Confidentiality is at the core of the attorney-client relationship. Confidentiality is an ethical obligation, an evidentiary privilege, and a promise we make to our clients. We keep our clients’ secrets.
But what about the companies to which we entrust our clients’ information? How do they think about confidentiality? Do they take it as seriously as lawyers and clients do? To find out, I talked to a variety of cloud-based legal software providers about how they make decisions about safeguarding client information.
“Best Practices” for Legal Software
I’m not trying to spread fear, uncertainty, and doubt about legal tech companies and security and privacy. All the companies I spoke with—like any company that is serious about doing business with lawyers—take the same sort of precautions your bank would use, which are sufficient for most lawyers’ needs.
But that’s just part of the story. Every legal software company uses “best practices,” but that’s no more specific than the reasonable person standard in law. There is no official list of best practices for legal software (although the Legal Cloud Computing Association is working on one).
What I wanted to know is how legal software companies think through the practices that will be best for the attorneys and clients who will be using their software. Who decides whether to use 256-bit or 448-bit encryption keys? How do they decide whether it’s important to allow users to back up their files to a third-party service? Did they have a conversation about whether it would be practical to implement zero-knowledge data storage? In other words, is a process for raising and deciding these kinds of questions baked into their procedures?
Take Apple’s privacy triumvirate, for example. According to Reuters, “any collection of Apple customer data requires sign-off from a committee of three ‘privacy czars’ and a top executive.” The privacy czars ensure Apple isn’t collecting any more information than it needs to, and that it isn’t sharing that information with anyone or anything else unless absolutely necessary.
Legal software companies aren’t sharing data with advertisers. Instead their decisions about data security and privacy have implications for how easy it is for someone to get at your clients’ information.
When your clients’ information is on someone else’s computers (that’s what the cloud is, after all: other people’s computers), you give up a measure of control over it. You need to know how a company thinks about security and privacy in order to decide whether to trust it with your clients’ information.
How Legal Software Companies Think About Security and Privacy
“We have a guy.”
That is basically the answer I got from everyone. It’s usually the lead software developer (and I’m not being unconsciously sexist; it’s almost always a guy). That’s who decides which practices are best.
So from one: “Ultimately our CTO is responsible for such decisions.” Another has “team members that focus on the security of client data stored within our application.” At another: “our CTO and chief developer … is a cyber security expert. He tests, approves, or rejects the code before it [is] published to beta.” Another isn’t quite there yet: “we currently do not have a dedicated person devoted to privacy.”
Then they each gave me a stack of information about security measures. I even learned about some clever approaches I hadn’t heard of before.
But I confess I was a little disappointed. I was really hoping for some kind of indication that legal software companies think about client information more like lawyers do. As lawyers, our obligation is not just to take security measures and call it done; it’s to keep our clients’ secrets. That means fitting the security measures to the needs of our clients, which goes a step beyond the security measures legal software companies provide.
Confidentiality Is Your Responsibility
Maybe this should have been obvious from the beginning, but I haven’t seen a legal software company yet that looks at confidentiality the way lawyers need to. That doesn’t mean they don’t take security seriously. They all do, and I have an even better appreciation for that now. But confidentiality and security are different things. What they don’t do—what they probably can’t do—is decide whether those security measures are adequate to protect a particular client’s need for confidentiality.
Consider a couple of examples where you might need extra security in order to protect the confidentiality of your client’s information.
- Your client has a vindictive ex-spouse who works in cyber-security.
- Your client is a small or large company that believes a competitor is after its trade secrets.
- Your client’s criminal matter implicates national security.
In those cases, you should probably take extra precautions against targeted hacking. In the last example, you might also want a buffer between a possible national security letter, subpoena, or court order and your client’s information.
In other words, it is still up to you to learn about the security of the systems you use and assess their suitability to your clients’ needs. That’s part of what it means to be competent. Legal software providers can and should be as transparent as possible about the security measures they use (although some security measures do need to be kept secret to be effective). But it remains your job to make sure those security measures are a good fit for your clients’ needs.