More From Eric Dixon at http://www.NYBusinessCounsel.com


Thursday, April 6, 2017

Client Information Is Never Totally Safe: Why We Need A "Know Your Lawyer" Rule

When you, or your company, hire a large law firm, you are assuming that your information, your sensitive trade secrets, even sensitive personal information, is safe.

Far from it.

Your sensitive data could be at risk. Not from technology, not from breaches, technology failures or the ready-made scapegoat excuse of "hacking."

The risk is from the people who work at the law firm or corporation. 

The risk gets larger, and is harder to control, the bigger the organization is, simply because the biggest "X factor" is human nature and human integrity. That means that the more people with potential or actual access, the less safe your information is. Period. Even if there are "controls." 

That means that confidential client information is often only as safe as the integrity of the least-obedient person working in that firm or company. 

Consider this breaking news from the middle of the State of New Jersey, where a young lawyer got busted for accessing confidential files while a law student working for a county prosecutor's office. 

Could the same wrongful access happen to your files?

Financial institutions have had to obey the anti-money laundering and 'know your customer' rules largely implemented after the 9/11 attacks.

Far too many legal clients don't enjoy the same protections when they use a large law firm. The controls on who has access to information can be unevenly applied, hard to enforce, and susceptible to circumvention.

Most commentary on this topic focuses on the "ethical rules" governing the practice of law, which are in place in just about every state. I don't focus on these rules at all, because those rules are good at shifting the blame from the "leaker" to the lawyer. I think lawyers get blamed for enough things which are not their own doing, and the blame-shifting is only good for other lawyers to find a deep pocket (read: money) to go after in court.

That does nothing -- nothing at all -- to keep your data safe. Preventing your loss is my focus here. So-called deterrence is useless Monday-morning-quarterbacking that others can engage in to try to sound smart. But that does you no good at all, not before your loss and certainly not afterwards.

Risk managers will talk about how to "mitigate" risk. This is a smart distinction. The honest manager knows the risk can never be eliminated, but it can be reduced. 

In a "cover your ass" corporate world, decision-makers are often rewarded for taking steps which, in hindsight, can be explained or rationalized or defended. But that is different from actual risk management.

Often, the best risk management starts with the initial decision about which law firm or outside service provider or information technology vendor to use. Those decisions are commonly made in favor of "brand name" or "known" (and so often, larger) institutions, which always carry the integrity risk because of the sheer volume of people who are either working on a matter or have incidental access to sensitive data. (The list goes from top partners and executives down to janitors and copy-room workers.)

A solution may be to use select smaller institutions or even solo practitioners. Those are options which allow for direct accountability and the ability to "know" 100 percent of the personnel involved. There may be a loss of convenience, but as those whose information has been stolen or secrets revealed can attest, there is nothing more damaging or "inconvenient" than a busted deal or lost case because data got into the wrong hands.
