Earlier this month, the Baltimore Sun and ABA Journal reported that the law firm of Baxter, Baker, Sidle, Conn & Jones lost a back-up hard drive containing 161 stent patient files. The firm properly recognized it should have off-site storage of its sensitive data to protect from risk of fire and flood but chose to have an employee take the drive home each night via commuter train.
According to the Baltimore Sun, “[t]he storage device held a complete back-up copy of the firm’s data, including medical records related to the stent malpractice claims, along with patient names, addresses, dates of birth, social security numbers and insurance information.”
The hard drive was password protected but not encrypted. A password provides some protection, but a minimal one: on an unencrypted drive it only gates the normal login path, and the data itself remains readable in the clear by anyone who connects the drive to another machine. Law firms have a duty to protect confidential information both under their general ethical duties and under more specific state and federal laws. Here, the protected health information put at risk by the loss of the hard drive implicates regulations under HIPAA and the HITECH Act.
Although the law firm itself is unlikely to be regulated as a health care provider, the law is much less clear on whether the firm must sign a Business Associate Agreement regarding the data. If the law firm was given access to the data on behalf of its client, then a Business Associate Agreement – and all the HIPAA data protection provisions that come with it – would be required. Where the data was collected in an adversarial matter from an opposing party, however, such a duty may not attach.
The niceties of HIPAA are only one of the problems. If the hard drive included all of the firm’s data, then there will be client names, and may also be client trade secrets and other confidential information.
The American Bar Association has recognized that lawyers have an ethical duty to take reasonable measures to protect a client’s confidential information from unintended disclosure and unauthorized access. In fact, a draft proposal will codify this existing obligation under a new ABA Model Rule 1.6(c).
1.6 (c) A lawyer shall make reasonable efforts to prevent the unintended disclosure of, or unauthorized access to, information relating to the representation of a client.
Factors to be considered in determining the reasonableness of the lawyer’s efforts include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
As illustrated by the lapse at Baxter, Baker, Sidle, Conn & Jones, security starts with the physical safeguarding of data – in the firm, its physical files and its electronic storage. Trains, backpacks, and car seats are never good ideas for the systematic, ongoing protection of data. Secure, encrypted off-site storage is no longer expensive and is likely the minimum standard.