By Jennifer Ellis, Esq.
These days most businesses have websites that market to potential clients/customers. Also, some businesses offer a portal through which they communicate with clients/customers. Of course, many businesses take payments through their sites. For law firms, all these issues come into play. However, law firms must be cautious about meeting ethical obligations while using websites to gather and/or store confidential client data.
Security Can Make Your Website Easier to Find
SEO, or Search Engine Optimization, involves helping people find and visit a website. After all, there is no point in having a website if no one can find it. Google has complex algorithms that determine how sites rank in its search results for various keywords and phrases. Because Google cares about security, insecure websites rank lower than similarly situated secure websites.
The initial step in securing a basic website is to add a security certificate. When you visit websites, you have likely noticed that some URLs begin with http and others with https. Websites with https have SSL (Secure Sockets Layer) installed. A properly installed certificate encrypts the data that passes through a website and makes it much harder for that data to be stolen.
Google’s browser, Chrome, warns visitors when sites are not secure. As a result, in addition to the negative impact on ranking, potential clients/customers will be hesitant to visit a website that shows that it is lacking security. The majority of websites that show up on the first page of Google search results tend to be those that are properly secured.
While most lawyers are not in the business of building websites, they are in the business of managing their clients’ risks. A smart question to ask your clients is whether they have properly secured their websites, especially if they ask their own clients to submit private information. If you or your clients accept credit cards, it is important to make certain that the websites are PCI compliant. This means that the site complies with the payment card industry’s data security standards. As a side note, PBA has a relationship with LawPay. If your firm is interested in taking credit cards, LawPay has a portal for payments, making it much easier to securely take cards online.
Portals & Security
If you or your clients have web portals, you need to make sure that they are set up securely. For example, if you plan on using a cloud-based practice management system, your provider might offer a web portal that will allow clients to download documents you want them to complete, and then securely upload them into their own files once they are done. Clio, for instance, is a cloud-based system that provides many tools, including a web portal for clients. As a side note, PBA offers a discount for Clio.
Given the type of data law firms and client businesses might collect through portals, it is incumbent upon attorneys to make sure that their firm websites are secure and that they are advising their clients about the importance of website security. This means that lawyers must be aware not only of data collection and storage laws for the appropriate jurisdiction(s) of their clients, but also of any unique legal or ethical requirements for the client type. For example, an entity covered by HIPAA will need to be especially careful about how it collects and stores PHI (Protected Health Information) on its website.
Since many web portals are hosted and managed separately from a business’s website, it is critical to be cautious when choosing a cloud provider. If your client manages its own portal, it is important that those coding the portal implement the appropriate security measures and keep them updated.
If your firm has a portal or you are exploring setting one up, make certain to choose an ethically appropriate service provider. PBA has an excellent ethics opinion that offers advice on choosing a cloud provider.
Not only do lawyers have to worry about legal and public relations issues if client data gets exposed, they must worry about violating ethical requirements on competence with respect to technology and data confidentiality. (See Pennsylvania Ethics Rules 1.1 and 1.6d). Rule 1.1 requires attorneys to be competent with technology. Simply put, competence with technology means that lawyers should be:
- Aware of technology that should be used in their practice area(s)
- Capable of properly using any technology that they implement in their practice
Regarding law firm websites, in addition to following all marketing ethics rules, lawyers who collect any data should be making certain that the data is being collected and stored properly. Even lawyers who only have a form for basic client leads should make certain the form has appropriate warnings about forming an attorney/client relationship and risks surrounding sending confidential information through the web. Such forms should have appropriate security, meaning, at the least, a website with a security certificate and a properly installed form-collection method.
Legally speaking, it is important to follow any laws that impose additional requirements for collecting data about a jurisdiction's residents. For example, California, Delaware and Nevada require website operators to post privacy policies informing consumers about their information-collection and data use practices. Also, be careful to meet any limitations on how data may be used and stored after it is collected. If you practice internationally, make certain your website meets the strict laws that many countries and the European Union have implemented.
As lawyers, it is important to take the time to familiarize ourselves with the legal and technical issues that arise with collecting customer/client data online. While it is not necessary to be a security or website expert, it is important to have at least a basic understanding of the risks and the technology that helps to minimize them.
Jennifer Ellis is an ethics attorney who also advises law firms on their technology and online marketing. Find her at https://jlellis.net.