We have swiftly transitioned into a digital age and it seems as if information could be the new weapon of mass destruction. Cybercriminals have long realised just how valuable information can be and have been launching missiles at an unprecedented rate, resulting in copious casualties of information security breaches. Earlier this year, CNN reported that hospitals in the United Kingdom fell prey to the WannaCry cyber attack and had to declare states of emergency because patient records were inaccessible, putting patient lives at risk. From multinational corporations to patients lying in hospital beds, it seems as if no one is immune to these threats. Could the legal fraternity be next?
Potential Liability and Cybersecurity Strategy
There are some secrets that must be taken to the grave. Information flowing from the lawyer-client relationship is generally one of them. The lawyer-client privilege bestows upon lawyers a legal and professional duty to protect clients’ confidential information. Confidentiality does not only involve the “Chinese Wall”, being tight-lipped about certain information or locking away case files in vaults. In this technologically advanced society, it also requires a lawyer to take reasonable steps to protect digital information. Failure to do so may have far-reaching implications, ranging from discipline from a law society to civil liability and the administration of justice being adversely affected.
Discipline from Governing Law Societies
Rule 3.3-1 of the Federation of Law Societies of Canada’s Model Code of Professional Conduct states that a lawyer owes a duty of confidentiality to every client and as such must hold in strict confidence all information flowing from the lawyer-client relationship. This duty even survives the professional relationship. Therefore, a lawyer could potentially face discipline if an investigation revealed that reasonable steps were not taken to protect clients’ digital information.
Civil Liability
Multinational corporations including Home Depot and Target have reported unauthorised access to some of their clients’ personal information. Canada has endeavoured to raise the standard by passing a number of statutory provisions such as the Digital Privacy Act and the Personal Information Protection and Electronic Documents Act that require entities to incorporate cybersecurity best practices in their operations. The legal fraternity is no different in terms of the personal, confidential and financial information they may collect from their clients. There is still a legitimate expectation to take reasonable steps to protect information, so clients could very well bring a civil action against lawyers who fail to meet this expectation.
Implications on the Administration of Justice
Imagine if a Court’s information system got compromised because of poor cyber security practices and personal information of key witnesses or jury members inadvertently became public. Not only would there be legitimate concerns regarding their personal safety but there may be serious implications on the administration of justice.
The Supreme Court of Canada pronounced in Lavallee, Rackel & Heintz v. Canada (Attorney General) that “unjustified, or even accidental infringements of the privilege erode the public’s confidence in the justice system”. Alva Group in a White Paper concluded that data breaches always present a reputational risk. In fact, share price, customer acquisition and retention are some of the critical areas that may be affected. The court system, arguably, is no different. Many trials could face significant delay if persons become apprehensive about serving as witnesses or jurors for fear that their personal information may inadvertently get into the wrong hands. This is one way that “unjustified, or even accidental infringements” of confidential information could erode the public’s confidence in the justice system.
Oh come on, I am no tech whiz, I am just a lawyer!
As much as that may be true, unfortunately, this argument won’t fly, especially in Canadian courts. The courts have dealt with the vexed issue of inadvertent disclosure and have taken a firm position. Elliot v Toronto (City) reminds us that inadvertent disclosure does not waive privilege. As Arbour J puts it in Lavallee, Rackel & Heintz v. Canada (Attorney General), a client has a reasonable expectation of privacy in all confidential documents and communications flowing from the lawyer-client relationship.
Having a brilliant IT team may allow some to sleep well at night, but lawyers have a role to play too. Certainly, lawyers are not expected to know the nuances of binary code, but the reality is that many cybersecurity attacks are not necessarily sophisticated attacks either. IBM reported that 60% of all attacks originated from threat agents inside the organisation. Earlier this year, MacEwan University reported that they succumbed to phishing attacks resulting in them losing $11.8 million. This was not a high-tech, state-of-the-art attack; employees were merely duped into changing electronic banking details for one of their vendors.
Law and technology can no longer be business as usual
It is high time that the legal fraternity pulled up its proverbial socks and adjusted to this technological era by incorporating sound cybersecurity strategies into its practice. Failure to do this may lead to discipline from a law society, civil liability or far-reaching implications for the administration of justice.
Andrae Campbell is an IPilogue editor and LLM Candidate at Osgoode Hall Law School.