Don't let your firm's digital assets walk out the door

Regardless of size, location or type of practice, many law firms now issue or subsidize pieces of technology for their attorneys. Whether it is a laptop, smartphone, tablet or some combination of those, attorneys' use of and dependency on these items raises certain questions in various contexts.

For example, what happens to the technology (and the data stored on them) when attorneys change firms? Can they take their laptops and smartphones to the new law practice? This issue, among a multitude of others, has arisen in lawsuits between law firms. The former law firm may be concerned that these items contain sensitive, proprietary, or client confidential data. Meanwhile, the new law firm has invested in a seamless transition of the attorney's practice.

This sort of dispute highlights the challenges that arise from the portability of today's modern technology. Now more than ever before, law firms must address these challenges head-on to protect themselves and to assure compliance with the ethical and professional rules that govern their conduct.

Laptops, smartphones and tablets (as well as flash drives and "the cloud") present a new set of risks for law firms. Departing attorneys can take a law firm's most valuable commodity - information - without removing a single physical file. Forms, client contact information, and client files can be duplicated and taken with a few simple key strokes. As a result, controls focused only on protecting or securing physical documents are largely meaningless in today's electronic world. With the ease of virtual duplication of files comes the challenge of controlling access to information.

Control is essential to a law firm's ability to fulfill its obligations to protect not only client confidences and secrets but also its business interests. This is complicated by the fact that easy access to technology can make attorneys more efficient and, therefore, more profitable.

The modern law practice faces a challenge: How to maintain a delicate balance by implementing controls sufficient to fulfill ethical and professional obligations, but not so formidable as to hinder the law firm's ability to remain efficient and earn a profit.

Define Ownership

Typically, there are three different kinds of information at play. First, firms can own significant intellectual property derived from work performed on behalf of the law firm and its clients. Obviously, clients own their own data, but few law firms actually define who owns the attorney work product information, even though such information can be extremely valuable.

Some firms have considered including provisions in the partnership or employment agreement that address this. Clarifying ownership makes recovery much more manageable. Like any other company, law firms can then use these provisions to seek either injunctive relief or damages when information is misappropriated in violation of a partnership or employment agreement.

Second, firms own the right to relationships, including client contact information. In part, this ownership right arises out of the fiduciary obligations that attorneys owe to their fellow partners and to the firm.

By specifying the ownership, law firms can protect themselves from the misappropriation of data. It is possible to waive the right to the ownership of such relationships through what are often called Jewel waivers. See, e.g., Heller Ehrman LLP v. Davis, Wright, Tremaine LLP, 527 B.R. 24 (N.D. Cal. 2014).

Finally, until terminated, law firms have a right and duty to control client files. Clients remain clients of the law firm until they instruct otherwise. Thus, some practitioners have confirmed this custodial control in the initial engagement letter or fee agreement.

If the client agrees in writing that the law firm shall retain exclusive custodial control over client files until the client gives instructions otherwise, the law firm has the ability to assert and maintain that control. Departing partners or attorneys violating this agreement risk claims not only for breach of fiduciary duty by the law firms, but also ethics grievances for violating client confidences and secrets.

Implement Protocols

In addition to fulfilling ethical and professional confidentiality obligations, technology also provides the firm with protection against cyberattacks. Although there are many resources for attorneys that describe the technologies available to protect law firms, one recognized approach is to hire specialists charged with designing protocols, practices, and procedures tailored to the specific firm.

In order to maintain duties of confidentiality and competence, a California attorney must take certain steps to evaluate the technology used to store client confidences and secrets. The California State Bar's Standing Committee on Professional Responsibility and Conduct has advised that attorneys should confirm: "1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client's instructions and circumstances, such as access by others to the client's devices and communications." See Formal Opinion No. 2010-179.

In implementing these issues, firms can focus on three objectives. First, firms may consider asking for systems that confirm data integrity. Whether faced with a departing partner or cyber attacker, a firm can have the ability to determine whether data has been downloaded and if so, when, where, and by whom.

Second, firms may consider encrypting their data to increase system security.

Finally, most firms' systems will require regular password/passcode updates. Time-limited passwords and passcodes at least reduce the duration of risk.

Act Promptly

When it comes to electronic data, nothing good comes from delay. The ability to enforce rights often dissipates with time, while the risk of waiver increases.

Prompt action enforcing the rights documented in partnership and employment agreements and confirmed in engagement letters and fee contracts ensures that law firms have the greatest likelihood of success in protecting their digital data and their clients from whatever comes.