We need to keep in mind that we have an obligation of confidentiality. The obligation is nearly absolute.We need to keep in mind that we have an obligation of confidentiality. The obligation is nearly absolute.
– Stafford Shepherd, Senior Ethics Solicitor
Confidentiality is central to the legal process in Australia. Legal professionals have a responsibility at common law to protect information passing between them and those with whom they consult, even if those consultations do not produce billable clients. Unlike the duty of loyalty, the duty of confidentiality continues beyond the end of a retainer – even beyond a client’s death.
But perhaps more important than legal obligations are client perceptions. In an increasingly privacy-conscious marketplace, the information management practices of law firms are no longer solely an area of concern for larger clients. Weekly news reports of government and corporate data breaches have put confidentiality at the forefront of the public awareness. Now, data does not even need to be compromised before serious concerns are raised, as was seen in May 2016 when Telstra Health was awarded a contract to manage a national cancer screening register. More so than ever before, law firms stand to profit through explicit demonstration of their ability to keep information private, secure, and firmly on Australian shores.
Unfortunately, however, the information management practices of many firms are putting them at risk of breaching client confidence. Rapid technological advances in other industries have stolen the lead that the legal sector has traditionally held in its treatment of confidential information, and many firms are now struggling to catch up.
“We’re seeing many other sectors becoming just much faster fish,” says Dave Coughanour, director of security and information management at K&L Gates. “It’s harder to hack into a bank, it’s harder to hack into a defence-contractor or critical infrastructure company, so hackers are shifting their focus to what they perceive to be the weaker link in the chain, which is why law firms need to ensure their cyber security systems are keeping up with other industries.”
Some firms have dealt with this by staying entirely offline and paper-based. But in an on-demand legal era where the sector is under increasing pressure to minimise discovery costs, this creates its own problems.
While hard copies are an indispensible reality of law firm information flows, they present two major challenges. For in-house archives, firms must maintain a level of security – and allocate floor space – on premises that is costly and might otherwise be unjustified. Indexing can also be erratic, increasing the time staff have to spend locating documents. When storing archives off-site, firms may inadvertently expose their information to compromise during transit, especially over long distances where multiple handovers are involved. Very few information management companies have a secure chain of custody across all their delivery locations. Instead, when they have to deliver outside certain geographical boundaries or times of day, they outsource to contractors. This adds one or more unnecessary steps to the information transmission process. While it may only increase the risk of breach by a slight margin, it elevates the risk of data loss significantly.
Security of hard copies is addressed with off-site facilities designed and equipped to protect documents from fire and water damage, as well as theft. Archiving is set up in such a way that even employees of the information management company cannot identify their contents at a glance, with access only available to them once a request has been issued from an authorised individual inside the firm. To ensure the same level of security when transporting documents, these companies maintain an entirely secure chain of custody, never outsourcing collection or delivery to contractors, even when working outside urban areas or normal trading hours.
Good information management companies have also invested heavily in digital security infrastructure. They provide on-shore cloud-based systems that allow access only to pre-vetted firm employees, with customisable access privileges to ensure the right people have access to the right information.
With information stored off-site, much of the pressure is taken off firms that are currently maintaining a high level of physical and cyber security in their office premises. The cost savings to be had here are significant. Done properly, digitisation can also dramatically increase information security, which in turn elevates clients’ faith that a firm has their best interests at heart.
A law firm that can ensure the safety and security of its information assets is one that will stand out for all the right reasons to the privacy-conscious public. Find out more in Grace’s FREE in-depth information management report for government agencies – available exclusively at www.grace.com.au/information/legal
 Shepherd, S., Loose Lips Sink Ships, Queensland Law Society Ethics Centre, (January 2014)