Part 1 of this series, “Avoiding the worst case scenario: Data theft during discovery,” can be found here.
While most lawyers tend to become ostriches when they hear buzzwords like “cybersecurity,” it may be time they pull their heads out of the sand. There are many scenarios in which corporate clients’ data is at risk, and it is up to their outside counsel to ensure that it is protected. A leak of corporate privileged data can cause catastrophic results, and no outside counsel wants to be responsible when that happens. The next real-world scenario, below, describes how a few cost-saving decisions can leave the corporate client unhappy and outside counsel fired and potentially brought up on ethics charges.
Weeks later, the investigator you hired figures out that the identities were in fact all stolen by one individual working as a contract attorney at the agency hired to review the documents. It turns out the individual had a previous record of theft in another state. The individuals whose identities had been stolen spend thousands of dollars and countless hours dealing with the issue. They seek reimbursement from you, as it was your turning over of the files that compromised their PII. You are fuming, as you have to reimburse all the employees plus pay the investigator's fees. You are also upset that outside counsel never brought this to your attention after you mentioned the problem. You not only fire outside counsel, but you bring the firm up on ethical violations.
The ABA model rules dictate that an attorney’s obligation of supervision extends to lawyers and nonlawyers in the firm, as well as to third-party service providers. The ethical obligations regarding security of confidential client information also extend to supervision of these providers. The comments to the rule (Rule 1.18: Duties to Prospective Client) state that, “[w]hen using such services outside the firm, a lawyer must make reasonable efforts to ensure that the services are provided in a manner that is compatible with the lawyer’s professional obligations . . . including . . . the terms of any arrangement concerning the protection of client information.”