Law School Clinics Must Better Secure Client Data

Andrew Budzinski, a University of the District of Columbia professor, has made waves with his new paper asserting that law school clinics all over the country are way behind the curve when it comes to the ethical obligations of using technology in a legal setting.

“Some maintain outdated protocols, and some have no protocols at all, to manage and safeguard client data,” Budzinski said in the 58-page paper. “This leaves client data less secure than it ought to be, risking harm to clients, ethical violations for attorneys, and missed opportunities to communicate the importance of ethical technology use to clinic students.”

Budzinski cites a late 2021 study from Suffolk University professor Sarah Boonin and Texas A&M University professor Luz Herrera that found that while law school clinics overwhelmingly used standard legal technologies, only 54% of clinics surveyed trained students on data security. The authors found that the majority of clinicians “do not appear to provide their students with written data security policies.”

The paper argues that users of client data have a duty to keep informed of the best storage practices, protect the confidentiality of the client and their property, and responsibly oversee the work of nonlawyer assistants.

Budzinski also laid out a roadmap to ensure law school clinics specifically follow best data security practices instead of lax policies.

Clinics should choose to store client data on local servers or on remote servers using cloud storage and should not allow client data to be stored directly on student or faculty devices without careful consideration of the risks involved.

Clinics should also be clear to their personnel about what devices they may use to access client data. Public computers or devices not owned by the users should be avoided, as well as any device not updated with antivirus and firewall software or password protections. Wireless networks must also be secured.

The paper argues that clinics should identify and regulate which university personnel can access the data, protect email servers, disable forwarding to nonclinic inboxes and encrypt messages when possible, and secure a safe means of electronic document transmission.

As his final point, Budzinski adds that, if such policies prove impossible to implement, a clinic and its clients can reach a limited consent agreement that allows the use of technology where protective measures are not practical.

“Clinic personnel should be careful to adequately explain the risks of insecure technology use to the client and avoid glossing over or minimizing them,” he said.

“This is an opportunity for clinical legal education to continue its tradition of moving to the forefront,” Budzinski concluded. “Technology is a central part of law practice, and our students must be prepared to use it ethically.”

You can read more about this report here.
