Skip to content
Opinion
Link copied to clipboard

Clinton's private server would never fly at law firms

    by Chris Mondics, STAFF WRITER | Columnist
    Published 

Hillary Clinton's private email server arrangement as secretary of state would never fly at most law firms.

With the advent of cyber crime and hacking threats, firms have devised elaborate protections and protocols for lawyers requiring that client matters be handled on secure in-house computers, or on laptops equipped with protections that guard against unauthorized release of information.

Operating a private server out of your home is strictly out of the question.

"If you are not sufficiently protecting your computer system, you are actually negligent," said William H. Roberts, an antitrust lawyer and general counsel of Center City's Blank Rome.

Blank Rome hires an outside vendor to monitor the firm's computer network for signs of hacking.

"To our knowledge, we have not been hacked," he said.

With only a few days to go before the election, Democratic presidential nominee  Clinton has been embroiled in a tense national debate over the propriety of using a private server, independent of secure government computers, to handle her email during her time as secretary of state.

FBI Director James Comey, in an unprecedented step on July 1, announced that following a government investigation, the FBI would recommend that Clinton not be charged. Comey said Clinton's offline computer use exposed her communications to hacking by foreign governments, although he said the FBI had no evidence that had taken place. Clinton herself has acknowledged that it was a mistake to use a private server. The investigation recently resumed when additional emails were found on the laptop of her aide Huma Abedin.

Lawyers are mandated by the professional conduct rules to protect client confidentiality. That means idle chitchat at cocktail parties, with friends, or at home is strictly barred and the nature of conversations with clients and documents related to their cases must be zealously guarded. In years past, documents relating to client matters were kept in locked file cabinets in offices that themselves were locked.

That same principle now applies to digital information, which is password protected and subject to constant monitoring to guard against breaches.

It has always been the case that lawyers who break these rules can be subject to professional discipline and claims by clients. But the advent of digital technology has greatly increased the stakes.

Law firms at times can have access to vast quantities of sensitive client information and personal data such as Social Security numbers of clients' customers. Data breaches of this kind of information have the potential to result in multimillion-dollar claims by clients and severe reputation damage to law firms.

"Our firm, in particular, has a very large financial-services industry client base and as a result many of our clients have very stringent data security requirements," said Edward J. McAndrew, a partner in the Ballard Spahr privacy and data security group who, before joining Ballard, was a federal prosecutor focusing on cyber crime. "And they pass those requirements on to us at our law firm."

Like other firms, lawyers at Ballard are restricted to the firm's computer system for handling client matters. McAndrew said it is easy to imagine how an employee of a company with a restrictive policy on the use of non-authorized systems might run afoul of the rules. Often, it is the result of an employee's trying to get work done in the face of a balky internal computer system, causing the employee to use some other device.

Such BYOD practices – or bring your own device – are at the root of numerous security breaches in the private sector, said Blank Rome's Roberts.

Apart from protecting client confidentiality, firms have another reason to make sure lawyers and other staff do all work on internal systems. Mark Silow, managing partner of Center City's Fox Rothschild, which created the position of chief privacy officer to oversee the security of client information, noted that firms have a duty to provide all relevant documents when a matter is in discovery. That simply can't be guaranteed if work is done outside the firm's network, he said.

"If we are ever required to make documents or emails available during discovery, we would never be able to comply if people had emails and so forth on" their own devices, Silow said.