This article was published in Hong Kong Lawyer (March 2019).
Instant messaging is increasingly penetrating the workplace, and law firms are no exception. A recent study estimates that nearly 70% of employees use smartphones for business, and that, of those, 73% use instant messaging apps installed on their phones for that purpose.
Whilst it may be unsurprising that instant messaging has become the top communication tool for employees using their smartphones for business, significantly outstripping the use of smartphones for emails (66%) and voice calls (58%),1 what is probably less well known is that, whilst one of the leading messaging app provides end-to-end encryption, ensuring that only the sender and receiver can read the message and not third parties, with some other popular messaging apps, it is either only optional, or not available at all.
The prevalent use of instant messaging apps brings new legal, professional conduct and security challenges to lawyers and law firms that are significant and worthy of attention.
Professional conduct
Rule 1.07 of the Hong Kong Solicitors' Guide to Professional Conduct (the "Guide") requires lawyers using "information communication technology", including instant messaging tools, to ensure that such use is in compliance with the Guide, Practice Directions and all applicable law.
Confidentiality risks
Maintaining confidentiality is obviously a key requirement for all lawyers. Instant messaging can however very easily lead to the inadvertent disclosure of confidential and/or privileged information to third parties. For instance, when a messaging app is installed, it may request access to the phone's contact list to enable it to import the entire list straight onto the servers of the messaging app.
A lawyer using the app may therefore have shared his or her clients' personal data with third parties without even knowing it, which is obviously problematic. The risk of this happening is even greater, of course, if the phone was provided by the law firm and contains an individual lawyer's client list.
Privilege risks
In this fast-moving digital age, clients increasingly expect to be able to contact their lawyers at all hours of the day, wherever they are, and via a communication channel of their choice. For example, PRC clients will often wish to communicate with their lawyers via one of the most popular PRC messaging apps. Lawyers should, however, be aware that end-to-end encryption is not available for messages on that app. To the contrary, all conversations and posts on its social media platform are expressly susceptible to use as evidence in PRC courts. It follows that if clients insist on using such app to discuss their business, including potential or existing litigation, it could mean that any privilege attached to those conversations has been waived.
To preserve confidentiality and privilege, it may be prudent to consider adopting a strict protocol, such as never communicating with clients about a case via instant messaging, so that the lawyer's ability to communicate and strategize confidentially with clients is left intact.
Record retention risks
Law firms should review internal policies to determine how best to handle the departure of lawyers, particularly in the context of mobile devices and data management. Law firms should be mindful that when lawyers leave a law firm, the conversations and work documents stored on their mobile devices are likely to move with them.
For that reason, firms need to consider having a backup system in place to archive work-related materials stored on personal devices. Otherwise, documents and conversations may be lost when lawyers leave the firm, which could be a serious issue if they leave to work for a competing law firm.
Discovery risks for clients
Lawyers should also be reminded of their obligation to advise clients on what is expected of them with respect to discovery in litigation. While some of the more popular messaging apps do not store user messages on their servers, and can at most handover metadata to a Court or to the police, clients can opt to back up their messages on the cloud. It can however be difficult, if not impossible, to ascertain where the cloud servers are located, as well as the level of data protection provided to these back up messages. The practical reality is that, even though the messages may not be stored on the servers of a messaging app, the messages backed up by clients could still be subject to discovery in Hong Kong litigation, similar to other electronic records such as emails.
Mitigating the risks
To mitigate the risks associated with the use of instant messaging apps, lawyers and law firms need to be proactive. The first step is to assess a firm's exposure to the risks involved, taking into account its existing security policies and what devices are used by people in the firm (for example computers, tablets, mobile phones, and flash drives). The process involves determining what safeguards are in place, which areas need enhanced security measures, and whether a messaging app is the right communication tool for the practice in question.
Supervision is likely to be a significant challenge for many law firms. It can prove difficult, especially for smaller firms, to supervise and/or monitor all lawyers' business communications via a third party messaging app.
Instant messaging management technology, such as Mobile Device Management (MDM) and/or Mobile Application Management (MAM), enables management to monitor the use of instant messaging, block content in compliance with policy, retain and store messages, and detect viruses, among other features.
This technology gives law firms control, while allowing legal and non-legal staff to communicate with external parties via instant messaging apps. Law firms should consider whether it is cost-effective to adopt such technology if they have not already done so.
Secondly, law firms should also review internal IT policies. If the risks associated with using instant messaging are not adequately addressed, update your policies. Some suggested updates include:
- limiting (or even prohibiting) the type of documents that staff are allowed to send on the instant messaging app;
- defining appropriate use of instant messaging both in the workplace and in client communications;
- installing location tracking devices on all technology devices;
- setting up devices so they can be wiped clean remotely in case they are lost or stolen; and
- identifying the scope and type of monitoring on instant messaging apps to be conducted by your firm.
Depending on the size of the law firm, it may also be beneficial to look into the option of the firm setting up its own enterprise-grade messaging app. Some of the key benefits of this include device-to-device encryption with unique keys so that messages and data are protected during transmission, secure cloud-based storage, and giving the firm total control and management over all data and ensuring that no outside parties have access to such data.
Finally, firms should educate all their legal and non-legal staff on best practices for communicating in the digital world, ensuring that all staff will follow basic rules on usage, content and record retention. Staff, especially lawyers, are likely to use the messaging apps more sensibly if they understand the risks involved.
Footnote
1 Pathfinder Report: Growing Use of Consumer Messaging Apps Exposes Organizations to Privacy, Compliance and Security Risks, October 2017.
