How can you stay ahead of a fast-moving, intimidatingly vast and complicated subject area?
Technology as a subject covers both practice management and substantive client advice. In both guises, there are obligations on lawyers to stay ahead. It is an intimidatingly vast and complicated topic, changing fast. Even if your client work has nothing to do with IT substantive law, you still have to keep up with developments in order to ensure that your systems and data are safe.
Delegating to IT specialists is one way. But they are not usually lawyers. They doubtless know all about the threats from fraudsters and viruses, but they may not be aware of the special threats to our profession. One of these is how lawyers should take steps to keep data safe from government surveillance, which requires knowledge both of the extent and importance of lawyer-client confidentiality and of the latest on how governments might spy on us.
It is stating the obvious to note that it is the lawyer’s responsibility to give the IT specialist proper instructions, since the lawyer will be finally responsible, in the same way as he or she is responsible for adequate controls on the management of client funds or client documents.
The Solicitors Regulation Authority published a document earlier this year called ‘IT and innovation’, which covered the benefits of IT for lawyers, as well as the downside through issues such as cybersecurity. It is already out of date, since it was published before the Privacy Shield agreement was entered into between the EU and the US, to replace the previous Safe Harbour in relation to transatlantic data transfers.
And even that news needs updating, since, as predicted, Privacy Shield is now itself being challenged before the Court of Justice of the European Union by Digital Rights Ireland (Digital Rights Ireland v Commission, Case T-670/16). Digital Rights Ireland is the same NGO that successfully challenged (and had annulled) the Data Retention Directive some years ago. The new case is not expected to be heard for a year or more.
The Council of Bars and Law Societies of Europe (CCBE) has published a very useful document called ‘Guidance on improving the IT security of lawyers against unlawful surveillance’. I commend it because, as against the SRA guidance mentioned above, it rolls up its sleeves and gets its hands dirty in the details of how to protect lawyer-client confidentiality, for instance by listing the acceptable security standards.
And while the SRA guide refers lawyers to the government’s official ‘10 steps to cybersecurity’, which I have no doubt is wonderful, the CCBE guide is tailored to lawyers alone, and deals also with threats from the government itself through its surveillance programs. So the CCBE guide helpfully provides a list of lawyer-specific ‘usage scenarios’ which give rise to risks to confidentiality, including using e-government and e-court solutions, communicating with clients in a variety of ways, or undertaking legal research. And it highlights the greatest areas of general vulnerabilities, suggesting possible counter-measures in each case.
Lawyers should read it and either act on it themselves or hand it to their IT specialists, to protect themselves.
While on the subject of surveillance of lawyers, there are three further developments to note, all from the Council of Europe. The Conference of International NGOs associated with the Council of Europe is discussing a resolution whose title says it all: ‘Surveillance of lawyers: the need for standards safeguarding client confidentiality.’ The world will not change as a result, but each measure of support is important.
Second, the case brought by ten human rights organisations, including Privacy International, the American Civil Liberties Union, and Amnesty International, against the UK government in the European Court of Human Rights (ECHR), alleging that ‘blanket and indiscriminate’ surveillance operations carried out by our spy agencies, in collaboration with their US counterparts, violate privacy and freedom of expression, is still wending its way through that court (application no. 24960/15). This will be the first time that the ECHR will have been asked to consider the legality of the surveillance revealed by Edward Snowden.
And, finally, there was an ECHR decision earlier this year on the relationship between surveillance and client confidentiality. In Versini-Campinchi and Crasnianski v France (application no. 49176/11), the court held, maybe not surprisingly, that there had been no violation of the convention following the transcription of a telephone conversation between a lawyer and her client which had given rise to the presumption that the lawyer had participated in an offence.
The facts are complicated, but the essence confirms that confidentiality is not absolute and does not protect a lawyer where there is a presumption that the lawyer has been guilty of wrongdoing.
So the struggle continues, both to preserve our core values, and to keep up with the many developments affecting us.
Jonathan Goldsmith is a consultant and former secretary-general at the Council of Bars and Law Societies of Europe, which represents around a million European lawyers through its member bars and law societies. He blogs weekly for the Gazette on European affairs.