Electronic storage of client data and how to not get sued for it
A decade or more ago, it was simple to keep documents secure – keep them where you can see them and lock the door after yourself. It is more difficult today. How do you protect documents when you cannot see them floating away on WiFi signals towards the clouds?
The complexity of an electronic storage system is an order of magnitude (or two) greater than a paper system. Take the simple example of scanning a file using your office copier, instead of taking a paper copy and placing it on the file. Do you know the answers to the following questions? Does your scanner email the document or save it to a networked drive? If it emails you, what email server does it use? Who has access to the email server? Is it running on a computer which physically belongs to you? If not, who owns it and could they take it away? What software is running on that server? Is it up-to-date? Is the server behind a firewall and, if so, how is it configured? Has someone changed the default credentials, or is access open to anybody who simply asks for it? How long does the server keep copies of emails? Are files transmitted over the Internet or kept within a private network? Are they encrypted in transit? And perhaps most importantly, do you know why you should care about any of that?
We should care. We have obligations relating to the safety and security of client data. Unless we understand the nature and extent of the risks involved in electronic storage, it will be difficult to work out whether we are meeting our obligations. But it is impractical to insist all lawyers must understand exactly how networks and computers function. So this article looks briefly at our obligations and suggests a few easy things to do that will help, even if you do not understand cryptography and subnets and binary solos.
Our obligations about the safety and security of electronic data come from a few different areas – legislation, contract and negligence. The most significant legislative requirements are found in the Rules of Conduct and Client Care (which deal with confidentiality and security, and also require good password management – see rule 11.4), and the Privacy Act 1993 (principle 5 in particular). There might be some clauses in your retainer that talk about retention of, access to and security of electronic data (if not, I suggest you consider inserting some).
Covering all of those areas is beyond the scope of this article. But, while acknowledging the risk of oversimplification, I suggest the following three questions are a good starting point to make sure you are meeting your obligations:
- Have you taken reasonable steps to protect against unauthorised access or disclosure?
- Does your electronic storage comply with your obligation to keep client information confidential?
- Can you ensure that documents stored electronically can be used as admissible evidence?
In this article, I want to elaborate a little on the first question and suggest things that might qualify as “reasonable steps”. The hope is that these simple steps will help avoid the risk of complaints or negligence proceedings.
Encrypt data on your devices
Soon (if not already), it will be reasonable to require the encryption of all stored data, wherever stored. Until recently, computers were too slow to make this feasible, at least for data stored on servers. It is close to the point where the effort involved in doing so is no longer such a barrier – if it ever was.
At the very least, if you store any client data on a mobile device or laptop, you must turn on encryption. It is super-easy. On an iPhone, if you use a passcode, then it is probably enabled already. Go to “Settings -> Touch ID & Passcode” to check that “Data protection is enabled” appears at the bottom of the screen. On an Android, go to “Settings -> Security” and turn it on. On a Windows laptop, it can depend on your version of Windows, but to check go to “Settings -> System -> About” and look for the “Device Encryption” section.
Without encryption, if you lose your device, it is trivial for someone to plug the device into a computer and take a copy of its contents, including emails and attachments. You might think that, since you have a password, that is enough. It is not. If you do not have encryption turned on, you are likely breaching principle 5 of the Privacy Act and are probably negligent as well.
Store data in New Zealand, or maybe Australia
Increasingly, firms are starting to use Cloud-based systems. You might find yourself considering an overseas provider, or a provider that stores data or backups overseas. There is nothing inherently wrong with that, but you should be prepared to enforce your rights and your client’s rights in the event of a data breach. My view is that, unless you are prepared to file proceedings in America, or Russia, you should not store data there.
The Privacy Act is also relevant to overseas storage of data. You should investigate what privacy laws and protections will apply to the proposed overseas storage and consider whether they are adequate. Principle 3 requires you to tell your clients what agency will be holding their information – a good place is in your engagement letter.
Practise good password management
There are lots of myths and bad advice circulating around password management. And, in any event, “good practice” changes regularly. Bearing that in mind (and you may not want to take my word for this), the following is generally accepted today:
- Do not re-use passwords across different sites, and do not re-use a theme (the same word with a changed year or digit) across passwords.
- Use a password manager like “LastPass” or “Dashlane”, both of which will automatically generate secure passwords when needed and autocomplete forms, so you do not need to remember your passwords at all.
- If you must commit a password to memory, think of a long but memorable nonsense phrase, take the first letter from each word, capitalise some, and add some numbers or punctuation. For example, the phrase “The Family Court is well resourced to speedily and efficiently deal with all cases, particularly relationship property” could be “TFCwrtsa3dwac, prp”. Obviously, do not use that one, since it is now published and therefore will shortly be added to a database somewhere.
- Where possible, use two-factor authentication.
- Do not write passwords down on paper kept anywhere near your computer.
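The first three points above, worked through in Python as an added example that is not part of the article: a function that builds a password from a nonsense phrase in the way described (initial letters, the phrase's own capitals, a couple of letter-for-digit swaps, trailing punctuation carried through), a check that scans a list of site passwords for exact re-use and for “themes” (near-duplicates), and the kind of uniformly random password a manager generates. The `SUBSTITUTIONS` mapping, the `difflib` similarity ratio and its 0.8 threshold are conventions chosen for this example, not something the article specifies, and the sample phrase and vault are constructed.

```python
"""Added example, not from the article: derive a memorable password from a
nonsense phrase the way the article describes, audit a list of site
passwords for exact re-use and "themed" near-duplicates, and generate the
kind of random password a manager would. All sample data is constructed."""
from __future__ import annotations

import difflib
import math
import secrets
import string

# Letter-for-digit swaps applied to lowercase word initials. The article only
# says to "add some numbers or punctuation"; this particular mapping is assumed.
SUBSTITUTIONS = {"e": "3", "o": "0"}

# Printable ASCII set a password manager would typically draw from (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def phrase_to_password(phrase: str) -> str:
    """First letter of each word, keeping the phrase's own capitalisation,
    swapping some lowercase initials for digits, and carrying any trailing
    punctuation (commas, full stops) through into the password."""
    out = []
    for word in phrase.split():
        initial = word[0]
        out.append(SUBSTITUTIONS.get(initial, initial))
        out.append(word[len(word.rstrip(string.punctuation)):])  # trailing ",", "."
    return "".join(out)


def random_password(length: int = 20) -> str:
    """What a password manager does: a uniformly random string from ALPHABET,
    drawn with the secrets module (cryptographic randomness), not random."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def find_reuse(vault: dict[str, str], theme_threshold: float = 0.8) -> list[tuple[str, str, str]]:
    """Flag every pair of sites whose passwords are identical ("exact") or
    similar enough to be variations on one theme ("theme"). Comparison is
    case-insensitive; the difflib ratio is a heuristic chosen for this example."""
    findings = []
    sites = sorted(vault)
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            pa, pb = vault[a], vault[b]
            if pa == pb:
                findings.append((a, b, "exact"))
            elif difflib.SequenceMatcher(None, pa.lower(), pb.lower()).ratio() >= theme_threshold:
                findings.append((a, b, "theme"))
    return findings


# Constructed vault: one duplicate, one themed variant, one manager-generated password.
SAMPLE_VAULT = {
    "bank": "Summer2016!",
    "email": "Summer2017!",
    "court-portal": "Summer2016!",
    "research-db": "x7!Kq9#vLm2$Rp",
}

if __name__ == "__main__":
    # Constructed phrase, not the one printed in the article.
    print(phrase_to_password("Every second Tuesday the photocopier eats one more staple, never two."))
    for a, b, kind in find_reuse(SAMPLE_VAULT):
        print(f"{kind:5} re-use: {a} / {b}")
    print(random_password(), f"~{entropy_bits(20):.0f} bits")
```

Running the audit on the constructed vault reports the exact duplicate between the bank and court portal and the “Summer” theme shared with the email account, while the manager-generated entry is not flagged; that is the distinction the first bullet is drawing.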
Your clients trust you to ensure anything that might be needed as evidence is admissible.
If you can satisfy the standard used by the Electronic Transactions Act 2002 (soon to fall under the new Contract and Commercial Law Act 2017), that will probably be enough. That test is (basically) whether an electronic form of the record “reliably assures the maintenance of the integrity of the information, given the purpose for which, and the circumstances in which, the information is required to be provided or produced”. Give it some thought but, as a starting point, I would suggest you ensure that all documents stored electronically have:
- appropriate meta-data – title, description, date, author;
- with scanned documents, a minimum level of quality and a policy that explains what categories should be saved in full colour;
- a flag to show whether an electronic record is a copy made directly from an original document or a copy of a copy, and whether the original has been destroyed or retained; and
- some way to prevent alteration or deletion of certain documents (for example, anywhere the “original” flag is present, prevent deletion).
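The four requirements in the list above, as an added Python example that is not part of the article: a small in-memory document register that records the metadata named (title, description, date, author), enforces a minimum scan quality, carries the original/copy flag and the retained/destroyed flag, stores a SHA-256 digest of the content as filed so that later alteration is detectable on audit, and refuses to delete or replace any record flagged as an original. The 300 dpi minimum, the flag values, the class and function names and the sample filings are all assumptions made for this example.

```python
"""Added example, not from the article: a minimal document register that
records the metadata the article lists, carries an original/copy flag,
enforces a minimum scan quality, keeps a SHA-256 digest of the filed content
so later alteration can be detected, and refuses to delete or replace
anything flagged as an original. Sample documents are constructed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, replace as dc_replace
from datetime import date

MIN_SCAN_DPI = 300                    # policy value assumed for this example
SOURCE_KINDS = ("original", "copy")   # made directly from the original, or from a copy


class ImmutableOriginalError(Exception):
    """Raised when a record flagged as an original would be altered or deleted."""


@dataclass(frozen=True)
class DocumentRecord:
    title: str
    description: str
    created: date
    author: str
    source: str              # one of SOURCE_KINDS
    original_retained: bool  # has the paper original been kept?
    scan_dpi: int | None     # None for born-digital documents
    sha256: str              # digest of the content as filed


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def scan_meets_policy(dpi: int | None) -> bool:
    """Born-digital records (dpi None) pass; scans must meet the minimum."""
    return dpi is None or dpi >= MIN_SCAN_DPI


class DocumentRegister:
    """In-memory register; a real system would persist to a database and
    write-once storage, but the checks would be the same."""

    def __init__(self) -> None:
        self._records: dict[str, DocumentRecord] = {}
        self._content: dict[str, bytes] = {}

    def add(self, doc_id: str, content: bytes, *, title: str, description: str,
            created: date, author: str, source: str, original_retained: bool,
            scan_dpi: int | None = None) -> DocumentRecord:
        if doc_id in self._records:
            raise ValueError(f"{doc_id} is already filed; use replace()")
        if source not in SOURCE_KINDS:
            raise ValueError(f"unknown source flag {source!r}")
        if not scan_meets_policy(scan_dpi):
            raise ValueError(f"{scan_dpi} dpi is below the {MIN_SCAN_DPI} dpi policy minimum")
        record = DocumentRecord(title, description, created, author, source,
                                original_retained, scan_dpi, sha256_hex(content))
        self._records[doc_id] = record
        self._content[doc_id] = bytes(content)
        return record

    def get(self, doc_id: str) -> DocumentRecord:
        return self._records[doc_id]

    def verify(self, doc_id: str) -> bool:
        """True if the stored content still matches the digest taken at filing."""
        return sha256_hex(self._content[doc_id]) == self._records[doc_id].sha256

    def audit(self) -> list[str]:
        """Identifiers of every record whose content no longer matches its digest."""
        return [doc_id for doc_id in sorted(self._records) if not self.verify(doc_id)]

    def _guard(self, doc_id: str, action: str) -> None:
        if self._records[doc_id].source == "original":
            raise ImmutableOriginalError(f"cannot {action} {doc_id}: flagged as original")

    def delete(self, doc_id: str) -> None:
        self._guard(doc_id, "delete")
        del self._records[doc_id]
        del self._content[doc_id]

    def replace(self, doc_id: str, content: bytes) -> DocumentRecord:
        """Re-file content for a non-original record and refresh its digest."""
        self._guard(doc_id, "replace")
        record = dc_replace(self._records[doc_id], sha256=sha256_hex(content))
        self._records[doc_id] = record
        self._content[doc_id] = bytes(content)
        return record


def try_delete(register: DocumentRegister, doc_id: str) -> bool:
    """Attempt a deletion; False means the original-flag guard refused it."""
    try:
        register.delete(doc_id)
        return True
    except ImmutableOriginalError:
        return False


def build_sample_register() -> DocumentRegister:
    """Two constructed filings: a scanned original (paper since destroyed) and a copy."""
    reg = DocumentRegister()
    reg.add("D-001", b"%PDF-1.4 scanned affidavit (constructed bytes)",
            title="Affidavit of J. Bloggs", description="Sworn affidavit, scanned in colour",
            created=date(2017, 3, 1), author="J. Bloggs", source="original",
            original_retained=False, scan_dpi=300)
    reg.add("D-002", b"Letter received by email (constructed bytes)",
            title="Letter from opposing counsel", description="Received by email",
            created=date(2017, 3, 2), author="Opposing counsel", source="copy",
            original_retained=False)
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print("records failing integrity check:", reg.audit())
    print("delete original allowed:", try_delete(reg, "D-001"))
    print("delete copy allowed:", try_delete(reg, "D-002"))
```

The digest is what lets you later say the record “reliably assures the maintenance of the integrity of the information”: an audit recomputes it over the stored bytes and lists anything that no longer matches, whether the change was a fault or a deliberate edit. Keeping the digests somewhere the document store cannot overwrite (a separate log, or a signed export) makes that assurance stronger.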
- NZLS has published guidance on protecting personal information and Cloud computing (see https://goo.gl/prUZKU and https://goo.gl/7MNcCs).
- The Privacy Commissioner has some comments on location of data at https://goo.gl/qJTH2Q.
- Bruce Schneier is a security expert and has a good blog post on passwords at https://goo.gl/uEPV89.