This is part two of this article. Please read part one first.
4. Risk. Risks of error are inherent in Lit-Support Department activities. What they do is often complex and technical, just like any e-discovery vendor. So too are risks of data breach. There is always a danger of hacker intrusions. Just ask Target.
Do you know what your exposure is for a data breach? What damages could be caused by the accidental loss or disclosure of your client’s e-discovery data? How many terabytes of client data are you holding right now? How much of that is confidential? What if there is an ESI processing error? What if attorney-client emails were not processed and screened properly?
Mistakes can happen, especially when a law firm is operating outside of its core competency. What if an error requires a complete re-do of a project? What will that cost the firm? You cannot bill for that. Are errors made in non-legal services covered by a firm’s malpractice insurance? Is it insured in any way whatsoever? How much cyber-liability insurance do you have? Is it enough? Do you have an agreement with the client regarding the provisions of these services? Is there any limitation on liability, or are these services rendered under a lawyer client fiduciary relationship? Is the risk priced into your charges, into your fees? Is that fair to your clients who might not use these non-legal services as much as others, if at all?
5. Ethics. There are a host of ethical issues involved in a law firm’s rendering of non-legal e-discovery services. These are likely to be treated as “law-related” services, and, as the Comment to ABA Model Rule of Professional Responsibility 5.7 says: “When a lawyer performs law-related services or controls an organization that does so, there exists the potential for ethical problems.” If such services are offered by a law firm, absent special disclosures and consents, the full gamut of professional responsibility rules apply, even though the work is largely performed by non-lawyers. There are even more general issues regarding whether a law firm should be engaged in a side-business at all? The ethics on protecting the confidentiality of client data is clear. More on that in a minute.
Outsourcing is not the only answer, but, in my opinion, the only viable alternative to outsourcing is for a firm or corporate law department to invest significantly in their litigation support departments. For any firm large enough to be in AmLaw 100, like my firm, that would require millions to do right. Just having a specialist attorney like me to attend to legal issues is not enough. One way or another, either by investing big and going All In, or by going All Out, like I did, every law firm needs to have a cybersecurity program focused on client data. Law firms should not only take appropriate steps to protect the privacy of their paper documents, and their voice communications, but also their cyberspace, including emails, and especially including their clients’ ESI for discovery.
Cyber Theft Risks Are Growing
The problem of cyber theft is intensifying each year as cyber criminal activity increases and the amount of confidential information stored in computers increases. In large cases today attorneys must often search all of the emails and other communications of top corporate executives. These communications are usually filled with business trade-secrets. ESI subject to discovery also often contains highly confidential financial records, employee records, and customer information. It may also contain protected personal information, including health care information and credit card numbers. All of this confidential information has value to criminal hackers.
Any law firm that does not realize that it is subject to cyber attack is naïve. The best firms today are very aware of these threats and proactive in protecting their computer systems, especially their clients’ confidential data. I know I am very paranoid about this and hyper in insisting that proper protocols be followed.
Protection of client ESI in litigation can be a daunting task. The amount of ESI that attorneys must search to find critical evidence grows exponentially every year. This is not because the scope of legal relevance has expanded. It has not. If anything, it is shrinking out of practical necessity. This problem was not caused by lawyers. The problem comes from clients. It comes from the ever growing amount of data that corporations store in their IT systems. It is the dark side of Big Data. For this reason it is not uncommon in large cases today for attorneys to have to search through millions of their client’s confidential records. This key evidence needed to defend or prosecute a case is often hidden in plain view in a mountain of other ESI.
Cybersecurity is an Ethical Imperative
Finding the relevant evidence is a procedural duty under the Rules and ethical duty of competent representation. All attorneys are trained in this. For instance, my firm has an extensive training program and an e-Discovery liaison program in place. I have been training the attorneys in my firm for years now. I also do training for the law departments of many of our clients. But an even higher duty exists, the ethical duty under Rule 1.6 of the ABA Model Rules of Professional Conduct, to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
That is why I am hyper about clawback agreements and orders. If mistakes do happen, I want the client to be protected. That is also why I am focused on cybersecurity. I want to make sure no one steals my clients’ data from me.
As a side note, to be sure I am not misunderstood, I should emphasize that if information must be disclosed in discovery, then this duty of disclosure trumps the duty of confidentially. You can set up protective agreements and orders, but you must still produce, confidential or not. The only way around that is to make the case go away. If you are the plaintiff, you can dismiss the case. If defendant, pay the damages. Settle before disclosure is required. In my thirty plus years of litigation practice I have done this several times. I have also produced smoking gun type documents a few times, as part of large productions, and the other side never even noticed them. Some opposing counsel are lazy or careless. You can still settle the case before disclosure of confidential information causes too much damage to the client.
Moreover, there is no rule requiring you to put the hot documents on top, or first, in a production. (Although I did have one opposing counsel do that for me once, much to his chagrin. His vendor did it by mistake. He is an expert in e-discovery, a reader of this blog, and a friend, so I will not name names!) You never have to label documents as “Hot” in your production, even if that is how you privately categorize them. The difference between relevant and highly relevant is clearly protected from disclosure by work product.
Specialized Non-Legal Computer Skills Are Needed for Cybersecurity
Fulfillment of a law firm’s duty to maintain client confidences in today’s world of cyber attacks requires much more than legal knowledge and legal skills. It requires sophisticated computer knowledge and skills far beyond the purview of legal practice. That is why cybersecurity experts should be used to assist in any law firm’s client data protection efforts. A team approach is necessary. That is one important reason why my law firm outsources holding of client data for e-discovery to its trusted partner with special expertise and cybersecurity infrastructure, Kroll Ontrack.
My law firm does not hold large amounts of client data. Kroll Ontrack does this for us. Most of the time the attorneys in my firm never even need to become a link in the chain of custody. It is clean, quick and efficient that way. Most of all, it is secure. My attorneys typically only handle and hold the evidence, the actual productions, which is a small fraction of the total data searched. That is one reason I sleep well at night, in spite of the FBI warnings, in spite of hackers from China and elsewhere who would like to steal our clients data from us. We have outsourced the protection of our crown jewels to professionals. Kroll’s reputation in security, including cybersecurity, is very well known, and has been for years.
Unless a law firm is ready and willing to spend the money it takes to set up and maintain proper cybersecurity to protect terabytes, or for larger firms today, petabytes, of high-risk client confidential data, they would be well advised to outsource.
Still, there is more to cybersecurity than just outsourcing. Even when your high value targets are protected, your clients’ data, you must still remain vigilant about securing the information that you still hold and possess, including your emails to clients. Training in security, including cybersecurity, should be a part of every lawyers eduction. It is especially important for lawyers who do electronic discovery. For that reason I have created a new educational resource on cybersecurity that is designed for lawyers. It is found at eDiscoverySecurity.com. It can also be accessed by the Security button on the top right of this blog. It not only contains a collection of essays on cybersecurity relevant to attorneys, but also FAQs on Data Breach. I have also put together a collection of favorite books on cybersecurity, including many fictional works, and another page on favorite YouTube cybersecurity videos.