The Panama Papers—the 2016 leaking of over 11 million documents hacked from the databases of the Panama-based law firm Mossack Fonseca—were noteworthy for what they revealed about the offshore assets of some of the world’s wealthiest politicians.
But the leaks were also an important reminder for law firms everywhere that they remain tempting targets for computer hackers. Most firms don’t hold secrets anywhere near as juicy or political as those uncovered in the Panama Papers, but they often possess highly sensitive client data, and their security measures may not be on par with those of the most vigilant data-keepers. That makes them a target for garden-variety malicious profit seekers, at the very least.
Keeping data secure when it’s in your own possession is challenging enough. But complying with electronic discovery requests (“e-discovery”) from opposing counsel in anticipation of litigation creates yet another layer of risk. Once client data is shipped out the door in response to a discovery request, or to your own expert witnesses, it becomes exposed to other environments that may have very different levels of data security.
E-discovery thus involves a tension that attorneys need to be highly cognizant of. Legal discovery is supposed to be permissive, whereas data security depends on tightly limiting and controlling access to information.
“Almost every large firm has had to address this issue,” said Craig Cannon, who leads Kilpatrick Townsend’s e-discovery team, which is based in the firm’s Winston-Salem office. “I think that clients expect that you will have security measures in place and you will be familiar with how to address any breach events, both for your environment and for any downstream partners.”
Wells Fargo’s data goes far
There are several steps that attorneys should take to keep client data as safe as possible. The first is to make sure that firms don’t hand over more information than they should. For example, Wells Fargo, which has had no shortage of legal headaches lately, added another one last summer when it accidentally released private information about thousands of its clients in response to a lawsuit brought by a former employee.
The bank handed over customers’ names, Social Security numbers and financial details, none of which were relevant to the litigation. (Its lawyers blamed the kerfuffle on a vendor error.) The sensitive information was apparently transferred via a compact disc, which added yet another security risk because the data was not encrypted: had the disc been stolen or mislaid in transit, anyone who got his or her hands on it could have accessed the data.
If firms feel they have their own house in order but are worried about practices at opposing counsel’s firm, the issue should be broached at a discovery conference to negotiate the care with which data will be protected. Those who are still jittery can request a protective order to require the opposing side to employ specific data security measures. Judges, who can vary in their level of technological fluency, have broad discretion to impose such orders where appropriate.
“You definitely want to consider the use of protective orders,” Cannon said. “You want to examine opposing counsel on what security measures they have in place in case you do send them sensitive information to ensure that their information is protected appropriately.”
Cannon said that firms like his have served as e-discovery counsel for other firms that do not have the necessary levels of data protection in place, and in some cases the larger, more expert firms end up actually housing the relevant data for the smaller ones.
Have a witness protection plan
Another potential security risk crops up when firms pass along sensitive data to their chosen expert witnesses for review. Sean Fernandes, an attorney with Ellis & Winters in Raleigh and a member of the firm’s privacy and data security practice group, recommends that firms create data security and usage terms in whatever contract is going to govern the relationship with expert witnesses, to give the client a remedy in case a breach occurs.
Depending on the client’s tolerance for risk and ability to absorb costs, Fernandes suggested that firms could maintain control of their data by setting up a portal through which their experts could log in to access and review it. Conversely, if firms hand over possession of data to a third party, that data could potentially sit on a witness’s computer for years, creating a security risk that would endure long after the underlying litigation has ended.
“It removes the problem where if an expert witness downloads a bunch of documents, you don’t have to get on their laptop and get them deleted,” Fernandes said. “It allows you to continue to control the information while also giving them the data they need to do their jobs. If they leave the laptop in a taxi, and stranger things have happened, and someone steals that laptop, then that data isn’t going to get out into the real world.”
One other potential vulnerability point for client data is the vendors that firms hire to handle e-discovery. Fernandes said that while vendors are cognizant of the important role they play in terms of maintaining data security and will have their own protocols and security measures in place, it’s still important to communicate beforehand about what those protocols are.
In particular, firms want to ensure that if a breach does happen, they will be notified about it immediately so they can initiate the proper legal response.
“I do think it’s absolutely the best practice to check what those policies and procedures are to make sure everything is compliant with what your firm’s policies are and what your client’s preferences are,” Fernandes said. “I think it would not be wise to assume that just because a vendor is in the business of e-discovery that their policies and procedures are going to be the ones that your clients need.”
Follow David Donovan on Twitter @NCLWDonovan