Many law firms issue or subsidize laptops for their attorneys. So what happens when attorneys move between firms? Can they take their laptops with them? This very issue has arisen in lawsuits between law firms. The law firm from which the attorneys departed may have concerns that laptops contain sensitive, proprietary or client confidential data; the law firm that hired the departing attorneys may want to ensure that its new employees can transition their practice seamlessly.
This sort of dispute highlights the challenges that arise from the portability of today's modern technology. It is much more difficult now than ever before for law firms to protect themselves and to assure compliance with the ethical and professional rules that govern their conduct.
Laptops (and now flash drives and the cloud) present a new set of risks for law firms. Today, departing attorneys can take information—a law firm's most valuable commodity—without taking a single box of files or photocopying a single sheet of paper. Forms, client contact information, and client files can be taken with the single stroke of a computer key. Controls aimed at protecting or securing hard copies are largely meaningless in today's electronic world.
Data backup, not hard copies, are the new norm for virtually every law firm. With the ease of virtual duplication of files comes the challenge of controlling access to the information.
Control is essential to a law firm's ability to fulfill its obligations to protect not only client confidences and secrets but also its business interests. In a business where time is money, control is inversely related to efficiency. In other words, the more difficult that firms make access to information, the less efficient attorneys can be. Less efficiency inevitably translates to less money.
Today's law firms must maintain a delicate balance by implementing controls sufficient to fulfill ethical and professional obligations (and to protect their most valuable asset), but not so formidable as to hinder the law firm's ability to make money. To strike this balance, firms must shift their focus from physical possession of client information to "virtual" control.
Control by clarifying ownership
When dealing with tangible assets, possession is often described as nine-tenths of the law. But when dealing with intangible assets, the law is a little more complicated.
For the typical law firm, there are three different kinds of information at play. First, firms can own significant intellectual property derived from work performed on behalf of the law firm and its clients. Obviously, clients own their own data, but few law firms actually define who owns the attorney work product information, even though such information can be extremely valuable.
One course is to include provisions in the partnership or employment agreement that clearly specify who owns any data not specifically owned by the clients. Clarifying ownership makes recovery much more manageable. Like any other company, law firms can then use these provisions to seek either injunctive relief or damages when such information is misappropriated in violation of a partnership or employment agreement.
Second, firms own the right to relationships, including client contact information. In part, this ownership right arises out of the fiduciary obligations that attorneys owe to their fellow partners and to the firm.
For many reasons, many firms opt to specifically address these valuable assets in partnership and employment agreements. By specifying the ownership, law firms can protect themselves from the misappropriation of these assets as well. It is possible to waive the right to the ownership of such relationships through what are often called Jewel waivers. See, e.g., Heller Ehrman LLP v. Davis, Wright, Tremaine LLP, 527 B.R. 24 (N.D. Cal. 2014).
Finally, until terminated, law firms have a right and duty to control client files. Clients remain clients of the law firm until they instruct otherwise. The initial engagement letter or fee agreement is the best time and place to confirm this custodial control.
If the client agrees in writing that the law firm shall retain exclusive custodial control over client files until the client gives instructions otherwise, the law firm has the ability to assert and maintain that control. Departing partners or attorneys violating this agreement risk claims not only for breach of fiduciary duty by the law firms, but also ethics grievances for violating client confidences and secrets.
Most firms err by failing to document these important rights in ways that make them clear and enforceable. Firms can even include severe and enforceable penalties to deter violations. With such provisions in place, violators take all the risks—making ownership closer to control.
Control by implementing protocols
Just like keys to the front door, technology can provide protection to valuable assets. In addition to fulfilling ethical and professional confidentiality obligations, such technology provides the firm with additional protection against cyberattacks.
Although there are many resources for attorneys that describe the technologies available to protect law firms, one recognized approach is to hire specialists charged with designing protocols, practices,= and procedures tailored to the specific firm.
In order to maintain duties of confidentiality and competence, a California attorney must take certain steps to evaluate the technology used to store client confidences and secrets. The California State Bar's Standing Committee on Professional Responsibility and Conduct has advised that attorneys should confirm: "1) the level of security attendant to the use of that technology, including whether reasonable precautions may be taken when using the technology to increase the level of security; 2) the legal ramifications to a third party who intercepts, accesses or exceeds authorized use of the electronic information; 3) the degree of sensitivity of the information; 4) the possible impact on the client of an inadvertent disclosure of privileged or confidential information or work product; 5) the urgency of the situation; and 6) the client's instructions and circumstances, such as access by others to the client's devices and communications." See Formal Opinion No. 2010-179.
In implementing these issues, firms can focus on three objectives. First, firms should ask for systems that confirm data integrity. Whether faced with a departing partner or cyber attacker, a firm should have the ability to determine if data has been downloaded, by whom, to where, and when.
Second, firms' systems should require regular password and/or passcode updates. Time-limited passwords and passcodes at least reduce the duration of risk. Once current passwords or passcodes expire, then the risk should too.
Third, firms should "salt," or encrypt, their data to increase system security. The earlier the detection of an issue, the lower the risk of a significant breach.
When it comes to electronic data, nothing good comes from delay. The ability to enforce rights dissipates with time, while the risk of waiver increases.
Prompt action enforcing the rights documented in partnership and employment agreements and confirmed in engagement letters and fee contracts ensures that law firms have the greatest likelihood of success in protecting their most valuable assets: their time and their clients.
As published in The Recorder