As technology morphs, the lawyer’s obligation to protect client data becomes more difficult. With each new advancement there are new ways that client information could be revealed, and our duty to take reasonable steps to protect that data changes. It gets tougher and tougher to figure out what actually constitutes “reasonable steps” to protect the data as required by Rule 1.6(c). Today I believe that the question of whether a lawyer is taking “reasonable steps” to protect client data is being redefined once again. I believe that there is an evolving duty not to share information.
I’m not talking about the stupid kind of sharing like posting a comment on social media about a client matter. I’m talking about lawyers’ less obvious ways of sharing information, and there are two ways that concern me in particular: sharing access to contacts and sharing access to our location.
Here’s how those two concerns appear in the practice. Some platforms we use ask us if we want to import our contacts, or provide that site “access” to our contact list. It’s most likely done because it allows the software we’re using to make communication more efficient. Or consider other instances where you share your location— not by checking in somewhere on Facebook— maybe it’s a fitness app that runs constantly in the background and tracks your location. Other times, the app is not so obvious. In fact, most of us probably don’t even realize that certain apps are sharing our location. When I started looking into this issue I learned that I was allowing the app that updates the firmware on my headphones to track my location. I also inadvertently gave location-tracking permission to the app that helps me organize my reimbursable expenses. I even remember reading somewhere that crossword puzzle apps sometimes track your location.
My concern is that these sources of information can be put together by the bad guys to find out lots of stuff about our practices and our clients. That’s why I see contact lists and location information as puzzle pieces. We are revealing bits and pieces of our practice that, when put together, could end up revealing client relationships, the status of client matters, etc.
A bad guy with access to this information could learn a slew of things: When were you at your adversary’s office? How often did you go to your adversary’s office? Does that mean a deal is imminent? Did you accompany your client to a meeting with a bankruptcy attorney, or a white collar criminal lawyer? What if bad guys want to target a particular corporation, and they have focused on a particular corporate officer? They realize you’re the lawyer, so they hunt through your contact lists to see if you’re connected with that individual. You became the hard target…and you gave them another step toward the client. Now maybe the bad guys can find your client’s mobile number and track the client. Or maybe they learn a personal email address which allows them to send phishing emails, malware, or ransomware to the client. Plus, there’s other information people can get from our contact list — what if the contact-sharing that you authorized also imports the notes that you keep in your contact’s entry? There could be information covered by the attorney-client privilege in those notes.
It’s true that we can’t say how this danger will actually manifest itself. We can’t say, “this is the specific app to watch out for” or “stop using this particular platform.” We don’t know how or when the bad guys will put the puzzle together. But here’s something that we do know for sure— they are trying. That is a given. But, despite accepting that undeniable fact, we continue to voluntarily provide the puzzle pieces and that doesn’t seem to be reasonable.
Think about it — if we know that they are constantly and consistently trying to put these pieces together, is it reasonable to think, “Hey, these bad guys are scouring the internet trying to put these puzzle pieces together…so I need to keep giving them those pieces”? No. It’s not. Our duty is to stop helping the bad guys. Lawyers need to reconsider whether we should continue sharing this type of data.
My concern gained a bit more credibility after I read an article in the Wall Street Journal recently. (Note that we live in a politically charged environment and I am not giving you this quote because the Trump Administration was involved, nor because it’s about immigration issues. This is about a tech concern.) According to the Wall Street Journal,
“The Trump administration has bought access to a commercial database that maps the movements of millions of cellphones in America and is using it for immigration and border enforcement…The location data is drawn from ordinary cellphone apps, including those for games, weather and e-commerce, for which the user has granted permission to log the phone’s location. The Department of Homeland Security has used the information to detect undocumented immigrants and others who may be entering the U.S. unlawfully, according to these people and documents.”
See what I mean? It’s not about the fact that the Trump Administration bought access to this commercial database. It’s about the fact that the commercial database exists at all and that anyone can purchase access to such a database. It’s a problem for lawyers because it means that people are collecting data that could reveal information about our practice and our client matters. Oh, and the kicker is that that information is being delivered by us— we are sharing it voluntarily and gifting it to the company that’s collecting it for their database.
Maybe, today, part of taking “reasonable measures” to protect client confidential information includes putting up a barrier….making it more difficult for people to gather our information…making it tougher for them to put the pieces together. Given what we know about the relentless efforts that people are making to gather and use that information, maybe we have a duty to take appropriate evasive tactics.
I think a good analogy is “proper password selection.” We would all agree, I’m sure, that it’s not reasonable to have a password that is your birthday, or something common like the word, “Password.” Everyone would agree that it is not reasonable to use easily discoverable passwords, and that doing so is not taking “reasonable steps” to protect client information. But it wasn’t always like that. There was a time when no one considered the need for uncommon passwords. That was, of course, until people started getting hacked because of their weak passwords. Once the infiltration started, the standard changed. Today it’s simply expected that lawyers will have proper passwords. And that’s where we are headed with the duty not to share.
Up to today every lawyer has shared their contacts and location and we’ve never batted an eye. But times are changing. The danger of doing so is becoming apparent and it might be time that we stop giving away the puzzle pieces. That’s why I think we are witnessing the evolution of a lawyer’s duty not to share.