The Risk Manager, Winter 2012
Case I: In Minneapolis a mother discovered her daughter drawing on paper given to her at school which contained on the back detailed medical information about a woman. It was soon learned that a paralegal working at a Minneapolis law firm had, rather than destroying old documents, donated them to the daughter’s school. Needless to say the woman whose confidentiality was breached is upset and the law firm has a serious problem with her and other clients whose confidential information was revealed.
Case II:The Baltimore Sun recently reported this careless handling of electronic files:
A Baltimore law firm lost a portable hard drive containing information about its cases, including medical records for 161 stent patients suing [a] cardiologist … a firm client, for alleged malpractice ….
The drive was lost Aug. 4 by an employee of Baxter, Baker, Sidle, Conn & Jones who was traveling on the Baltimore light rail, according to a letter obtained by The Baltimore Sun that was sent to one of the stent patients last week — two months after the drive went missing.
The storage device held a complete back-up copy of the firm's data, including medical records related to the stent malpractice claims, along with patient names, addresses, dates of birth, social security numbers and insurance information.
It was taken home nightly as a security precaution in case of fire or flood, a firm spokesman said, though the portable information was not encrypted — among the most stringent security precautions that is standard practice for health professionals dealing with medical records. (emphasis added)
In Case I obviously the paralegal made a serious mistake, but so must have the firm’s management in not assuring that the paralegal knew client confidentiality requirements and file destruction procedures. In addition to meeting your professional responsibility to train paralegals (see SCR 3.130(5.3), Responsibilities Regarding Nonlawyer Assistants), be sure your firm has written file management and destruction procedures. For file destruction we recommend that:
- At the conclusion of a matter assign the file a closed file index number.
- Check for outstanding fees and proper client trust account documentation.
- Return client property such as original documents being sure to copy any returned documents necessary for the firm to have a complete file.
- Strip the file of duplicate documents, etc. – do not remove work product such as drafts, phone messages, or research notes.
- Send a closing letter to the client.
- Assign a file destruction date and calendar it in the office closed file index.
- At the time a file is calendared for destruction notify the client by certified mail. Advise that in the absence of instructions to the contrary the file will be destroyed after the date indicated in the notice.
- If the client cannot be located, files may be destroyed in the lawyer’s sound discretion. KBA E-300, however, advises that these files should be destroyed only if they contain no important papers.
- In destroying files client confidentiality must be preserved. Firms in states with paper recycling laws failing to shred documents or disposing of files in clear plastic bags have had problems. Literal destruction of the file is recommended – shred or burn.
In Case II it is ironic that in an effort to safeguard client information the firm managed to expose itself to a major breach. It is worse than ironic that the firm would not think to encrypt the data on such an important electronic file that was routinely carried out of the office. In our Spring 2011 Newsletter we offered this checklist from the article Serious About Confidentiality (The National Law Journal, October 18, 2010) by Michael Downey of Hinshaw and Culbertson:
- Adopt clear policies and educate all personnel about the proper use and disclosure of client confidences, including to the media and on the Internet, and the consequences of noncompliance.
- Purchase travel laptop computers and flash drives protected by full disk encryption, and insist that lawyers and staff use such protected devices when they travel with client-related or other sensitive information.
- Ensure that all computer systems, scanner/copiers and smart phones that can send and receive data have password protections activated.
- Ensure that people who have access to firm facilities and information can pass reasonable background checks and agree in writing to preserve confidences.
- Keep the most sensitive information off the Internet, or at least secured on document-management systems.
- Provide for secure disposal of confidential information at each workstation, as well as at copiers, printers and the like, and also for secure disposal of any computers (home or office) or data-storage devices that might contain firm-related information.
- Assess whether the firm should purchase additional insurance or equipment to protect against data disclosure.
- Plan now how the firm will respond to any disclosure that may occur, including how notice will be given to regulators, affected clients and the public, and what actions the firm will take to re-establish protection and sanction anyone who caused the disclosure.