Is there a duty to encrypt email?

Given that it’s Friday, I’ll start with a quiz question:

Which is most accurate? A lawyer must _____

  • A.  encrypt an email that contains information related to the representation.
  • B.  encrypt an email that contains “sensitive information.”
  • C.  encrypt an email that contains privileged information.
  • D.  act competently to protect the confidentiality of information related to the representation of a client, including by taking reasonable precautions to protect against the inadvertent disclosure of or unauthorized access to that information.

The answer is D.

I understand that practicing lawyers with professional responsibility inquiries want “yes” or “no” answers. However, bar counsel types who provide ethics guidance often don’t get as specific as lawyers would like. In no area is that more common than protecting client information.

Decades ago, I’m guessing that my predecessors didn’t answer “yes” or “no” when asked “am I required to buy one of those fancy new file cabinets that has locks on each drawer?”  Rather, they replied “you are required to take reasonable precautions to protect client information.”  Whether the inquirer’s personal circumstances made file cabinets sans locks unreasonable would’ve depended on the circumstances.  For instance, were the file cabinets in a locked closet to which only the lawyer and staff had access? Or were the file cabinets in storage room that the law firm shared with other businesses that rented space in the building?

Indeed, in 2017, the ABA’s Standing Committee on Ethics & Professional Responsibility declined to set “hard and fast rules” for storing client’s electronic information. In Formal Opinion 477, the Committee essentially announced that it’s not going to review every new advance in technology. No matter the next new thing, the duty remains the same: take reasonable precautions to protect client information.

Earlier this week, Professor Bernabe posted Does a lawyer have to encrypt e-mail messages? In it, he linked to LexBlog’s Encryption Ethics. I like the LexBlog post. The author makes clear that there will come a day when the failure to encrypt is deemed unreasonable. Here’s the post’s concluding sentence:

  • “But as encryption and other safeguards get less expensive and cumbersome, your duty to implement these measures will undoubtedly increase.”

I’ve been saying the same thing for years. In 2015, I said it To encrypt or not to encrypt?  I said it again in 2017’s Encryption and the Evolving Duty to Safeguard Client Information.  In each post, I referenced various advisory opinions that make clear that, someday, technology will have evolved to the point at which it is no longer reasonable to choose not to encrypt email.  Similarly, there will come a time when it is not reasonable to use modes of information transmission or storage that do not encrypt the information in transit or at rest.

As I’ve run out of coffee and fret about having time to draft a Five for Friday post, I fear that I’ve lost focus.  So, I’ll leave you with this:  yesterday’s reasonable safeguards might be wholly unreasonable tomorrow. At the very least, take some time to think about how you and your firm are handling electronically stored client information.

Safeguarding data

Conflicts, Confidences & Prospective Clients

Long ago, I investigated this disciplinary complaint:

  • Person met with Lawyer to discuss representation in a matter;
  • Person shared information about the matter with Lawyer;
  • Person opted not to retain Lawyer;
  • Litigation ensued;
  • Opposing Party retained Lawyer; and,
  • Lawyer represented Opposing Party in the same matter about which Person had consulted with Lawyer.

Back then, Vermont had yet to adopt V.R.Pr.C. 1.18, the rule that sets out a lawyer’s duties to a prospective client.  Thus, as disciplinary counsel, I was left to analyze whether Lawyer had violated the rule that prohibits concurrent representation of clients with conflicting interests or the rule that prohibits representing a client whose interests are materially adverse to those of a in the same or a substantially related matter.

At the time, the general legal principle was that prospective clients were “neither fish nor fowl” for the purposes of the ethics rules.  Thus, conceding that Person was not a current or former client, I argued that the spirit and intent of the conflicts rules rendered Lawyer’s representation of Opposing Party a violation.

Alas, a hearing panel of the Professional Responsibility Board disagreed. The panel concluded that my decision to charge Lawyer with a violation was not supported by probable cause.  Thus, complaint dismissed.

Not long thereafter we got to work on proposing & promulgating V.R.Pr.C 1.18.  It took effect on September 1, 2009.

Under the rule, a “prospective client” is a person who, in good faith, discusses with a lawyer the possibility of forming client-lawyer relationship.  If no relationship ensues, the lawyer’s duty of loyalty is relaxed, but the duty of confidentiality is not.

That is, the lawyer must maintain the prospective client’s confidences as if the person had retained the lawyer.  However, the lawyer may represent someone whose interests are materially adverse to the prospective client, even in a matter that is the same as or substantially related to the matter that was the subject of the consultation, as long as the lawyer did not receive information that “could be significantly harmful” to the prospective client. Depending on the steps that the lawyer took to avoid or minimize the receipt of disqualification, lawyer’s conflict might not be imputed to lawyer’s firm.

Earlier this week, the ABA’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 492. The opinion addresses a lawyer’s obligations to prospective clients. The ABA Journal reported the opinion here.

In my view, the opinion provides clear and helpful guidance on (1) what constitutes a “consultation;” (2) the type of information that would be considered “significantly harmful” and thereby potentially disqualifying in a subsequent matter; and (3) the steps lawyers and firms can take to avoid receiving disqualifying information in an initial consultation.

I suggest reading it. Which is my way of saying that, as I ease back into blogging after the annual mini-hiatus that comes with the CLEs and training that take place this time of year, I’m not going to regurgitate an advisory opinion that is written far better than I could.

Aside: with the adoption of Rule 1.18, I assume that the prospective client has achieved fish or fowl status.  I’m not sure which.

Neither Fish Nor Fowl - Liz Sumner | Life Coach

Responding to Online Reviews

I took a week off from blogging.  I’m back, albeit not so much because I missed it.  Rather, I’m here to celebrate a Vermont connection, however tiny, to an article in today’s ABA Journal.

Lawyers in Bennington County might remember Cynthia Sharp.  Last year, Attorney Sharp presented a CLE for the BCBA.  Today, the ABA Journal ran her article How to ethically respond to negative reviews from clientsThe article shares valuable tips and includes quotes from two names that regular readers of this blog will recognize: Tom Wilkinson and me.  Tom serves on the ABA’s Standing Committee on Professionalism and frequently appears on the #fiveforfriday Honor Roll in Legal Ethics.

Not having blogged in a week, I’m unprepared to dive directly back into the deep end.  So, here’s the “knee-deep” version on responding to online reviews:

  1. Information relating to the representation of a client is confidential.
  2. The rules prohibit lawyers from disclosing information relating to the representation of client.
  3. There are exceptions to the general prohibition.
  4. “The client gave me a negative review” is not one of the exceptions.

Last month, I received two inquiries from lawyers seeking guidance on how to respond to negative reviews.  I was struck by the intensity with each wanted to respond. It reminded me of the criticism often directed my way in various online forums when I was coaching high school basketball.

Trust me, I get it.  Still, be careful.  Don’t let your initial reaction cause you to disclose information that the Rules of Professional Conduct require you to keep confidential. If, upon reflection you choose to respond, consider the type of response suggested by Tom Wilkinson in Attorney Sharp’s article.

Be Quiet

Additional Resources

Related Posts






Negative Online Review? How not to respond.

Whether here or at CLEs, I’ve often mentioned the perils of responding to a former client’s negative online review. As reported by the ABA Journal and Legal Profession Blog, here’s another example of what not to do.

Last week, the New Jersey Supreme Court suspended a lawyer for 1-year for violating several rules, including the Garden State’s rule that prohibits a lawyer from using information relating to the representation to a former client’s disadvantage unless the information has become “generally known.”  The underlying decision of the Disciplinary Review Board is here.

Now, the sanction resulted from multiple violations committed while representing multiple clients. In other words, the lawyer’s response to the negative online review wasn’t the sole basis for the 1-year suspension.  Still, the opinion serves as important reminder that, whether you agree with the rule or the interpretation thereof, it is well-established that information that is “public record” is not necessarily “generally known.”

Before I share the facts of the NJ case, let’s look at Vermont’s rule. It’s V.R.Pr.C. 1.9(c)(1):

“(c) A lawyer who has formerly represented a client in a matter or whose present or former firm has formerly represented a client in a matter shall not thereafter:

(1) use information relating to the representation to the disadvantage of the former client except as these rules would permit or require with respect to a client, or when the information has become generally known.”  (emphasis added).

As reported by the ABA Journal, the New Jersey lawyer “had won unsupervised visitation for the client after she took her children to another state without authorization, ‘seemingly, a good result,’ according to the review board.”  Nevertheless, the client posted a negative online review regarding the lawyer’s services.

The client owns a massage therapy business.  Miffed at the review the client had left for him, the lawyer posted the following Yelp review of the client’s business:

  • “Well, [client] is a convicted felon for fleeing the state with children. A wonderful parent. Additionally, she has been convicted of shoplifting from a supermarket. Hide your wallets well during a massage. Oops, almost forgot about the DWI conviction. Well, maybe a couple of beers during the massage would be nice.”

In response to the subsequent ethics complaint, the lawyer wrote:

  • “As to the Yelp rating about [client’s] massage therapy business, I admit to same. I was very upset by [her] Yelp rating of my practice. This rating was made more
    than a year and a half after the conclusion of my representation. My disclosures, i.e. her arrests, were public information and I did not violate attorney client
    privilege. My position was that what was good for the goose was good for the gander. I do concede that I do not believe that the rating was my finest moment.
    However, it was not unethical. That posting has subsequently been taken down.”

Long story short, the Disciplinary Review Board disagreed that it wasn’t a violation.  Citing to ABA Formal Opinion 479 and a few court decisions, the Board concluded that the lawyer’s review of the former client’s business violated the rules because the information, “although publicly available, was not generally known.”

As I’ve said before, and as my dad told me as a kid, when it comes to client confidences, lawyers would be well-served to remember this quote:

“You will have many opportunities
to keep your mouth shut.
You should take advantage
of every one of them.”
Thomas Edison

Be Quiet

Related Posts








Negative Online Review? Restrain Yourself.

A few weeks ago, a lawyer called me for guidance on how to respond to a negative online review.  It’s not an inquiry I receive often, but it’s a topic that warrants a reminder. Also, the call was timely in that the North Carolina State Bar recently issued an advisory opinion that’s on point.


More on the nuts & bolts of the legal ethics issues in a moment.  I’ll start with a practical observation.

I was struck by how upset the lawyer was to have discovered the negative online review. I get it: none of us enjoys having our work trashed, especially by someone who we feel omitted key information in trashing it.  But remember: a negative online review is not the end of the world.

Most everyone reading this post has shopped online.  Did the product you bought have only positive reviews?  Since the new year, and before the coronavirus pandemic, many of you likely went out to eat.  Odds are that the restaurants you frequented had more than one negative review on Yelp.  Finally, I’m willing to bet that, before the internet, every single lawyer had at least one unhappy client who bad-mouthed their services afterwards.  While the ease with which lawyers now learn about negative online reviews is a function of modern technology, unhappy clients are nothing new.

My point is that you can’t make all clients happy all the time.  However, while you can’t control the unhappy clients, you can certainly control your response to their unhappiness.

Personally, when reviewing hotels or restaurants, I appreciate the proprietor who responds with a simple “we regret your experience, please contact us.”  I do not appreciate the “the food wouldn’t have been cold if you’d have eaten it as soon it was served instead of having 3 more beers.”

Enough of my soapbox.

Generally, Rule 1.9(c) prohibits lawyers from revealing or disclosing information relating to the representation of a former client. There’s an exception for any revelation or disclosure otherwise authorized by Rule 1.6, the confidentiality rule for current clients.  Rule 1.6 includes the so-called “self-defense” exception to confidentiality.

The self-defense exception permits a lawyer to disclose otherwise confidential information:

  1. “to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client;” or,
  2. “to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved;” or,
  3. “to respond to allegations in any proceeding concerning the lawyer’s representation of the client.”

I’ll give it to you straight, no chaser: a negative online review doesn’t fall within any of the exceptions.  For those of you that need more than my word, I don’t blame you.

In January, the North Carolina State Bar proposed this advisory opinion.  Citing the NC rule that is the same as Vermont’s, the opinion concludes:

  • “Thus, the self-defense exception applies to legal claims and disciplinary charges arising in civil, criminal, disciplinary or other proceedings. A negative online review does not fall within these categories and, therefore, does not trigger the self-defense exception.”

As far as I’m aware, no bar association or court has concluded otherwise.

The North Carolina opinion includes a helpful summary of opinions from other bar associations. I won’t regurgitate them here.  However, harkening back to my earlier point, I will share two sentences from New York State Bar Association Ethics Opinion 1032:

  • “Unflattering but less formal comments on the skills of lawyers, whether in hallway chatter, a newspaper account, or a website, are an inevitable incident of the practice of a public profession, and may even contribute to the body of knowledge available about lawyers for prospective clients seeking legal advice.  We do not believe that [the rule] should be interpreted in a manner that could chill such discussion.”

In short, a negative online review does not operate as a client’s waiver or consent that the lawyer may disclose otherwise confidential information.

So, what can a lawyer post in response? Again, being risk averse and appreciating politeness, I’d not post much, if anything.  But some people can’t help themselves.  So, let’s look again at the NC opinion.

It concludes that an attorney “may post an online response to the former client’s negative online review provided the response is proportional and restrained and does not contain any confidential client information.”   As an example, it cites Pennsylvania Bar Association Ethics Opinion 2014-200 which suggests the following response:

  • “A lawyer’s duty to keep client confidences has few exceptions and in an abundance
    of caution I do not feel at liberty to respond in a point-by-point fashion in this
    forum. Suffice it to say that I do not believe that the post presents a fair and accurate picture of the events.”

Even that gives me pause.  But, as the North Carolina opinion points out, most to address the issue have concluded that a lawyer does not violate the rules by denying the merit of the client’s assertions.

Okay.  This post is officially too long.  So, I’ll leave you with this.

Catherine Sanders Reach is the Director of the Center for Practice Management at the North Carolina State Bar Association.  Last month, Catherine posted Responding to Negative Online ReviewsIt’s a fantastic resource that I highly recommend.

Or, you can remember a lesson my dad taught me (via Thomas Edison) that I’ve often used on client confidences:

  • “You will have many opportunities in life to keep your mouth shut: You should take advantage of every one of them.”



Blogger’s Note: this picture is more than a year old.  As I blog today, I’m at home, doing my part. I am not at my office and I’m not touching my face.

Buried Ledes, Hackers, and Protecting Client Data

A friend of mine used the word “lede” in a text she sent me earlier this week.  So impressed that she knew the proper spelling, the word has stayed on my mind ever since.  Good thing.  Because as I proofed this post, I realized that I almost buried the lede.

Even Vermont-sized law firms are vulnerable to hackers.

Image result for hackers data

In January, hackers stole data from five small firms.  From each, the hackers demanded 100 Bitcoin to restore access to the data and 100 Bitcoin not to sell it. Then, the hackers began publishing the data on the web. Among others, Law.Com, CoinTelegraph and the ABA Journal have the story.

Did I mention that, at the time, 100 Bitcoin cost $930,000?  Today it’s only $890,416.

I’ll return to the story in a moment.  First, however, I’d like to introduce Jim Knapp.

Jim is Vermont State Counsel for First American Title Insurance.  But the day I blog about underwriting will be the day I retire as a blogger.

For many years, Jim and Kevin Ryan presented their famed “Road Show” across Vermont. It was a CLE that included great tips on tech and data security. You know – tech competence!

I’ll start with the basic premise: lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to information relating to the representation of a client. The duty applies to the electronic transmission and storage of client information & data.

As I noted here, there is no set answer to “what are reasonable precautions?”  The ABA’s Standing Committee on Ethics and Professional Responsibility agrees. In Formal Opinion 477, the Committee advised:

  • “What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”

With respect to cyber threats, the Committee stated:

  • “the reasonable efforts standard. . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”

Now, back to the story of the hackers.

Along with blogger’s bloc, the story made realize today is a great day for a Q&A with Jim Knapp. Jim was kind enough to agree.

MK: Thanks for doing this Jim. First reaction when you read about the hack?

Jim: So, this would be deemed a really bad day! First you are locked out of your system, and even if you had good recent backups, and could expend the money and time to restore everything, second, the bad actors are still threatening to sell / release your data. Not to mention, now you have a data breach and must satisfy all the legal requirements related to the analysis and notifications imposed by State laws. What a way to start a week!

MK: I’ll say. For me, this hit home because it didn’t involve one of the ginormous multi-national firms. The firms involved are similar in size to most Vermont firms. How do Vermont lawyers protect themselves?

Jim: As we’ve seen, 2020’s are barely a few weeks old and the news is not good. Ransomware has reached a new high(?) / low (low). The bad actors are not just encrypting your files, they are offering to publish your firm’s files to the public, or at least the public that uses the dark web.

You can no longer rely on having anti-virus software as your only means of protection. Backups are important to recover your data in the case of disaster, but a good backup won’t stop a bad actor from publishing data they have stolen from your firm. Acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.

MK: I love the last sentence: “acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.” Many lawyers, myself included, aren’t exactly tech savvy. My sense is that many firms “leave that to the IT person.” Of course, in the end, a lawyer is responsible for ensuring that the nonlawyer staff – including IT staff and vendors – are protecting client data. Anyhow, how do we move from toes-in-the-water to the deeper end of that pool of knowledge? Some states require tech CLE. In December 2018, I posted this blog wondering if we should.

Jim: While the idea of mandatory participation in professionalism, mindfulness, wellness, etc., are all good subjects, it seems to me that perhaps mandatory participation in cybersecurity training would be a worthy subject. Not just for lawyers but for all persons who work in a law office. As regards Vermont, out of the 2700+ lawyers, I’ll bet not more than 350-400 unique persons have attended a well prepared and presented program on cybersecurity. Of course, those folks will roll their eyes, if they have to hear one more presentation on “don’t click”; have good passwords etc.

MK: I agree. But I still run into lawyers who say, “I wouldn’t even know what the presenters are talking about.”

Jim: Gaining a suitable level of the essential elements of data security is a challenging task if you choose to pursue this on your own. The key is finding a suitable CLE program that can translate the arcane elements of information security into knowledge you can use to assess how safe your law office environment is. Everyone whose practice depends on the availability of information stored on a computer system owes it to their clients and to themselves to attend enough CLE programs to understand what options exist for protecting their digital information.

MK: Music to my ears! But it has to be more than just “go to a tech CLE,” right?

Jim: Training is a key element to protecting your digital environment. But training alone isn’t sufficient, as no matter how diligent you are in reminding all your colleagues not to open questionable emails, stay away from questionable websites, and to watch out for the social engineers looking to convince you to hand over key information like passwords, the bad actors will eventually find an opening and pounce.

Information security for a law office involves all kinds of elements, from

  • properly configuring the hardware included in your network, like the router that connects your office to the outside world; to,
  • running a suitable firewall; to,
  • using effective anti-malware software; to,
  • keeping your operating system and applications up to date with all patches (Note: if you are still using Windows 7 you must STOP now. Microsoft is no longer providing patches for Windows 7 and there are still numerous vulnerabilities that have never been fixed and now will not be fixed)
  • possibly running intrusion detection and intrusion prevention systems within your network;
  • and more.

MK: Good stuff! Last question before we lose everyone: I’ve often called you for tips on backing up client data. Can you give us the quick version that you’ve given me on backups, airgap, etc.?

Jim: Backup, like all tech issues, has lots of components. The right backup strategy depends on what kind of data you have, how much data you have, and where you store your data. But, everyone should consider at least the following elements:

  • Nearline – a backup that is connected to your network storage, or to your personal PC (wherever you store your day to day work product) all the time and periodically (hourly, every few hours, at least twice a day), duplicates the data in your data storage. Usually, an external USB hard drive purchased for less than $100.00 will suffice. This allows you to recover immediately, or nearly immediately from a problem with your storage device, e.g. your hard drive or SSD croaks at 3:30 and the response to the motion for summary judgment is due tomorrow.
  • Offline – a backup that is stored off-site. It can be cloud based, or a rotation of physical drives, one of which is stored off-site at all times. This provides a recovery option for the electrical surge that kills your onsite storage, a fire, a flood, or somebody breaks into your office and steals the computers. This backup is run at an interval calculated by how much work-product you are willing to lose and have to recreate. It could be measured in weeks, but I would offer that daily is a more reasonable assessment.
  • Airgap – this a backup device that is only connected to your network or the PC while the backup is running. This is one tool in the kit to address a ransomware attack on your systems. Again, an airgap backup will typically fit on a good quality external USB hard drive which is a $100 item. To run the back-up, you connect the device to the storage device you want to backup, and as soon as the backup is complete, you disconnect the backup device and store it safely away from any connection to your data storage systems.

MK: I lied, one more question: you & I bumped into each other at church on Ash Wednesday. Was that your cell phone that went off during mass? Tech competence is a thing at worship too.

Jim: Fortunately no, neither of my cell phones was that particular culprit.

MK:  Good.  The ringtone reflected a failure to act competently when choosing a ringtone.

Jim:  I have two cell phones because of the nature of the insurance business and my employer’s policies. Particularly, in the case of regulators, they can demand access to Company information, some of which may be stored on my phone. And, the Company retains the right to monitor and inspect all data stored on or passing through their data-stream. Now, while I have few secrets worth discovering, and after 40 years of practice in Vermont, net worth is not one of them, I have no desire to expose my personal information to either the regulators or the Company. Hence, I have a personal cell phone and a work cell phone. I would suggest that lawyers should consider the same analysis I did. If you were sued, do you really want opposing counsel and your appointed defense counsel rummaging through the materials on your phone?

MK:  It’s almost as if you’ve seen what’s on my phone.  No, I don’t want anyone rummaging through!  Good reminder though: as I blogged here, lawyers who travel abroad should consider leaving behind devices that contain client data.

Thanks Jim, this was great!

To be clear: being hacked isn’t necessarily an ethics violation.  Even reasonable security can be breached.  My point today is to encourage lawyers and firms to assess the measures that they have in place.  And, to encourage those who don’t know how to perform such an assessment to find someone who does.

Finally, if you or your firm has been breached, you should (1) read my post ABA Addresses Lawyer’s Duties in Response to a Data Breachand (2) review the Attorney General’s outline of duties that arise under Vermont’s Security Breach Notice Act.

As always, let’s be careful out there.

Facebook Post Leads to Public Reprimand

I’ve blogged often on the risk associated with disclosing information relating to the representation of a client.  At times, I sense that lawyers think I’m exaggerating to make a point.

I’m not.

Earlier this week, the Legal Profession Blog posted Public Discipline For Facebook Posts That Violated Duty Of ConfidentialityThe post shares this opinion from the Massachusetts Board of Bar Overseers.

Briefly, a lawyer represented Jane Doe in connection with a petition for guardianship of her grandson.  Following a confidential juvenile hearing, the lawyer posted the following on his personal Facebook wall:

“I am back in the Boston office after appearing in Berkshire
Juvenile Court in Pittsfield on behalf of a grandmother who
was seeking guardianship of her six year old grandson and
was opposed by DCF yesterday. Next date-10/23.”

Two people commented.

The first asked the grounds on which DCF opposed the petition.  The lawyer replied:

“GM [grandmother] will not be able to ‘control’
her daughter, the biological mother, and DCF has ‘concerns.’ Unspecific.” 

The second asked if DCF preferred foster care.  The lawyer replied:

“The grandson is in his fourth placement in foster care since his removal from GM [grandmother]’s residence in late July. I will discover what DCF is doing or not doing as to why DCF opposes the GM [grandmother] as guardian. More to come.”

Eventually, Jane Doe’s daughter saw the post and comments and told Jane Doe about them. Doe sent the lawyer an email in which she stated that he

“seem[ ed] to think that discussing my custody case (and who knows what else) with your Face book [sic] buddies on an open account … is okay and at the least just [a] mistake. I beg to differ. Posting client information on Face book [sic] is a violation of the attorney client law.”

The lawyer replied that he had not disclosed protected information and that his post indicated “from where I was returning and DCF’s position only.”

The MA disciplinary prosecutor charged the lawyer with violating Rule 1.6(a) of the Massachusetts Rules of Professional Conduct.  With few exceptions, none of which were present, the rule states that a lawyer “shall not reveal confidential information relating to the representation of a client.”

(I emphasized confidential.  Why?  Because Vermont’s rule isn’t as narrow.  Vermont’s rule states that a lawyer “shall not reveal information relating to the representation of a client.”)

Anyhow, the MA rules defines “confidential information” as “information gained during or relating to the representation of a client, whatever its source, that is (a) protected by the attorney-client privilege, (b) is likely to be embarrassing or detrimental to the client if disclosed, or ( c) information that the lawyer has agreed to keep confidential.”

At the trial level, the disciplinary prosecutor argued (b).  That is, that the Facebook post revealed information that was likely to be embarrassing or detrimental to Jane Doe if disclosed.

The hearing committee recommended dismissal of the disciplinary charges.  Upon review, the Board of Bar Overseers characterized the committee’s decision as follows:

  • “In recommending dismissal of the petition for discipline, the hearing committee
    concluded that, ‘the information at issue could only be embarrassing or detrimental to Doe if it could reasonably be linked to her.’ Based on its reading of [the rule] the hearing committee concluded that, ‘there must be enough revealed to get to a certain threshold, some identifiable or linear nexus reasonably connecting the information to a particular person.’ Thus, in recommending dismissal of the petition, the hearing committee found that, ‘There is no reasonable likelihood that the client could have been recognized.'”

The Board disagreed.

First, the Board concluded that the Facebook post was “confidential” because the disclosure that Jane Doe and her grandson were involved in a DCF matter was likely be embarrassing or detrimental to Jane Doe.

Next, the Board noted it was enough that Jane Doe and her daughter had recognized the post as referring to the lawyer’s representation of Jane Doe.  More specifically, the Board rejected the hearing committee’s conclusion that “there must be enough revealed to get to a certain threshold, some identifiable or linear nexus reasonably connecting the information to a particular person.”  Rather, after concluding that the daughter, who was not the lawyer’s client, figured out the the post was about her mother, the Board wrote:

  • “Even if there were no evidence that a third party actually recognized the client in the post, we would still conclude that the respondent had violated Rule l.6(a). There is no requirement that a third party actually connect the dots. If it would be reasonably likely that a third party could do so, the disclosure runs afoul of the rule. In addition to her daughter knowing about the case, Doe could have mentioned to a friend that the respondent was representing her in a case (perhaps in connection with making a referral). If the friend looked up the respondent on Facebook, the friend would learn about the ’grandmother’ and her litigation with DCF. There are numerous other reasonable scenarios.”

Now, I know what you’re thinking:  if that’s the rule, how can I ever run anything by another lawyer who isn’t in the same office as I am? The Board’s answer:

  • “In posting on Facebook, the respondent did not seek advice from other lawyers, nor can we discern any other purpose that would have served his fiduciary duty to his client. There is no legitimate analogy between seeking advice from other lawyers and the respondent’s Facebook post.”

Turning to the appropriate sanction, the Board publicly reprimanded the lawyer. While dissenting members urged a private admonition, the Board stated:

  • “The post is no different than publishing the facts in a newspaper or broadcasting them on television. Furthermore, the matter discussed by the respondent here was a sensitive child custody case that our legislature has deemed to be worthy of confidential protection by statute [citation omitted]. The respondent’s conduct ignored not only the basic tenets of Rule 1.6, but the basic confidentiality requirements that all attorneys who handle these sort of child custody and protection matters should honor.”

The Board concluded:

  • “Confidentiality is a central tenet of our profession.  If nothing else, the public knows that attorneys are obligated to protect their confidences.  This obligation exists to encourage clients to be truthful and to place great trust in their counsel.  By posting information about his client on Facebook, the respondent jeopardized that trust.  Public discipline is warranted.”

When it comes to disclosing information relating to the representation of a client, my thoughts remain the same.  Unless required or permitted by the rule, don’t.  As this case proves, “not much” can be “too much.”


 Related Posts:

Client alleges you did wrong? Still, don’t talk too much.

When it comes to client confidences, I think lawyers would be well served to remember lessons imparted by Run-DMC: it’s not tricky, don’t talk too much.

Information relating to the representation of a client, no matter the source, is confidential.  Per Rule 1.6, such information can only be disclosed if:

  • the client gives informed consent to the disclosure;
  • disclosure is impliedly authorized to carry out the representation;
  • disclosure is required by Rule 1.6(b); or,
  • disclosure is permitted by Rule 1.6(c).

Today, I want to look at one of the instances in which paragraph (c) permits disclosure of otherwise confidential information.  I’m going to refer to (1) an ineffective assistance of counsel claim made by a criminal defendant against a defense attorney; and, (2) an ABA advisory opinion on the extent to which Rule 1.6 applies to claims of ineffective assistance.

Don’t tune out simply because you don’t do criminal defense.  There’s a larger point: the mere fact that the client alleges that you did something wrong does not give you license to disclose anything and everything that the client ever shared with you.

Rule 1.6(c)(3) permits (but does not require) a lawyer to reveal information relating to the representation if the lawyer reasonably believes that disclosure is necessary:

  • to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client;
  • to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved; or,
  • to respond to allegations in any proceeding concerning the lawyer’s representation of the client.

Per Comment [14], if a lawyer reasonably believes that (c)(3) permits disclosure, disclosure is nonetheless limited to “the extent the lawyer reasonably believes the disclosure is necessary to accomplish one of the purposes specified.”  It continues:

  • “[D]isclosure adverse to the client’s interest should be no greater than the lawyer reasonably believes necessary to accomplish the purpose.  If the disclosure is made in connection with a judicial proceeding, the disclosure should be made in a manner that limits access to the information to the tribunal or other persons having a need to know it and appropriate protective orders or other arrangements should be sought by the lawyer to the fullest extent practicable.”

In simple terms, do what you advise your clients to do in depositions and on the witness stand: listen to the question and answer only the question.   Actually, a federal magistrate recently stated it far more succinctly.

Yesterday, I came across this post in the ABA Journal.  The opening paragraph:

  • “A federal magistrate judge has ordered a West Virginia lawyer accused of ineffective assistance of counsel to respond to his one-time client’s allegations in a way that limits disclosure of confidential information.”

The magistrate’s opinion is here.  The analysis includes reference to Rule 1.6 and ABA Formal Opinion 10-456.  The magistrate’s succinct conclusion:

  • “Simply put, the filing of an ineffective assistance of counsel claim does not operate as an unfettered waiver of all privileged communications.”

I’ll stop there otherwise I risk sudden onset of carpal tunnel syndrome.

Suffice to say, even when a client puts your representation into issue, don’t talk too much.

After all, who wants to be this guy? (80’s lyrics are the best!)

“Everywhere that you go, no matter where you at
I said you talk about this, and you talk about that
When the cat took your tongue, I say you took it right back
Your mouth is so big, one bite would kill a Big Mac.”

~ Run-DMC, “You Talk Too Much,” King of Rock, Track 3, 1985.

Image result for run dmc talk too much images

Related Posts

Safeguarding Client Data: Don’t Forget Email Safety.

Like Starship built a city on rock ‘n roll, I built this blog on tech competence.  More specifically, on a phrase that, while once my mantra, I’ve not typed in ages:

competence includes tech competence.

The story of a lawyer’s duty of tech competence includes many chapters.  Perhaps the most important is the chapter on the duty to take reasonable precautions against the unauthorized access to or inadvertent disclosure of information related to the representation of a client.  Given the feedback I’ve received here and at CLEs, lawyers seem to associate that duty most closely with cloud storage.

Yes, protecting client data this transmitted or stored electronically is important. So important that I’ve run my post The Cloud: What Are Reasonable Precautions? four different times.

But don’t forget e-mail security.  And, within the topic of e-mail security, don’t get so pre-occupied with whether there’s a duty to encrypt that you forget about some of the simple things.  For instance, whether a lawyer has a duty to disable autocomplete.

Almost two years ago, I posted Client Confidences: Disable Autocomplete?  Two “real-life” events inspired the post.

The first was a story that I repeated often on this spring’s CLE circuit.  As reported by Above The Law, it’s the story of a lawyer who meant to send a message to other lawyers in the firm, but mistakenly sent it to a Wall State Journal reporter in what appears to have been an autocomplete snafu.

The second hit closer to home.  Thanks to autocomplete, an email that a lawyer intended to send to me mistakenly went to Judge Michael Kainen.

Catherine Sanders Reach runs the North Carolina Bar Association’s Center for Practice Management.  Earlier this week, Catherine posted Make Email Less Dangerous.  It’s a fantastic piece on protecting client data when using email.  Catherine’s tips include instructions on:

  • disabling autocomplete
  • using “delay send” and “undo send”
  • Microsoft Add-Ins that protect against sending to the wrong recipient
  • keeping internal emails internal

I recommend Catherine’s blog.

After all, and to tie this back to the intro, better to spend some time with Catherine’s tips than to find yourself Knee Deep in the Hoopla that will certainly ensue if you inadvertently send confidential information to an unintended recipient.

Yes.  I’m quite aware that I posted a blog constructed around what some consider to be the worst song of all-time.





Redacting Confidential Info

In January, Paul Manafort’s lawyers made headlines for failing to take proper steps to redact a document.  Myriad outlets covered the story, including The Atlantic, BBC, and Legal Tech News.

In response, the ABA Journal posted How to redact a PDF and protect your clients.  A few days later, I recommended the ABA post in my blog Competence, Confidences and PDFs

Today, the ABA Journal published more helpful information: Redacting confidential client information: The devil is in the detailsThe post points out the risks in failing to understand how property to redact a document.  I recommend it.

One risk? Disciplinary action.  Lawyers have a duty not to disclose information relating to the representation of a client.  There’s also a duty to use reasonable safeguards to protect against unauthorized access to or inadvertent disclosure of confidential information.  In my view, employing a redaction method that fails to keep information confidential is not a reasonable safeguard.

Rather, it’s tech incompetence.

Image result for images of redacting confidential info