Law Firm IT Policy: Guidelines for Safeguarding User Privacy

A recent national survey of solo and small law firm attorneys revealed that only 35 percent of solos and 68 percent of small law firms have information technology (IT) use policies that govern the use of technology at their places of business. Clearly, this is an area of business exposure that firms can reduce by crafting a simple IT policy. One area of concern in any IT policy is user privacy.

Every law practice should express respect for user privacy in its IT policy, and recognize that such privacy is important in effectively carrying out the firm's business mission. At the same time, the policy should acknowledge that there will be circumstances in which certain broad concerns outweigh the user's expectation of privacy and warrant access by the firm to its IT systems without the consent of the user. A well-drafted IT policy will establish procedural safeguards to ensure that access to private user data and communications is gained only when appropriate.

Conditions of Access Without Consent

Define for the user the circumstances under which the firm will be allowed to access, without the user's consent, the technology it owns, manages, or maintains. Broadly worded circumstances include the need to preserve public health and safety, the need to comply with a law or regulation, and the need to carry out essential business functions. More specifically, issues relating to the technology itself may require access, such as when it becomes necessary to identify or diagnose systems or security vulnerabilities and problems, or otherwise preserve the integrity of the systems. Privacy concerns also may need to be trumped during an investigation into wrongdoing, and not just that committed by the user. Access may be necessary when there are reasonable grounds to believe that a violation of law or a significant breach of firm policy may have taken place and inspection or monitoring may produce evidence related to the misconduct. Another situation to keep in mind is when the user's employment or other connection to the firm has ended and there is a legitimate business need to access the user's former device or systems.

Process for Access

Create a process to be followed in the event access to a user's private data or communications without his or her consent is necessary. In larger firms, it may be appropriate to designate certain managers or partners to hold the power to authorize access in non-emergency situations. The firm should log all instances of access without consent, and notify a user of such access either before, during, or after the access. In the case of former employees, logging or notice need not be required.

Personal, Peripheral and Mobile Devices

If users attach privately owned personal computers or other devices, such as a smartphone, to the firm's network, have users consent to use by the firm of scanning programs for security purposes on those devices while attached to the network. In a similar vein, if users encrypt files, documents, and messages, the firm should be allowed to decrypt them in a manner consistent with the rest of the privacy policies.

Logs

Most information technology systems routinely log user actions in order to facilitate recovery from system malfunctions and for other management purposes. The firm or its systems administrators should establish and post policies and procedures concerning logging of user actions, including the extent of individually identifiable data collection, data security, and data retention.