Mistakes law firms make safekeeping client personal information can cause embarrassment, cost revenue and lead to bar complaints. Lawyers are expected to understand the benefits and risks of the technology the firm uses and, in addition, are required to “…make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” (Rule 1.6, ABA Model Rules of Professional Conduct)

Here are the most common mistakes law firms make in collecting and keeping client personal information and some best practices to implement:

1. Collecting unnecessary client personal information.

Law firms tend to believe that more information is better. It’s an advantage to know more than an adversary knows, so the thinking goes. Collecting client personal information that is not needed for the case is a mistake.

Best practice: When it comes to keeping data safe, less is better. Limit personal information your firm collects to only what is needed and less will be at risk. If you don’t need a client’s social security number, for example, don’t collect that information. If you do collect it, destroy it as soon as you no longer need it.

2. Failing to get informed consent to the collection and storage of client personal information.

Law firms rarely discuss their data collection, storage and destruction policies with clients. Some fee agreements include only a line or two about “electronic data” and destruction after a specified number of years.

Best practice: A firm can minimize a client’s concerns by having the discussion during the engagement process. Telling the client you are requesting a minimum of personal information and that it is (or is not) encrypted, for example, gives the client the opportunity to express any concerns and ask questions up front. An ounce of prevention.

3. Keeping outdated, incomplete or inaccurate client personal information.

Law firms often rely on the client to update personal information in the firm’s file. When the lawyer becomes aware of a change, often the “old” information is kept even if it has become irrelevant.

Best practice: Have a policy to ask clients whether any update to personal information is needed (think doctor’s office). Destroy irrelevant information immediately. Have a system in place to periodically check the accuracy of personal information. Review information to make sure it is complete, relevant and accurate.

4. Failing to keep client personal information secure.

It’s hard work to keep up with the continuing changes in technology. What was secure yesterday may have changed today, and law firms that don’t stay aware are putting clients’ personal information at risk. What lawyers don’t know about technology and data security can be their Achilles’ heel.

Best practice: Security decisions are the lawyer’s responsibility. If your firm has an IT department or person, communicate and understand what is said. If you are a solo practitioner or a small firm, become competent at data security or hire an attorney or firm to advise you. Make sure staff are trained about privacy and security. Periodically assess firm practices and look for holes.

5. Failing to encrypt client personal information.

Encryption is a subject that is not easily understood (by definition), so law firms tend to avoid it. A firm may not have considered that its phone bill, for example, contains a wealth of information. Hacked unencrypted client statements can reveal client secrets and the firm’s strategies. A subpoena can reach saved text messages and emails.

Best practice: Beyond using private servers and VPNs (Virtual Private Networks) to sign on remotely, think about other interactions that are outside of that system. There are solutions like VaporStream that encrypt (end-to-end) and shred text messages. There are free email encryption options like Virtru to ensure that an encrypted email is delivered to the right recipient. Review all forms of client communication and secure them. Make sure staff are on board.

Rules of Professional Conduct/Responsibility require that lawyers take reasonable steps to keep client information safe. As we’ve seen recently, even the biggest organizations are subject to attack. Lawyers are trusted to keep clients’ confidences. Keeping data safe is just one more way lawyers do that.

Susan Kayler practices in the area of Privacy and Technology Law and provides firms, individuals and businesses with privacy assessments, data breach plans and information technology best practices. Contact her at susan@kaylerlaw.com.