Client Portals: Should Privacy Regulation Contemplate Individual Confidential Legal Information?

By: Chris Jannace

The use of client portals for storing and disseminating legal documents has become more prevalent.^[1] The intent is to decrease email use for confidential information because of higher confidence in the security of portals.^[2] Portals can be used for sharing documents, bills, and tasks with clients, as well as sharing notes and other required communications with co-counsel.^[3] Advisory ethics opinions generally allow attorneys to communicate with clients using unencrypted email, but recognize that encryption and other security methods are preferred.^[4] As privacy becomes a more pervasive concern and regulation is contemplated, the requirements for securing individual legal client information will likely, and should, increase.

Currently, failure to secure confidential client information may be a violation of the Rules of Professional Conduct and may also be relevant in legal malpractice suits. Rule 1.6 of the ABA Model Rules of Professional Conduct requires firms to make “reasonable efforts” in protecting client information.^[5] Comment 18 clarifies that unauthorized access or disclosure is not a violation “if the lawyer has made reasonable efforts to prevent the access or disclosure.”^[6] Whereas violations of professional conduct do not themselves create claims for legal malpractice, they may be relevant in proving breaches of duty of care.^[7] Failure to reasonably protect confidential information may generate civil liability for malpractice where a promise for heightened security is not kept.^[8] In Guo Wengui v. Clark Hill PLC, which was allowed to proceed for failure to protect the individual client’s information from hackers, the plaintiff became a law firm client with assurance of particular security procedures that were not met.^[9] But what if the firm had not promised heightened security? Should privacy regulations set standards for cognizable causes of action in legal data breaches? What level of security would be considered reasonable?

Tort claims for data breaches are already difficult because of standing requirements.^[10] Most courts have dismissed data breach lawsuits for failure to state an actual harm.^[11] Some courts, however, have recently found risk of future injury sufficient for a claim.^[12] Arguably, a malpractice claim in which a plaintiff suffered damages after individual confidential information was exposed would have sufficient damages under evolving data security “common law,” even absent a heightened security promise.^[13]

The scope of protected information in federal privacy legislation should be expanded to include individuals’ confidential legal information. The Federal Trade Commission (“FTC”) could attempt actions against offending firms based on current practice, and it should be given authority to do so under novel privacy regulations like the Consumer Data Privacy and Security Act (“CDSPA”).^[14] Currently, the FTC’s two-decades-old practice is to find companies with inadequate data security in violation of the FTC Act for “unfair or deceptive acts or practices.”^[15] Reliance on unfair or deceptive acts is similar to the Guo Wengui case because it involves a failure to meet a stipulated data security promise.^[16] More recently, however, the FTC has gone further by finding lacking practices to be “unfair” even absent a promise in either negotiation or published privacy policy.^[17] New privacy regulations should look to evolving data security expectations in professional conduct, tort, and FTC privacy actions to hold law firms accountable for inadequately securing individuals’ confidential legal data.

Finally, by what metrics should data security be assessed, and what are the implications for law firms using client portals? Privacy regulation of confidential legal information could reflect the more stringent requirements seen in the Health Insurance Portability and Accountability Act (“HIPAA”) Security Rule.^[18] Law firms should be required to protect against “reasonably anticipated” threats and disclosures.^[19] Appropriate security measures should be organization-specific, and based upon such factors as size, technical infrastructure, costs, and probability of exposure.^[20] There will also likely be additional administrative and notification requirements. Law firm staff will require training to properly utilize the portals.^[21] Practices and privacy notices will have to be disclosed to clients.^[22] Data breach notifications will likely be required.^[23] Individual legal client confidential information should be as protected as personally identifiable or protected health information.

^[1] Why Attorneys are Flocking to Client Portals, Am. Bar Ass’n (June 2017), https://www.americanbar.org/news/abanews/publications/youraba/2017/june-2017/client-portals-provide-gateway-to-efficiency–privacy-/ [hereinafter Flocking].

^[2] Id.

^[3] See Teresa Matich, A Guide to Using Client Portals at Your Law Firm, Above the Law (June 6, 2018), https://abovethelaw.com/2018/06/a-guide-to-using-client-portals-at-your-law-firm/.

^[4] See Jim Calloway, Email Attachments vs. Client Portals, Okla. Bar Ass’n, https://www.okbar.org/lpt_articles/email-attachments-vs-client-portals/ (last visited Sept. 30, 2020); see also Flocking, supra note 1 (noting that a majority of lawyers still send confidential information over email).

^[5] See Model Rules of Prof’l Conduct r. 1.6(c) (Am. Bar Ass’n 2020) [hereinafter Model Rules] (“A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”); David L. Hudson Jr., Lawyers Must Secure Client Communications from Cyber Breaches, ABA Journal (July 1, 2017), https://www.abajournal.com/magazine/article/ethics_secure_client_communications (requiring “reasonable efforts” in protecting digital client information).

^[6] Model Rules r. 1.6, cmt 18; Hudson, supra note 5.

^[7] See Nagy v. Beckley, 578 N.E.2d 1134, 1138 (Ill. Ct. App. 1991) (“[R]ules of legal ethics may be relevant to the standard of care in a legal malpractice suit.”); see also Ann Peters, The model Rules as a Guide for Legal Malpractice, 6Geo. J. Legal Ethics 609, 613-14 (1993) (“The Disciplinary Rules may have relevance in determining civil liability, but they should not be uncritically incorporated into that context.”).

^[8] See Guo Wengui v. Clark Hill, PLC, 440 F. Supp. 3d 30, 38 (D.D.C. 2020) (allowing legal malpractice claim to proceed based on a cyber attack that disclosed confidential information because the law firm failed to follow promisedprocedures to secure information); Jared H. Lorenz, Cyberbreach Leads to Legal Malpractice Claim: Misrepresentation and Mishandling of Information Allows Claim to Survive, Am. Bar Ass’n (Aug. 11, 2020), https://www.americanbar.org/groups/litigation/publications/litigation-news/top-stories/2020/cyberbreach-leads-to-legal-malpractice-claim/ (noting that a federal court found sufficient claim for a breach of duty of reasonable care where a hacker was able to breach a firm’s security systems).

^[9] See Guo Wengui, 440 F. Supp. 3d at 34 (promising that the confidential information of the prominent Chinese dissident client would not be kept on the firm’s server).

^[10] See Friends of the Earth, Inc. v. Laidlaw Envtl. Sys. (TOC), Inc., 528 U.S. 167, 180 (2000) (requiring an actual “concrete and particularized” injury that is “not conjectural”).

^[11] See Spokeo v. Robbins, 136 S. Ct. 1540, 1546 (2016) (holding that the “risk” of injury from a data breach was not a harm); Reilly v. Ceridian Corp., 664 F.3d 38, 46 (3d Cir. 2011) (denying standing because no harm had been realized—there was only fear of identity theft from a data breach).

^[12] See Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (finding an injury where there was an “increased risk of fraudulent charges” after data had been stolen); Galaria v. Nationwide Mut. Ins., 663 F. App’x 384, 385-86 (6th Cir. 2016) (finding standing in a data breach case because of risk of harm and mitigation costs). But see Reilly, 664 F.3d at 46 (denying standing where plaintiff spent money on preventive measures after a breach).

^[13] See generally Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583, 586 (2014) (arguing that FTC actions, forming a “common law,” dominate privacy policy enforcement).

^[14] See Gregory M. Kratofil, Jr. & Elizabeth Harding, Federal Privacy Legislation Update: Consumer Data Privacy and Security Act of 2020, The Nat’l L. Rev. (Mar. 14, 2020), https://www.natlawreview.com/article/federal-privacy-legislation-update-consumer-data-privacy-and-security-act-2020 (designating the FTC to administer the act and grant it rulemaking authority).

^[15] 15 U.S.C. § 45(a) (2006); see Daniel J. Solove & Paul M. Schwartz, Information Privacy Law 975 (6th ed. 2018).

^[16] See Solove, supra note 15, at 975.

^[17] See 15 U.S.C. § 45(n) (2006) (recognizing a practice as unfair if it “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and is not outweighed by countervailing benefits to consumers or competition”); Solove, supra note 15, at 975.

^[18] See generally 45 C.F.R. Part 164 (2013).

^[19] Cf. 45 C.F.R. § 164.306(a) (2013); Kirk J. Nahra, HIPAA Privacy and Security for Beginners, Wiley Rein (July 2014), https://www.wiley.law/newsletter-5029.

^[20] Cf. § 164.306(b); Nahra, supra note 19 (describing approaches as “flexible” and “scaleable” depending on organizational circumstances).

^[21] See Flocking, supra note 1 (describing the necessary training and corresponding enhanced client service); cf. 45 C.F.R. § 164.308(a)(5)(i) (“Implement a security awareness and training program for all members of its workforce (including management).”).

^[22] See Flocking, supra note 1 (emphasizing the importance of discussing terms of use with clients).

^[23] See Solove, supra note 15, at 948 (noting that “48 states and the District of Columbia” require notification of all individuals affected by a breach); cf. 45 C.F.R. § 164.404(a)(1) (“A covered entity shall, following the discovery of a breach . . . notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such a breach.”).