UPDATE: The FTC announced this week that it will delay enforcement of the Red Flags Rule until November 1, 2009.
A new Federal Trade Commission rule proposes requiring businesses to have a written plan to identify and respond to "Red Flags" indicating possible identity theft. Failure to comply may result in several government sanctions. Many feel that these should not apply to law firms and the American Bar Association has communicated that belief to the FTC.
Here's an article from the Ohio Lawyer with more details about the rule. But the date is almost here and, according to the FTC, if the lawyer regularly defers payment for services performed the rule applies. The FTC told the doctors the same thing. So if you tell a client they can pay their bill late because their home was just destroyed a few federal rule applies to your firm? I'd hate to guess the meaning of "regularly" for most law practices.
The good news is that the legal profession has long protected the confidentiality of client information. The bad news is that this is so deeply ingrained in the DNA of law firms that the required written documentation may be sparse and identity theft issues may present a somewhat different risk.
Maybe the answer is to reduce to writing the many protections of our clients' confidentiality we already have in place.
Judith D. Equels, Director of The Florida Bar's Law Office Management program, has these observations:
"Here are some tried and true tips for preserving client/matter confidentiality and file security from the annals of good old fashioned law office policies:
• No one should have access to personal information in a client/matter file except those assigned to work on the file. Who has access to your client files?
• Visitors, guests, clients, maintenance staff, janitorial staff, repairman and vendors should not be allowed to roam the office without being accompanied by a firm employee.
• Consider making offers of employment contingent on a clean criminal background check.
• Grant weekend and after hours access to the firm's offices to only those who must have 24-7 access. Keep an accurate record of those with access privileges, and review it regularly.
• No files are ever removed from the firm's premises without specific written authorization from an owner of the law firm. If a file must be taken out of the office, must it be the whole file?
• It is important to verify the identity of new clients. Also, during the course of the work, it is often necessary to verify and/or hold client's personal information. Use a checklist that risky information has been collected/verified. Redact the working copy for the file, and lock up the originals, or the full copy if the original was returned to the client. This would include birthdates, SSN's, DL numbers, birth certificates, passports, medical files, banking information, tax returns and the like.
• No one enjoys the task of putting up files at the end of the day, even though we know we're supposed to secure them. Just do it! This may mean installing a lock on the lawyer's private office door.
• Buy a shredder/shredders with enough capacity to handle the job for your firm's needs.
• Imaged files are more easily protected, but then how secure is the firm's file server? Are sensitive drives password protected? Does the firm change the password frequently? And, is access to the backup media adequately protected?
• Most lawyers and law firm employees have remote access to the firm's information, are there limits and boundaries in place to prohibit access to sensitive client/matter information? What is an employee capable of downloading on a laptop, from his/her PC?
• Never send a client's personal information to be copied at a commercial copy service center.
• Never release a file to another lawyer without obtaining the client's written permission.
• And, finally, here's a really old policy, but it works: If an employee's workspace is in the common area of the law firm, papers are turned face down when not actively working on same, and these papers/files are secured at the end of the day."
I think Judith has a lot of great points and I appreciate her letting me share them in this space. If you want help preparing documentation, the FTC has also placed a form online for businesses at low risk of identity theft. It is a six page fill-in-the-blank form.