Your Fiduciary Responsibility to Your Client's Data - Smeester & Associates - Denver, Colorado USA

Your Fiduciary Responsibility to Your Client’s Data

Make the most responsible choice to protect your client’s data, regardless of what they think is the best method. They’re not the experts.

I saw Leonard the other day, and he started the conversation off like he always does: “What are your thoughts about storing data in the cloud, like Google or Dropbox or something? My clients would have a problem with that so I keep all of their data in house.”

Leonard is a business attorney I’ve known for years; we met on a board we both served on. He thinks he’d be making a big mistake by trusting his data to an outsourced entity. “If you put it on Google or Dropbox, it’s out there!” he’ll say. Yes, it is. But the truth is it’s also out there on the hard drive in your office if that drive is plugged into a computer that is connected to the Internet (which it most likely is). Anything that compromises that computer, whether a phishing email or a piece of malware, can read the drive just as easily as Leonard can, and unlike a cloud provider, nobody is watching for it.

Knowing what I know (Leonard’s data security expertise extends about as far as plugging in the little external hard drive his IT guy gave him), I’d have a huge problem if that is how he handled my critical information. I’d trust the engineers at Google and Dropbox, or in a data center handling managed services, before I’d trust Leonard and his IT guy.

In our conversation, Leonard agreed that outsourced vendors probably do have better security, given that it’s what they do for a living (whew, a milestone). So when I asked why he still wouldn’t trust a third party, it boiled down to his clients having a problem with knowing that. I get it. His clients still think the way he did (oh no, it’s ‘in the cloud’!). But regardless of their perception, isn’t it Leonard’s fiduciary responsibility (watch out for the legal terminology!) to make sure his clients’ information is safe, regardless of what they think?

Suppose Leonard’s clients’ data were compromised (actually much more likely to happen under his in-house setup). In a court of law, I wonder how a judge would rule if Leonard admitted that he chose to store his clients’ critical and sensitive information on an external hard drive when he knew about Google and Dropbox and managed services. I’m willing to bet it would go badly for Leonard.

Here are some links to articles discussing how the courts are starting to pay attention to “standards of practice”:

Negligence Liability for Breaches of Data Security

Assessing risk: Data breach litigation in U.S. courts