If you’ve read my bio, you know by now that I am thoroughly ensconced in the legal services industry … and this post is tribute to the vagaries and quirks inherent in my industry, with an ERM flair. Even if you don’t have the distinct pleasure of working for lawyers, I think you’ll find this topic is applicable beyond the well-appointed walls of fancy law firms.
[Bloggers Note: This got much longer than I anticipated, so grab a fresh cup of coffee then settle in and hang out with me for a few minutes!]
A little background …
The legal profession in the US is mostly self-regulating. Among the most significant self-applied regulations are the ABA’s (American Bar Association) Model Rules of Professional Conduct. The Rules do not carry the weight of law per se, and membership in the ABA is voluntary (although some states require membership in the State Bar), but they are certainly used extensively by lawyers to help guide their practice and behaviors as they relate to the ethical obligations owed to their clients.
Back in 2009 when Carolyn B. Lamm took office as President of the ABA, she created a new Commission – the Commission on Ethics 20/20.
The Commission’s charge is to:
“… perform a thorough review of the ABA Model Rules of Professional Conduct and the U.S. system of lawyer regulationin the context of advances in technology and global legal practice developments. Our challenge is to study these issues and, with 20/20 vision, propose policy recommendations that will allow lawyers to better serve their clients, the courts and the public now and well into the future.”
Ok, back to the topic at hand ...
So the Commission is doing a full review of the Rules and one of the lenses they are looking through is “advances in technology” and its impact on the provision of legal services.
As part of the work of the Commission, it has promulgated various materials presenting topics of concern to the public for comment and guidance. Once such document, Issues Paper Concerning Client Confidentiality and Lawyers’ Use of Technology made reference to something I had never heard of … Cyberliability Insurance. Now I’m no stranger to liability insurance – malpractice insurance is a must-have for every lawyer. But Cyberliability Insurance? Cool!
The premise, as described by the Commission, is that such insurance “provides coverage for lawsuits that might not be covered by some professional liability policies, such as claims by third parties arising out of a lawyer’s failure to protect confidential electronic information”.
Am I the only one who hasn’t heard about this? I can’t say it really surprises me that the insurance industry is capitalizing on this emerging market, but did I miss this?
Here’s my thoughts on the issue …
First and foremost, I'd much prefer the problems inherent with managing electronic content, on or off-premise, be dealt with rather than apply an insurance bandage. It's almost like saying "well, we give up trying to really understand this techno-stuff, so we'll just hedge our bets and get good insurance". Cop-out. Maybe there is still a place for this type of insurance, but I certainly don't want anyone to view it as an alternative to good information managment.
In a lawyer’s world, much of the information they handle is actually the property of the client, not the firm. As such, lawyers have some level of obligation to protect the integrity, privacy and confidentiality of its clients and their information assets. In the paper record world, that was fairly easy to do. In the electronic record world, it is vastly more complex (I know, you know). For more on the quirkiness of “ethical custodianship”, see an article I wrote here.
In addition, many lawyers are slaves to the billable hour and so are fond of devices that facilitate their ability to work from anywhere and at any time. They are also fond of keeping administrative expenses to a strict minimum, and so the financial promises of cloud computing make it attractive.
So, combine a lawyer’s ethical obligations with a lawyer’s fondness of 24/7/365 productivity (and recording and billing for it in .10 hour increments!) and a lawyer’s fondness for not spending money on administrative infrastructure … me thinks that it creates a perfect breeding ground for an information management mess.
Going to the cloud quickly to save money and increase accessibility is one thing, but what price will your clients run the risk of paying if you don’t take the time to make smart choices? What about those pesky ethics requirements like Model Rule 1.1 – Competence, or Model Rule 1.6 - Confidentiality of Information or Model Rule 1.15 - Safeguarding Property?
Even if you, the lawyer, have a high-risk tolerance are you sure your client shares the willingness to risk their information? Should lawyers have to get consent from clients before putting a client’s property in the cloud?
To Sum Up ...
Is the answer here to buy insurance to address the gap until you can answer the information management challenges satisfactorily (or not address them at all and simply rely on the insurance)? Or do you forego the obvious and immediate benefits of the cloud in order to determine for yourself and your clients what the standards and best practices should be for going there in the first place? Is there a proper balance that can be struck?
My personal opinion is I think it’s likely something lawyers should look at, and discuss with their professional liability carrier. I can certainly see where this type of coverage would contribute to a lawyer’s peace of mind, however again, I don’t want it to be something that is used as a work-around for the need for proper information governance. Insurance, alone, is not the answer.
Now it’s your turn …
I’d love to hear any stories of organizations buying cyberinsurance or cyberliability insurance. Is it common? What are the reasons for buying it and how does it fit in with your overall information governance strategy?
#cloudcomputing #lawyer #cyberliability #ElectronicRecordsManagement #cyberinsurance #confidentiality #ERM