This is the second article in our series on Cyber Security for Lawyers. Through this series, we aim to initiate a discussion on why cyber security is essential for lawyers and suggest best practices for modern-day legal professionals in India. In the first article, we focussed on a guidance document published by the UK’s General Council of the Bar. In this article, we take a look at the practices being followed by Canadian legal professionals.
The Canadian Bar Association (CBA) has published a guideline titled Legal Ethics in a Digital World. Prepared by the CBA’s Ethics and Professional Responsibility Committee, it builds on similar guidelines published earlier in 2008, 2009, and 2014. It recognises the role of technology in contemporary legal practice and, at the same time, expects a lawyer to understand how to use technology responsibly and ethically. Unlike in the USA, where the use of technology is explicitly mentioned, in Canada it is several ethical obligations under different codes of practice that suggest the appropriate use of technology. The main objective of this guideline is to help lawyers identify potential ethical issues related to their legal practice and to recommend best practices. Based on its research, the CBA has found that security, marketing, and providing services electronically are the three areas in which lawyers most often face ethical risks when using technology.
Traditionally, cyber security measures aim to protect the CIA triad – confidentiality, integrity, and availability. Similarly, lawyers need to ensure that they implement the required measures to protect confidentiality, integrity, and availability of their data.
Even without technology, lawyers have a professional obligation to hold client information in strict confidence. While professional rules do not prescribe specific measures concerning lawyers’ use of technology, PIPEDA can provide guidance on the types of security measures that must be followed. The guideline also suggests that lawyers consider whether provincial privacy laws apply to their practice. It states that confidentiality measures should not be limited to technical controls; they should also include physical measures. It recommends the following best practices:
- Locking file cabinets and restricting physical access to offices
- Implementing security clearance and limiting access on a need-to-know basis
- Using robust encryption algorithms to protect data during transmission as well as when it is at rest
- Using a VPN to access client information over the cloud, instead of carrying a USB/hard-disk drive
- Avoiding public wireless networks
- Taking appropriate measures when discarding a storage device, such as wiping, scrubbing, or shredding
- Preventing inadvertent disclosure of metadata containing confidential information
- Implementing an incident response plan for your law firm
Here, integrity does not refer to a lawyer’s duty to uphold the standards of the legal profession. In the context of cyber security, integrity means protecting data from modification, alteration, or destruction, whether accidental or unauthorised. It is closely linked with authenticity, non-repudiation, and traceability. In general practice, electronic/digital signatures are preferred for maintaining the integrity of data communicated online. Lawyers should consider implementing the following best practices:
- Implement sufficient security measures to monitor the integrity of available data.
- Use technical measures such as digital signatures, archival policies, backups, and metadata comparison.
In Canada, the Personal Information Protection and Electronic Documents Act, 2000 (PIPEDA) and the Electronic Commerce Act, 2000 (ECA) deal with the legality of electronic signatures.
Data should be accessible and usable whenever an authorised user requires it. Unavailability may result from power failures, server maintenance, natural disasters, or cyber attacks. Hence, there must be backup procedures in place that include the following best practices:
- Regular backups
- Storing backups in an off-site location
- Routine checks to ensure that data can be restored when needed
- Insurance protection in place for recovering lost hardware/information
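The integrity practices above (monitoring data for alteration, metadata comparison) and the availability practice of routinely checking that a backup can actually be restored come together in one small procedure: record a hash of every file at backup time, authenticate that manifest, and compare the restored copy against it. The following is an added example written for this article, not code from the CBA guideline; it uses HMAC-SHA256 as a stand-in for the digital signature the guideline mentions, the directory names and the client files are constructed, and it assumes the key is kept separately from the backup media.

```python
"""Backup integrity check: hash every file into a manifest, authenticate the
manifest with a keyed MAC, and after a restore compare what came back with it.
Added example; HMAC-SHA256 stands in for a digital signature (assumption: the
firm keeps the key off the backup media)."""
import hashlib
import hmac
import json
import os
import shutil
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Keyed tag over a canonical JSON encoding, so the manifest itself cannot be edited silently."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_restore(restore_root: str, manifest: dict, tag: str, key: bytes) -> list:
    """Return a list of problems found; an empty list means the restore is intact."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return ["manifest tag mismatch: manifest itself may have been altered"]
    restored = build_manifest(restore_root)
    problems = []
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in restored:
        if rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return problems


def demo() -> dict:
    """Constructed scenario: back up two files, then check a clean and a tampered restore."""
    key = b"constructed-demo-key-keep-this-off-the-backup-media"
    with tempfile.TemporaryDirectory() as work:
        live = os.path.join(work, "client_files")
        os.makedirs(live)
        with open(os.path.join(live, "retainer.txt"), "w") as f:
            f.write("Retainer agreement, constructed sample text\n")
        with open(os.path.join(live, "notes.txt"), "w") as f:
            f.write("Matter notes, constructed sample text\n")
        manifest = build_manifest(live)
        tag = sign_manifest(manifest, key)
        clean = shutil.copytree(live, os.path.join(work, "restore_clean"))
        tampered = shutil.copytree(live, os.path.join(work, "restore_tampered"))
        # Simulate a damaged or altered restore: one file edited, one file lost.
        with open(os.path.join(tampered, "notes.txt"), "a") as f:
            f.write("unauthorised edit\n")
        os.remove(os.path.join(tampered, "retainer.txt"))
        return {
            "clean": verify_restore(clean, manifest, tag, key),
            "tampered": verify_restore(tampered, manifest, tag, key),
            "wrong_key": verify_restore(clean, manifest, tag, b"other-key"),
        }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or ["intact"])
```

Running the routine check on a schedule, against a restore performed on a separate machine, is what turns "we have backups" into "we know the backups restore"; the manifest also doubles as the metadata comparison the integrity list asks for, since any silent change to a file shows up as a digest mismatch.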
In Canada, lawyers are bound by the Model Code of Professional Conduct, which states that:
“A lawyer may market professional services, provided that the marketing is
- demonstrably true, accurate, and verifiable;
- neither misleading, confusing, or deceptive, nor likely to mislead, confuse, or deceive;
- in the best interests of the public and consistent with a high standard of professionalism.”
As far as marketing is concerned, the suggested best practices include:
- If a law firm uses email/social media for marketing purposes, it should comply with the requirements of the Canadian Anti-Spam Legislation.
- Prevent inadvertent disclosure of confidential information while marketing through social media platforms.
- Implement a well-defined social media policy for prescribing standards and protocols for your law firm’s employees.
3. Providing services electronically
Providing legal services over the internet expands client development opportunities and has great potential to improve access to legal services. At the same time, it brings numerous security and compliance risks; instead of benefitting the client-lawyer relationship, such risks may ultimately harm it. A lawyer can provide services over email, social media platforms, video conferencing solutions, and other telecommunication services. The guideline suggests the following best practices when providing services electronically:
- Responding to tweets or comments on a social media post may be misconstrued as a consultation, creating a lawyer-client relationship in the mind of the client. Always add a disclaimer when posting information online, and keep a record of online communications to defend against a claim that legal advice was given.
- When providing legal services over email, email spoofing, phishing, and spear-phishing are serious risks. A lawyer should always verify the identity of a client before sharing any confidential information.
- Take reasonable steps to determine the actual identity of people you are dealing with to avoid the risks related to conflict of interest.
- Take all reasonable steps to ensure that a client can correctly identify the lawyer and the communications that genuinely come from them.
- Inform your clients about the risks associated with communicating by email and video conferencing tools.
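Verifying a client's identity before replying to an email starts with reading the message itself for the usual signs of spoofing: a Reply-To that quietly moves the conversation to another domain, a familiar display name attached to an unfamiliar address, and the SPF/DKIM/DMARC results recorded by the receiving mail server. The following is an added example written for this article, not code from the CBA guideline; the messages and the client directory are constructed, and it assumes the firm's own mail server adds the Authentication-Results header.

```python
"""Triage an inbound email for signs of spoofing before acting on it.
Added example; sample messages and the client directory are constructed."""
import email
from email.utils import parseaddr

# Constructed client directory (hypothetical): lower-cased display name -> address on file.
KNOWN_CLIENTS = {"jane doe": "jane.doe@example.com"}


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def spoofing_flags(raw: str, known_clients: dict = KNOWN_CLIENTS) -> list:
    """Return reasons to verify the sender out of band; an empty list means none were found."""
    msg = email.message_from_string(raw)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # A Reply-To on another domain sends every reply somewhere other than the apparent sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append(f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")
    # A known client's name on an address that is not the one on file is the classic lookalike.
    on_file = known_clients.get(from_name.strip().lower())
    if on_file and on_file.lower() != from_addr.lower():
        flags.append(f"display name '{from_name}' is on file with {on_file}, not {from_addr}")
    # Assumption: the firm's receiving mail server records SPF/DKIM/DMARC outcomes in this header.
    auth = msg.get("Authentication-Results", "")
    if not auth:
        flags.append("no Authentication-Results header: sender authenticity unverified")
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth.lower():
            flags.append(f"{mech} failed at the receiving server")
    return flags


# Constructed sample messages.
LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: counsel@lawfirm.example
Subject: Retainer
Authentication-Results: mx.lawfirm.example; spf=pass; dkim=pass; dmarc=pass

Please find the signed retainer attached.
"""

REDIRECTED = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@mail-example.net
To: counsel@lawfirm.example
Subject: Urgent: send the settlement documents
Authentication-Results: mx.lawfirm.example; spf=fail; dkim=none; dmarc=fail

Please send everything to my new address today.
"""

LOOKALIKE = """\
From: Jane Doe <jane.doe@example-mail.com>
To: counsel@lawfirm.example
Subject: Quick question about my file

Can you forward me the latest correspondence?
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("redirected", REDIRECTED), ("lookalike", LOOKALIKE)):
        print(label, "->", spoofing_flags(raw) or ["no flags; still confirm unusual requests by phone"])
```

None of these checks proves identity on its own; a message with no flags still deserves a phone call back to a number already on file before confidential material is sent, which is the verification step the guideline actually asks for. What the checks do is make sure the obvious cases are never acted on in haste.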
While concluding the last article, we discussed how compliance with data protection laws is unavoidable for lawyers and legal professionals. Irrespective of whether guidelines like this one are mandatory, incorporating good security practices into the delivery of legal services will never be a wrong choice on any given day. In the upcoming articles in this series on Cyber Security for Lawyers, we will explore more countries where the legal community is discussing cyber security and adopting good security practices.
An initial draft of this article was prepared by Akshara P. Kamath, an undergraduate student at Symbiosis Law School, Hyderabad, during her internship with The Cyber Blog India in June/July 2020.
With inputs from Raj Pagariya.
Featured Image Credits: Job vector created by stories – www.freepik.com and Travel vector created by freepik – www.freepik.com.