It’s an old adage that bad facts make bad law.
In the last few weeks, a good number of pieces were written focusing heightened attention on an issue that many lawyers were already stewing about . . . technological vulnerabilities arising from how lawyers and law firms use (and don’t use) technology. Most of these stories, like this one and this one, used the news of hackers targeting particular large law firms as the jumping off point for the discussion.
I happen to think that the question of how law firms should address the topic of cyber security is actually a fairly complex one. Given the vast amount of sensitive information that law firms handle and store, there are obvious strong arguments to make that law firms should have to have the highest level of cyber security in measures in place in all respects. Yet, I think there are also legitimate arguments that certain aspects of data privacy and data breach laws should not apply in the same fashion to law firms as they do to other businesses. In the event of a breach of a law firm’s electronic records, the mere act of publicly communicating about it to more than those whose information was known to be compromised, for example, could actually result in certain circumstances in additional harm to clients in the form of breaches of attorney-client confidentiality or privilege.
The last thing lawyers and law firms needed as something that might drive the needle in one direction or another was for the absolute wrong kind of high-profile situation involving a law firm hack to be the focus of attention and in the forefront of any discussion about what the standard of care ought to require of lawyers and law firms in terms of cyber security. Yet, the last thing lawyers needed arrived: the Mossack Fonseca data breach in Panama, now known as the Panama Papers.
This obscure but remarkably large and incredibly well-connected (or shady depending on your perspective) law firm founded in Panama has been victimized by a hack of some sort resulting in some 2.6 terabytes of documents to have been improperly accessed and then leaked to the International Consortium of Investigative Journalists. The vast amount of otherwise confidential information (if you want to visualize how much 2.6 terabytes, imagine you had 1 terabyte sitting on your desk … now think what that would look like if you had another one and then like 60% of another one. ? ) that has come out has led to a deluge of news stories about the maneuverings of the global rich to hide their money offshore to avoid taxes or scrutiny or both.
The latest story I’ve seen is this one in The Guardian that focuses a good bit on the firm itself. It also offers a nice snapshot of the nature of the documents and information leaked after the breach:
The company’s leaked internal database gives some idea of the massive scale of these international operations, many of them perfectly legal. The 11.5m documents include shareholder registers, bank statements, emails from lawyers and accountants, passport scans and contracts. Much of it legal, if hidden.
Most of the media attention to this story has focused on the clients and the policy questions regarding the legality/illegality of what the clients were doing. Most of the legal media attention paid to the story has, so far, focused on the questionable nature of the lawyering involved — in a way it seems a bit like the 60 Minutes story we covered here a while back but if all of the examples were real in a fashion and one firm was undertaking to represent all of the endeavors. As Bill Freivogel elegantly put it in an online piece I saw “A U.S. lawyer skating on the edge of what Mossack Fonseca has been doing could easily slip into a federal wire fraud or other criminal prosecution.”
Inevitably, this story will ramp up the rhetoric and discussion about what lawyers and law firms “absolutely” must be doing on the technological side of their business. For example, we now have this piece from the assistant director of the Center of Practice Management of the North Carolina Bar Association essentially insisting that lawyers must encrypt all of their data, when in use, when in transit, and when it’s in storage and insisting on restrictions on access and downloads, etc.
In an utopia where price and practicality were no option for all lawyers, the North Carolina advice would be commonsense, but many lawyers do not practice in such utopian settings. And, importantly, the ethics rules nowhere in the United States presently insist that all lawyers adhere to such requirements. Not in North Carolina, and not even under the post Ethics 20/20 ABA Model Rules, which North Carolina has adopted. What they require is in Rule 1.6(c): ” A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
And jurisdictions like North Carolina that have adopted the Ethics 20/20 version elaborate on what this means in two paragraphs of the Comment accompanying Rule 1.6:
[18] Paragraph (c) requires a lawyer to act competently to safeguard information acquired during the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1, and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information acquired during the professional relationship with a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule, or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information to comply with other law—such as state and federal laws that govern data privacy, or that impose notification requirements upon the loss of, or unauthorized access to, electronic information—is beyond the scope of these Rules. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments [3]-[4].
[19] When transmitting a communication that includes information acquired during the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the client’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.
(all emphasis has been added by me)
But bad facts make bad law. All of the ramifications of the loss of confidentiality of the data possessed by this particular law firm are going to continue to play out in the most public of ways. There is no question that this particular firm — given its size, including the number and location of offices, and the fact that it’s core business turned completely on the promise of secrecy — over and above even the level of secrecy people normally think of when they think of hiring a lawyer — needed to have incredibly stringent measures in place to secure its electronic data. We’re talking about clients, as The Guardian article explains, who were paying thousands of dollars extra just to be able to correspond only through fake email accounts the firm helped create under names like Harry Potter and Isaac Asimov for goodness sake.
If the end result of this story is going to be a call for mandatory encryption, that is not going to be great for the profession at all. And, frankly, could create a stratification between haves and have nots that could ironically look a lot like the one that already exists between the truly, extraordinarily rich who were hiring a firm like Mossack Fonseca and the rest of the world. Such a result will only further drive up the cost of legal services and make it even harder for those engaged in the traditional delivery of legal services to compete in a marketplace increasingly under pressure from alternative providers of legal services.
(Edited to fix a few errors caught by a loyal reader.)