Will Knight, 'Cleaned' Hard Drives Reveal Secrets, NEW SCIENTIST, Jan. 16, 2003,
http://www.newscientist.com/article.ns?id=dn3274 (pointing out how researchers employed
simple techniques to recover data off hard drives after they had been formatted). The techniques
were so successful that the researchers were able to collect over 6000 credit card numbers, most
from a hard drive once used in an ATM machine. Id.

several well-publicized examples where computers were discarded with no attempt to remove the
information 108 and confidential student, medical, 109 and legal 110 information was compromised.
In fact, Simson Garfinkel of Massachusetts Institute of Technology has built a database of
information gathered from discarded hard drives retrieved, among other sources, through eBay,
city dumps, and small businesses. 111 As Garfinkel notes, people frequently discard "broken"
hard drives that can be restored by unconventional procedures. 112
There is great risk of security breaches, then, in replacing old computers. 113 Important
questions must be thoughtfully answered to minimize this risk. What is done with the old
computers when a law firm acquires (either through lease or purchase of) new computers? More
importantly, what happens to the data contained on their hard drives? 114 Should a
well-intentioned law firm donate or sell the computers? 115 A group of reporters for PC World
Magazine found a treasure trove of computers with vulnerable data during an excursion in

108

See generally Privacy Rights Clearing House, A Chronology of Data Breaches,
http://www.privacyrights.org/ar/ChronDatabreaches.htm (last visited Mar. 4, 2008) (providing a
detailed, chronological list of reported privacy violations stemming from computer theft, data
breaches, and improper disposal methods).
109
See generally Privacy Rights Clearing House, A Chronology of Data Breaches,
http://www.privacyrights.org/ar/ChronDatabreaches.htm (last visited Mar. 4, 2008) (providing a
detailed, chronological list of reported privacy violations stemming from computer theft, data
breaches, and improper disposal methods).
110
See Tom Spring, Hard Drives Exposed, PC WORLD MAGAZINE,
http://www.pcworld.com/article/id,110012-page,1/article.html, Apr. 3, 2003 (exposing several
stories of computer users losing sensitive data by improperly disposing of old hard drives).
111
See Simson L. Garfinkel & Abhi Shelat, Remembrance of Data Passed: A Study of Disk
Sanitization Practices, 1 IEEE SEC. & PRIVACY 17, 24 (2003),
http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&pName=security_level1_article&path=security/v1n1&file=garfinkel.xml&xsl=article.xsl&
(reviewing and summarizing the research of the authors, who were able to obtain numerous
hard drives from various sources and harvest the sensitive data contained on them, regardless of
their previous owners' attempt to clear such data).
112
See Posting of Simson L. Garfinkel to Technology Review,
http://www.technologyreview.com/blog/garfinkel/17609/ (May 25, 2007) (describing how data
from supposedly clean hard drives can be retrieved by placing the device in the freezer over
night).
113
See Andrew Beckerman-Rodau, Ethical Risks from the Use of Technology, 31 RUTGERS
COMPUTER & TECH. L.J. 1, 1 (2004) (exploring the many ethical complications related to
technology, including disposal of old computer systems).
114
See id. at 29 (noting the problems associated with equipment disposal issues).
115
See Martin B. Schneiderman, Donating Used Computers, FOUNDATION NEWS & COMMENT.
(2000), available at http://www.foundationnews.org/CME/article.cfm?ID=91 (commenting that
many donors do not realize they may be violating software licensing agreements when they
donate computers without erasing application software).
Boston. 116 One, previously owned by a Boston area attorney, contained, among other files, bank
account numbers and draft legal documents. 117 Further, many lawyers don't know what is
required to permanently remove data from a computer or assume that data cannot be retrieved
from a broken hard drive. 118 What if a computer vendor promises to scrub the hard drives? How
does a law firm ensure that confidential client data is not present on discarded machines?
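As an added illustration (not code from the article), the toy disk model below shows why an ordinary delete or a quick format only removes the "card catalogue" entry and leaves the bytes on the platters, and the kind of raw-image scan a firm could run before a machine leaves its control; the filesystem, the client memo and the markers are all constructed for the example.

```python
"""Toy disk model: why delete/quick-format leave client data in place, and a
raw-image scan a firm can run before a machine leaves its control.
Constructed example; the filesystem, memo and markers are all made up."""
import re

BLOCK = 64  # bytes per block in the toy disk (constructed value)


class ToyDisk:
    """Raw storage plus an allocation table (the 'card catalogue')."""

    def __init__(self, n_blocks=16):
        self.n_blocks = n_blocks
        self.image = bytearray(n_blocks * BLOCK)   # the platters
        self.table = {}                            # name -> (first_block, count)

    def free_blocks(self):
        used = set()
        for start, count in self.table.values():
            used.update(range(start, start + count))
        return [b for b in range(self.n_blocks) if b not in used]

    def write(self, name, data):
        """Store data in the first contiguous run of free blocks."""
        need = max(1, -(-len(data) // BLOCK))
        free = self.free_blocks()
        for i in range(len(free) - need + 1):
            run = free[i:i + need]
            if run[-1] - run[0] == need - 1:       # contiguous run
                start = run[0]
                break
        else:
            raise OSError("toy disk full")
        off = start * BLOCK
        self.image[off:off + len(data)] = data
        self.table[name] = (start, need)

    def read(self, name):
        start, count = self.table[name]
        raw = self.image[start * BLOCK:(start + count) * BLOCK]
        return bytes(raw).rstrip(b"\x00")

    def delete(self, name):
        """Ordinary delete: the catalogue entry goes, the bytes stay."""
        del self.table[name]

    def quick_format(self):
        """Quick format: a fresh, empty catalogue; data blocks untouched."""
        self.table.clear()

    def wipe_free_space(self, fill=b"\x00"):
        """Sanitize: overwrite every block the catalogue no longer references."""
        for b in self.free_blocks():
            self.image[b * BLOCK:(b + 1) * BLOCK] = fill * BLOCK


def residual_matches(image, patterns):
    """Scan the raw image, ignoring the catalogue, for markers of client data.
    Returns {label: [offsets]} for every marker still present."""
    found = {}
    for label, pat in patterns.items():
        hits = [m.start() for m in re.finditer(pat, bytes(image))]
        if hits:
            found[label] = hits
    return found


# Constructed sample client file and the markers a firm might scan for.
SAMPLE = (b"PRIVILEGED - Client: Acme Widgets\n"
          b"Acct 1234-5678\n"
          b"Draft settlement terms ...")
MARKERS = {"client_name": rb"Acme Widgets", "account": rb"\b\d{4}-\d{4}\b"}


def disposal_check():
    """Delete, quick-format, then wipe; report what a raw scan finds at each step."""
    disk = ToyDisk()
    disk.write("memo.txt", SAMPLE)
    assert disk.read("memo.txt") == SAMPLE
    disk.delete("memo.txt")
    after_delete = residual_matches(disk.image, MARKERS)
    disk.quick_format()
    after_format = residual_matches(disk.image, MARKERS)
    disk.wipe_free_space()
    after_wipe = residual_matches(disk.image, MARKERS)
    return after_delete, after_format, after_wipe


if __name__ == "__main__":
    d, f, w = disposal_check()
    print("after delete :", sorted(d))    # ['account', 'client_name']
    print("after format :", sorted(f))    # ['account', 'client_name']
    print("after wipe   :", sorted(w))    # []
```

The same idea applies to a real drive image: a scan of the raw bytes, not a directory listing, is what tells a firm whether client data is still present after a vendor "scrubs" a machine.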

E. Physical Destruction of Law Offices
A law firm is hit by a violent storm with high winds and rain. The storm blows out
windows, scattering files throughout the city. The law firm has backed up its computer files, but
unfortunately, these backups may be stored at the office. 119 This scenario occurred in 2006 to
several Indianapolis law firms when a tornado seriously damaged the offices of one of the city's
most prominent skyscrapers. 120 Lawyers cannot ignore the fact that physical destruction of law
offices through fire, flood, or other "Acts of God" can seriously jeopardize their clients'
confidential communications. 121

116

See Tom Spring, Hard Drives Exposed, PC WORLD MAGAZINE, Apr. 1, 2003,
http://www.pcworld.com/article/id,110012-page,1/article.html ("An examination of ten used
hard drives we bought or salvaged in the Boston area disclosed a wealth of sensitive data. On all
but one of them, we found data, including confidential business, medical, and legal records;
Social Security, credit card, and bank account numbers; e-mail . . .").
117
See id. (reporting the contents of a salvaged PC previously owned by an area attorney).
118
See, e.g., MODEL RULES OF PROF'L CONDUCT R. 5.3 (2007) (explaining that a lawyer must
ensure that all non-lawyers who work on a client's case must undertake the same standards as the
attorney would). An interesting issue arises when a lawyer contracts with a firm to clean its
disposed hard drives. Should a problem arise, does liability fall on the lawyer or the technology
firm?
119
See generally How to Decide What Data to Back Up (Oct. 6, 2006),
http://www.microsoft.com/protect/yourself/data/what.mspx (recommending that backed-up files
should be stored at a separate location).
120
See Posting of Marcia Oddi to The Indiana Law Blog,
http://www.indianalawblog.com/archives/2006/04/ind_law_much_mo.html (Apr. 4, 2006, 07:40 EST)
(on file with the St. Mary's Law Journal)
(describing the extent of the damage arising from a tornado's impact on a building). But see
Peter Schnitzler, Repairs to Wind Damaged Downtown Indianapolis Office Tower May Take
Months, IND. ECON. DIG., Apr. 10, 2006,
http://www.indianaeconomicdigest.net/main.asp?SectionID=31&SubSectionID=74&ArticleID=26225
(relating the experience of one lawyer who worked in the same office building who was
able to continue his work without substantial loss of data or communications with his clients).
121
See Leigh Jones, Katrina's Lingering Effects on New Orleans Lawyers, NAT'L L.J., Feb. 16,
2006, available at http://www.law.com/jsp/law/sfb/lawArticleSFB.jsp?id=1139911518281
(noting the side effects of Hurricane Katrina on many Louisiana law firms);
see also LA. REV. STAT. ANN. § 9:5824 (2005) (granting statutory relief to the many businesses,
including law firms, affected by Hurricane Katrina).

Having now examined the preceding common problems, we turn to constructing a
framework of reasonable measures attorneys should implement to fulfill their obligation to guard
their clients' confidences in a technological context.
IV. REASONABLE MEASURES TO PROTECT CONFIDENCES
The legal profession has begun to educate its practitioners about confidentiality issues
involving the use of technology. 122 At a minimum, every attorney should review any relevant
technology-related publications by the American Bar Association, 123 by state and local
Continuing Legal Education providers, 124 academics, 125 and government agencies. 126
Technology changes rapidly. While attorneys are quite busy keeping up with their own cases
and substantive developments in their particular practice areas, it is now likely that maintaining

122

E.g., Nathan Brooks, Information Privacy, FED. LAW., Sept. 2007, at 4 (dedicating the entire
issue of this publication to information privacy). However, while the articles therein offer
attorneys an excellent summary of developing law in this area, other publications seem to still be
geared towards representation with little or no focus on the application of these standards. See
Ariz. Bar Comm. on Prof'l Ethics, Formal Op. 05-04 (2005) (noting the many ethical issues tied
to electronic storage of client information).
123
See generally SHARON D. NELSON ET AL., SECTION OF SCI. & TECH. LAW, INFORMATION
SECURITY FOR LAWYERS AND LAW FIRMS (Sharon D. Nelson et al. eds., Am. Bar Assoc. 2006)
(providing security guidelines for the modern attorney and noting the need for lawyers to protect
their computers from breach leading to theft of client files).
124
See generally The Law Practice Management Program of the State Bar of Texas, Disaster
Preparedness: Securing the Firm (MCLE Course No. 900023298, Sept. 2007); John Podvin &
Irene Kosturakis, Identity Theft: How to Protect Your Practice and Clients, State Bar of Texas
(via webcast) May 10, 2006; Merri A. Baldwin & Kathryn Fritz, Information Ethics for Lawyers:
Information Management-Knowing What You Have, Why You Have It, and How to Dispose of
It (Without Breaking the Law or Violating Ethical Duties), 11253 PRACTICING L. INST. 637, 643
(2007) (discussing steps in preserving all types of documents including "'deleted' files and file
fragments recovered from forensically captured image of hard discs"). These sources stand out
as excellent examples of CLE courses regarding proper measures to protect client confidences.
125
See, e.g., Andrew Beckerman-Rodau, Ethical Risks from the Use of Technology, 31 RUTGERS
COMPUTER & TECH. L.J. 1 (2004) (recognizing potential risks with digital data and suggesting
measures attorneys should take to avoid violating rules of professional conduct); Paul M.
Schwartz & Edward J. Janger, Notification of Data Security Breaches, 105 MICH. L. REV. 913
(2007) (proposing an approach for protection of data leaks whereby a coordinated response agent
oversees protection and mitigation).
126
See generally United States Computer Emergency Readiness Team, Cyber Security Tips,
http://www.us-cert.gov/cas/tips (last visited Mar. 1, 2008) (laying out in easy-to-click categories
how to protect oneself from cyber threats). Many times the practices of government agencies are
considered behind the times. However, when it comes to security, especially cyber security,
governmental bodies tend to lead commercial practices by a number of years. This may be due
to the critical concerns of national security.

some familiarity with technological advances is going to be part of the "reasonableness" required
to guard client confidences. 127
It is also important to recognize that something beyond basic technological understanding
will be required when an attorney or a firm is involved in a particularly large or important
undertaking. 128 The extent of technological protection afforded by a solo practitioner in small
civil cases might not be reasonable if employed by an attorney or law firm handling a large
corporate merger or a death penalty case. 129 Some minimum protection should be afforded by all
attorneys, but additional safeguards will be considered reasonable where the risks are
heightened. 130

127

See Ariz. Bar Comm. on Prof'l Ethics, Formal Op. 05-04 (2005) (holding that an attorney is
required to take reasonable steps to prevent any client information stored on digital sources from
being stolen or lost). It is not out of the question to presume that this level of reasonableness
requires the requisite knowledge to competently use such data storage; that is, the attorney must
have the capability to store information without allowing a third party to access that data. See id.
(discussing how the lawyer may employ certain technological safeguards to protect confidential
materials).
128
See Don Clark, Recovered Emails Bedevil Qualcomm in Court, WALL ST. J., Oct. 9, 2007, at
B1 (reporting that nineteen corporate attorneys were considered for sanctions for failure to turn
over e-mails to the adverse party in corporate litigation). This case stands out, as each of the
attorneys facing sanctions claimed their mistake was an honest one. Id.
129
In general, a lawyer must exercise "reasonable diligence" in representing a client, which is
determined, in part, by the importance of the matter to the client. This, in turn, is a factor of the
client's own assertions as to the importance of the matter, as well as the attorney's assessment as
to the impact of the matter upon the client's affairs. See RESTATEMENT OF THE LAW GOVERNING
LAWYERS § 52 cmt. c (2007) (listing the various factors that an attorney must consider in order to
meet the standard of reasonable diligence). Moreover, attorneys with a particular area of
concentration or skill might be held to have a higher duty to clients than those who lack this
expertise. SUSAN SAAB FORTNEY & VINCENT R. JOHNSON, LEGAL MALPRACTICE LAW:
PROBLEMS AND PREVENTION 71 (Thomson/West 2008). Obviously, a death penalty case would
require great diligence in many areas, including the use of technology. "Computer problems"
were cited by defense attorneys for Michael Richard as the reason they requested that the Texas
Court of Criminal Appeals remain open 20 to 30 minutes later than the 5 p.m. closing time on
September 25, 2007. Chuck Lindell, Criticism Grows For Judge Over Execution, AUSTIN AM.
STATESMAN, Oct. 11, 2007, at B1. The request was denied; the after-hours appeal was not
accepted by the Court, and Mr. Richard was executed. Id.
130
See, e.g., Ariz. Bar Comm. on Prof'l Ethics, Formal Op. 05-04 (2005) (noting the ethical
requirements of Arizona lawyers to retain outside assistance if they are unable to adequately
meet the needs of protecting their clients' confidences in electronic communications and data
storage). Analogously, where the scope of litigation expands, so too must the extent to which an
attorney must protect his digital resources; thus, under the Arizona Bar Committee's ruling,
highly complex litigation would require more attention to electronic data than would a simple
civil suit.

A review of judicial opinions, ethics opinions, and the Model Rules is not particularly
helpful in this regard. 131 Most of the case law regarding inadvertent disclosure of client
confidences arises in the context of discovery and is inconsistent regarding the issue of whether
the attorney-client privilege is waived under these circumstances. 132 The Model Rules probably
allow the attorney recipient of such information to use it, after notifying the unintending sender
of the error. 133 Rather, the best way to structure a plan to protect client communications is to

131

See Richard J. Heafey, Return to Sender?: Inadvertent Disclosure of Privileged Information,
28 AM. J. TRIAL ADVOC. 615, 615 (2005) (noting that even the Model Rules can directly conflict
with ethics opinions from the same organization, the ABA).
132
See id. at 615-16 (stating that the reported court decisions do not provide clear guidance
regarding the issue of waiver).
133
See MODEL RULES OF PROF'L CONDUCT R. 4.4(b) (2007) (detailing the required conduct for a
lawyer who receives inadvertent information). Rule 4.4(b) provides that "[a] lawyer who
receives a document relating to the representation of the lawyer's client and knows or reasonably
should know that the document was inadvertently sent shall promptly notify the sender." Id.
The comments to the rule then "punt" on the use attorneys may make of such material:
[1] Responsibility to a client requires a lawyer to subordinate the interests
of others to those of the client, but that responsibility does not imply that a lawyer
may disregard the rights of third persons. It is impractical to catalogue all such
rights, but they include legal restrictions on methods of obtaining evidence from
third persons and unwarranted intrusions into privileged relationships, such as the
client-lawyer relationship.
[2] Paragraph (b) recognizes that lawyers sometimes receive documents
that were mistakenly sent or produced by opposing parties or their lawyers. If a
lawyer knows or reasonably should know that such a document was sent
inadvertently, then this Rule requires the lawyer to promptly notify the sender in
order to permit that person to take protective measures. Whether the lawyer is
required to take additional steps, such as returning the original document, is a
matter of law beyond the scope of these Rules, as is the question of whether the
privileged status of a document has been waived. Similarly, this Rule does not
address the legal duties of a lawyer who receives a document that the lawyer
knows or reasonably should know may have been wrongfully obtained by the
sending person. For purposes of this Rule, "document" includes e-mail or other
electronic modes of transmission subject to being read or put into readable form.
[3] Some lawyers may choose to return a document unread, for example,
when the lawyer learns before receiving the document that it was inadvertently
sent to the wrong address. Where a lawyer is not required by applicable law to do
so, the decision to voluntarily return such a document is a matter of professional
judgment ordinarily reserved to the lawyer. See Rules 1.2 and 1.4.
MODEL RULES OF PROF'L CONDUCT R. 4.4 cmt. (2007).
This Rule and comments replaced the prior view of the ABA requiring the receiving
attorney to refrain from examining the confidential information, notify the attorney who
inadvertently sent it, and follow that attorney's instructions for the return or disposal of the
document. ABA Comm. on Ethics and Prof'l Responsibility, Formal Op. 92-368 (1992).

utilize experts in the area of information assurance. 134 Those involved with effective information
security programs would take a broad perspective on the obligations of attorneys to safeguard
client information. It is likely that their views will become the "reasonableness" expected as
well of attorneys, particularly in view of new state statutes discussed below. 135 We will approach
this discussion the way these consultants would, by discussing prevention, detection, and
remediation. 136
A. Prevention
The first question the information assurance consultant would ask of an attorney is
whether the attorney can effectively and appropriately prevent unauthorized access to clients'
information. 137 This requires an assessment of the physical environment (including people), the
electronic environment, and the relative value of the information. 138

134
See Andrew Beckerman-Rodau, Ethical Risks from the Use of Technology, 31 RUTGERS
COMPUTER & TECH. L.J. 1, 33-34 (2004) (discussing ethical concerns and possible solutions
regarding attorneys' use of technology). Professor Beckerman-Rodau suggests that hiring a
consultant might be required "to fully understand the potential risks of reliance on technology as
a prerequisite to evaluating the reasonableness of conduct." Id. at 10; see also Ariz. Bar Comm.
on Prof'l Ethics, Formal Op. 05-04 (2005) (imposing an ethical requirement to hire a consultant
if the attorney lacks the requisite competence to secure client information on her own).
135
See Perkins Coie Legal Counsel to Great Companies, Security Breach Notification Chart
(Sept. 17, 2007), http://www.perkinscoie.com/files/upload/securitybreach.pdf (last visited Nov.
25, 2007) (charting security breach legislation enacted in jurisdictions throughout the United
States).
136
See 16 C.F.R. § 314 (2006) (outlining the "standards for safeguarding customer
information"). It is likely that Federal and State statutes and regulations may codify some of
these good practices and eventually make them binding upon attorneys. See id. § 314.1
(describing the scope for safeguarding customer information). For example, the Federal Trade
Commission (FTC) has implemented safeguard rules setting forth a standard of care to protect
customer records. Id. These rules are applied to financial institutions the FTC regulates and
include at least three important requirements. Id. at 314.1-314.4. First, designate a coordinator
for the information security system. Id. at 314.4. Second, conduct a risk assessment involving
personnel training, information systems and detection, prevention, and response to breaches. 16
C.F.R. § 314.4 (2006). Third, design and implement safeguards and regularly analyze the
effectiveness of those safeguards, and update the entire security program as necessary. Id.
See generally SECTION OF SCI. & TECH. LAW, LAW PRACTICE MGMT. SECTION, INFORMATION
SECURITY FOR LAWYERS AND LAW FIRMS ? (Sharon D. Nelson, et al. eds., 2006) (suggesting
practices for physical security in law firms).
137
Arizona Bar Comm. on Prof'l Ethics, Formal Op. 05-04 (2005).
138
Interviews with Keith Frederick, Founder and President, Computer Network, Inc. (Apr. 7,
2006, Sept.-Nov. 2007, Sept. 28, 2007). Mr. Frederick's forthcoming book will discuss
integrating physical and electronic security as an effective business process.
The physical environment is that which can be seen and readily observed and includes the
physical structures and people in the environment. 139 The physical structure includes the
tangible--the building, offices, walls, windows, and the physical assets (e.g., computers, paper
files)--contained within. 140 Physical security secures the physical environment against intrusion
which can be either physical (i.e., someone breaking into the office space or surreptitiously
listening in to conversations through a wall) or electronic (e.g., listening in through electronic
means, viruses on computers, intercepting e-mails). 141 We may want to protect walls and
windows, not because they are valuable and may be stolen, but because they allow access to
what is inside. 142
Included within the physical environment are people or personnel. Unfortunately,
people, some with only the best of intentions, are often the weakest link in the security chain. 143
For example, many significant intrusions to computers begin with a technique known as "social
engineering", an innocuous term for a rather deceptive tactic of obtaining information (e.g.,
passwords or account numbers) from friendly and helpful targets. 144 In other words, social
engineering is tricking well-meaning and honest people into revealing information. 145 Kevin
Mitnick, who excelled at both social engineering and hacking, used a process of data aggregation
by retrieving pieces of seemingly meaningless information from a number of sources where each
piece seemed meaningless, but in the aggregate could be successfully used to access the target's
credit information. 146 Attorneys will need to work with security consultants to screen potential

139 Id.
140 Id.
141 Id.
142
Brenna G. Nava, Comment, Hurricane Katrina: The Duties and Responsibilities of an
Attorney in the Wake of a Natural Disaster, 37 ST. MARY'S L.J. 1153, 1158-60 (2006)
(discussing the various issues that come to pass after a natural disaster, the lawyer's standard of
care during that time, and a proposal for a paperless system to effectively prepare for and recover
from such a disaster).
143
See generally United States v. Miller, 984 F.2d 1028, 1029 (9th Cir. 1992) (affirming the
conviction of Richard Miller as the first FBI officer ever to be found guilty of espionage); United
States v. Walker, 796 F.2d 43, 45 (4th Cir. 1986) (affirming the conviction of Arthur James
Walker for transfer of top secret United States Naval defense information to Soviet agents);
Ames v. United States, 155 F. Supp. 2d 525 (E.D. Va. 2000) (denying Aldrich H. Ames's
petition motion to vacate his guilty plea of conspiracy to defraud the United States and commit
espionage).
144
SECTION OF SCI. & TECH. LAW, LAW PRACTICE MGMT. SECTION, INFORMATION SECURITY FOR
LAWYERS AND LAW FIRMS ? (Sharon D. Nelson, et al. eds., 2006) (suggesting practices for
physical security in law firms).
145
KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION iv (2002).
146
See generally id. (describing the way Mitnick went about his "art of deception"). Mitnick
could begin with just the name of an intended target and within four or five conversations with
well-intentioned people, gain enough information to gain access to the target's confidential
financial information. See id. at 15-29 (giving various examples of people giving out
confidential information after a few conversations). One case, documented in his book, concerns
a private investigator who is helping a wife who is divorcing her husband. Id. at 16-22. Her
employees and educate current ones regarding these dangers, to prevent the damage from an
insider threat. 147
The distinction between physical and electronic becomes important when one considers
the ways access can be obtained, possibly through a combination of intrusion against the
physical and electronic environment. 148 The nature of security is that it is tempting to emphasize
one environment over the other or neglect the fact that it is the integration of the environment
that must be secured. 149 Consider the electronic environment of the computer system including
the mode of communication (wireless or hard-wired), the network, and the computers
themselves. Some companies protect the electronic environment without considering that one of
the most effective means of gaining access to data on the computer is to steal the computer, a
physical intrusion. 150 In fact, laptop thefts are one of the most critical vulnerabilities that can be


attorney was unable to locate the husband's assets. Id. The PI called the bank pretending to be
an author and obtained the correct terminology ("Merchant ID") for the bank to identify itself to
its credit bureau; called the bank a second time and, using the correct lingo, passed himself off as
a customer service representative from the bank's credit bureau and obtained the bank's
Merchant ID; and finally called the credit bureau and identified himself as the bank with the
correct Merchant ID, the husband's name and social security number, and obtained all his
financial information. KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION 16-22
(2002). In fact, Mitnick is known for retrieving Leonardo DiCaprio's mother's maiden name
and President George W. Bush's social security number from the internet within 15 seconds.
Rebecca Harrison, 'Computer Terrorist' Kevin Mitnick Now Teaches Antihacking After Almost
Five Years in Jail, He Wrote Two Books and Started an IT Consulting Firm, Computer World
Security (Mar. 09, 2006), available at
http://www.computerworld.com/securitytopics/security/story/0,10801,109351,00.html. His
books, including The Art of Deception, contain a treasure trove of his techniques for obtaining
confidential access information from helpful and friendly staff who never realized they had been
tricked. See KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION xv-xvi (2002)
(introducing the various techniques that are outlined in the book). Mitnick is fond of saying that
the most powerful computer security is useless if hackers can con helpful targets into revealing
information that allows access. Rebecca Harrison, 'Computer Terrorist' Kevin Mitnick Now
Teaches Antihacking After Almost Five Years in Jail, He Wrote Two Books and Started an IT
Consulting Firm, Computer World Security (Mar. 09, 2006), available at
http://www.computerworld.com/securitytopics/security/story/0,10801,109351,00.html.
147
KEVIN D. MITNICK & WILLIAM L. SIMON, THE ART OF DECEPTION (2002).
148
Interviews with Keith Frederick, Founder and President, Computer Network, Inc. (Apr. 7,
2006, Sept.-Nov. 2007, Sept. 28, 2007).
149 Id.
150
See Absolute Software, http://www.absolute.com/resources/computer-theft-statisticsdetails.asp#stolen_lost_laptops
(last visited Nov. 17, 2007) (stating that computer theft or loss
accounts for 54% of breaches related to identity theft and that 47% of surveyed computer
security professionals indicated a laptop theft sometime in the last twelve months).

exploited, including theft from hotel rooms, "smash and grab" thefts from automobiles, or
switching machines at an airport. 151
Finally, in order to formulate a plan for preventing access to client information, the
consultant would need to have some idea of the relative value of the information. 152 The more
valuable the information, the greater the obligation of the attorney to secure it, and more
sophisticated (and expensive) prevention systems would need to be implemented. 153
Essentially every lawyer should, consistent with Model Rule 1.6, conduct this
"prevention" analysis, working with a qualified consultant, 154 and implement the security plan
including a plan for backing up data 155 and destruction of files where appropriate. 156 There is not
"one size fits all." The test is reasonableness. Technology will change, but the fact-based
"reasonableness" obligation probably will not. 157
B. Detection
How does a lawyer know if a security breach has occurred? Some breaches might be
obvious, particularly if the breach involves an alteration of the physical environment. 158 Broken
or unlocked doors and windows, a missing laptop computer, and other related physical changes
151

See Nationwide, http://www.nationwide.com/nw/newsroom/on-your-side/smash-grab/smashgrab.htm?oys=smash_grab111207&pos=2 (last visited Nov. 25, 2007) (addressing "smash and
grab" theft and listing laptops as among the items vulnerable to such a theft).
152
See MODEL RULES OF PROF'L CONDUCT R. 1.6 cmt. (2007) (discussing instances in which a
lawyer should take special precautions to prevent a client's information from "coming into the
hands of unintended recipients").
153
Arizona Bar Comm. on Prof'l Ethics, Formal Op. 05-04 (2005).
154
See CERT - Certified Computer Security Incident Handler, http://www.cert.org/certification/
(last visited Nov. 25, 2007) (outlining a certification program for individuals with experience
handling computer security who wish to "achiev[e] the knowledge, skills, and abilities to be a
highly successful security professional").
155
See TechTarget, http://searchstorage.techtarget.com/tip/1,289483,sid5_gci930542,00.html
(last visited Nov. 25, 2007) (outlining backup plan principles to follow, including daily,
weekly, and monthly backups, as well as off-site storage and removable data storage media).
156
See National Association for Information Destruction, Inc., http://www.naidonline.org/ (last
visited Nov. 25, 2007) (outlining the mission of this international association for companies that
provide services to destroy information as "to promote the information destruction industry and
the standards and ethics of its member companies").
157
See MODEL RULES OF PROF'L CONDUCT R. 1.0(h)-(j) (2007) (defining "reasonable" when
used in relation to a lawyer's conduct as "the conduct of a reasonably prudent and competent
lawyer," a "reasonable belief" refers to the fact "that the lawyer believes the matter in question
and that the circumstances are such that the belief is reasonable," and "reasonably should know"
is used to "denot[e] that a lawyer of reasonable prudence and competence would ascertain the
matter in question").
158
See Mary Brandel, Data Scandal: do you know how to respond to the inevitable security
breach? You'd better., COMPUTERWORLD, Oct. 3, 2005, at 1-5 (discussing the importance of
immediate response, teamwork, and deliberate speed necessary when responding to a security
breach).

would give cause for the attorneys to call in the technology consultant to determine the nature
and extent of loss. 159 A change in personnel, particularly if someone leaves under unpleasant
circumstances, would also give cause for the consultant to review and re-set security
measures. 160
Unfortunately, many breaches, particularly those involving the electronic environment,
will not be readily apparent. 161 Files can be copied and transferred to compact discs, other
machines, or flash drives. 162 Hospitals operated by the Veterans Administration recently banned
all such devices in an effort to control the proliferation of patient data that could cause a violation of
HIPAA. 163 By definition, the ongoing need to accelerate the transfer of data will likely
accelerate the likelihood of its theft. No system, now or in the future, is or will ever be totally
secure. 164 Unfortunately, the first sign of detection might occur under the first two scenarios in

159

See CERT - Certified Computer Security Incident Handler, http://www.cert.org/certification/
(last visited Nov. 25, 2007) (outlining a certification program for individuals with experience
handling computer security who wish to "achiev[e] the knowledge, skills, and abilities to be a
highly successful security professional").
160
See TechNewsWorld, http://www.technewsworld.com/story/49652.html (last visited Nov. 25,
2007) (recognizing that companies must understand threats from inside their organization may be
more dangerous than threats from outside the organization). But see Larry Downes, Shareholder
Values; Hewlett-Packard had legal alternatives to plugging the leaks in the boardroom. But
who's got time for that?, CIO INSIGHT, Nov. 6, 2006, at 2 (pointing out that while companies
may have individuals devoted to finding sources of information leaks, they should take care to
go about it in appropriate ways).
161
See Asking for Trouble: Most Companies Don't Have Plans to Handle Data Breach,
TECHWEBNEWS (CMP Media LLC), May 22, 2007, at 1 (reporting the results of a survey done
by the Ponemon Institute of over 700 security and IT managers finding "[a]round 85% of IT and
security managers say they've suffered a data breach, but less than half have a plan in place for
when it happens again").
162
TechTarget, http://searchstorage.techtarget.com/tip/1,289483,sid5_gci930542,00.html (last
visited Nov. 25, 2007) (outlining backup plan principles to follow, including daily, weekly, and
monthly backups, as well as off-site storage and removable data storage media).
163
See United States Department of Veterans Affairs, http://www.va.gov/ (last visited Nov. 25,
2007) (providing an extensive website with information on all types of issues affecting veterans'
affairs); United States Department of Health and Human Services,
http://www.hhs.gov/ocr/privacysummary.pdf (last visited Nov. 25, 2007) (providing a summary
of the "Health Insurance Portability and Accountability Act of 1996" ("HIPAA")).
164
See Alison Fitzgerald, Careless Workers Expose IRS Data, SEATTLE TIMES, Aug. 4, 2007, at
E4, available at
http://seattletimes.nwsource.com/html/businesstechnology/200382091_irssecurity04.html
(describing an incident where auditors posing as help-desk technicians persuaded IRS employees
to give out their passwords and change them to ones suggested by the auditors); see also Steve
Brewer & Mark Carreau, Programmer who Allegedly Broke into NASA Computers is Indicted,
HOUSTON CHRONICLE, Apr. 27, 2007, at 21, available at http://www.chron.com/cgi-bin/auth/story.mpl/content/interactive/space/news/99/990427.html (explaining that a hacker
the previous section, where suddenly an adversary seems to know of the existence of confidential
communications or litigation strategy.
Up to that point, the most reasonable method of both prevention and detection is a regular
auditing process involving internal security and external consultants, as well as implementing a
security plan tailor-made for the law office. 165 Auditing, in this sense, means to determine the
status of the security system and produce a snap-shot of the current security. 166 The goal of the
consultants is to determine what is to be done based on this snap-shot assessment and develop a
migration plan as to what must be done in order to effect improved security. 167 Auditing is a
necessary function throughout the security process as a way to constantly monitor status. 168
Another use of auditing is to close the loop between what is intended and what is actually
practiced. 169
For example, prevention of insider threat might be an auditing exercise to
determine if an employee would allow an outsider through social engineering to breach security.
Although the employee has been trained, the efficacy of that training should be tested in practice

obtained encrypted passwords and ''used an Internet password-cracking tool" to decipher the
passwords and gain entry to NASA computers).
165
See DEBORAH RUSSELL & G.T. GANGEMI SR., COMPUTER SECURITY BASICS 108 (Tatiana
Apandi ed., O'Reilly Media, Inc. 2006) (1991) (describing a security audit and suggesting
possible problem areas). "A security audit is a search through your system for security problems
and vulnerabilities." Id.
166
See NATIONAL STATE AUDITORS ASSOCIATION & THE U.S. GENERAL ACCOUNTING OFFICE, A
JOINT INITIATIVE: MANAGEMENT PLANNING GUIDE FOR INFORMATION SYSTEMS SECURITY
AUDITING 6 (2001), available at http://www.gao.gov/special.pubs/mgmtpln.pdf (stating that "IS
security auditing involves providing independent evaluations of an organization's policies,
procedures, standards, measures, and practices for safeguarding electronic information from loss,
damage, unintended disclosure, or denial of availability").
167
See id. at 24 (describing the role of consultants relating to information security). "Consultants
may offer immediate capabilities not otherwise available without considerable start-up time and
cost." Id.
168
See DEBORAH RUSSELL & G.T. GANGEMI SR., COMPUTER SECURITY BASICS 108 (Tatiana
Apandi ed., O'Reilly Media, Inc. 2006) (1991) (discussing the importance of conducting audits
to evaluate security systems). "It's a good idea to check on the security of your system by
performing periodic security audits." Id.
169
See DAVID CODERRE, INSTITUTE OF INTERNAL AUDITORS, GLOBAL TECHNOLOGY AUDIT
GUIDE CONTINUOUS AUDITING: IMPLICATIONS FOR ASSURANCE, MONITORING, & RISK
ASSESSMENT 4 (2005), available at http://www.theiia.org/guidance/technology/gtag/gtag3
(explaining that the other component of continuous auditing, besides risk assessment, is to focus
on control deficiencies). In essence, auditing aims to assure that controls that were developed in
order to achieve a particular purpose are operating efficiently. Id. at 5. "Continuous control
assessment will allow internal auditors to assess the adequacy of management monitoring
activities and provide ... assurance that the controls are working effectively and that the
organization can respond quickly to correct deficiencies that arise." Id.

in an actual exercise. Throughout the security process, auditing is used to determine
not only what might happen, but also the identity of the weak links in the process. 170
C. Remediation
In addition to the reasonableness requirement set out in the Model Rules, recent
legislation is adding to attorneys' obligations. At the time of this writing, thirty-five states
require businesses to notify their customers or clients if there is a security breach involving
sensitive personal information. 171 These laws generally apply to any business maintaining the
information of a resident of the state which enacts the statute. 172 Thus, an attorney might be
subject to laws of various states, depending upon the residency of the clients. 173 Complicating
the matter further is the fact that these laws are not completely uniform. 174 To obtain a feel for
the remediation obligations and some questions concerning the applicability of this legislation,
consider the impact and applicability of Texas statutes, patterned after similar legislation in
California.
The Texas Eightieth Legislature, 2007 Regular Session, enacted the following law as part
of the Texas Business & Commerce Code:
Any person who maintains computerized data that includes sensitive personal
information not owned by the person shall notify the owner or license holder of the
information of any breach of system security immediately after discovering the breach, if
the sensitive personal information was, or is reasonably believed to have been, acquired
by an unauthorized person. 175
The law defines sensitive personal data as:

170

See id. at 4 (specifying the two main components to continuous auditing: control assessment
and risk assessment). Control assessment focuses on whether the processes that are in place are
suffering any deficiencies, and risk assessment focuses on processes that are "experiencing
higher than expected levels of risk." Id.
171
David L. Silverman, Data Security Breaches: The State of Notification Laws, 19 No. 7
INTELL. PROP. & TECH. L.J. 5, 5 (2007). An interesting insight in Silverman's article is that
because the law reaches within state borders to anyone maintaining personal information, the
effect is that businesses will actually be held to the strictest law and not necessarily the law of
their particular state. Id.
172
See, e.g., TEX. BUS. & COM. CODE ANN. § 521.053(b) (Vernon 2007) (requiring someone who
conducts business in Texas to notify any resident of this state when a breach occurs).
Notification is required if the personal information "was, or is reasonably believed to have been,
acquired by an unauthorized person." Id. at § 521.053(c).
173
See TEX. BUS. & COM. CODE ANN. § 521.053(b) (Vernon 2007) (implying that a lawyer with a
client in Texas, whose personal information was accessed, would be subject to the laws of
Texas).
174
See David L. Silverman, Data Security Breaches: The State of Notification Laws, 19 No. 7
INTELL. PROP. & TECH. L.J. 5, 5 (2007) (describing the differences among the states and their
respective notification laws relating to security breaches).
175
TEX. BUS. & COM. CODE ANN. § 521.053(c) (Vernon 2007) (emphasis added).

"Sensitive personal information" means, subject to Subsection (b), an individual's first
name or first initial and last name in combination with any one or more of the following
items, if the names and the items are not encrypted:
(A) social security number;
(B) driver's license number or government-issued identification number; or
(C) account number or credit or debit card number in combination with any
required security code, access code, or password that would permit access to
an individual's financial account. 176

This statute seems to impose a notification requirement on any attorney, regardless of the
circumstances, who loses enough confidential client information to risk identity theft of the
victim. 177 Because most discovery documents have at a minimum identifying information such
as a social security number or driver's license number, 178 this law seems to apply to more
circumstances than most lawyers are probably aware. 179
For example, if a lawyer loses his mobile PC (e.g., laptop, PDA), flash drives, or CDs,
either by theft or accident, the lawyer must contact that client "immediately after discovering the
breach" 180 even though the lawyer may have all files backed up and neither the client nor the
176

Id. at § 521.002(a)(2) (emphasis added). Subsection (b) excludes any "publicly available
information that is lawfully made available to the public from the federal government or state or
local government." Id. at § 521.002(b).
177
See TEX. BUS. & COM. CODE ANN. § 521.053(c) (Vernon 2007) (explaining that an individual
who maintains a data system with personal information has a duty to notify the owner of the
personal information when a breach occurs). This is presuming that all attorneys keep their
client's data on some type of computerized system.
178
TEX. BUS. & COM. CODE ANN. § 521.002(a)(2)(A), (B) (Vernon 2007).
179
See Paul M. Schwartz & Edward J. Janger, Notification of Data Security Breaches, 105 MICH.
L. REV. 913, 933 (2007) (explaining that "Model One" has a "low threshold for notification" and
as such it would not be surprising that many Texas attorneys are in situations where the laws
could be implicated). Professors Schwartz and Janger have classified the Texas statute in their
terms as a "Model One" law, exemplified by California Senate Bill 1386, on which the Texas
statute is modeled (if not explicitly copied word for word). Id. at 933. The Model One
characterization, as a pure notification model, has a "low threshold for notification" and "lacks a
coordination infrastructure to mitigate the harm flowing from a data security incident." Id.
Their article makes an argument for even more effective and useful models than Model One for
notifying of data security breaches. Id. at 933-35.
180
TEX. BUS. & COM. CODE ANN. § 521.053(c) (Vernon 2007). Most lawyers do not realize that
this type of legislation might apply to them. As generally acceptable and reasonable standards
become more pervasive, lawyers will find themselves held to the generally accepted standard.
These standards are developing through application of ethical rules. State of Arizona Formal
opinion No. 05-04 discusses the ethical duty of law firms in Arizona to protect client
information, especially data stored in electronic format. Ariz. Comm. on the Rules of Prof'l

lawyer would notice any disruption in their work. If a lawyer loses track of these devices long
enough for someone to copy them, the notification provisions might apply because a lawyer
should reasonably believe that the information has been acquired by a third party who, by
definition, is an unauthorized person. 181
Attorneys theoretically could avoid the more serious applications of the statute by
encrypting the sensitive personal information. 182 The term "encryption," however, is not
particularly helpful. While encryption is generally understood to be the means of translating data
into something that is not understandable by those who are not authorized to access it, there are no
industry-wide encryption standards. 183 Each vendor uses encryption techniques according to its
own proprietary algorithms. 184 Peter Coffee, a well-known writer on computer security issues,
took issue with this encryption provision when the California bill was being debated. 185 He
pointed out that encryption is not a yes-or-no attribute, and noted, "[w]eak crypto algorithms
or poor implementations of good algorithms or poorly administered deployments of even robust
crypto products are equally hollow in their promises of protection." 186 As a result, most lawyers,
on their own, would not even know if their files were encrypted, and if so, how "strong" the
encryption would be. 187

Conduct, Op. 05-04 (2005). A standard is emerging through statutes and regulations. See, e.g.,
16 C.F.R. § 314.3(a) (2007) (requiring maintenance of "a comprehensive information security
program"); see also David L. Silverman, Data Security Breaches: The State of Notification
Laws, 19 No. 7 INTELL. PROP. & TECH. L.J. 5, 5 (2007) (stating that at least thirty-five states
have enacted notification laws concerning data security breaches).
181
TEX. BUS. & COM. CODE ANN. § 521.053(b) (Vernon 2007).
182
See DEBORAH RUSSELL & G.T. GANGEMI SR., COMPUTER SECURITY BASICS 65 (Tatiana
Apandi ed., O'Reilly Media, Inc. 2006) (1991) (defining encryption as "transform[ing] original
information into altered information" so others cannot read or understand the original
information). "Encryption ensures that even if file security is somehow breached, the intruder
won't be able to read the passwords in the file; they'll look like gibberish." Id.
183
See id. at 36 (outlining the movement toward creating a standard encryption algorithm and its
subsequent demise). Today, a host of algorithms are "powerful encryption tools" that are readily
available "as open source programs." Id.
184
See Winn Schwartau, To Hell with Proprietary Encryption Algorithms, NETWORK WORLD,
Aug. 27, 2001, http://www.networkworld.com/columnists/2001/0827schwartau.html (explaining
that vendors continue to create proprietary algorithms for their encryption processes, which are
vulnerable to hackers).
185
See Peter Coffee, Computer Literacy Isn't Kid Stuff, EWEEK.COM, May 2, 2006,
http://www.eweek.com/article2/0,1759,1956817,00.asp (taking exception with the California
legislature and their use of the word encryption).
186
Id.
187


How strong is an encryption? The word "CAT" can be encrypted "BZS" by substituting a
letter with the previous letter in the alphabet. That is how IBM became HAL in the movie 2001:
A Space Odyssey. In a technical sense, this is encrypted data, although the encryption is extremely
weak and even laughable. Most attorneys would not be able to determine the validity of
software vendors' promises that data would be "encrypted" using that particular program
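The point of this footnote and of Coffee's "not a yes-or-no attribute" remark, as an added example (not from the article): a shift cipher like the CAT/BZS one is "encryption" in a technical sense, yet all 25 of its possible keys can be tried in a loop, so a vendor's bare claim that data is "encrypted" says nothing about strength. The word list used to score candidates is constructed for this example.

```python
"""Added example, not from the article: why "encrypted" is not a yes-or-no
attribute. A shift cipher (footnote 187's CAT -> BZS) scrambles text, but its
entire key space is 25 shifts. The word list below is constructed for this demo."""
import math
import string

ALPHABET = string.ascii_uppercase


def shift_encrypt(plaintext: str, shift: int) -> str:
    """Replace each letter with the one `shift` places earlier in the alphabet
    (shift=1 turns CAT into BZS and IBM into HAL). Other characters pass through."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) - shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def shift_decrypt(ciphertext: str, shift: int) -> str:
    """Undo shift_encrypt when the key is known."""
    return shift_encrypt(ciphertext, -shift)


# Constructed stand-in for a dictionary; a real check would load a word list.
COMMON_WORDS = {"THE", "CAT", "CLIENT", "SOCIAL", "SECURITY", "NUMBER",
                "DRIVER", "LICENSE", "NAME", "ACCOUNT"}


def recover_without_key(ciphertext: str):
    """Show why the shift offers no real protection: try every one of the 25
    possible keys and keep the candidate containing the most dictionary words.
    Returns (shift, plaintext), or None if no candidate contains a known word."""
    best_score, best = 0, None
    for shift in range(1, 26):
        candidate = shift_decrypt(ciphertext, shift)
        words = [w.strip(".,;:") for w in candidate.split()]
        score = sum(1 for w in words if w in COMMON_WORDS)
        if score > best_score:
            best_score, best = score, (shift, candidate)
    return best


def key_space_bits(number_of_keys: int) -> float:
    """Effective key length in bits: 25 shifts is about 4.6 bits, versus 128 bits
    for AES-128, which is the kind of gap "strong" encryption refers to."""
    return math.log2(number_of_keys)


if __name__ == "__main__":
    ct = shift_encrypt("CLIENT SOCIAL SECURITY NUMBER", 7)
    print(ct, "->", recover_without_key(ct))
    print(f"shift cipher: {key_space_bits(25):.1f} bits; "
          f"AES-128: {key_space_bits(2 ** 128):.0f} bits")
```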

There are other questions raised by state statutes, including issues related to whether or
not notice of a breach is even required. 188 The complexity of these issues once again points to
the need for the attorney to utilize a competent consultant in planning and implementing any
remediation scheme. 189
Moreover, attorneys will likely face tort liability for security breaches. 190 Professor
Vincent Johnson, in his article, analyzes the growing concerns relating to cyber security, and
although his article does not focus on attorney-client obligations, there is no reason to assume
that attorneys are immune to liability under the principles he discusses. 191
Attorneys would do well to anticipate that some breaches will occur and make plans to
minimize the impact upon the client, even where statutes do not now require it. Attorneys
working with consultants should develop plans to back up data and store it securely off-site in
order to assist in remediation efforts following a physical breach or destruction of data as well.

188

See, e.g., IND. CODE ANN. § 24-4.9-2-2 (LexisNexis 2007). One particularly disturbing issue
found in this law, effective July 1, 2006, renders notice to affected parties not necessary if there
is unauthorized access to "a portable electronic device," but the device is password protected.
Id. Passwords pose almost no barrier to hackers. In reality, passwords, whether on a device or
file, can be easily broken (or "cracked"). In the case of laptops, the hard drive can be removed
from a password-protected machine and accessed by another machine. Further, password
crackers are available on the web and are relatively inexpensive and sometimes free. They are
easily obtained by searching through www.google.com. See also Donna L. Beatty, Malaysia's
"Computer Crimes Act 1997" Gets Tough on Cybercrime but Fails to Advance the Development
of Cyberlaws, 7 PAC. RIM L. & POL'Y J. 351, 373 (1998) ("Virus how-to guides and code
generators are available on underground world-wide Web sites and bulletin boards. System
passwords can easily be broken using software programs such as 'CRACK'-a program freely
available on the Internet.").
189
See Mark Bassingthwaighte, Ten Technology Traps and How to Avoid Them, THE W. VA.
LAW., Sep.-Oct. 2006, at 34 (discussing ten technology traps and how attorneys can avoid them);
see also Andrew Beckerman-Rodau, Ethical Risks from the Use of Technology, 31 RUTGERS
COMPUTER & TECH. L.J. 1, 14-15 (2004) (suggesting the use of a single password system).
190
See John D. Comerford, Competent Computing: A Lawyer's Ethical Duty to Safeguard the
Confidentiality and Integrity of Client Information Stored on Computers and Computer
Networks, 19 GEO. J. LEGAL ETHICS 629, 642 (2006) (discussing possible malpractice liability for failing
to take appropriate precautions).
191
Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits of Tort Liability, 57 S.C. L.
REV. 255 (2005). Courts have found liability for actual damages where plaintiffs proved how
their identities were stolen. See, e.g., Daly v. Metro. Life Ins. Co., 4 Misc. 3d 887, 893 (N.Y.
Sup. Ct. 2004) (holding that a life insurance company had a duty to protect its client's private
information from theft); Bell v. Mich. Council 25 of the Am. Fed'n of State, County, and Mun.
Employees, No. 246684, 2005 WL 356306, at *5 (Mich. Ct. App. Feb. 15, 2005) (per curiam)
(holding that a union was liable for the identity theft of its members' information because it
"knew confidential information was leaving its premises and no procedures were in place to
ensure the security of the information").

V. CONCLUSION
Attorneys have an ethical obligation to act in a reasonable fashion to protect their clients'
confidences. 192 This includes the obligation to protect data stored electronically from unintended
disclosure either through inadvertent release of the information or from failure to secure the data
against unauthorized access. 193 Attorneys must act reasonably to prevent, detect, and remedy
security breaches. 194
State statutes are becoming more specific and are imposing greater obligations on
attorneys to provide notice to clients when loss of personal information has occurred. 195 Some of
these statutes create a civil cause of action against attorneys, 196 and all of them undoubtedly raise
the bar on what an attorney is reasonably required to do when a breach occurs, thus implicating a
higher ethical standard. After all, it is certainly reasonable to comply with mandatory state
statutes and not reasonable to violate them. 197

192

See, e.g., MODEL RULES OF PROF'L CONDUCT R. 1.6(a) (2007) ("A lawyer shall not reveal
information relating to the representation of a client unless the client gives informed consent, the
disclosure is impliedly authorized in order to carry out the representation or the disclosure is
permitted by paragraph (b)."); Tex. Disciplinary R. Prof'l Conduct 1.05(b)(1) (stating that "a
lawyer shall not knowingly [r]eveal confidential information of a client").
193
MODEL RULES OF PROF'L CONDUCT R. 1.6 cmt. 16 (2003).
194
See MODEL RULES OF PROF'L CONDUCT R. 1.6 cmt. 17 (2003) (setting forth a lawyer's duty to
take reasonable steps to prevent unauthorized access to privileged information); see also Andrew
Beckerman-Rodau, Ethical Risks from the Use of Technology, 31 RUTGERS COMPUTER & TECH.
L.J. 1, 27- 32 (2004) (discussing possible security breaches and ways to avoid them).
195
See, e.g., Perkins Coie Security Breach Notification Chart (Sept. 17, 2007),
http://www.perkinscoie.com/files/upload/securitybreach.pdf (providing information regarding
security breach notification laws in various jurisdictions); CAL. CIV. CODE § 1798.82(a) (West
2007) (imposing a duty to disclose a security breach); MONT. CODE ANN. § 30-14-1704 (2007)
(discussing the duty to notify any resident of Montana of any breach of personal information);
MONT. CODE ANN. § 30-14-1702 (2007) (defining personal information).
196
See, e.g., CAL. CIV. CODE § 1798.45 (West 2007) (allowing a civil suit for any violation of the
statute).
197
See SUSAN SAAB FORTNEY & VINCENT R. JOHNSON, LEGAL MALPRACTICE LAW: PROBLEMS
AND PREVENTION 15 (2008) (explaining that one area where attorneys face liability for failure to
comply with statutory requirements is in the area of deceptive trade practices); see also Perkins
Coie Security Breach Notification Chart (Sept. 17, 2007),
http://www.perkinscoie.com/files/upload/securitybreach.pdf (discussing violations of the
Consumer Fraud and Deceptive Business Practices Act). Proof of a violation of a rule or statute
governing the conduct of lawyers may be considered by a trier of fact in order to understand the
duty owed by the attorney, but does not, of itself, create liability to a client. See SUSAN SAAB
FORTNEY & VINCENT R. JOHNSON, LEGAL MALPRACTICE LAW: PROBLEMS AND PREVENTION 72-73 (2008).

How does an attorney meet these obligations? Most attorneys are not trained in the
increasingly complicated area of information assurance. 198 Even if they are, they do not have the
time to practice both law and information assurance on a full-time basis. 199
Other areas of commerce and industry, however, may be making more progress in
information assurance because of the new statutes and regulations requiring heightened
protection of health care records, 200 financial matters, 201 and other areas. 202 The legal profession
can learn from these industries and from professionals who are developing and implementing the
necessary plans to prevent, detect, and remediate security breaches. 203
Indeed, it appears incumbent upon attorneys to utilize this expertise. Attorneys rely on
experts from any number of fields in the representation of their clients and in the management of
their practices. 204 Given the risks to clients and attorneys from security breaches regarding
198

John D. Comerford, Competent Computing: A Lawyer's Ethical Duty to Safeguard the
Confidentiality and Integrity of Client Information Stored on Computers and Computer
Networks, 19 GEO. J. LEGAL ETHICS 629, 630 (2006) ("[F]ew practicing attorneys possess the
expertise necessary to effectively implement computer security measures.").
199
See id. at 632 (saying that "building a robust computer network defense is neither cheap nor
easy''). According to one author, nationwide statistics place the median attorney work-week at
50 hours. Maria Pabon Lopez, The Future of Women in the Legal Profession: Recognizing the
Challenges Ahead by Reviewing Current Trends, HASTINGS WOMEN'S L.J. 53, 84 (2008). Most
attorneys would likely report their work week would not leave many hours available for
information assurance and practice. The point should also be made that qualified and competent
information assurance is its own profession, requiring significant training and certification. It
may be presumptuous to assume that attorneys could achieve that level of competence with just a
few hours of weekly study.
200
See The Health Insurance Portability and Accountability Act, 5 U.S.C. § 601(8) (2007)
(alluding to the "record keeping requirement" imposed by the statute).
201
See 16 C.F.R. § 314.1 (2005) (requiring all financial institutions subject to FTC jurisdiction to
protect customer information); Vincent R. Johnson, Cybersecurity, Identity Theft, and the Limits
of Tort Liability, 57 S.C. L. REV. 255, 269-70 (2005) (describing statutory obligations of
financial institutions); Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No.
106-102, 113 Stat. 1338.
202
Pui-Wing Tam & Robin Sidel, Security Software's Mini-Boom, WALL STREET JOURNAL, Oct.
2, 2007, at B3 (concerning the heightened standards for credit card processing and the vendor-imposed fines in place for not adhering to these industry standards).
203
See 16 C.F.R. § 314.4 (2005) (listing the elements necessary to "develop, implement, and
maintain [an] information security program"); see also Andrew Beckerman-Rodau, Ethical Risks
from the Use of Technology, 31 RUTGERS COMPUTER & TECH. L.J. 1, 33- 34 (2004) (explaining
that attorneys may need to hire computer personnel to protect client information).
204
Lawyers can locate experts in bar journal publications. In some fields, expert testimony is
required. Plaintiffs in legal malpractice cases ordinarily must present expert testimony
establishing the standard of care. Television Capital Corp. of Mobile v. Paxson Comm'ns Corp.,
894 A.2d 461, 469 (D.C. 2006) (noting that the rule requiring plaintiffs to present expert
testimony to establish the standard of care in legal malpractice cases is widely followed). But
see Hickox By and Through Hickox v. Holleman, 502 So.2d 626, 635 (Miss. 1987) (stating that

confidential information, it appears reasonable for attorneys to employ information assurance
experts to design and implement security plans and to conduct periodic audits to provide the
necessary client protection and statutory compliance. 205 In addition to the immediate benefit to
clients, attorneys who utilize these experts might more easily convince a factfinder, should a
breach and loss occur, that the attorney acted reasonably and did not act in an unethical,
unlawful, or liability-producing fashion. 206
Finally, when a security breach occurs, attorneys will want to send more than a cold,
technical notice of the breach to their clients. Even if such a notice satisfies the statutory
requirements, 207 it certainly would not help to maintain the goodwill of the client, unless the
attorney offers some assistance in minimizing losses the client might suffer as a result of the
breach. Moreover, there might be instances where the attorney learns of a security breach that
does not fall within the notice requirements of the statutes, but nonetheless could prove
damaging or embarrassing to the client. Here the attorney should be willing to notify the
client 208 and take reasonable measures to protect the client's interests.
Maintaining client confidences is important to both attorney and client. Preserving the
confidence of clients in their attorneys and our legal system is critical to the success of our
profession. 209

the general rule requiring expert testimony to support a malpractice claim does not apply when
the attorney's conduct is "negligent as a matter of law and the plaintiff is entitled to a directed
verdict on liability").
205
See John D. Comerford, Competent Computing: A Lawyer's Ethical Duty to Safeguard the
Confidentiality and Integrity of Client Information Stored on Computers and Computer
Networks, 19 GEO. J. LEGAL ETHICS 629, 630 (2006) (acknowledging that few attorneys possess
the necessary expertise to implement the proper computer security measures on their own).
206
A CONCISE RESTATEMENT OF THE LAW GOVERNING LAWYERS 127 (2007) ("Expert testimony
by those knowledgeable about the legal subject matter in question is relevant in applying the
standard."). "A defending lawyer (defending himself or herself on a civil liability claim) may
also introduce expert evidence on what constitutes care in the circumstances of the case or to
support a defense . . . ." Id. at 130.
207
See TEX. BUS. & COM. CODE ANN. § 48.103(b) (Vernon Supp. 2007) (putting forth the
statutory requirement of notice upon breach).
208
ABA Comm. on Ethics and Prof'l Responsibility, Formal Op. 95-398 (1995) ("[S]hould a
significant breach of confidentiality occur within a computer maintenance company . . . a lawyer
may be obligated to disclose such breach to the client or clients whose information has been
revealed.").
209
Andrew Beckerman-Rodau, Ethical Risks from the Use of Technology, 31 RUTGERS
COMPUTER & TECH. L.J. 1, 6 (2004); see also MODEL RULES OF PROF'L CONDUCT R. 1.6 (2002)
(imposing on attorneys a duty to keep client information confidential).

Citation

Bill Piatt, Paula deWitte, “CLE: 2010: Loose Lips Sink Attorney-Client Ships: Unintended Technological Disclosure of Confidential Communications,” St. Mary's Law Digital Repository, accessed October 21, 2017, http://lawspace.stmarytx.edu/item/STMU_HomecomingCLE2010PiattDeWitte.