Network Firm News
The Gramm-Leach-Bliley Act: Federal Regulation of the Legal Profession
What are an attorney's responsibilities to secure client information? Today we seem to have many opinions. In law school we learned the ABA Model Rules of Professional Conduct (Rule 1.6): "A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent...."
State versions of this obligation range from California ("It is the duty of an attorney to ... maintain inviolate the confidences, and at every peril to himself or herself to preserve the secrets, of his or her client") to Texas ("a lawyer shall not knowingly ... reveal confidential information of a client or a former client...."). The former would support implementing computer security while the latter would not.
The FTC also has an opinion on the obligations for those lawyers giving financial advice, relying on its authority under the Gramm-Leach-Bliley Act (GLBA) to regulate attorneys whose primary activity consists of giving financial or tax advice (qualifying them as "financial institutions").
The ABA has recently requested that a federal court decide if the traditional ethical rules or the FTC's GLBA interpretation determine attorneys' obligations. The ABA has requested that the FTC exempt attorneys from the GLBA or from the notification provisions required of attorneys who are "financial institutions" by the FTC's Privacy Rule based on section 6802 of the GLBA. The ABA argues that the majority of attorneys would not give enough financial advice to qualify as a financial institution, and that the GLBA is "more permissive" than the attorney's ethical duty. This latter statement will probably be quoted as establishing the GLBA as a "floor" for ethical duties even for attorneys who would not otherwise be covered by GLBA.
I have found that most attorneys do not comply with the notification provisions of the GLBA, and are not aware of the potential liabilities of noncompliance. If the ABA prevails in its suit, there is no problem. If, on the other hand, the ABA loses the suit, the FTC would be free to enforce the Privacy Rule against applicable attorneys.
This rule includes the requirement that all clients after July 2002 be given specific notices at the time the client relationship is established. Violations of the GLBA are treated as "unfair or deceptive acts or practices." Such violations enable the FTC to issue cease-and-desist orders, impose fines of $10,000 per violation for further violations, and seek "mandatory injunctions" and "such other and further equitable relief" as is deemed appropriate. The FTC may also seek rescission of contracts, refunds of money, payment of damages, and public notification of the unfair or deceptive act or practice. Does anybody have a disgruntled client who would make such a complaint to the FTC?
The significance for security obligations of the GLBA goes beyond the Privacy Rule. While the Privacy Rule requires disclosure of steps taken to protect client information, disclaiming any security protection satisfies this requirement. The more interesting provision of GLBA lies in section 6801, which requires affirmative protections. The FTC has implemented section 6801 in its Safeguards Rule (16 CFR 314), with full compliance required by May 2003. If the FTC grants the requested exemption in the ABA suit, the GLBA would allow only an exemption from section 6802 (the Privacy Rule), not section 6801 (the Safeguards Rule).
The Safeguards Rule requires each regulated organization to designate a responsible individual, and assess, design, implement, and document (presumably for audit) protections for "customer information." The implementation guidelines for this regulation specify that the regulated organization follow the usual good practices for computer security, including the use of adequate backup, detection of computer intrusions, proper disposal of computer records, and prompt notification of clients when their information may have been compromised. Secure communication of confidential client information is also required. Most attorneys currently freely use e-mail communications despite the fact that ABA Formal Opinion 99-413, which allows insecure e-mail, is based on a flawed technological analysis, and further states that ordinary e-mail should only be used after informed consent and not for particularly sensitive communications.
There is an additional reason for attorneys to consider compliance with the GLBA. Both the GLBA and HIPAA require covered entities to ensure that their service providers (such as attorneys) protect personal data in conformance with the regulations.
ABOUT THE AUTHOR -- Joe Dryer, a member of the Texas Bar, currently serves as CEO of Breakaway Systems in Houston, Texas. Joe earned a Ph.D. in electrical engineering from Ohio State University and a J.D. and MBA from the University of Houston. You can contact him via e-mail