Protecting Client Data

Next week, the Professional Responsibility Board will review several proposed amendments to the Vermont Rules of Professional Conduct, including proposals to change the rules that relate to the duty to act competently to protect client data.

I’ve blogged often on this issue.  Nevertheless, it bears re-visiting.

Rule 1.1 requires a lawyer to provide a client with competent representation.  I’ve asked the Board to recommend that the Court follow the ABA’s lead and add the underlined & bolded language to Comment [6]:

  • [6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Per Robert Ambrogi’s Law Sites Blog, 28 states have adopted a duty of tech competence.

Rule 1.6 prohibits the disclosure of information relating to the representation of a client.  A few years ago, the ABA amended Model Rule 1.6 to include the following language:

  • “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

I’ve asked the Board to recommend that the Court do the same.

I view Rules 1.1 and 1.6 as creating an affirmative duty to act competently to safeguard client information, including client information that is transmitted or stored electronically.

Now, if the proposals are adopted, will a lawyer need to know how to create an encryption key? Of course not.  Just like, right now, a lawyer does not have a duty to know how to build a lock, a file cabinet, or a fob that opens & closes a keyless door.  But, a lawyer probably has a duty to understand the risks and benefits associated with leaving client files in a box that’s in a shared hallway, as opposed to in a locked file cabinet that’s in a room behind a keyless door to which only 2 firm employees have fobs.

Similarly, will a hack or data breach automatically lead to a disciplinary sanction? No. Again, if a lawyer has taken reasonable precautions to protect client data, whether by encrypting e-mail or exercising due diligence in choosing a cloud vendor, the fact of a breach likely is not a violation.

However, I believe we’re rapidly approaching, if we haven’t passed, the day when it will no longer be considered reasonable not to have encrypted email.  Further, if you’re considering a move to the cloud, while you don’t know how to build your own cloud server, the duty of tech competence includes a duty to know what you don’t know.

For example, let’s say you ask a potential cloud vendor whether your clients’ data will be encrypted.  The vendor replies “yes, we use a BTTF flux capacitor to encrypt data at rest.  For data in transmission, we guarantee it will make the Kessel Run in 12 parsecs or less.”

What’s your response?

To read more about a BTTF flux capacitor click HERE.  An update on the Kessel Run and parsecs (which are units of distance, not time) is HERE.

Finally, if adopted, my hope is that the new language in Rules 1.1 & 1.6 leads us away from re-evaluating the ethical duty with each technological advance that gives us a new method of transmitting and storing data.

As I’ve written, today’s cloud-based practice management systems are not much different than the businesses that lease storage units on the outskirts of damn near every town.  Before storing client information on or at either, a lawyer must review whether each affords reasonable precautions against unauthorized access and disclosure.

No, the question should not be “is this new way of storing information ethical?”  Nor should it be “is it okay to use smoke signals to communicate with my client?”  Rather, whenever the next big thing comes along, the question should be “does this means of transmitting and storing client information provide reasonable precautions and safeguards against unauthorized access and disclosure?”

For related posts:

cyber-security

Avoid Complaints by Managing Expectations

With the start of another school year, I thought I’d take time to go back to basics.  And here’s a basic truth: a lawyer never has to respond to a disciplinary complaint that isn’t filed.

What’s the best way for a lawyer to avoid a disciplinary complaint?  Set clear & reasonable expectations at the outset of the attorney-client relationship and never stop managing those expectations.

I’ve blogged on this issue before.  One way to think about the issue is to remember both Charles Dickens and Cool Hand Luke.

Dickens wrote Great Expectations.  Probably because nobody would’ve read a book called Reasonable Expectations.  Indeed, I’ve yet to read about the client whose reasonable expectations were met. Yet, as I’ve blogged, left untempered, Great Expectations can provide me with reading material in the form of disciplinary complaints.

Similarly, nobody would’ve remembered (or paid to see) a movie about successful communication between prison guards and inmates.   But, “what we’ve got here is failure to communicate” is one of the enduring lines in movie history.  As I pointed out in Client Communication & Cool Hand Luke, it’s also the perfect approach for an attorney to ensure that a client files a disciplinary complaint.

Lesson: a great way to minimize the chances that a client files a disciplinary complaint is for a lawyer (1) to set clear & reasonable expectations at the outset of the attorney-client relationship; and (2) to manage those expectations by providing the client with clear & candid communication throughout the representation.

Back to Basics

Encryption & The Evolving Duty to Safeguard Client Information

In December 2015, I posted To Encrypt or not to Encrypt?   

The post began with an analysis of how Rules 1.1 and 1.6 work together to impose a duty to act competently to safeguard client information, including information that is stored and transmitted by electronic means.

From there, I walked readers through a series of advisory ethics opinions.  Over time, the opinions moved from concluding that the duty to act competently to safeguard client information did not include a duty to encrypt to concluding that it might.

I stated that, at the very least, lawyers had a duty to warn clients about the risks associated with unencrypted electronic communications.  Then, I wrote:

  • “My sense is that we will soon reach, if we haven’t already reached, a day upon which it will not be considered reasonable to transmit client information via unencrypted email.  Encryption is not as difficult or expensive as it used to be and more secure alternatives are readily available.”

Last week, that day drew closer.

On May 11, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 477: Securing Communication of Protected Client Information. The opinion analyzes the duties imposed by Rules 1.1 and 1.6.  It reviews a series of advisory ethics opinions and discusses the trend towards requiring lawyers to encrypt electronic client communications.

Opinion 477 concludes that lawyers must make reasonable efforts to safeguard client information.  It states that “[w]hat constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors.”  That is, lawyers must employ a “fact-based analysis” when transmitting & storing client information.  Factors in the analysis include:

  • the sensitivity of the information,
  • the likelihood of disclosure if special safeguards are not used,
  • the cost of using special safeguards, and
  • the difficulty of using special safeguards.

With respect to these factors, the opinion concludes that “lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters . . . to determine what effort is reasonable.”

The opinion makes clear that lawyers must remain cognizant that the analysis will change as technology evolves. In other words, what’s reasonable today might not be reasonable in 2020.

More importantly, what was unreasonable in 1997 might be reasonable today.  For example, as the opinion notes, “a fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances.”

The opinion suggests that the duty to safeguard client communications likely requires lawyers to:

  • Understand the nature of the threat,
  • Understand how information is transmitted & where it is stored,
  • Understand & use reasonable electronic security measures,
  • Determine how electronic communications should be protected,
  • Label communications as “privileged & confidential,”
  • Train partners, associates, and nonlawyer assistants in information security, and
  • Exercise due diligence when choosing a vendor.

For more on each, see pages 5-9 of Formal Opinion 477.

In my view, the opinion sends a strong signal that the failure to use basic and widely available tools violates the duties imposed by Rules 1.1 and 1.6.  Those tools include:

  • Within an office, using adequate login passwords
  • Changing those passwords on a regular basis
  • Password protecting email attachments
  • Using secure WiFi (as in, not the coffee shop’s WiFi)
  • Installing & updating firewalls, anti-malware, anti-spyware, and anti-virus software
  • Using client portals instead of email
  • Using established & secure cloud-based file storage vendors to send, exchange, and view documents
  • Remembering that client information is on, or has been accessed from, multiple devices: cell phones, tablets, remote log-ins

If you take anything away from this, as usual, let it be my refrain that “competence includes tech competence.”  For, if you find yourself in times of trouble, it will not be acceptable to respond “but that tech stuff is too complicated!”

It isn’t.

As technology evolves, so evolves the standard of “reasonable efforts to safeguard client information.”

Have you evolved?

Electronic Communication

Tech Competence Isn’t Everything: Soft Skills Matter

I often blog about tech competence.

One of my earliest posts was Competence Includes Tech Competence.  A search of “tech competence” on this blog produces a lot of posts.  3 of the 4 most-read posts have tech competence tags:

Well, let me tell you something: tech competence ain’t everything.

Earlier tonight, I was checking out Above the Law (woohoo!) and stumbled across a great post from Michael McDonald: Soft Skills Still Matter for Attorneys.

As I read about the so-called “soft skills,” I was reminded of a book I read long ago: Blink, by Malcolm Gladwell.  I had a vague recollection of Gladwell writing that nice doctors are less likely to be sued for malpractice than doctors who have poor bedside manners.

So, I did a quick search.  Sure enough, I found Why doctors get sued on The Ethical Nag. (great name for a blog!)  The post references Gladwell’s Blink.

Then I found a piece by Aaron E. Carroll in the New York Times: To Be Sued Less, Doctors Should Consider Talking to Patients More.  Carroll wrote:

  • “Learning to be better communicators, and to be better at — in essence — customer service is no small task for physicians. But improving those skills might actually make a difference in whether they are sued.”

And that gets me back to another reason that soft skills still matter for attorneys, one not mentioned by Michael McDonald.  Effective communication, a soft skill, helps minimize the chances of having a disciplinary complaint filed against you.

A week after I posted my first blog on tech competence, I posted Great Expectations.  It’s a post in which I argue that the “hot topic in legal ethics” is what it always has been and always will be: communicating clear expectations about the representation and managing those expectations throughout.

Earlier this year, I followed up with Client Communication & Cool Hand Luke. For those of you unfamiliar with the movie, I guarantee you’ve heard one of its most famous lines. Readers after my own heart will recognize the line not from the film, but as the intro to GNR’s Civil War.

Anyhow, it’s not all tech competence.  Soft skills matter.  Develop, hone, & use them.

PS: The most read post in this blog’s history?  For some crazy reason, this one.

Communication

Social Media Sanction! Except, Not Really

Regulators, practicing attorneys, and those who opine on legal ethics seem to wait with bated breath for any sort of disciplinary sanction involving a lawyer’s use or misuse of social media.

In my view, the collective anticipation causes an anxiety that leads lawyers to distrust, if not avoid, social media.  That’s too bad.  Lawyers who distrust & avoid social media tend not to develop the level of tech competence required in today’s practice.

Here’s a test: you’re having coffee, procrastinating about getting the work day started. You have time to read ONE article.  You see these two links:

  1. Lawyer who advised client to ‘relax’ in response to Facebook inquiries gets suspension.
  2. Nebraska lawyer suspended for failing to properly communicate with client.

Which do you choose? Everyone who chose #1, raise your hand.

As I expected, lots of hands.

The links are to the exact same story.  #1 ran in the ABA Journal, #2 in the Omaha World-Herald. To borrow a phrase, social media sells.  Are you telling me that my choice is “lawyer suspended for using Facebook!” or “lawyer fails to communicate with client?” Ha! I’ll take social media 11 times out of 10!

Here’s another test for my lawyer readers: raise your hand if, even without reading the story, you thought “See, I knew Facebook could get me in trouble.”

Again, lots of hands.

Now, read the opinion from the Nebraska Supreme Court.  In reality, the lawyer’s violation had very little to do with Facebook.  The lawyer’s responses to his client likely would’ve violated Nebraska’s rules whether transmitted via Messenger, e-mail, phone call, or U.S. Mail.

In other words, a failure to communicate is a failure to communicate regardless of the medium.  The lawyer who fails to engage in a reasonable level of communication via Messenger in 2017 is as guilty of misconduct as the lawyer who, way before Nirvana, failed to engage in a reasonable level of communication in 1985.

This violation had nothing to do with social media.  Don’t fear social media.

Social Media

P.S.: talk about burying the lede.  The lawyer intentionally sued the wrong defendant in order to access deep pockets!!  To me, that’s a bit more disturbing than a garden-variety failure to communicate.

Client Communication & Cool Hand Luke

Conventional wisdom is that the most common complaint against attorneys is “I never hear from my lawyer.”  Not true.

Communication lies at the heart of most complaints.  However, it’s usually not a total lack of communication that leads to an ethics complaint.

It’s the confusion that follows a failure to communicate reasonable expectations at the outset of the representation.

I blogged on this topic here.  I wrote:

  • “I’m not talking about ‘my lawyer never calls me back.’  Yes, that would be an issue, but it’s rarely what I hear.  Rather, I’m talking about situations in which it’s as if the client and the lawyer are talking about two entirely different relationships.  The reason: failure to manage client expectations.

    “Here’s an example: I screened an ethics complaint in September.  It was clear that neither the client nor the lawyer had a clear understanding of what the other expected out of the relationship.  The result: a total breakdown in communication, hard feelings, stress, and an ethics complaint.”

A few days ago, I found a post on the LawPay blog.  It’s called The Art of the Interview: How to Interview Clients in a Way that Results in Reasonable Expectations and was written by LawPay’s Director of Education, Attorney Claude Ducloux.  There’s nothing earth-shattering in the post, but I think it’s fantastic.  Very simple tips that will help you to establish and manage expectations.

I’d add one of my own: set clear expectations as to how often you will respond to electronic communications from your client. Then, stick to what you said.  A new client can be like any other new relationship: at first, you can’t respond quickly enough to the latest text or e-mail.  That’s not feasible in the long-term.

Yes, if you were to ask me for a single phrase to summarize the thousands of complaints I’ve reviewed, I’d probably say “it’s like the warden said: ‘what we have here is a failure to communicate.’ ”

Don’t set yourself up for failure.  Rather, set clear & reasonable expectations at the outset.
