Our duties to our clients to protect their private and confidential information do not change even if our communication method does. Those duties, however, probably don’t increase either—even if some new challenges arise.
When society first began to respond to COVID-19 in March, attorneys around the country found themselves shifting how they practiced law. A lot of that shifting was reactionary: stay-at-home orders caught most firms off guard. Even with this sudden shift, though, attorneys rushed to find ways to stay in touch with clients, generate new business, and carry on the practice of law. That was March.
Six months after those first stay-at-home orders, much of that reactionary style of practice has become the new normal. We are still here, conferencing with clients online. Meeting with clients via video conference or video chat has been instrumental in continuing our practices. We can still interact with clients, and we can even have some semblance of physical interactions. After all, when assessing a client’s capacity or the possibility of undue influence, seeing the person we are talking to is essential.
In June, elder law attorney Judith Grimaldi, CELA, CAP, addressed some of the practical challenges of video conferencing in her article, “The Challenge of Video Conferencing.” From that and our growing experience, many of us have learned a lot about the best practices of enhancing our video conferencing capabilities and our clients’ experiences. As time has passed, though, we are no longer merely reacting to a sudden crisis. We now need to reach beyond enhancing experiences and carefully assess other areas of video conferencing. We must make sure that even in this new normal of video conferencing, we are still protecting the privacy and confidentiality of client information. The rules of ethics require it.
Protecting Client Information
We, as attorneys, have a duty to protect client information. Rule 1.6 of the Model Rules of Professional Conduct, for example, addresses issues related to confidentiality. More specifically, 1.6(c) states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” As this has been analyzed and applied, often it boils down to that favorite term among attorneys: reasonable.
So what is reasonable when it comes to a sudden shift in how we practice? I own my own firm, and I am what many would call a true solo: it’s just me. I do not have staff. And I certainly do not have an Information Technology department. But from everything I have read about Rule 1.6(c), none of those things are required or even necessary in order to make a reasonable effort to protect client information. An effort is required, though. I am sharing here the efforts I have made.
Let’s step back and look at client information in life pre-COVID-19. You probably do not have your paper files protected by armed guards. But you do protect them. You have a lock on your office. Maybe you even lock your file cabinet. But you probably do not have a series of armed guards standing watch over your paper files at all times. That would be well beyond reasonable efforts.
At some point, perhaps you ran out of room in your file cabinet. Maybe you used an extra room in your office. But at another point, especially for larger firms, off-site storage eventually presents as the answer to the space problem for storing your files. Entire businesses exist just to store law offices’ files. A key component in choosing such a facility is, of course, security. Even in such vast warehouses storing thousands of legal files, security goes only so far. Again, the 24-hour presence of armed guards seems unlikely. And yet, this storage of client information is surely reasonable.
Over the past decade (or more), more and more law firms have made the move to become paperless (at least as paperless as possible). By scanning everything and returning originals to clients, our space problem with file storage regarding paper files has been solved. But a new problem emerged: what is reasonable in protecting clients’ electronic information that our firms store?
When we look at how we store electronic data, we might consider some similar comparisons. It is unlikely you require three employees to log on to a server together in order to access an electronic file. On the other hand, you probably do have your computer password protected. If you back up your data to an external hard drive, surely that, too, is password protected. All of these areas address when you control this data, much like when the paper file is in your office. But when you send the client information to another party, that opens an entirely new realm of protecting client information: encryption.
Understanding (the Basics of) Encryption
Before I dive into the exciting topic of encryption, I must state that I am not an IT professional. I never even took a computer science class in college. So when I say I’m sharing the basics, I truly mean it. I am not diving deep into electronic files, data, transmission, etc. (No doubt my surface description will make a computer or IT professional chuckle (or even roll her eyes) the same way we might when a layperson tries to explain a durable power of attorney.) Instead, I am sharing what I have learned from my personal self-education in this area as I assessed what would be reasonable for my office in protecting client data. I encourage each of you to arrive at your own conclusions. I hope that sharing my journey might help you along the way.
Okay—back to electronic data.
When you have files on your computer, they are saved on your hard drive. A best practice in having any electronic files, of course, is backing up those files. Perhaps you use an in-office private server or maybe something as small as an external hard drive. (And please, please at least use an external hard drive to make sure you are constantly backing up your electronic files.) The basic step of protecting those files is to protect them with a password.
Good external hard drives, though, offer more than mere password protection just to access the drive. Your electronic files can be encrypted. This means (again, I’m a layperson here) that your data is converted and scrambled such that if someone steals your external hard drive, that person could not just plug that into another computer and read all of your files. Instead, another password is needed to convert the data back to a readable format. This encryption in storing electronic data is encryption at rest.
When you send information via the internet, whether via email, file uploads, or video chatting, during the time the information is going back and forth between you and your client, it can be encrypted. This is encryption in transit. Put another way, if your data is encrypted in transit, then if anyone intercepts it, it will be scrambled so it will not be readable.
Beyond understanding that data is encrypted at rest and/or in transit, how much data is encrypted at once identifies the strength of the encryption. Overwhelmingly, the information out there supports that AES is “the most widely accepted and secure encryption method for the price.” [1] And what seems to be the strongest AES encryption is called AES-256.
Encryption is not as simple as I just explained it, of course. My goal was to learn what I felt I needed to know to assure myself that I am using the strongest reasonable methods of protecting clients’ electronic information. I concluded that when I send client information, it should be encrypted. And when I store that information, it should be encrypted. I also decided that my firm will use providers such as cloud storage providers, practice management software companies, CRM software companies, and even my calendaring software companies that use AES encryption (ideally AES-256).
Protecting client information involves more than just encryption, even if encryption is a big part of the picture. Our new format of meeting via video conference presents additional areas to assure we are making those necessary reasonable efforts to protect client data.
Applying Reasonableness in Protecting Remote Meetings
Whether we are meeting with clients in our offices or over the phone, we have experience with protecting that information. We would not sit across the room from a client at a coffee shop and shout to each other to have a meeting. Most of us would not even have a meeting in a coffee shop. Instead, we had our meetings in our offices. We closed our doors.
Video meetings, however, bring new challenges beyond closing a door. The possibility that someone else could be present in the meeting is higher, either by accessing the video conversation online or by being physically present in the room with our client, off-screen. In addition, while meeting virtually, we are sending and receiving data—data that could be intercepted. Whether it is data being intercepted in real-time or data accessed if records of our meetings are stored electronically, this needs protection—at least with reasonable efforts.
Private Meetings on Our End
We can protect our meetings by controlling who is in our meetings. When the initial stay-at-home orders came out, Zoom became quite popular. Following shortly on that, though, came the warnings about Zoom. A new term was coined: Zoom bombing. The FBI even sent a warning regarding Zoom and the bombers.
In Zoom bombing, someone finds a link to a Zoom meeting, logs into that meeting, then takes it over with offensive language/rants or shares his screen with offensive pictures and the like. This scared a lot of people away from the platform entirely. Even if someone does not bomb your meeting with offensive speech or images, no one should be in your meeting other than you and your client. Zoom bombing was made possible because meeting hosts published the links to online meetings. No one monitored who was coming and going from the virtual meeting room. Anyone could join.
As attorneys, part of our responsibility, then, is to make sure that even our video meetings are private. We should not have a public link for our online meetings. Not only should we not have our link public, we must also have a unique ID for each and every meeting along with a password, one that changes for every meeting. We can further protect our meetings by ensuring that no one is automatically entered into the virtual room. (Zoom, for example, now requires attendees to stay in the waiting room by default.) By changing the URL link, meeting ID, and password for each meeting, by sharing that information with only our client for that client’s meeting, and by using a virtual waiting room to control who enters the virtual meeting space, we can assure the meeting is private from our end. Choosing a video meeting platform that offers all of these options and using those options helps us make those reasonable efforts to protect client information.
Private Meetings on Our Clients’ End
We control whether our meeting is private by making sure no one logs in uninvited. At the same time, we also need to make sure no one is sitting with our clients on their end. We meet with our clients outside of the influence of adult children, caregivers, and the like to assess capacity. We too need to do so when meeting remotely.
One of the easiest things to do is ask, “Is anyone else in the room with you?” You might find that starting each meeting by asking the client to show you the room with the camera is a good way to start. Remember that in your office, you manage who is in the conference room; you can find your style of managing your video conference room too.
If someone is being unduly influenced, though, the person might not be honest when asked. This is when you need to pay particular attention to body language, eye contact, and sounds. If you see your client frequently looking beyond the camera, you might ask again if anyone is helping the client.
When others are involved in planning, you might then ask your client to position the camera so you are able to see when others come and go. I have had meetings with clients that have started with several family members. I was able to see all the people in the room and the door to the room. When it came time to meet with just one of those persons, I was able to observe the others leave the room and close the door. (The dog, though, stayed in the room, occasionally adding his opinions in the form of barks.)
Data Encryption in Transit and at Rest
The actual data of our meetings also needs to be protected. Zoom made the news this spring for other reasons beyond the bombers. Back in April, when Zoom became so popular, apparently at some point it implied it used a particularly high level of encryption: end-to-end encryption. It did not. Almost overnight, having its name become to video conferencing what Kleenex became to tissues, Zoom promptly pivoted. Within a short amount of time, Zoom was up to using the lauded AES-256 encryption.
Encryption matters as your conversation back and forth is being transmitted from your screen to your client’s screen via the internet. We send information back and forth over the internet if we use a cloud-based server to store or back up client files. We also send information over the internet when we use a VOIP phone in our practice. In any and all of these areas, we need to make reasonable efforts to protect that information. If your video platform provider does not share its encryption method, then it probably is not enough. And it probably is not a reasonable enough effort. For me, I waited until Zoom was using that AES encryption before using it for meetings.
Encryption matters too if your meetings are recorded and stored. Some video platforms allow you to record the meetings. The method for storing those recorded meetings should be as good as that for storing any of your electronic data: encrypted with up-to-date encryption methods. (If you use this feature, be sure you know whether your state requires you to inform the other party. (This is probably a good practice regardless of state requirements.))
Arriving at Best Practices
As new as video meetings might feel, as we see from the above, most of the issues involved in protecting client information are not that new. Regarding the data itself, how we have protected other electronic files applies also to video data. And regarding other aspects, we can analogize tools such as closing our office doors and keeping family members in the waiting room to our video meetings.
As for specifics regarding video conferences, after assessing the similarities and challenges of video meetings, I have a few key points at the top of my analysis for considering what reasonable efforts we need to take to protect client information:
• Use a platform that provides a new and unique link for every client meeting.
• Use a platform that allows each meeting to be password protected.
• Use a platform that provides a waiting room. (This too allows family members who are in other cities to attend a meeting but not necessarily be a part of the entire meeting.)
• Develop a pattern to assess who is in the room with your client.
• Use a provider that lists its encryption method, choosing one that is as good as you can get, using reasonable efforts and reasonable costs.
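The checklist above can be applied mechanically to a firm's scheduled meetings. The following is an added example, not part of the original article: it audits constructed meeting records for a reused link or ID, a missing or reused password, a disabled waiting room, and an unstated encryption method. The record fields are hypothetical and do not correspond to any video platform's export format or API.

```python
from collections import Counter

# Constructed sample records; the field names are hypothetical and do not
# correspond to any video platform's export format or API.
MEETINGS = [
    {"client": "A", "meeting_id": "811-204-771", "passcode": "k7Vq2mPz",
     "waiting_room": True, "encryption": "AES-256"},
    {"client": "B", "meeting_id": "811-204-771", "passcode": "k7Vq2mPz",
     "waiting_room": True, "encryption": "AES-256"},
    {"client": "C", "meeting_id": "390-118-562", "passcode": "",
     "waiting_room": False, "encryption": None},
]


def audit_meetings(meetings):
    """Return {client: [findings]} for meetings that miss a checklist item."""
    # Count IDs and passcodes across all meetings so reuse can be detected.
    id_counts = Counter(m["meeting_id"] for m in meetings)
    pass_counts = Counter(m["passcode"] for m in meetings if m["passcode"])
    report = {}
    for m in meetings:
        findings = []
        if id_counts[m["meeting_id"]] > 1:
            findings.append("meeting ID/link reused across meetings")
        if not m["passcode"]:
            findings.append("no passcode set")
        elif pass_counts[m["passcode"]] > 1:
            findings.append("passcode reused across meetings")
        if not m["waiting_room"]:
            findings.append("waiting room disabled")
        if not m["encryption"]:
            findings.append("provider does not state its encryption method")
        if findings:
            report[m["client"]] = findings
    return report


if __name__ == "__main__":
    for client, findings in audit_meetings(MEETINGS).items():
        print(client, "->", "; ".join(findings))
```

The fourth checklist item, assessing who is in the room with the client, is a matter of observation during the meeting and is deliberately outside what this check covers.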