It seems like every day there is a new story about hackers stealing and publishing confidential personal information. Even the largest, most tech-savvy telecommunications companies in the world have been proven vulnerable. It’s one thing to have your name and date of birth exposed; it’s quite another to have your corporation’s trade secrets and litigation-sensitive information fall into the wrong hands. Good thing your attorney is keeping it safe, right? After all, “a lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” La. State Bar Art. 16, RPC Rule 1.6(c). So what exactly are the “reasonable efforts” attorneys must make?
In the 1980s, reasonable efforts might have included placing paper documents in a folder marked “confidential” in a file cabinet in a locked office. With the advent of electronic documents in the 1990s, it was probably reasonable to “burn” CD-ROMs stored under lock and key, or to save client documents to individual computers protected by passwords. Nowadays, attorneys have 24/7 worldwide access to their clients’ confidential information—and hackers can invade those data streams from the privacy of their own homes. As technology advances, attorneys’ data protection efforts must keep pace.
The American Bar Association suggests a multi-factor test to determine whether an individual lawyer or firm is keeping up. Factors include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients.
As with all of our client services, Kuchler Polk Weiner has found that the best way to ensure compliance with our information protection obligations is to “Lead the Pack” and stay ahead of the curve. Rather than doing the bare minimum to pass muster under the ABA’s balancing test, we sought guidance from our Fortune 100 clients who are at the forefront of information security. Several of them employ the best practices recommended by the International Organization for Standardization (ISO) and others hold ISO/IEC 27001 information security certifications.
ISO/IEC 27001 is the best-known worldwide standard for an information security management system (ISMS). An ISMS is a systematic approach to managing sensitive company information so that it remains secure; it applies a risk management process that covers people, processes and IT systems. Our firm's ISMS ensures that our client data is secure and always available to our staff. Our customized processes are regularly monitored to confirm that all systems are working effectively, so that modifications can be implemented to strengthen any weakness. An annual audit is performed by a certified ISO auditor to measure and verify the effectiveness of our system.
Kuchler Polk Weiner is one of only a handful of law firms in the United States with an ISO/IEC 27001 Certification and, to our knowledge, the only one in Louisiana at this time.[1] The certification process is time-consuming, expensive, and not required by law. So why did we do it? Our clients go to great lengths to protect their sensitive information. When they hand it over to us, we want to protect it at least as well as, if not better than, they do.
— Mark E. Best
[1] Complete survey data is available from the International Organization for Standardization.