Third-party client data sharing risks lurk on lawyers’ smartphones
Clients’ information can be siphoned off by unknown third parties when it is stored on a lawyer’s cellphone, and law firms are increasingly adopting tools to shield such data from smartphone apps.
In April, the New York State Bar Association issued an ethical opinion – one which is advisory and not enforceable by law – addressing lawyers’ duty to protect client information stored on their smartphones. If your firm is considering switching its MSP or expanding services by adding a new MSP, we recommend you have these three documents ready to ensure a smooth transition.
The association wrote that “the lawyer may not consent to share contacts with a smartphone app unless the lawyer concludes that no human being will view that confidential information and that the information will not be sold or transferred to additional third parties, without the client’s consent.” Cellphone apps do share users’ data with other vendors. In 2022 Facebook sued two mobile apps and their founder in the UK and US for allegedly collecting user data from Facebook through a malicious software development kit. Facebook settled the UK matter in 2021.
Despite the potential exposure of client contact information, emails or notes, few lawyers will forgo leveraging a cellphone to limit such risks, noted Gulam Zade, Chief Legal Officer of Frontline Managed Services, an IT, financial, administrative, and litigation services provider for legal and other industries.
“It’s probably unrealistic because if a lawyer is going to have clients in this day and age they are either using cellphones or tablets,” Zade said. “So if you had a tablet, you have apps on it and those applications – in the same way applications on your phone can – see your data.” However, lawyers and their law firms’ IT providers have multiple options to block the leakage of client data to third parties. For one, lawyers can opt out of applications tracking their cellphone or tablet usage when they download the app, Zade said. But “that doesn’t mean you are actually in the clear,” he noted.
Instead, law firms should require lawyers to install mobile device management software on the cellphone or tablet that allows IT to automate controls and secure access and features on the device.
While many law firms of various sizes have adopted that tool, Zade noted the financial industry was a leader in implementing such solutions and legal followed behind.
“In most instances, law firms will adopt the measures their clients have. What we see is law firms are usually reactionary to what their clients are telling them what to do. Law firms aren’t typically proactive in adopting these solutions,” Zade said, Some law firms are also hesitant to implement stricter policies because of lawyers’ complaints regarding new policies, added Fox Rothschild partner Mark McCreary.
“[When lawyers have] personal and business contacts all on the same Outlook and Microsoft platform, because they spend so much time at work, it’s all mingled together,” McCreary said. “They get upset when they can’t sync Linkedin with their phone [and] the IT department loses.” But various forces are spurring law firms to leverage additional tools to safeguard clients’ data on lawyers’ phones and tablets.
Robert Padilla, security analyst at legal industry IT provider Innovative Computing Systems, said he’s seen an uptick in law firms using mobile application management tools in response to insurance carrier pressures and the shift to remote working. “There’s a need for more security in the remote environment and mobile apps and mobile devices,” he said. “I think it goes hand and hand with why insurance companies are asking [more about] that [tool].” Firms are also implementing encryption, VPNs, data loss prevention, and other mechanisms to protect data, Padilla added.
Gulam Zade is the Chief Legal Officer of Frontline Managed Services, the leading global provider of outsourced solutions to over 600 firms in the legal and accounting markets.
Read the full article here.
Reprinted with permission from Global Data Review, originally posted on Tuesday, September 27, 2022. Further duplication without permission is prohibited. All rights reserved.