A new nonprofit organization has emerged to help lawyers assess the safety and security of their law practice environment. The organization is the International Legal Technology Standards Organization and it recently released a set of standards that law firms can used to evaluate:
- the law firm’s internal security standards; and
- help law firm’s make informed decisions about "cloud computing" vendors and other hosting arrangements where confidential data is stored outside of the physical office of the law firm
The Standards are much more detailed and comprehensive than the ABA/LPM’s eLawyering Task Force publication of Cloud Computing Guidelines for Law Firms.
Disclosure: I am on the Advisory Board of ILTSO and provided some guidance to the development of the standards.
The standards are being circulated for comment before final publication.
The standards offer a sensible definition of "reasonable under the circumstances" by recognizing that different types of law firms have different security needs, although all lawyers are bound to prevent the disclosure of client data. Law firms are categorized into three types of situations:
- "Bronze – this standard is appropriate in every law practice, including solo practices."
- "Silver – this standard is typically appropriate for firms of more than one attorney, or where circumstances or resources dictate."
- "Gold – this standard is typically appropriate for larger firms or those with additional IT resources, or where circumstances or resources dictate."
The idea of categorizing law practice environments into these three categories is a new idea, as some of the standards only apply to the Gold and Silver category. The intent is to recognize that law firms have different IT capabilities and the size of the law firm usually determines how the law firm will approach the problem of securing client and other firm data.
At this point of development, the law firm is responsible for undertaking their own self-assessment. Law firms can apply to the standards to their own law practice environment and if in compliance display the ILTSO seal.
At some point, I can see where ILTSO might undertake an independent assessment of a law firm’s security arrangements and if it compliance with the standards, award a certificate like the Truste certification which assesses an organization’s privacy policies. A small fee could be charged for this assessment and it would vary depending on whether the type of law firm practice environment is Bronze, Silver, or Gold. This would give assurance to clients that all reasonable efforts have been taken to secure the confidentiality of their data.
It will be interesting to see how the organized bar responds to these standards, as their are entities both at the state level, and the American Bar Association that are analyzing these same subjects.
The ABA Ethics 20/20 Commission, for example, has been holding hearings on cloud computing and security of data and has released a working paper on this subject.
Just last week, the Commission released its recommendations on outsourcing, which is a process that has an impact on the confidentiality of client data. The recommendations have not yet been posted on the Commission’s web site, but the ABA Journal reports that:
"The commission proposes revisions to the Model Rules recognizing that electronically stored information, including metadata, is material subject to confidentiality rules. It also proposed revisions directing lawyers to make reasonable efforts to prevent inadvertent disclosure of information relating to representation of a client."
ILTSO’s new standards would give concrete meaning to the definition of "reasonable efforts" and provide a detailed framework that could guide attorney assessment of particular outsourcing and cloud computing arrangements.
A positive impact of having this evaluation framework in place might be the accelerated adoption of technologies, such as cloud computing. Compliance with the guidelines would support a law firm’s assertion that the firm has taken all reasonable steps to secure client data to reduce its liability in case of a security breach over which the firm had no control.
An unanticipated consequence might be a slow down in adoption, as the lack of clarity in this area might give many lawyers a reason not to become "early adopters." Many lawyers might choose to wait until standards like ILTSO’s are accepted by a broad base of legal organizations and law firms.
Of course, by then, the "real" early adopters will have acquired a first mover advantage over law firms that are still thinking about the subject, to the those firms competitive disadvantage.
