As my readers know, I am an avid iPhone user, and have blogged and presented seminars about the iPhone in law practice. I am a practice management advisor and also present seminars on mobile security, using our Rules of Professional Conduct as a guide.
I do not question the thoroughness of the forensic analysis detailed in the article, rather my quarrel is with their application of our Rules of Professional Conduct. Model Rule 1.6 governing confidentiality of client information is not a strict blanket concept. Lawyers must take reasonable steps to keep the information confidential; we are not required to take all steps to achieve absolute perfection in guarding our clients’ information.
The article suggests lawyers avoid using the iPhone because of the risk of an iPhone being lost or stolen, then found, hacked and the all data harvested and sold. In reality, what is the likelihood that an iPhone owned by a lawyer will fall into the hands of well-trained criminal hacker who knows how to jailbreak the phone, has the right equipment to harvest the data, and the contacts to sell it to someone who will use it? And how many of those phones will be wiped clean by the attentive owner using the remote wipe feature before the data is harvested? (Instructions for remote wiping are available to anyone in the iPhone OS Enterprise Deployment Guide, and for subscribers to Apple’s MobileMe service.
Applying this very high “hit by lightening” ethical standard to a law practice is not possible or practical; we would be paralyzed against any possible breach of confidentiality. We would not connect to the Internet for fear a new virus will infect our computers, even though we have anti-virus protection. We could never engage a temporary receptionist for fear they will cause—negligently or otherwise--a breach of confidentiality while in our office. I mean, with all due respect to receptionists, a malfeasant temporary receptionist could do more damage in a law firm in a couple days than a hacked iPhone can do in a lifetime.
Yes, reasonable steps are necessary to guard client data on mobile devices--including passwords and the know-how to remotely wipe the phone should it be lost. And, yes, with the knowledge provided by John and Sharon, we should be more careful.
Furthermore, John and Sharon’s point is equally applicable to many other types of cell and smart phones, especially the older ones. I dare say thousands of lawyers are using phones that do not have the PIN enabled nor are their users aware of what to do quickly in the event it is lost or stolen.I don’t think the fear of a lost iPhone should stop lawyers from using it given the freedom and functionality it gives as a productivity-enhancing tool. Neither our Rules of Professional Conduct, nor our malpractice standards are so high as to preclude using this or other technology tools with the standard precautions we use for any computer.
So, I'll say "nice try" to John and Sharon next time we chat, but they'll have to try harder before they pull my iPhone out of my cold dead hands! ;-)