by Sheila Blackford ©2016
Lawyers have a fiduciary duty to preserve client confidentiality, long codified in Oregon under ORPC 1.6, Confidentiality of Information. Over the past quarter century, paper-based client files have become electronic files, and the need to protect electronic client records has only become more imperative as lawyers transmit and store their client files on the Internet.
ORPC 1.6 (7) (c):
A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.
ABA Model Rule 1.6 Comments 18 and 19:
Acting Competently to Preserve Confidentiality
 Paragraph (c) requires a lawyer to act competently to safeguard information relating to the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1 and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information in order to comply with other law, such as state and federal laws that govern data privacy or that impose notification requirements upon the loss of, or unauthorized access to, electronic information, is beyond the scope of these Rules. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments -.
 When transmitting a communication that includes information relating to the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps in order to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.
Those words should fill you with some dread. That is the right mindset for putting the necessary protections in place so that you can prevent a data breach, or at least ensure that if data is breached it has been rendered unreadable because it is encrypted.
Be concerned about a "breach of security" and "personal information." Both are defined terms in the Oregon Identity Theft Protection Act, ORS §§ 646A.600 to 646A.628.
What is a breach of security?
ORS §646A.602 (1)(a) “Breach of security” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the person.
What is encryption?
ORS §646A.602 (6) “Encryption” means the use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without the use of a confidential process or key.
What is personal information?
ORS §646A.602 (11) “Personal information”:
(a) Means a consumer’s first name or first initial and last name in combination with any one or more of the following data elements, when the data elements are not rendered unusable through encryption, redaction or other methods, or when the data elements are encrypted and the encryption key has also been acquired:
(A) Social Security number;
(B) Driver license number or state identification card number issued by the Department of Transportation;
(C) Passport number or other United States issued identification number; or
(D) Financial account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account.
(b) Means any of the data elements or any combination of the data elements described in paragraph (a) of this subsection when not combined with the consumer’s first name or first initial and last name and when the data elements are not rendered unusable through encryption, redaction or other methods, if the information obtained would be sufficient to permit a person to commit identity theft against the consumer whose information was compromised.
(c) Does not include information, other than a Social Security number, in a federal, state or local government record that is lawfully made available to the public.
How do we develop safeguards for this personal information?
Requirement to Develop Safeguards for Personal Information ORS §646A.622
646A.622 Requirement to develop safeguards for personal information; conduct deemed to comply with requirement. (1) Any person that owns, maintains or otherwise possesses data that includes a consumer’s personal information that is used in the course of the person’s business, vocation, occupation or volunteer activities must develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the personal information, including disposal of the data.
(2) The following shall be deemed in compliance with subsection (1) of this section:
(a) A person that complies with a state or federal law providing greater protection to personal information than that provided by this section.
(b) A person that is subject to and complies with regulations promulgated pursuant to Title V of the Gramm-Leach-Bliley Act of 1999 (15 U.S.C. 6801 to 6809) as that Act existed on October 1, 2007.
(c) A person that is subject to and complies with regulations implementing the Health Insurance Portability and Accountability Act of 1996 (45 C.F.R. parts 160 and 164) as that Act existed on October 1, 2007.
(d) A person that implements an information security program that includes the following:
(A) Administrative safeguards such as the following, in which the person:
(i) Designates one or more employees to coordinate the security program;
(ii) Identifies reasonably foreseeable internal and external risks;
(iii) Assesses the sufficiency of safeguards in place to control the identified risks;
(iv) Trains and manages employees in the security program practices and procedures;
(v) Selects service providers capable of maintaining appropriate safeguards, and requires those safeguards by contract; and
(vi) Adjusts the security program in light of business changes or new circumstances;
(B) Technical safeguards such as the following, in which the person:
(i) Assesses risks in network and software design;
(ii) Assesses risks in information processing, transmission and storage;
(iii) Detects, prevents and responds to attacks or system failures; and
(iv) Regularly tests and monitors the effectiveness of key controls, systems and procedures; and
(C) Physical safeguards such as the following, in which the person:
(i) Assesses risks of information storage and disposal;
(ii) Detects, prevents and responds to intrusions;
(iii) Protects against unauthorized access to or use of personal information during or after the collection, transportation and destruction or disposal of the information; and
(iv) Disposes of personal information after it is no longer needed for business purposes or as required by local, state or federal law by burning, pulverizing, shredding or modifying a physical record and by destroying or erasing electronic media so that the information cannot be read or reconstructed.
(3) A person complies with subsection (2)(d)(C)(iv) of this section if the person contracts with another person engaged in the business of record destruction to dispose of personal information in a manner consistent with subsection (2)(d)(C)(iv) of this section.
(4) Notwithstanding subsection (2) of this section, a person that is an owner of a small business as defined in ORS 285B.123 (2) complies with subsection (1) of this section if the person’s information security and disposal program contains administrative, technical and physical safeguards and disposal measures appropriate to the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information collected from or about consumers. [2007 c.759 §12]
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Patients have federal legal rights to their protected health information. We sign forms about our privacy every time we go to a doctor's office, treatment clinic, or hospital. It is doubtful that the average lawyer, let alone the average person, has ever read the HIPAA rule, which is nearly 700 pages long. HIPAA reaches lawyers when they are a business entity that deals with health care providers and receives protected health information from them; the same is true of CPAs and other businesses that serve health care providers.
HIPAA in Oregon. Oregon recognizes a number of health-care provider/patient privileges, including the right to prevent others from disclosing communications made with a health care provider for the purposes of treatment and diagnosis. See ORS §§ 40.230, 430.235. Remember that federal privacy regulations under HIPAA preempt state law unless the pertinent state law is more stringent. See 65 Fed. Reg. 82,462, 82,464.
Lawyers need to be careful with individually identifiable health information. The best way to protect confidential client data: ENCRYPTION. Encrypting data that is then properly backed up and stored is the easiest way to begin fulfilling your obligations under HIPAA and under ORPC 1.6.
Gramm-Leach-Bliley Act 15 U.S.C. §§ 6801-6809 and §§ 6821-6827, as amended
Under the Gramm-Leach-Bliley Act, financial institutions must protect the privacy of consumers' personal financial information. This is why your financial institution provides you with annual notice of its privacy policies, and why it must give notice and an opportunity to opt out before disclosing any of a consumer's personal financial information to an unaffiliated party.
For lawyers, consider that your client files contain personal financial information, such as credit card numbers and bank account numbers. There may be a number of reasons that you hold copies of your clients' financial account statements, loan applications, tax returns, and financial documents used in bankruptcies and dissolutions of marriages and business partnerships. How are you protecting the confidentiality of this information? Where are you storing it?
The best way to protect confidential client data: ENCRYPTION. Encrypting data that is then properly backed up and stored is the easiest way to begin fulfilling your obligations under the Gramm-Leach-Bliley Act and under ORPC 1.6.
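What "rendered unreadable or unusable without the use of a confidential process or key" (ORS § 646A.602(6)) looks like in practice, for both the HIPAA and the Gramm-Leach-Bliley passages above, as an added example that is not part of the original article: a Go program using only the standard library that encrypts a client file with AES-256-GCM, then shows that the wrong key, or a single altered byte, yields an error rather than readable data. The client file contents and the function names are constructed for illustration. The program assumes the key is generated randomly and stored apart from the encrypted files and their backups; remember that under ORS § 646A.602(11)(a) encrypted data counts as personal information again once the key has been acquired along with it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// AES-256 key length in bytes.
const keySize = 32

// NewKey returns a fresh random 256-bit key. Keep it (or the passphrase it is
// derived from) separate from the encrypted files and from their backups; a
// key stored next to the data defeats the statutory safe harbor.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// A random 96-bit nonce is drawn per call, so the same file encrypted twice
// under one key produces two different blobs.
func Seal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Prepending the nonce to the output keeps everything needed for
	// decryption (except the key) in one blob.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. GCM authenticates the ciphertext, so a wrong key or a
// modified byte anywhere in the blob returns an error, never garbage plaintext.
func Open(key, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, nil)
}

// newAEAD rejects any key that is not exactly 256 bits before building GCM.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed sample client file; the identifiers are placeholders.
	clientFile := []byte("Client: Jane Doe\nSSN: 000-00-0000\nAccount: 0000000000\n")

	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, clientFile)
	if err != nil {
		panic(err)
	}
	fmt.Printf("encrypted %d plaintext bytes into %d bytes (12-byte nonce + 16-byte tag)\n",
		len(clientFile), len(blob))

	// Correct key: the file comes back intact.
	if plain, err := Open(key, blob); err == nil {
		fmt.Printf("decrypted with correct key:\n%s", plain)
	}

	// Wrong key: unreadable, as the statute requires.
	otherKey, _ := NewKey()
	if _, err := Open(otherKey, blob); err != nil {
		fmt.Println("wrong key:", err)
	}

	// Tampered backup: flipping one bit of the ciphertext is detected.
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, blob); err != nil {
		fmt.Println("tampered blob:", err)
	}
}
```

Encrypting the file is only the first step: the key must live in a separate place from the files and the backup set, and the backup of the encrypted blobs should itself be tested by running Open against a restored copy.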