Commission on Law & Technology
Working Group: Mobile Technology
Topic: Using Devices in Legal Practice
Date of Publication: November 20, 2013
Summary: Mobile devices represent an inherent risk because they allow work to be performed outside of the office environment. It is a suggested practice to secure these devices with passwords and encryption if practical. Tracking services are available for most mobile devices that will allow the device to be located if misplaced or left behind. It also is suggested that devices have a remote wipe function if the device cannot be located. Finally, it is important to remember that if the devices are used in public, devices may be viewed by others in proximity to the lawyer.
Applicable DLRPC (Rules): 1.0; 1.4; 1.6; 1.18; 5.1; 5.2; 5.3
Disclaimer: The purpose of this leading practice is to provide the Delaware Bench & Bar with an understanding of an appropriate manner in which this technology may be used. There may be more appropriate uses; and the leading practice discussed might not be appropriate for a specific purpose. It is up to the individual to use well-reasoned judgment in making that decision. The Commission is not responsible for the consequences of the decision-making process.
Using Mobile Devices in Legal Practice
- Delaware lawyers utilizing mobile devices in their practice are required by Rule 1.0 to be competent in the use of the device and to ensure that any communication preserves confidentiality as required by Rule 1.6.
Mobile devices represent an inherent risk because they allow work to be performed outside of the office environment. It is a suggested practice to secure these devices with passwords and encryption if practical. Tracking services are available for most mobile devices that will allow the device to be located if misplaced or left behind. It also is suggested that devices have a remote wipe function if the device cannot be located. Finally, it is important to remember that if the devices are used in public, devices may be viewed by others in proximity to the lawyer.
Rule 1.6 requires that a Delaware Attorney "make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client." Comment  of this rule reminds that a Delaware attorney must act competently to preserve confidentiality. The comment helpfully explains that just because information is accessed by third parties through inadvertent or unauthorized disclosure, there is not a violation of the Rule, "if the lawyer has made reasonable efforts to prevent the access or disclosure."
When determining what is reasonable, factors include the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, and the extent to which the safeguards adversely affect the lawyer's ability to represent clients.
Devices such as smartphones, tablets and laptops make it easier to perform work activities away from the desk, but it is important that a lawyer is aware of the risks that exist when these devices are used. Since the device and the information stored on the device have value, it is suggested to take steps to prevent access to the information if they are obtained by a third party.
It is suggested that each device be password protected using a secure password. It is recommended that the device have a function that auto-locks it if it is not used for a period of time, with a requirement to reenter the password when the device is awakened. If data cannot be partitioned from third parties, it is suggested that no one else be permitted to use the device. If using memory cards in the device, or if the device can be used as a USB device if accessed by a computer, it is suggested that any accessible data be encrypted or password protected.
In purchasing mobile devices to be used in the practice of law, it is suggested that consideration be made of whether the device has an option to be encrypted, whether there is a tracking service available to locate the device if lost, and whether remote wipe of data is possible.
It is also important that Delaware lawyers be aware of their surroundings when using the devices. It is suggested that steps be taken to minimize the ability of others to view what is on the screen, or that the device not be used if others can view the information on the screen. If using the device to verbally discuss confidential matters (by a normal telephone conference or a web meeting), it is suggested that this only be done if others cannot hear either end of the conversation.
- The competence requirements of the rules require that an attorney take reasonable steps to safeguard information related to the representation of a client against unauthorized access by third parties. This duty also extends to data that is transmitted using mobile devices.
When accessing information in a remote setting, it is possible that information from the remote device can be intercepted. Precautions should be taken to prevent data from being intercepted remotely. It is recommended to take caution before connecting to any public WiFi network. Secure connections will encrypt data while it is being sent and received. Using remote sessions to connect to data prevents the risk of having confidential information stored on the mobile device.
When practical, it is suggested that data be accessed using secure Virtual Private Networks (VPN). VPNs piggy-back on public internet connections to access information using an office network. The connections offer tunneling of the information using a secured connection. When a VPN is not an option, a secure remote desktop sharing solution or encrypted external drive is another consideration.
It is suggested that lawyers never connect to "free" Public Access WiFi networks. It is easy for a hacker to establish a free WiFi network in a phishing expedition to obtain valuable data including locally stored documents, and email and passwords that are transmitted while using the connection. Even commercially available WiFi networks are beyond the attorney's control and could possibly be compromised.
Lawyers should consider using multiple layers to secure files and services accessed on remote devices. It is suggested that passwords not be stored in applications on remote devices, and if apps are used to store confidential materials, enable password protection of these applications if possible.
It is not recommended that a lawyer use the same password across multiple websites and services. Commercial websites and services are commonly hacked, and user account information is routinely leaked. If you are using the same password to access information on every service that you use, it is possible that if this occurs, confidential information in one of your other user accounts may be accessed. At the minimum, it is suggested not to use any password that is used to access client information on any external site.
Finally, it is recommended to make sure that your device is updated with any pertinent security updates or patches. Patches are usually issued after security issues are identified. Leaving a device running older operating systems, firmware, or applications may create a security risk for not only the mobile device, but for your entire network.
- If managing lawyers and non-lawyer assistants, Rules 5.1 and 5.3 also direct that a Delaware lawyer is responsible for the actions of the subordinates in safeguarding information related to the representation of a client.
Not only is it important for a lawyer to take steps to secure their own mobile devices, access provided to others should also be considered. If subordinate lawyers, staff, or vendors use mobile devices, it is recommended that policies and guidelines be established specifying acceptable use. If practical, it is suggested to enforce security measures on any device that is permitted to access confidential information. It is recommended that if others are provided with remote access or confidential materials, their access be limited to only materials necessary to perform the assigned work.
It is suggested to consider the dangers of allowing Bring Your Own Device ("BYOD") for any subordinates. If the lawyer does not have direct control of the device, it raises concerns of whether the data accessed on the device can be secured.
If a subordinate or vendor relationship ends, it is recommended that immediate measures be taken to revoke remote access. If there are any firm-wide passwords used to access services or data, it is suggested that they immediately be changed. If a BYOD device was allowed, it is important that measures be taken to prevent that device from accessing confidential information.
- Delaware lawyers should consider Rule 1.4 requirements that a Delaware lawyer keep the client reasonably informed about the status of the matter and promptly comply with reasonable requests for information when responding to clients using mobile devices.
A lawyer is required by Rule 1.4 to keep a client reasonably informed about the status of the matter and promptly comply with reasonable requests for information. In order to fulfill this requirement, it is suggested that a lawyer establish an electronic communication policy establishing acceptable methods of communication and to inform a client of potential confidentiality issues using electronic means.
If a lawyer routinely accesses client information using a mobile device, and responds to a client's request using a mobile device, it is suggested that a system be established to acknowledge the communication, and when a response cannot be provided in a prompt manner, that a system be employed to advise the client when a response should be expected. It is important that a lawyer manages a client's expectation of availability using mobile devices.