More than a year has passed since businesses moved to a virtual format in the wake of the Covid-19 global pandemic. Covid-19 is still circulating and new strains, including some more virulent strains, are still a concern for much of the world. We can no longer assume that the remote work place is merely a temporary convenience. While some businesses are in the process of returning their workers to the office, for many businesses, virtual offices is here to stay. All businesses, but especially small businesses, need to explore how to keep private client information confidential. Confidentiality is important not only for state and federal compliance laws, but also to serve client needs and expectations.
The American Bar Association - Standing Committee on Ethics and Professional responsibility, recognizing that the number of attorneys working remotely has increased and the need to address some of the privacy issues associated with the remote practice, issued a formal opinion on the virtual practice of law, its recent formal opinion. (Formal Opinion 498, March 10 2021). The Formal Opinion 498 provides guidance for a virtual practice not only for attorneys, but for all businesses, primarily in the area of protecting confidential information.
While the ABA opinion is directed toward the practice of law, its content is relevant to most businesses, even those that are mostly back in-house. Most businesses do not operate under the same confidentiality strictures as legal professionals, but confidentiality still plays a vital role in most companies. The ABA Virtual Opinion focuses on different aspects of working remotely and discusses both commonly implicated rules of professional conduct as well as the practical considerations of implementing.
Companies Need to Safeguard Confidential Information Accessed by Employees Working Remotely.
The ABA opinion discusses confidentiality and an attorney’s obligation to fulfill its duty of “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the presentation of a client.” This is something every business should expect of their employees, to keep their information confidential.
There are numerous federal laws that require that certain information be kept confidential, especially in the medical, financial, and insurance fields, including Health Insurance Portability and Accountability Act of 1996 (HIPAA), Genetic Information Nondiscrimination Act of 2008 (GINA), Right to Financial Privacy Act (RFPA) and others, including state laws such as Illinois’ Biometric Information Privacy Act (BIPA) protecting against the disclosure of biometric information. The violations of these statutes can bring civil and/or criminal penalties.
The need to protect against inadvertent disclosure is also essential in the area of protecting confidential information, whether it be customer lists or any other proprietary information that qualifies as a trade secret.
For example, the Economic Espionage Act of 1996 (18 USC 1831-39) defines trade secrets as all forms and types of financial, business, scientific, technical, economic or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if:
- The owner thereof has taken reasonable measures to keep such information secret, and;
- The information derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable through proper means by the public.
The salient feature of protection is that the owner (in this case employer) take steps to keep it confidential. This is true whether the trade secret is a protectable trade secret under federal law, or is it is a protectable trade secret by state common law. A company must safeguard its secrets from the public as well or else risk losing its protection against espionage.
How to Safeguard Confidential Information Accessed by Those Working Remotely.
The most important consideration is to have a plan that meets your company’s legal obligations and company’s needs. The ABA opinion includes the following list of areas for attorneys to safeguard confidential information, but the same is true for businesses that want to safeguard confidential and proprietary information:
- Hardware/Software Systems. The Virtual Practice Opinion states that lawyers “should ensure that they have carefully reviewed the terms of service applicable to their hardware devices and software systems to assess whether confidentiality is protected.” This is equally important to all businesses. To protect confidential information from unauthorized access, businesses should be diligent in installing any security-related updates and using strong passwords, antivirus software, and encryption. When connecting over Wi-Fi, businesses should ensure that the routers are secure and should consider using virtual private networks (VPNs). Finally, as technology inevitably evolves, businesses need to assess whether their existing systems are adequate to protect confidential information.
- Accessing Client Files and Data. The Virtual Practice Opinion states that lawyers practicing virtually “must have reliable access to client contact information and client records” but that access to this information must be safeguarded. In companies, confidential information is being accessed virtually. If the access to such files is provided through a cloud service, the company should (i) choose a reputable company, and (ii) take reasonable steps to ensure that the confidentiality of client information is preserved, and that the information is readily accessible to the remote employees. The company also needs to make sure that the data is regularly backed up and that secure access to the backup data is readily available in the event of a data loss. In anticipation of data being lost or hacked, businesses should have a data breach policy and a plan to communicate losses or breaches to the impacted clients.
- Virtual meeting platforms and videoconferencing. The Virtual Practice Opinion states that lawyers “should review the terms of service (and any updates to those terms) to ensure that using the virtual meeting or videoconferencing platform is consistent with the lawyer’s ethical obligations.” To avoid information being compromised, business should also ensure that the platform they chose complies with their confidentiality requirements. Access to accounts and meetings should be only through strong passwords, and provide the security needed. Likewise, any recordings or transcripts should be secured. If the platform will be recording conversations, it is inadvisable to do so without the consent of the parties because state laws may prohibit the recording of such conversations or require both party consent. In addition, confidential meetings or information should not be overheard or seen by others in the household, office, or other remote location, or by other third parties who are not authorized to receive the confidential information.
- Virtual Document and Data Exchange Platforms. The Virtual Practice Opinion states that attorneys, in addition to the protocols noted above, should carefully chose their data review and exchange platform. All companies should ensure that documents and data are being appropriately archived for later retrieval and that the service or platform is and remains secure. For example, if the company is transmitting information over email, the company should have a policy regarding what information should be encrypted, both in transit and in storage.
- Smart Speakers, Virtual Assistants, and Other Listening-Enabled Devices. The Virtual Practice Opinion also states that unless the technology is assisting the lawyer’s law practice, the lawyer should disable the listening capability of devices or services such as smart speakers, virtual assistants, and other listening-enabled devices while communicating about client matters. Again, this is something a business needs to consider to avoid trade secrets or other confidential information from being disclosed.
To review Formal Opinion 498, March 10 2021, in its entirety, go to https://www.americanbar.org/content/dam/aba/administrative/professional_responsibility/aba-formal-opinion-498.pdf .
If you have any questions regarding this or any other employment matters, please contact Kristin Tauras at firstname.lastname@example.org.