Crossing the Border? Consider Bringing Only What You Really Need.

There’s a lot going on in Montreal.

The city is celebrating its 375th anniversary.  The Impact and Alouettes have opened their seasons.  Guns N’ Roses plays Parc Jean Drapeau in a few weeks, and hopefully things go better than at the Big O in 1992.  The Museum of Fine Arts has Revolution.  The Lachine Rapids are a great way to beat the August heat.

Whatever draws you north, think twice about bringing electronic devices that contain client information.

A few weeks ago, I posted an update on protecting client information while returning to the U.S. from abroad.  In it,  I included this quote from another blogger: “I wish I could conclude this post with easy answers, but it appears that there are none at the moment.”

Moments change.

On July 27, the New York City Bar Association issued Formal Opinion 2017-5.  In short, and as reported by the ABA Journal, lawyers should take reasonable precautions to avoid disclosure of client information during a border crossing.

Here are some highlights from the NYC Opinion:

• Rules 1.1 (competence) and 1.6 (confidences) impose a duty to act competently to safeguard client information.
• The duty includes taking reasonable precautions against disclosing information that should not be disclosed.
• The duty requires “attorneys to make reasonable efforts prior to crossing the U.S. border to avoid or minimize the risk that government agents will review or seize client confidences that are carried on, or accessible on, electronic devices that attorneys carry across the border.”
• What are reasonable efforts/precautions? It’ll depend on a variety of factors.
• Those factors suggest “that an attorney should not carry clients’ confidential information on an electronic device across the border except where there is a professional need to do so.”
• The factors also suggest that “attorneys should not carry clients’ highly sensitive information except where the professional need is compelling.”

The opinion goes on to provide some detail on how to evaluate the risk that confidential information will be reviewed at the border. (It’s low).  The opinion also sets out safeguards to implement, with “the simplest option with the lowest risk [being] not to carry any confidential information across the border.”  (emphasis mine)

Importantly, the opinion suggests that an attorney does not violate New York’s rules by complying “with a border agent’s demand, under a claim of lawful authority, for an electronic device containing confidential information during a border search.”   Key, however, is that the opinion stresses that an attorney must first undertake “reasonable efforts to dissuade border agents from reviewing clients’ confidential information or to persuade them to limit the extent of their review.”

Finally, the opinion states that if client information is reviewed during a border crossing, Rule 1.4’s duty of communication requires the lawyer to inform each affected client.

I cannot give you “yes” or “no” answers for every conceivable possibility related to client information, electronic devices, and border searches.  I’ll leave it at this: if devices containing client information are searched – and that’s a big if – will you sleep easier knowing that you took precautions against it happening?

Remember, not every unauthorized access creates ethics liablity for the attorney.  “Reasonable precautions” does not mean “fool-proof.”  However, the failure to take precautions might be viewed as clear & convincing proof of foolishness – a determination that might lead to sleepless nights.

Whatever you do before you travel to Canada with devices that contain client information, do whatever will help you (and your clients) sleep best after you return.

 

Update: Protecting Client Information at the U.S. Border

Two months ago, I posted Protect Client Info When Traveling Abroad.

Earlier this week, Jeff Richardson posted New information on your iPhone being searched by Customs at the border.  If you’re heading to Montreal this summer, it might be worth a read.

For those of you who reflexively avoid any tech-related post, do so at your own risk. Here’s the concluding paragraph from Jeff’s post:

• “I wish I could conclude this post with easy answers, but it appears that there are none at the moment.  I don’t know how you should weigh the usefulness of having your iPhone and iPad with you outside of the country versus the risk that a border agent will try to search the device as you enter the country.  And remember, we are just talking about U.S. border agents right now; you may also find yourself facing an official in another country who demands access to your device and who has no regard for the Rules of Professional Conduct or the Rules of Evidence governing privilege.” (emphasis added)

By the way, Jeff’s blog is a helpful resource (think “tech competence“) for lawyers who use iPhones and iPads.

Protect Client Info When Traveling Abroad

Given the proximity of the Canadian border, and with the YLD Thaw in mind, this article strikes home.

As reported by the ABA Journal in this post, ABA President Linda Klein recently authored a letter to DHS in which she expressed “serious concern about standards that permit searches of lawyer laptops and other electronic devices at the border in the absence of reasonable suspicion.”  President Klein’s letter is here.

Let me be clear: I am NOT suggesting that Vermont lawyers have an affirmative duty to refrain from bringing devices that contain client data to Montreal when traveling for the weekend. However, understand what might happen upon your return.  And, as I often say in response to inquiries, avoiding problems is a great way not to have any.  So, if you don’t need your device that contains work & client data while you’re wandering the Old Port, consider not bringing it.

Somewhat related, I’ve previously posted a blog Subpoena to Disclose Client Info?

 

 

 

Phising Scheme Alert: Google Docs

A phishing scheme is making the rounds today. It’s an attack in which an email invites the target to edit a document in Google Docs.

Adi Robertson at The Verge has the details here.

Let’s be careful out there.

So You Want To Store Client Data in the Cloud….

. . . you should! Odd are it’ll make your law practice more efficient, which will help both you and your clients.

With the June 30 deadline to report CLE compliance, I’m asked to present at a lot of CLEs in May and June.  This year, several folks have asked me to talk about the ethics associated with storing client data in the cloud.

I will do as asked. Reluctantly.

Last November, I posted a blog in which I expressed my hope that I’d done my last seminar on the ethics of storing information in the cloud.  I think it’s time we move beyond “can I use the cloud?” to figuring out whether the cloud works for you & your firm and, if so, which vendor to choose.

Since my hope has not yet been realized, I’m re-posting my post. Two words to remember: “Reasonable Precautions.”

****

The Cloud:  What are Reasonable Precautions?

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud.  I started by saying that I hoped it was my final seminar on the topic.  I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent.  See, Rule 1.6.  A lawyer also has a duty to keep client property safe.  See,Rule 1.15.

I view the cloud as the latest in a long line of different places to store information.  In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16].  When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.  Rule 1.6, Comment [17].

So, think about cloud storage like this:  client information is electronically transmitted to a place where it will be kept.  Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06.  Here’s the digest of the opinion:

• “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)

The question I hear most often is this:  “what are reasonable precautions?”  In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

• who do you let into this facility?
• do you require a passcode or badge for the gate?
• are there locks on the individual units?
• who besides me has a key or knows the combination?
• can i get into my unit whenever i want to?
• what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion.  The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi.  He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

• Is it a solid company with a good reputation and record?
• Can you get access to your data whenever you want, without restrictions?
• If your service is terminated – by you or by the company – can you retrieve your data?
• Does it allow use of advanced password protocols and two-step verification?
• What are its internal policies regarding employee and third-party access to your data?
• Is your data encrypted both while in transit and while at rest on the company’s servers?
• How is your data backed up?
• What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

• You:   Will my data be encrypted in transmission and at rest?
• Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
• You.  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions.  This entry includes links that will help you determine what “reasonable precautions” are.  Don’t fear the cloud, but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.

 

Guest Pass: Peter Zuk on Data Security

I’m rolling out a new column: Guest Pass.  Like Captain Kirk and the bridge, it’s a column in which I hand over control to a guest.

The first recipient of a Guest Pass is old friend Peter Zuk.  Many of you remember Peter from his title insurance days.  In my early years as disciplinary counsel, Peter was instrumental in helping me to learn the importance of a swift and serious response to a violation of the trust accounting rules.  He also served as an invaluable resource and sounding board when I found myself confronted with trust accounting issues that, having come from the AG’s office, I’d never encountered.

These days, Peter works for Kyocera Document Solutions and serves as a member of one of the Professional Responsibility Program’s hearing panels. Peter’s Guest Pass serves up an important reminder on tech competence & maintaining the security and confidentiality of client data.

Mr. Zuk, you’ve got the bridge.

**********

Data Security: Don’t Forget the Copier

by Peter Zuk

Michael:

I’m selling copiers and secure networks to lawyers many of whom were former title insurance customers.  It’s great to be able to serve my old clientele again.

In working through the purchase of a new copier or multi-function printer (MFP, as we like to say), the question frequently arises as to how to dispose of the old machine.  Big and heavy, they’re impossible to lift and few have a car big enough to haul it to a recycling facility.

Fortunately for most business customers the answer is an easy one:  The new company takes the old copier as a condition of the sale.

But what about law offices?  Is there anything else that they should consider?

The answer is “maybe”.

To understand this answer you have to know how the modern MFP works.

While they don’t look like much, copiers come packed with technology these days.  Part of that technology is a large capacity hard drive.  To provide you with a crisp, clear copy or scanned image, the MFP takes a picture of your document, digitizes it and saves it to an internal hard disk located within the machine.  From there, the internal computer then copies that image from the drive to a photo-statically charged drum which transfers the charged image to paper.

What happens to the image on the hard disk you may be asking?  Fortunately most machines now overwrite the image at the completion of each job obscuring its discovery.

Lawyers may be ok with that level of security.  To be sure though, the prudent attorney may wish to request that the copier company remove the hard disk from the old machine on premises and surrender it to a member of the firm for proper and documentable destruction.  On premises removal of hard disks is becoming requested more and more and should be considered as part of an overall data security plan for the firm.

Firms wishing to do this should notify their leasing company prior to removal as they may ask to be reimbursed for the cost of the hard drive.

******************

Thank you Peter!  For those of you saying to your selves “self, this isn’t a very big deal,” check out this 2010 story from CBS News: Digital Photocopiers Loaded With Secrets. 

 

 

Withdrawing? Remember this Disco Tune

So, you want to withdraw because your client hasn’t paid.  There’s a rule for that: Rule 1.16.

Specifically, Rule 1.16(b)(5) permits withdrawal when:

• “the client fails substantially to fulfill an obligation to the lawyer regarding the lawyer’s services and has been given reasonable warning that the lawyer will withdraw unless the obligation is fulfilled.”

Per Comment 8, this includes a client’s failure to abide by the terms of a fee agreement.

This is where disco comes in.

As I was driving to work this morning, Thelma Houston’s version of Don’t Leave Me This Way came on the radio.  I admit: it caused me to dance in the driver’s seat as I carpool-karaoked south on 89.

But the chorus provides a great lesson: when you withdraw, don’t violate a client’s confidences on your way out.  A client’s failure to abide by the terms of a fee agreement does not relieve a lawyer of his or her obligations under Rule 1.6, the rule that prohibits disclosure of information relating to a representation.

Last December, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 476: Confidentiality Issues when Moving to Withdraw for Nonpayment of Fees in Civil Litigation.  In an excellent article on the advisory opinion, the ABA Journal warned that Lawyers should tread carefully before quitting a troublesome client.

Don’t leave your clients pleading for you not to leave them this way.

 

Tips for Choosing a Practice Management System

Most of you know that when it comes to legal tech, I highly recommend Robert Ambrogi’s Law Sites Blog.  Ambrogi also writes a This Week In Legal Tech column for Above The Law.

Here’s the most recent column: 6 Questions To Ask Before Selecting A Practice Management Platform.

Read it.

A summary of the 6 questions:

1. Do you want a cloud platform or a platform installed on site?
2. How much do you want to pay?
3. Does the system comply with security requirements and obligations under the Rules of Professional Conduct?
4. Does it have the basic features that you need?
5. Does it have the advanced features that you need?
6. Does it feel right when you try it?

Again, read the article.

For part 2 of question 3, my view is that a lawyer’s obligation under the Rules of Professional Conduct is to take reasonable precautions to protect client data, whether the data is in transmission or at rest.  What are reasonable precautions?  I addressed that question HERE.

Still drinking coffee this morning?  You’ve got time to try this week’s legal ethics quiz before you hit the trails or slopes.

 

Web Bugs: An Update.

Update:  So, I  received an e-mail stating that I’m “way off base” in “endorsing” the use of web bugs. Please review each of the posts I’ve made on the topic.  One is HERE, the other is HERE.  

I have not endorsed the use of web bugs or spy mail.

What I intended to convey is this: the fact that it may be wrong for someone to try to access information relating to the representation of your clients doesn’t relieve you from the duty to take reasonable precautions to prevent unauthorized access to that information. See, Rule 1.6, Comments 16 and 17.  

Do you have to store your paper files in a subterranean vault that’s equipped to survive an RPG attack?  No.  But you probably shouldn’t leave your file cabinets unlocked in a shared hallway, trusting that passersby will remember not to look at things that aren’t theirs.

Imagine a passerby looks through the files.  Are you willing to roll with the “but he shouldn’t have been looking!” defense to a formal charge that you violated Rule 1.6 by keeping your files unlocked in the hallway? If so, take a look at this decision from a hearing panel of the PRB.

Is there an affirmative duty to use available technology to protect against spy mail? I don’t know.  No matter the type of technology, including a type we can’t even imagine today, it will boil down to this: have you taken reasonable precautions to protect against the unauthorized disclosure of client information?

I will not be surprised if, someday, someone concludes that the duty to take reasonable precautions to protect against the unauthorized disclosure of information relating to the representation of a client includes using reasonably available technology to protect against web bugs & spy mail. In fact, as I mentioned in the first post, that’s almost exactly how the debates over metadata and encrypted e-mail have evolved.

 

 

Web Bugs

One of the questions at Thaw Bowl IV involved Web Bugs.  Due to several blank looks, I thought I’d re-visit the issue.

What are Web Bugs? I first blogged about them  HERE.  Think of them as e-mail tracking.  Some might call it ” spy mail.” Essentially, a web bug is a tool that allows a sender to track when an e-mail is opened, the device used to open it, and whether the e-mail is forwarded.

Last week, Chad Gillies posted an article on LinkedIn entitled “E-Mail Tracking: Is It Ethical? Is it Even Legal?”  His article had previously appeared in the January 11, 2017, issue of Bloomberg’s ABA/BNA Lawyer’s Manual on Professional Conduct.  Mr. Gillies made a PDF of the article available on LinkedIn. It’s HERE.  It includes a lengthy quote from my blog post on Web Bugs.

Mr. Gillies handles customer strategy and legal affairs for a MailControl.net .  The company’s website, which is HERE, bills it as a “the leader in enterprise and anti spy mail solutions.”

Anyhow, if you read my original blog post, you’ll not see anything in which I endorse the use of web bugs, e-mail tracking, or spy mail as ethical or consistent with the rules.  Rather, as Mr. Gillies points out, you’ll see a section in which I remark upon an advisory ethics opinion issued by the Alaska Bar Association.

The Alaska opinion is HERE.  The opinion concludes that the use of web bugs violates Alaska’s Rules of Professional Conduct.  It also includes the following language:

• “The Committee notes that Rule 1.6(c) requires a lawyer to take ‘reasonable precautions’ transmitting a communication that includes a client confidence or secret so as to avoid allowing the information to come into the possession of unintended recipients, including information in electronic form.  The Committee does not interpret this duty as requiring the lawyer to presume that opposing lawyer will seek to ‘bug’ communications and requiring the lawyer to take active steps to detect and prevent such tracking devices.  As a practical matter, with rapidly changing technology and software that may be impractical or even impossible for the receiving lawyer to accomplish.  The Committee believes that the only reasonable means of protecting attorney-client communications and work product in this situation is to bar the lawyer sending the communication from using these types of tracking devices.”

This paragraph stood out to me.  Why?  As anyone who attended my CLEs on digital security in Montreal, Rutland, or Brattleboro knows, I’ve stressed that Vermont lawyers have a duty to take reasonable precautions to protect client data, whether the data is in transmission or at rest.   For more on reasonable precautions, click HERE.

With that in mind, here’s what I wrote in my original blog post:

• ” I find this final point somewhat interesting.  It’s quite different from the evolving view of a lawyer’s duties with respect to the electronic storage and transmission of client information.  It’s also the exact opposite of what we’re telling lawyers with respect to metadata & track changes. With metadata & track changes, we’ve clearly stated that it’s perfectly okay to look for information that goes to the heart of the attorney-client relationship.  In so doing, we’ve said that if you don’t know about metadata and don’t take steps to prevent it from being accessed, it’s your problem, not the lawyer’s who looks for it without telling you that she’s looking.”

From there, I added:

• “No, I’m not arguing that a lawyer has a duty to sweep the office for bugs or listening devices once opposing counsel departs after visiting.  Rather, I simply wonder whether technology soon will have evolved to the point where it is not unreasonable for a lawyer to check an email for a web bug.”

So, I want to be clear: by suggesting that lawyers have a duty to protect against web bugs and spy mail, I am not suggesting that the rules allow a lawyer to use web bugs and spy mail.

That being said, I remain struck by the language in the Alaska Opinion.

I’ll close by repeating myself:

• Lawyers have a duty to take reasonable precautions to protect client information.
• There are bad people out there using spy mail and web bugs.
• Lawyers have a duty to stay abreast of the benefits and risks of relevant technology.
• There is technology available to protect against spy mail and web bugs.

So, as I wrote in my original blog post on web bugs:

“No, I’m not arguing that a lawyer has a duty to sweep the office for bugs or listening devices once opposing counsel departs after visiting.  Rather, I simply wonder whether technology soon will have evolved to the point where it is not unreasonable for a lawyer to check an email for a web bug.”