Performing Due Diligence in Selecting a Technology Provider | Esquire Deposition Solutions, LLC

Performing due diligence in the selection of technology providers is an integral part of the attorney’s ethical obligation to adequately protect the client’s confidential information. However, it is also one of the most difficult jobs law firms will undertake for a number of reasons.

Rule 1.6 The American Bar Association’s Model Rules of Professional Responsibility provides: “An attorney must use reasonable efforts to prevent the accidental or unauthorized disclosure or access to information relating to a client’s representation.” similar to how attorneys protect clients’ confidential information.

The attorney’s ethical obligation to technology providers is to use judgment and care in their selection. This is because, in the real world, few attorneys have the expertise to make any meaningful assessment of the technology they use to store and convey tenant information.

The technologies used to provide cloud-based services such as data storage and data processing are complex and constantly changing. The customer data is located in one location – or is distributed over several locations – not physically accessible to the lawyer (not that a look at a server bank would be informative). And technology services are licensed to all but the largest law firms through highly technical contracts that are seldom negotiated.
Cybercrime is at the highest level in history, with Law firms are sitting on a veritable gold mine of information for cyber thieves. Now is the time for law firms to identify and fix cybersecurity vulnerabilities in their operations.

Bar regulators: Careful supplier selection is crucial

Bar associations regulators know that attorneys cannot guarantee the security of customer information. “Reasonable efforts” are required as the circumstances dictate. In the comment on rule 1.6 added in 2012, the ABA stated:

Unauthorized access to, or accidental or unauthorized disclosure of information relating to a client’s representation does not constitute a violation of paragraph (c) if the attorney has made reasonable efforts to prevent access or disclosure. Factors to consider in determining the appropriateness of the attorney’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if no additional safeguards are in place, the cost of using additional safeguards, the difficulty in obtaining the information Implementation of safeguards and the extent to which the guarantees interfere with the attorney’s ability to represent clients (for example, by making a device or critical software excessively difficult to use).

The attorney’s ethical obligation to adequately protect client confidential information has been the subject of many government ethics reviews over the past decade.

The Louisiana State Bar Association recently wrote in a statement regarding ethical considerations raised by the use of technology that lawyers “must exercise due diligence” and “review and consider the service agreement” when selecting a technology provider. Louisiana Bar Association Opinion 19-RPCC-021 (2019).

Similarly, the Kentucky Bar Association has advised attorneys in that jurisdiction that “the duty to be competent, the duty to protect a client’s property, and the duty of confidentiality require an attorney to investigate the qualifications, competence, and diligence of the provider “. Kentucky Bar Association formal ethical opinion KBA E-437 (2014).

The Pennsylvania Bar Association concluded that attorneys can ethically store customer information in the cloud if they “use reasonable efforts to meet their obligations to maintain client confidentiality, and confirm that every third party is also obliged to do so. ”(Emphasis added). Pennsylvania Bar Association Formal Statement 2011-200 (2011).

Elements of due diligence
In her 2019 article Ethics: Keeping up with constantly evolving technology was not something they taught in law school (PDF) lawyers Regina Amolsch from Plave Koch PLC in Reston, Virginia, and Leslie Smith from Foley & Lardner LLP in Miami, Florida, have extensively examined the lawyers Legal and ethical obligations to maintain reasonable security around customer information. On the subject of due diligence when selecting technology providers, her advice to lawyers includes:

• Have a basic understanding of the technology and keep up to date with privacy and cybersecurity laws.
• Choose technology providers who can provide security that is compatible with professional responsibility and customer requirements.
• Carefully review and understand service agreements with technology providers. Important terms include those that cover (a) service levels, (b) physical location of customer data, (c) technology standards used, and (d) remedies in the event of a breach of contract.
• Review service contracts to ensure, in particular, that a service provider does not claim ownership or any other interest in customer-related data.
• Investigate each vendor’s track record of data breaches and service disruptions.
• Review each vendor’s testimonials, length of business, financial security, frequency and thoroughness of security audits, and certifications that the vendor meets industry standards.
• Make sure that the service contract obliges the provider to report data security violations and data or access requests from third parties.
• Communicate – in writing – with each technology provider about how the law firm will be notified of changes to physical or cybersecurity protocols.
• Find a contract language that provides compensation for damage and expense in the event of a service failure or data breach.
• Make sure technology providers have insurance against physical or cybersecurity breaches.

The due diligence measures described above may change over time according to the unique security needs of each representation, as well as changing security threats and evolving technologies.

Esquire Deposition Solutions has a. implemented multilayer security framework (PDF) of physical, digital and procedural risk management controls to protect customer information that is shared with us and transmitted through our technology platforms. All data is encrypted end-to-end and secured with system-wide, automatic threat detection and data loss prevention solutions.

Key vendors used by Esquire Deposition Solutions are required to conduct an SSAE 18 SOC2 Type 2 audit for service organizations if they have access to any type of sensitive data. Esquire Deposition Solutions also requires key vendors to either maintain ISO 27001 certification or provide evidence of controls and compliance with ISO 27001 or an equivalent security framework. After a successful initial review of the key vendors’ documentation, Esquire Deposition Solutions requests and reviews updated SOC 2 reports annually to verify compliance with all Trust Services categories to ensure that key vendor controls are ensuring secure service delivery along with robust backup and security Provide recovery capabilities.

Finally, it’s important to note that focusing on vendors shouldn’t lead lawyers to overlook their own cybersecurity practices. Even the most secure technologies will succumb to the negligence of users. For example, in 2017 a Virginia federal district court found that an insurance company accidentally Legal privilege revocation in a file uploaded to the cloud because anyone could access the file with a hyperlink to its location. The hyperlink pointing to the location of the file on Box’s document-sharing website was distributed in an email message containing a disclaimer stating that the material was privileged. Notwithstanding the disclaimer, the federal judge ruled that the insurance company’s negligence with the file amounted to a waiver of legal confidentiality. Harleysville Ins. Co., v. Holding Funeral Home, Inc., No. 1: 2015cv00057 (WD Va. 2017).

Lawyers should also remove customer information from the cloud when the proxy ends. You should train your staff in safe cybersecurity practices and check with technology providers regularly to ensure that the technology used to store and transmit customer information has kept pace with the latest threats.