Bouchons, Cybersecurity & Ransomware

Yesterday, I met with lawyers from the Lamoille County Bar Association.  Leslie Black, president-emeritus (by my proclamation) of the LCBA, had me up to talk legal ethics.

As an aside, Leslie stole the show by showing up with a fresh batch of bouchons.  You might have heard of Thomas Keller and the Bouchon Bakery.   Fine stuff, I’m sure.

Well, Leslie’s lemon bouchons, with a hint of cinnamon, are better.  And that, my friends, is not mere puffery.   The trick, je pense, is her brown butter recipe.

Leslie – les bouchons etait magnifique!

Now, back to business.

First off, I hope I’ve dispelled those who are less tech competent than others of the notion that “bouchon” has something to do with cybersecurity & ransomware.

Next, yesterday, we had an interesting discussion on cybersecurity & ransomware.  I’ve blogged previously on the issue here.  I’m blogging again for a few reasons.  Mainly, to stress a key point that David Polow made at the CLE:  back-up.  Storing info only in the cloud isn’t enough.

My prior blog post includes links to several helpful articles.  I failed to link to this one from the ABA Journal: Ransomware is a growing threat, but there are things you can do to protect your firm.  A critical point in the article echoes David:

• ” The panelists say that the core of ransomware protection is a robust backup system. However, Simek said that backups need to be tested on a periodic basis.If a firm’s backup is in the cloud, then redundancies of that backup system should be made as well—in other words, one backup is insufficient. For the truly business-critical data, McNew said a backup should be stored offsite and ‘air gapped,’ meaning it is not able to connect to the internet.”

Or, as Jim Knapp says, when it comes to backup “onsite, online, air-gap.”

Are you likely to be targeted? I don’t know.  It happened to one of the nation’s largest firms.  And, a Vermont firm was targeted in April.  The firm did not have sufficient back-up and data was at risk.

If it’s an issue that concerns you, talk to someone with a tech background.  Here are a few links from my original post that might be helpful:

• in March, TechWorld posted Best anti-ransomware tools & decryptors for 2018;
• here in Burlington, Champlain College’s Senator Leahy Center for Digital Investigation is an excellent resource for issues related to cybercrime, digital forensics, and information assurance; and,
• the most recent edition of the ABA Journal has this informative post: Are you covered? Cyber insurance market is highly unstable and lacks uniformity

As always, let’s be careful out there.

Advertisements

Montreal?

There’s a lot going on in Montreal this summer.  Go! Be a #WellLawyer!

But, if you go, make sure you take reasonable precautions to protect client data at the border.

Today, I’m going to share a few old posts, as well as an updated advisory ethics opinion from the New York City Bar Association.

My old posts:

• Thaw Bound? Protect Client Data at the Border
• Crossing the Border?  Consider bringing only what you really need

Last summer, the New York City Bar Association issued Formal Opinion 2017-5.  In short, and as reported by the ABA Journal, lawyers should take reasonable precautions to avoid the disclosure of client information during a border crossing.

Here are some highlights from the NYC Opinion:

• Rules 1.1 (competence) and 1.6 (confidences) impose a duty to act competently to safeguard client information.
• The duty includes taking reasonable precautions against disclosing information that should not be disclosed.
• The duty requires “attorneys to make reasonable efforts prior to crossing the U.S. border to avoid or minimize the risk that government agents will review or seize client confidences that are carried on, or accessible on, electronic devices that attorneys carry across the border.”

Last month, the NYCBA reissued the opinion.  Some other takeaways:

• Odds that a device will be searched might be low.  But, don’t discount the possibility.
• The safest way to protect client data is not to bring any.  This might not be feasible given the increasingly blurred lines between “work” and “personal” devices, but it remains an option.
• If asked to produce a device, an attorney should inform the border agent that it contains confidential & privileged information.  This triggers additional duties by the border agent before the search is conducted.
• Finally, if a device is searched, an attorney likely has a duty to notify clients.

For more, see the opinion.

Adieu et bon voyage!

 

 

 

Ransomware & Cybersecurity Insurance

As I’ve often blogged, Rules 1.1 and 1.6 require lawyers to act competently to safeguard client data.

Last month, I became aware of a law firm that was the subject of a ransomware attack. The cyber attacker blocked the firm’s access to client files and demanded a ransom.

Reminder: if a lawyer’s electronic files are compromised in a cyber attack, the question of whether the lawyer violated the Rules of Professional Conduct will likely turn on whether the lawyer took reasonable precautions to safeguard against the unauthorized access of client data.  In other words, being the victim of an attack is not, in & of itself, an ethics violation.

For example, consider two scenarios.

Scenario 1:  Lawyer operates a solo practice.  Lawyer employs a state-of-the art security system.  Nevertheless, a determined criminal uses C-4 to detonate into the office, into the safe, and then steals Lawyer’s files.

Scenario 2:  Attorney operates a solo practice.  Attorney keeps client files in an unlocked cabinet that’s on the front porch.  A lazy criminal walks up the steps, opens a drawer, and takes some of Attorney’s files.

Between the two, my guess is that a hearing panel is more likely to conclude that Lawyer is the one who took reasonable precautions against the inadvertent or unauthorized disclosure of confidential information.

In any event, on the subject of ransomware, here are few thoughts:

• a lawyer who I know suggests 3 distinct back-ups: onsite, online, and air-gap;
• in March, TechWorld posted Best anti-ransomware tools & decryptors for 2018;
• here in Burlington, Champlain College’s Senator Leahy Center for Digital Investigation is an excellent resource for issues related to cybercrime, digital forensics, and information assurance; and,
• the most recent edition of the ABA Journal has this informative post: Are you covered? Cyber insurance market is highly unstable and lacks uniformity

As always, let’s be careful out there.

 

 

 

Disclosing Information that is Public Record

Regular readers know that I’ve often blogged on the distinction between information that is “generally known”and information that is “public record.”  For further reading, please see:

• ABA & Client Confidences: It’s Deja Vu All Over Again
• Can’t keep quiet? Try harder.
• Hey Lawyers! STFU!!!

Last week, I posted a blog that looked at the other side of the coin.  That is, the side that believes that the First Amendment prohibits a state from sanctioning a lawyer who discloses information that is public record.  The post is here.   In it, I linked to a poll.

The post generated more than 300 views.  However, fewer than 10 people took the poll. Nearly as many complained that the post was too long.  It makes me laugh out loud – literally – that someone takes the time to send me an email complaining that a blog post that they chose to visit is too long.

While few took the poll, several sent me substantive comments.  Also, Jim McCauley, left a comment on the post itself.

Of the comments sent to me, the one that resonated most came from a reader who isn’t a lawyer.  Here it is:

******************************************************************************

Layman’s view here…free opinion so you know what it’s worth.  In my view if it’s in the public record, it’s public.  It’s fair game.  It’s within the rules to comment on it as you will.  

It’s ethical.

But that’s not what we come to your blog for Mr. Kennedy.  We come to your blog to discuss the Rules for Professional Responsibility.  And it is my opinion that it is neither professional nor is it responsible for an attorney to blog, comment, write about, or discuss the specific affairs of a former or current client regardless of whether the information is in the public record or not.  

When a client hires an attorney they expect, reasonably or not, that that attorney will be loyal, above and beyond all. Disputes are often fraught with deep emotion.  Having your own attorney air your linen out in the public square, regardless of the result of the court process, breaches this expectation and undermines the high regard in which most attorneys are held. 

There are a few situations where something that is within the rules just shouldn’t be done.  This is one. 

Which brings me to another point:  The rules represent not the pinnacle but the bottom floor for professional conduct.  The minimum standard.  What you’re supposed to be doing anyway.   

I defer for illustration to a comedy piece by Chris Rock here.  Paraphrasing, Rock says he’s tired of people taking credit for things they are supposed to be doing anyway.  Phrases like “I pay my child support” or “I”ve never been in jail”, don’t impress him.  “You’re supposed to be paying your child support”!”  “You’re not supposed to be in jail”.  “You don’t get any extra credit for that!”.  

He says it much better than I write it here but the principle is the same. 

It’s up to lawyers not to do the minimum; meet the bottom standards.  They should be aspiring to surpass them.  That’s responsible.  That’s professional.    
 

Just my 2 cents.

******************************************************************************

I don’t know that I’ll blog much more on this topic.  I’ve laid out the arguments. Fortunately, it’s rare that the PRP receives a complaint that alleges an unauthorized disclosure confidential information. In fact, I can’t even remember the last.  That’s a good thing.

Returning to the hypo I posted a while back, I don’t know whether the Vermont Supreme Court would conclude that the 1st Amendment prohibits sanctioning my attorney for disclosing information from my 2006 divorce that, while public record, is not generally known. However, I know that it’d bother me to no end to learn that my attorney had posted a blog with the embarrassing details of my case.

Now, I know what you’re thinking, and it’s not anything to do with Rule 1.6, Rule 1.9, or the 1st Amendment.  Nope.  You’re thinking “wait, Mike got divorced in 2006?”

Heeding my own advice, I intend to take full advantage of this opportunity to say nothing at all.

 

 

 

 

The Latest Scam

Last week I re-posted Beware of Last Minute Changes to Wiring Instructions.  The blog was directed at lawyers who receive changes to wiring instructions shortly before disbursing from trust.

Well, scams work both ways.  Here’s the latest:

Last week, Lawyer was set to represent Buyer in a purchase of property.  Buyer intended to fund the purchase with Buyer’s own money.  Lawyer provided Buyer with instructions on how to wire the funds ($110,000) to Lawyer’s trust account.

Two days before closing, Buyer received a text message with revised wiring instructions.  Buyer did not call, e-mail, or otherwise confirm the change with Lawyer.  Buyer instructed bank to wire the funds to the account reflected in the text message.

It was a scam.

As pointed out in last week’s blog, lawyers should confirm with clients upon receiving a last-minute change to wiring instructions.  Lawyers should instruct clients to do the same and, in addition, inform clients that it is highly unlikely that a lawyer’s wiring information will change in the day or too before a closing.

Of course, the latest scam raises a question as to how the scammer knew to text Buyer.  Did Lawyer fail to take reasonable precautions to safeguard client information? For now, it’s too early to tell.

Can a lawyer be sanctioned for revealing information that’s a matter of public record?

Today’s question: does the 1st Amendment prohibit the Supreme Court from sanctioning a lawyer who reveals client information that is public record?

Here’s how the issue would arise.

Rule 1.6 prohibits lawyers from revealing information relating to the representation of a client.  There are some exceptions.  They are:

• disclosure is impliedly authorized to carry out the representation;
• the client consents to disclosure;
• disclosure is required by Rule 1.6(b); or,
• disclosure is permitted by Rule 1.6(c).

As you see, “it’s public record” is not one of the exceptions.

Rule 1.6 applies to current clients.

With respect to former clients, Rule 1.9(c)(2) prohibits a lawyer from “revealing information relating to the representation as these rules would permit or require with respect to a client.”  Basically, the rule refers back to Rule 1.6 and does not include an exception for information that is “public record.”

Similarly, Rule 1.9(c)(1) prohibits a lawyer from using “information relating to the representation to the disadvantage of the former client except as these rules would permit or require, or when the information has become generally known.” (emphasis added).  As I’ve blogged several times recently, the ABA’s Standing Committee on Ethics and Professional Responsibility has opined that information that is in the public record is not necessarily “generally known.”  Here are the blog posts:

• March 2018:  ABA & Client Confidences: It’s Deja Vu All Over Again
• December 2017: Can’t keep quiet? Try harder.
• October 2017: Hey Lawyers! STFU!!!

The October post includes cites to several cases that stand for the notion that the prohibition against disclosing information relating to a representation is not lessened by the fact that the information is public record.  Or, for a more detailed explanation how broad the confidentialy rules are, the ABA’s Litigation News ran this article by Edward Feldman.

But there’s an important case that holds otherwise.  The case is Hunter v. Virginia State Bar.

Attorney Hunter blogged.  His posts caught the attention of the Virginia State Bar and resulted in a disciplinary prosecution.  The  VSB charged Attorney Hunter with violating the advertising rules.  Those charges aren’t relevant here.

What is relevant is that the VSB also charged Attorney Hunger with violating Rule 1.6 “by revealing information that could embarrass or likely be detrimental to his former clients by discussing their cases on his blog without their consent.”

At a disciplinary hearing, the VSB put on evidence that Hunter’s former clients “believe that the information posted was embarrassing or detrimental to [them], despite the fact that all such information had been previously revealed in court.”

Hunter was publicly admonished following a conclusion that he had violated both the advertising rules and Rule 1.6.

In an intermediate-level appeal, a circuit court upheld the advertising violations, but dismissed the 1.6 charge on the grounds that the rule, as applied, violated the 1st Amendment. An appeal to the Virginia Supreme Court followed.

On appeal, the VSB conceded that the blog posts were about former clients, contained information that was public, and would have been protected speech if disseminated by the news media or anyone other than Hunter.

The Supreme Court noted that it had been “called upon to answer whether the state may prohibit an attorney from discussing information about a client or former client that is not protected by attorney-client privilege without express consent from that client.”

The Court’s answer:  no.  Specifically,

• “To the extent that the information is aired in a public forum, privacy considerations must yield to First Amendment protections. In that respect, a lawyer is no more prohibited than any other citizen from reporting what transpired in the courtroom.”

The issue has gained some traction lately, largely in response to the ABA’s most recent formal advisory opinion.  Here’s an excerpt from a blog I posted last week.  It refers to criticism of the ABA’s opinion that “public record” is not necessarily “generally known.”

************************************************************************************

“On that point, the opinion is not without criticism.  Check out the post from Above The Law.   Among other things, the author, Robert Ambrogi, writes:

• “So a lawyer may not ‘reveal’ information that is contained in a public record. But how can someone reveal something that is already public? To reveal is to make something public that was secret.”

Interesting point.  I don’t necessarily disagree. However, on the flip side, what if you went through a messy divorce 10 years ago?

Imagine that it went to trial.  At trial, details emerged that remain embarrassing today.  Yes, the trial was public, but, really, in label only. Nobody went, certainly not the press.  The details are not, by any stretch of the imagination, generally known. The only way anyone could access the details would be by going to the great length of ordering a transcript.  Public? Yes.  Generally known? No.

How would you feel if your lawyer blogged the details tomorrow?”

************************************************************************************

Josh King is Chief Legal Officer at Avvo.  He commented on my post:

“Having hired lots of lawyers over the last 20+ years, of course I wouldn’t want them blabbing about my matters without my consent.

But there’s a difference between a best practice and what the law can prohibit. I’m quite sure that Rule 1.6 can’t constitutionally be applied to discipline a lawyer for stating something that is in the public record.”

Josh runs a blog called Socially Awkward.  He posted a much more detailed response there. You can read it here.

Keith Lee has a blog at Associate’s Mind.  In response to Josh’s post, Keith tweeted a quote from the Hunter decision:

 

f 

Michael Cicchini is a lawyer in Wisconsin.  In 2015, the Vermont Law Review published his article On The Absurdity Of Rule 1.9.  Here’s an excerpt:

“Rule 1.9 is an absurdly broad rule that perpetually bans attorney speech  for all purposes and with regard to all information, including information in the public domain. The rule has no rational, underlying policy, and is not even rooted in clients’ actual expectations regarding confidentiality . . . Instead, Rule 1.9 should be interpreted to permit an attorney to discuss, write about, or otherwise disclose publicly-available information relating to a former client’s case, provided the attorney does not contradict the former client’s position in that case.”

I don’t know that I have a position, mainly because I’ve never had to think about it.  I know that most bar counsel types believe in the idea that “public record” is not “generally known” and, therefore, is not an exception to the general prohibition against disclosure stated in Rules 1.6 & 1.9.  More practically, I simply believe that it’s a good idea not to talk about a former client’s matter, even if the matter received widespread media coverage.  Also, for lack of a better word, it makes me squeamish to think of a lawyer disclosing information about a former client that, while public, almost nobody else knows.

Still, I’m sensitive to the First Amendment argument. And, despite my personal opinion that one should take advantage of every single opportunity to keep one’s mouth shut, I feel like the pendulum has started to swing swung back towards the debate’s equilibrium.

So, what say you? I’m a piece of clay.  Mold me.  Again, here’s the scenario:

• You went through a messy divorce 10 years ago.  Mike represented you. The divorce went to trial.  At trial, details emerged that remain embarrassing today.  Yes, the trial was public, but, really, in label only. Nobody went, certainly not the press.  The details are not, by any stretch of the imagination, generally known. The only way anyone could access the details would be by going to the great length of ordering a transcript.  Public? Yes.  Generally known? No.  Yesterday, Mike blogged about them.

Should Mike be sanctioned? Discuss in the comment section, but keep it civil.  Or, take this poll.

 

 

 

 

ABA & Client Confidences: It’s Deja Vu All Over Again.

Last December, I blogged on ABA Formal Opinion 479.  It’s an advisory opinion in which the ABA’s Standing Committee on Ethics and Professional Responsibility stressed that lawyers should not assume that they are free to disclose client information merely because the information is in a public record.

That’s a point that I made in my post Hey Lawyers! STFU!

To bring you up to speed, here’s the analysis with respect to current and former clients:

Current Clients

• Rule 1.6(a) states that a lawyer “shall not reveal” information relating to the representation of a client unless (1) disclosure is impliedly necessary to carry out the representation; (2) the client consents to disclosure; or (3) one of the exceptions in paragraphs (b) & (c) is met.
• Notably, “it’s public record” is not one of the exceptions in paragraphs (b) & (c).

Former Clients

• Rule 1.9(c)(1) prohibits a lawyer from using information relating to the representation of a former client to the former client’s disadvantage unless the information is generally known.  The fact that something is public record does not mean that it is generally known.
• Rule 1.9(c)(2) states that a lawyer “shall not thereafter reveal” information relating to the representation of a former client except as the rules otherwise authorize or permit. Nothing in the rules authorizes a lawyer to reveal information merely because the information is in a public record.

On March 6, the ABA released advisory opinion 480.  The opinion purports to address the duty of confidentiality as it applies to lawyers who blog.  The ABA Journal and Above The Law reported on the opinion.   In addition, Trisha Rich and Allison Martin Rhodes, law partners at Holland & Knight, blogged on the opinion here.

The opinion strikes me as a bit odd.

First, for an opinion that purports to address lawyers who blog, it really doesn’t.  Indeed, parts of the opinion come off as, how shall I say it, “less than tech savvy.”  For example, the opinion refers to Twitter accounts as a “microblogs . . . that ‘followers’ (people who subscribe to a writer’s online musings) read.”

Twitter is more than a place to read online musings.  Per the Pew Research Center’s latest numbers, 24% of U.S. adults use Twitter, and 46% of those who do visit Twitter every day.  Speaking only for myself, Twitter is where I get my news. I don’t go for “musings.”  I doubt so many Americans do either.

Next, as Attorneys Rich and Rhodes point out,

• “The unusual thing about the latest opinion, though, is that it breaks very little new ground. The main point of the opinion is simply to reinforce to lawyers that their obligations of confidentiality always apply, even where a lawyer is communicating electronically.”

Indeed, the opinion makes me wonder why someone asked for it.  I mean, really.

As many of you know, whether by following this blog or attending my CLE presentations, I often urge lawyers not to fear tech.  Tech doesn’t require new rules. It’s simply a new forum in which the same old rules apply.  For example, many of the questions you should ask a potential cloud storage vendor are remarkably similar to the questions you’d want answered before renting a unit at the Store-All facility out on the Old County Road.

More specifically, would you have needed an advisory opinion to tell you not to reveal client confidences in op-ed pieces for your local paper? I doubt it.  Then why would you need an advisory opinion on whether it’s okay to reveal client confidences in a blog post?

Again, as Rules 1.6 and 1.9 make clear, unless one of the exceptions is met, IT IS NEVER OK TO REVEAL CLIENT CONFIDENCES.

Anyhow, the opinion isn’t entirely a restatement of the obvious. It includes a helpful tip on a pet peeve of mine.

At many of my seminars, lawyers pose “hypotheticals.”  Some are so detailed that I’d guess that half the audience knows who the lawyer is talking about.

Remember, “but I was at a CLE & said it was a ‘hypo’!” is not one of the exceptions listed in Rule 1.6.  Indeed, as the most recent ABA opinion reminds us:

• “A violation of Rule 1.6(a) is not avoided by describing public commentary as a
  ‘hypothetical’ if there is a reasonable likelihood that a third party may ascertain the identity or situation of the client from the facts set forth in the hypothetical. Hence, if a lawyer uses a hypothetical when offering public commentary, the hypothetical should be constructed so that there is no such likelihood.”

Finally, as I alluded to above, the opinion reinforces the notion that “it’s public record” is not license to reveal information. On that point, the opinion is not without criticism.  Check out the post from Above The Law.   Among other things, the author, Robert Ambrogi, writes:

• “So a lawyer may not ‘reveal’ information that is contained in a public record. But how can someone reveal something that is already public? To reveal is to make something public that was secret.”

Interesting point.  I don’t necessarily disagree. However, on the flip side, what if you went through a messy divorce 10 years ago?

Imagine that it went to trial.  At trial, details emerged that remain embarrassing today.  Yes, the trial was public, but, really, in label only. Nobody went, certainly not the press.  The details are not, by any stretch of the imagination, generally known. The only way anyone could access the details would be by going to the great length of ordering a transcript.  Public? Yes.  Generally known? No.

How would you feel if your lawyer blogged the details tomorrow?

In any event, from a practical standpoint, in law & life, I think it’s often best to heed the words of Thomas Edison:

“You will have many opportunities
to keep your mouth shut.
You should take advantage
of every one of them.”

 

Tech Competence: Don’t Let the Web Bugs Bite

Last week, the Illinois State Bar Association (ISBA) became the 4th to opine that a lawyer violates the ethics rules by using secret email tracking software.  The opinion is here.  The opinion was reported by 2Civility .

Secret email tracking software?? What is this? 007, Archer, and Get Smart?

I wish.

Alas, it’s tech competence.  As in, Rule 1.1‘s duty of competence includes tech competence.

The Illinois opinion does a nice job framing the question that was presented.

• “The present inquiry involves the use of email ‘tracking’ software, applications that
  permit the sender of an email message to secretly monitor the receipt and subsequent handling of the message, including any attachments.  The specific technology, operation, and other features of such software appear to vary among vendors. Typically, however, tracking software inserts an invisible image or code into an email message that is automatically activated when the email is opened. Once activated, the software reports to the sender, without the knowledge of the recipient, detailed information regarding the recipient’s use of the message. Depending on the vendor, the information reported back to the sender may include: when the email was opened; who opened the email; the type of device used to open the email; how long the email was open; whether and how long any attachments, or individual pages of an attachment, were opened; when and how often the email or any attachments, or individual pages of an attachment, were reopened; whether and what attachments were downloaded; whether and when the email or any attachments were forwarded; the email address of any subsequent recipient; and the general geographic location of the device that received the forwarded message or attachment. At the sender’s option, tracking software can be used with or without notice to the recipient.”

The ISBA concluded that an attorney who uses email tracking software engages in dishonest & deceitful conduct, and also impermissibly intrudes on opposing counsel’s attorney-client relationship.  As such, the use web bugs violates Rules 8.4(c) and 4.4(a). The ISBA’s conclusions track (pun intended) conclusions reached by New York, Alaska, and Pennsylvania.

The opinion isn’t surprising.  However, it includes a section that I find interesting.

Here’s the sentence that immediately follows the section of the opinion that I quoted above:

• “There do not appear to be any generally available or consistently reliable devices or programs capable of detecting or blocking email tracking software.”

That’s an important statement.  Why?  I’m glad you asked.

Lawyers have a duty to take reasonable precautions against both the inadvertent disclosure of and unauthorized access to client information.  For example, while it might be wrong for a passerby to open your file cabinet and look inside, it’s probably not a good idea for you to leave the file cabinet unlocked on the sidewalk in front of your office.  That’s not a reasonable precaution.  Similarly, and ( i hope) more likely to arise, hacking is wrong and illegal. But, the general trend is towards a conclusion that a lawyer violates the rules by failing to encrypt client data that is electronically transmitted and stored.

So, is the failure to check for – protect against – web bugs a violation of the duty to take reasonable precautions to safeguard client data?

According to the Illinois State Bar, no.  Specifically, the ISBA noted that while the ethics rules:

• “express a general duty that a lawyer should keep abreast of the benefits and risks associated with relevant technology as well as make ‘reasonable efforts’ to prevent unauthorized access to client information, requiring the receiving lawyer to first discover and then defeat every undisclosed use of tracking software would be unfair, unworkable, and unreasonable.”

I apologize for yet another block quote.  But, I think this is an important issue.  So, here’s why the ISBA thought it would be “unfair, unworkable, and unreasonable” to expect a receiving lawyer to defend against web bugs:

• “It would be unfair for at least two reasons. First, it is unfair to require lawyers to use email and other electronic documents in communications regarding their practice and then interpret the professional conduct rules to enable the undisclosed use of tracking software to gain covert, unauthorized access to protected client information of opposing parties. Second, it is unfair to require lawyers receiving email, i.e., all lawyers, to assume that all email messages contain undisclosed tracking software because that approach places the burden of preventing
  unauthorized access to protected client information on the wrong party. The sending lawyer is the actor in these situations and controls whether, when, and what type of tracking software to employ. Tracking software is not, for example, a common functional aspect of electronic documents like metadata. As noted in ABA Formal Opinion 06-442 (August 5, 2006), metadata is embedded information that enables word-processing software to manage documents and facilitates collaborative drafting among colleagues. Unlike tracking software, which must be purposely, and usually surreptitiously, inserted into an email, metadata is a universal feature of every word-processed document. It is appropriate and reasonable to expect lawyers to understand metadata and other ubiquitous aspects of common information technology. But it would be neither appropriate nor reasonable to charge all lawyers with an understanding of the latest version of tracking software that might be chosen, and then employed without notice, at the option of opposing counsel.”

The ISBA opinion continues:

• “Even assuming that ‘defensive’ software or devices capable of discovering and/or
  defeating tracking software were to become available, it would be unworkable to, in effect, force every Illinois lawyer to become and remain familiar with the various tracking programs on the market and then immediately purchase and install whatever new anti-tracking software or device that may, or may not, protect against the latest version. Given the typical rapid changes in technology, few, if any, solo or small firm lawyers could reasonably do so. Aside from creating sustained employment for IT consultants and software vendors, that approach would only precipitate an ‘arms race’ in which the developers and users of tracking software would always be a step ahead.”

I am not condoning a lawyer’s use of web bugs or surreptitious tracking software.  No more than I’d condone wiretapping opposing counsel’s phone. However, I am not sympathetic to the suggestion that tech evolves so rapidly that we shouldn’t expect lawyers to stay abreast of developments in technology.

Also, as I’ve blogged, the rationale for the conclusion that receiving lawyers have no duty to protect against tracking software that is designed to pierce the attorney-client relationship sounds an awful lot like what we used to say about whether lawyers had a duty to encrypt email, scrub metadata, or have a basic knowledge of common trust account (phishing) scams.

I’m fairly confident that someday, it will no longer be difficult or burdensome to detect and protect against email tracking software.  In other words, go back to the statement that’s bolded above.  Soon, I think it might be changed to:

• “There appear to be many generally available and consistently reliable devices or programs capable of detecting or blocking email tracking software.”

When that day arrives, I doubt that “but they shouldn’t have used tracking software on me” will be a defense to a charge that a lawyer failed to take reasonable precautions to safeguard client data.  In any event, regardless of whether there’s an affirmative duty to protect against web bugs, I’d think a prudent lawyer would want to do so anyway.

In conclusion, don’t let the web bugs bite.  Not only that, remember that we’re likely soon to live in a world in which web bugs bite all involved with a particular communication.

 

To: the prosecution. With love, the Defendant’s lawyer.

89 years ago today, almost to the minute, seven men were murdered in Chicago’s Lincoln Park neighborhood.  The incident became known as the Saint Valentine’s Day Massacre. Al Capone is widely regarded as the criminal mastermind behind the killings.

As bar counsel, I’m intrigued by one aspect of the events that led to Capone’s conviction and incarceration.  My intrigue lies in the so-called Mattingly Letter.  It’s a letter that Capone’s tax lawyer provided to treasury agents and that was eventually used against Capone at trial.

Douglas Linder is a professor at the University of Missouri-Kansas City School of Law. He has a website dedicated to Famous Trials.  Among others, Professor Linder has written on the trial of Al Capone.

Per Professor Linder, as of 1929, Capone had never filed a federal income tax return.  So, the Department of Treasury launched an investigation into whether Capone had committed income tax evasion.

Lawrence Mattingly was Capone’s tax lawyer. In April 1930, Mattingly agreed to let “revenue agents” interview Capone.  The transcript of the interview is here.  Here’s an excerpt of what would become a key segment:

• Revenue Agent RALPH HERRICK: I think it is only fair to say that any statements which are made here, which could be used against you, probably would be used.
• LAWRENCE MATTINGLY, Capone’s tax lawyer: Insofar as Mr. Capone can answer any questions without admitting his liability to criminal action, he is here to cooperate with you and work with you.
• HERRICK: What records have you of your income, Mr. Capone-do you keep any records?
• CAPONE: No, I never did,
• HERRICK: Any checking accounts?
• CAPONE: No, sir.
• HERRICK: How long, Mr. Capone, have you enjoyed a large income?
• CAPONE: I never had much of an income.
• HERRICK: I will state it a little differently-an income that might be taxable?
• CAPONE: I would rather let my lawyer answer that question.
• MATTINGLY: Well, I’ll tell you. Prior to 1926, John Torrio, who happens to be a client of mine, was the employer of Mr. Capone, and up to that point it is my impression that Mr. Capone’s income wasn’t there. He was in the position of an employee, pure and simple. That is the information I get from Mr. Torrio and Mr. Capone.

A few months later, Mattingly met again with federal agents.  As the meeting ended, he provided the agents with this letter.  Mattingly opened the letter by stating:

• “The following statement is made without prejudice to the rights of the above-mentioned taxpayer in any proceedings that may be instituted against him. The facts stated are upon information and belief only.”

He closed by conceding:

• “I am of the opinion that his taxable income for the years 1925 and 1926 might fairly be fixed at not to exceed $26,000 and $40,000 respectively and for the years 1928 and 1929 not to exceed $100,000 per year.”

Several months later, a grand jury indicted Capone.

Eventually, Capone and the government reached a plea agreement under which Capone would’ve served 2.5 years.  A judge rejected the plea, stating:

• “The parties to a criminal case may not stipulate as to the judgment to be entered. It is time for somebody to impress upon the defendant that it is utterly impossible to bargain with a Federal Court.”

As trial neared, the government obtained information establishing that Capone had likely bribed a significant portion of the jury pool.  The prosecution team notified the judge. Per Professor Linder, here’s what happened next:

• “Judge Wilkerson took his seat at the bench and looked out over the packed courtroom. He called the bailiff to the bench. ‘Judge Edwards has another trial commencing today,’ he told the bailiff. ‘Go to his courtroom and bring me his entire panel of jurors; take my entire panel to Judge Edwards.'”

At trial, the government sought to introduce the Mattingly Letter through the agent to whom Attorney Mattingly had delivered it.  The defense objected.  The court admitted the letter as proof that Capone had made certain statements, albeit not as proof of those statements.  (yeah, right.)  A transcript of the testimony surrounding the letter’s admission is here.

The prosecution referred to the letter during its closing argument.  That portion of the summation, which I found enthralling, is here.  Here’s my favorite part:

Referring to Attorney Mattingly, the prosecutor argued:

• “He had tried to get the revenue agents to say that the admission would not be used against his client; now, in the letter, Mattingly is saying it himself. The letter says, “‘his statement is made without prejudice to the taxpayer in any criminal action that may be instituted against him.'”

The prosecutor continued:

•  “Suppose a speeder, when stopped by an officer, should say; ‘I am telling you this without prejudice, officer; I don’t want it used against me; but I was going 50 miles an hour.’ Suppose a gambler could tack a little sign on a roulette, ‘This device is not to be used as evidence against me.’ Suppose a murderer could put a sign on his gun, “This weapon is not to be used as evidence against me.’ What a refuge for criminals that would be! And yet, that is what we have here, ‘I am telling you this, but it is not to be used against me.’ “

In the end, Capone was convicted and sentenced to 11 years in prison.  Admissions from his own tax attorney appear to have played a significant role in the conviction.

Competence.  Client confidences.  You be the judge.

An intriguing aside: one of the government’s key informants in the Capone investigation was Eddie O’Hare.  O’Hare held the patent for the mechanical rabbit that lures greyhounds around a race track. He also ran dog tracks for Capone.  Eddie was murdered shortly before Capone was released from prison.

The intriguing aside?  Eddie’s son, Edward, was a naval pilot. He was the Navy’s first “flying ace” and the first member of the Navy to receive the Medal of Honor in World War II. He was shot down in combat in 1943 and never found.  Chicago’s O’Hare Airport is named for him.

 

ABA Journal Provides Cybersecurity Tips

Rules 1.1 and 1.6 operate to impose a duty to act competently to safeguard information relating to the representation of a client.  The duty includes taking reasonable steps to protect against the unauthorized or inadvertent disclosure of (or access to) electronically stored client data.

In 2018, the ABA Journal will publish a year-long series on cybersecurity.  Last month, and as part of the series, the ABA Journal posted 5 cybersecurity steps you should already be taking.  I recommend it.  A quick summary:

1. Check to see if you’ve been pwned.
2. Consider a password manager.
3. Improve the strength of your passwords.
4. Use 2-factor (or multi-factor) authentication.
5. Encrypt your devices.

Again, read the post.  It’s not long, and the tips are as simple as they are valuable.

Finally, don’t forget that the Vermont Bar Association is offering its first ever Tech Day on May 16.  It’s shaping up to be a fantastic CLE.