Talking culture, compliance, confidences & candor.

Flashback to 1994:  I was a brand new attorney.  Another attorney in my office mentioned Shelley Hill.  I asked, “who’s Shelley Hill?”  The attorney responded, “someone you never want to hear from.”

Back then, Shelley was Vermont’s disciplinary prosecutor.  The attorney’s answer to my question was the extent of the ethics guidance I received in my first ever job as a lawyer.

We’ve come a long way.  It’s no longer taboo to talk legal ethics.  We talk it.  A lot.  Not only does it help us do better for our clients, it improves the image of the profession.  To that end, one of my goals as bar counsel is to foster an ongoing and open dialogue about legal ethics and professional responsibility that helps to build a culture of compliance that we put out there for the world to see.

Reflective of the today’s world, the conversation happens in many forums.**  Today, I woke to having been mentioned in a tweet by a lawyer who was concerned by the news that Nikolas Cruz’s public defender disclosed Cruz’s potential inheritance in a motion to withdraw from representing him in the criminal case.  The lawyer tweeted:

“i would be interested to learn the circumstances of the public defender of Nikolas Cruz disclosing to the court in Mtn to Withdraw and on the record that his client inherited $430,000 (VERY vulnerable to civil suit if not exempt) – seems a bit problematic, eh @VTBarCounsel?”

The entire string is here.

Look at us.  We are talking legal ethics in public! THAT is professional responsibility.

I’ve blogged often on client confidences and Rule 1.6.  Basically, my position is that lawyers should STFU.  Or, to borrow a quote from Thomas Edison that my Dad instilled in me as a kid:

“You will have many opportunities
to keep your mouth shut.
You should take advantage
of everyone of them.”

Obviously, it’s far wiser to take my Dad out in public than his eldest son.

Anyhow, as indicated in my reply Tweet this morning, I don’t comment without hearing all sides to a story, not to mention that I have no idea what Florida’s rules are.  But it’s a great construct to use as a mini-refresher on Vermont’s rules.

By rule, “information relating to the representation of a client” is confidential.  The scope is broader than the privilege and includes all information related to the representation no matter the source.  Comment [3].  Such information shall not be disclosed unless:

• the client gives informed consent to the disclosure;
• disclosure is impliedly authorized to carry out the representation;
• disclosure is required by paragraph (b);
• disclosure is permitted by paragraph (c).

Returning to the Parkland case, if Vermont’s rules applied, the first possibility is that Cruz gave informed consent for his public defender to make the disclosure.

I’d be surprised if any of exceptions in paragraph (b) applied.  However, it’s possible that one of the exceptions in paragraph (c) applies.  That is, disclosure of the inheritance might be authorized by another rule.  Stay with me here.

This morning I did something rare: I did some research before I tweeted.  I learned that, as reported by the South Florida SunSentinel, a year ago Cruz’s inheritance was the subject of a hearing as to whether he qualified for public defender services.  Per the report, it appears as if it was represented to the court that Cruz stood to inherit far less than recent developments indicate.

If so, and again if Vermont’s rules applied, it’s possible that the new information required the public defender to make the disclosure pursuant to Rule 3.3.  The rule, entitled “Candor to a Tribunal,” requires a lawyer to correct a prior material statement of fact that was false.  Were the statements made in last year’s hearing on Cruz’s eligibility for public defender services “material” and “false?”  If so, one might argue that the public defender was required to make the disclosure in the motion to withdraw.

Finally, reading today’s reports left me with the impression that Cruz’s public defenders believe that, given the inheritance, the law precludes him from being eligible for their services.  Thus, it appears to me that they argued that they are required to withdraw.

In Vermont, Rule 1.16 governs withdrawal.  Perhaps most relevant here, Rule 1.16(a)(1) requires withdrawal when “the representation will result in violation of the rules of professional conduct or other law.”  So, it looks to me as if the argument is “by law, the inheritance prohibits us from representing him, thus withdrawal is required.”  The Florida courts will decide.

Aside: as some of you know from having called me or heard me speak.  When it comes to a motion to withdraw, I think it best to limit the motion to citing the text of whichever provision(s) of Rule 1.6 you’re arguing.  Then, if the court asks for more information, respond, but in such a way as to disclose no more information than is necessary to answer the court’s question.  Being mindful, the entire time, of a larger duty not to harm to your client’s interests on your way out.  Others may disagree with me, but that’s fine.

Indeed, that’s why it’s so important to continue to discuss legal ethics and professional responsibility.  The discussion makes us do better by our clients, the courts, and the profession.

Talk on.

** I couldn’t decide whether to go with “fora” or “forums.”  Flipped a coin.

 

Inadvertent Production

Edited at 9:05 PM to fix typos in a first edition that, sadly, I cannot honestly claim to have been inadvertently produced. 

In Vermont, what’s an attorney’s ethical duty when the attorney receives information that the attorney knows or should know was inadvertently sent?

The answer lies in Rule 4.4(b).

The lawyer’s ethical duty is to promptly notify the sender.

But Mike, what if the sender asks the attorney to destroy the information or return it unread?

Again, the ethical duty is to promptly notify the sender.

Indeed, per Comment [2], whether the lawyer has a duty to return the information “is a matter of law beyond the scope of these rules, as is the question of whether the privileged status of the document has been waived.”  Further, here’s Comment [3]:

• “Some lawyers may choose to return a document unread, for example, when the lawyer learns before receiving the document that it was inadvertently sent to the wrong address.  Where the lawyer is not required by applicable law to do so, the decision to voluntarily return such a document is a matter of professional judgment ordinarily reserved to the lawyer.”

But does that end the discussion?

Yes.  This blog is over.

Just kidding!  Of course it doesn’t end the discussion!

Don’t forget about the Rules of Evidence and the Rules of Civil Procedure.

In my view, the ethical duty to provide a client with competent representation includes understanding what to do upon (1) receiving information that was inadvertently produced; and, (2) learning that you inadvertently produced information.  In addition, Rule 3.4(c) imposes an ethical obligation to comply with court rules.

Also, here are 2 practical reasons not to forget about the interplay between inadvertent production, your ethical duty, the Rules of Evidence, and the Rules of Civil Procedure.

First, you do not want you firm to be named in a Bloomberg Law headline that announces that your firm conducted itself “poorly.”

Second, you do not want to be the attorney for either side in a matter in which a United States Magistrate’s ruling on a motion to disqualify begins like this:

“The facts underlying this disqualification motion establish that, unfortunately, lawyers on both sides of the litigation acted poorly.”

Especially when the Magistrate continues:

“At the heart of this dispute is a disappointing but obvious inability of opposing counsel in this case to talk and correspond with each other in good faith, to rely on each other’s representations, and to deal honestly and squarely with one another. From its inception, this case has been replete with numerous and extensive discovery disputes, myriad motions, lengthy hearings, and finger-pointing by opposing counsel against each other for various alleged bad acts. The Court does not know if this conduct and mistrust is based upon past dealings between counsel or due to other factors, but the attorneys should be aware that their conduct is not helping their respective clients’ positions in this litigation. In fact, it is downright unproductive and silly.”

The Bloomberg Law article is here.  The magistrate’s opinion is here.

I recommend reading the opinion, particularly if you litigate.  A quick summary:

• Just before Christmas, defense counsel produced over 14,000 documents in response to plaintiff’s discovery request;
• Shortly after Christmas, plaintiff’s counsel informed defense counsel that it appeared as if 100 of the documents were privileged, but that plaintiff’s counsel would assume that they were correctly produced and not privileged;
• The lawyers did not immediately reach an agreement as to whether plaintiff’s counsel would provide defense counsel with the Bates numbers of the documents that appeared to privileged, or, whether defense counsel should provide plaintiff’s counsel with the Bates numbers of all privileged documents that were inadvertently produced.

Long story short, three points:

1. The defense firm knew what to do – under both the Rules of Evidence and the Rules of Civil Procedure – to preserve the privilege of material that it had inadvertently produced.  Do you?
2. There is no such thing as “It appears as if you inadvertently produced documents. But I’m going to assume you meant to produce them. Therefore, they aren’t privileged.”
3. I am not convinced that a lawyer who receives information that the lawyer knows was inadvertently produced complies with Rule 4.4(b) by saying something to the effec that “100 of the 14,500 documents you produced look they might have been inadvertently produced, but I’m not going to tell you which ones.”

 

 

 

 

 

 

 

Tips for Online Reputation Management

Online Reputation Management is a thing.  An important thing.  But not so important that the Rules of Professional Conduct go out the window when a lawyer manages her online reputation.

Rule 1.6 prohibits a lawyer from disclosing information relating to the representation of client.  The rule is much broader than the attorney-client privilege and applies to all information relating to the representation no matter the source.

There are exceptions to the rule.  They are:

• the client’s gives informed consent to the disclosure;
• disclosure is impliedly necessary to carry out the representation;
• disclosure is mandated by Rule 1.6(b);
• disclosure is permitted by Rule 1.6(c).

Rule 1.6(c)(3) permits a lawyer to disclose information related to the representation of client:

• to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client; or,
• to establish a defense to a criminal charge or civil claim against the lawyer based on conduct in which the client was involved; or,
• to respond to allegations in any proceeding concerning the lawyer’s representation of the client.

As I’ve previously blogged, a negative online review is not a “controversy between the lawyer and the client” that triggers the exception.  Neither is a negative online review a “proceeding” in which allegations have been made against the lawyer. My blog posts, which includes advisory opinions & disciplinary decisions, are here:

• Negative Online Review? What NOT to do
• Negative Online Review? UPDATE!
• Negative Online Review? More of what not to do

As the headlines suggest, the posts focus on what not to do.  For instance, don’t reveal client confidences in response to an online review.  Don’t post fake positive reviews.  Don’t create a fictitious lawsuit in order to get a court to order a website provider to take down a negative review.

Today’s ABA Journal has some great tips related to online clients reviews.  They appear in Kelly Newcomb’s post How lawyers can make positive – and negative – online reviews work for them.  

Whether on AirBnB, Yelp, Amazon, or myriad other sites, I suspect many lawyers have read through the reviews before making a purchase or reservation.  Odds are, potential clients are doing the same before hiring you.  Today’s post in the ABA Journal helps to frame not only a lawyer’s professional obligations when dealing with online reviews, but the marketing benefits that come with knowing how best to manage an online reputation.

       

Ethics: it’s all about the bad grades

A few weeks ago I posted C in ethics? You’re on the right track.  In it, I offered two cheat codes to stay on the right side of the rules.

The first was my own: don’t lie, cheat or steal.  Nearly every violation falls under one.

The second was Brian Faughnan’s recipe for ethical lawyering.  The recipe?  The 5 C’s:

• Competence
• Confidentiality
• Communication
• Candor
• Conflicts

Today I present a third: it’s all about the bad grades.

Alberto Bernabe is a professor at John Marshall Law School in Chicago.  Professor Bernabe teaches torts and professional responsibility.  He maintains a blog for each topic.  His torts blog is here, and his professional responsibility blog is here.  Professor Bernabe is also a frequent member of this blog’s #fiveforfriday Honor Roll in legal ethics.

In response to my post on the 5 C’s, Professor Bernabe shared a story with me.  He urges his students to remember the general principles behind the rules.  He does so by suggesting that they associate those principles with the grades that they do not want to earn in a semester:  4 C’s, 1 D, and 1 F.  That is:

• Competence
• Confidentiality
• Communication
• Conflicts
• Diligence
• Fiduciary

Professor Bernabe’s full blog post on bad grades is here.

I love the semi-mnemonic.  Diligence and the fiduciary duty to clients are as important as the 5 C’s.

Thank you Professor Bernabe for another arrow in the quiver.

• Don’t lie, cheat or steal
• Remember the 5 C’s
• Ethics: it’s all about the bad grades

              

 

 

 

Competence, Confidences and PDFs

In my view, Rules 1.1 and 1.6 impose a duty to act competently to prevent the unauthorized access to or disclosure of information relating to the representation of a client.  I’ve blogged on this issue many times:

• Protecting Client Data
• Encryption & The Evolving Duty to Safeguard Client Information
• The Cloud: What are Reasonable Precautions?

Next week, I’m presenting two seminars at the YLD Mid-Winter Thaw in Montreal.  In the first, I’m on a panel with Judge Hayes and the Judiciary’s Andy Stone.  Judge Hayes and Andy will introduce lawyers to the Judiciary’s new case management system.  My job will be to chime in on ethics issues that might arise with electronic filing.   My thoughts will focus on tech competence.

Imagine this scenario: whether in a filing or a communication to opposing counsel, a lawyer includes a PDF.  Prior to transmission, the lawyer redacted the PDF to keep certain information confidential.  Alas, the lawyer did not properly redact the PDF.  By highlighting the redacted the portions and pasting them into a new document, opposing counsel, or anyone else with access to the PDF, can discover what the lawyer intended to obscure.  The filing is here.

Did the lawyer take reasonable precautions to protect the information?  Was it a one-time mistake that doesn’t rise to the level of an ethics violation?  What if it was information that the court had ordered remain confidential and now is public?

Earlier this week, lawyers for Paul Manafort, President Trump’s former campaign chair, filed a response to special counsel Robert Mueller’s allegation that Manafort lied to Mueller’s investigators.  Due to what the ABA Journal described as a “technical oversight,” the filing was not properly redacted.  As such, the media was able to discover that Manafort is accused of sharing polling data with a Russian business person.  The story has been covered by the ABA Journal, BuzzFeed, Fox News, and the Washington Post.

(Update at 1:16 PM on January 10:  Above The Law’s Joe Patrice has a great recap here.)

Go back to the scenario I posited above: what if that’s you in a Vermont case?  What if you meant to redact a client’s proprietary information, or a witness’s mental health records, or a confidential informant’s identity? What if you didn’t do it right?

Jason Tashea writes for the ABA Journal. Today, he posted How to redact a PDF and protect your clients.  If this is an area of tech competence that interests or concerns you, I’d suggest giving Jason’s post a read.

 

Legal Ethics & Crowdfunding to pay legal fees

Professor Alberto Bernabe often appears on this blog’s #fiveforfriday Honor Roll.  He also has his own blog and, last week,  blogged on an advisory from the DC Bar. The opinion addresses the ethics issues that arise when a lawyer’s client crowdfunds legal fees.

The opinion is here. Professor Bernabe’s blog post is here.  He wrote more extensively on the topic in this article that pre-dates the DC advisory opinion.

I’ve also blogged on the topic. I did so here in response to an advisory opinion from the Philadelphia Bar Association.  I wrote:

• “That’s why the Philly opinion is great.  It doesn’t treat ‘crowdfunding platforms’ as new creatures that require new rules.  Rather, it reminds lawyers that the rules that apply when using a crowdfunding platform are the same rules that apply to any other representation.”

As Professor Bernabe notes, the DC Bar opinion is consistent with the Philadelphia opinion and others on crowdfunding.

I like the following statement from the DC Bar:

• “It is not unusual for clients to rely on money collected from family or friends to pay for legal services.”

Indeed, many Vermont lawyers accept payment from someone other than the client.  The most common situation?  A parent pays for a child’s lawyer in a criminal or family case.

When that happens, it’s critical for the lawyer to remember Rule 1.8(f):

• “A lawyer shall not accept compensation for representing a client from one other than the client unless (1) the client gives informed consent; (2) there is no interference with the lawyer’s independence of professional judgment or with the client-lawyer relationship; and (3) information relating to the representation of a client is protected as required by Rule 1.6.”

In other words, even if Parents are paying Lawyer to represent Child, they don’t get to direct the representation and, absent Child’s consent, Lawyer cannot disclose information relating to the representation to them.

Somewhat related, the DC Bar included a great tip in Ethics Opinion 375:

• “A lawyer should consider counseling his or her client regarding disclosures to third parties. Crowdfunding typically entails some level of disclosure to third parties about the predicate need for counsel. Because of their financial support, crowdfunding contributors may be interested in the status of or information about the client’s matter. Due to the risk of waiver of the attorney-client privilege, or simply for strategic reasons, a lawyer who knows that a client is crowdfunding should provide the appropriate level of guidance to the client regarding disclosures to third parties, whether such disclosures occur on a social media platform or privately in discussions with friends and family.”

In sum, nothing about using a social media platform to crowdfund legal fees is inherently unethical.  Oh, and as mentioned in both the Philadelphia and D.C. advisory opinions: crowdfunding helps provide access to legal services to those who otherwise might not be able to afford a lawyer.

Related:

• (Bernabe) DC Ethics Committee new opinion on crowdfunding
• (Bernabe) Is it ethical to use “crowdfunding” to finance the practice of law?
• (Kennedy) Crowdfunding: The More Things Change . . .
• DC Bar Ethics Opinion 375
• Philadelphia Bar Association Opinion 2015-06

 

 

 

 

 

 

ABA Addresses an Attorney’s Obligations in Response to a Data Breach

I’ve blogged often on a lawyer’s duty to act competently to safeguard client data.  Generally, an attorney must take reasonable precautions to protect against inadvertent or unauthorized disclosure of client information.  Some of my posts:

• Protecting Client Data
• Encryption & The Evolving Duty to Safeguard Client Information
• The Cloud: What are Reasonable Precautions?

Last month, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 483.  It sets out a lawyer’s obligations following an electronic data breach or cyber attack.

The opinion is detailed and technical.  It’s worth reading, or, at the very least, sharing with your IT support staff.  Also, various outlets have reported on the opinion, including The National Law Review, Louisiana Legal Ethics, and The ABA Journal.  I suggest each.

I’m going to try to stick to a summary.

•  Prior to a breach, a lawyer has a duty to act competently to safeguard client property and information.  This likely includes adopting an “incident response plan” that will kick in once a breach occurs.
• The duty includes an obligation “to monitor the security of electronically stored client property and information.”  In other words, there’s a duty to take reasonable efforts to monitor for and detect unauthorized access. This includes reasonable steps to ensure that vendors act in accordance with the lawyer’s professional obligations.
• A breach is not necessarily evidence that the lawyer failed to act competently to safeguard client information.
• If a breach occurs, a lawyer must take reasonable steps to stop it and mitigate the damage that results.
• If a breach occurs, a lawyer must assess its scope.  This includes determining what information, if any, was lost or accessed.
• A lawyer must notify current clients if the breach:
  • involves material, confidential client information; or,
  • impairs or prevents the lawyer from representing the client. For example, as would be the case in a ransomware attack.
• Lawyers must be aware that their ethical obligations are independent of any post-breach obligations imposed by law.  Compliance with professional obligations is not necessarily compliance with other law, and vice versa.

Again, the full opinion is here.

As usual, I like to analogize to non-tech issues.  For instance, when it comes to paper files, most lawyers probably know that there’s a duty to take reasonable safeguards to protect them.  Locked file cabinets.  Locked rooms.  Secure office space.

If a lawyer arrives at work and realizes that the office has been broken into, I imagine the lawyer would intuitively understand the need to determine what, if anything, was viewed or taken.  Then, as appropriate, will notify clients. I also imagine that the lawyer would replace the broken locks, doors, and windows.

Thus, in my view, the ABA opinion clarifies that very standards that most of us already apply to clients’ paper files also applies to their electronic files.

 

 

 

 

Siri, Alexa, and Client Confidences

Query: do Siri and Alexa get mad if a human accidentally calls one the other?  I don’t know, but, if not, I think a sarcastically angry response should be added to each’s algorithm.

Anyhow, without even having started yet, I digress.

My recent posts on client confidences spurred additional research.   The research led me to Alberto Bernabe’s Professional Responsibility Blog.  Professor Bernabe is a regular member of this blog’s #fiveforfriday Honor Roll.

Earlier this year, Professor Bernabe posted a link to this article.   The article appeared on the ABA’s Law Technology Today blog and details some of the issues about which lawyers should be aware when using digital voice assistants.  One of those issues: client confidences.  If you or your firm uses a digital voice assistant, I suggest giving the article a read.

Even if you don’t use a DVA, remember, your clients might and the duty of competence includes tech competence.  I can hear you now:  “Mike, how in the world might my client’s digital voice assistant affect the case?

Well, what if your client’s Echo might have recorded a murder?

Side note:  Kathleen Zellner, the defense lawyer quoted in the story about the Amazon Echo murder case, plays a prominent role in the recently released Season 2 of Making a Murderer.

And remember: it’s not just Echos and other digital voice assistants.  Our lives (and our clients’ lives) are replete with devices that record, collect and exchange data over the internet of things.  Data that may impact our clients’ matters.

But, for now, I’ll leave it at client confidences. Issues related to the internet of things can wait for another day.

Well, ok.  Here’s a teaser:

“Hey Siri! Did Encyclopedia Brown investigate the The Case of the Hacked Refrigerator.“

 

 

 

 

Don’t Post That

There was a time in my life when the MTV Video Music Awards were must see tv.  I refer to that era as “law school.”

In my first year of law school, Hammer’s U Can’t Touch This won the VMAs for Best Rap Video & Best Dance Video.  I loved that song.  I wore out my apartment’s carpet dancing to it.

Anyhow, the song came to mind yesterday upon reading the ABA Journal’s story about a lawyer who called a client an “idiot and terrible criminal” in a Facebook post.

Why did the story remind me of the song?

Because last week I announced the theorem Keep Quiet & Lawyer On. Today, I’m announcing its corollary:  Don’t Post That.  It’s pronounced as if you’re singing along with Hammer.

Don’t let the pop culture reference gloss over your eyes.  This is a serious post. The story that prompts it raises concerns about an issuet that troubles me: my perception that we’ve become too willing to share too much.

Here’s the backdrop:

Aaccording to an article in the Des Moines Register, the Associated Press obtained a screenshot of an attorney’s Facebook post. In it, the attorney recounted meeting with a client to prepare for trial on federal gun & drug charges.  The client expressed concern that the “blue-collar jurors” would not connect with the attorney.

Per the AP story, the attorney turned to social media, posting that he was “flabbergasted” that the client would even suggest such a thing.  The post went on to state that the client was an ” ‘(expletive) idiot and a terrible criminal . . . who needed to shut his mouth because he was the dumbest person in the conversation by 100 times.’ ”  The attorney’s post observed ” ‘you wonder why need jails, huh?’ ”

The post speaks for itself and probably wouldn’t require more than 3 seconds at a CLE:  Don’t Post That.  It’s the attorney’s response that I find noteworthy.

The AP interviewed the attorney.  He told the AP that “he shared the post only with his Facebook friends.”

In Vermont, Rule 1.6 addresses client confidences.  The rule sets out the general prohibition against disclosing information relating to the representation of a client, then lists some exceptions.

“You may tell your friends” is not one of the exceptions.  In fact, it’s kind of the point of the rule.

Again, this story presents a stark example and I think most lawyers recognize that there’s no “friends & family” exception to the duty to maintain confidences. But as I noted last week, I think we sometimes get a bit lax in how much we share about our cases and clients.  Even a little is too much.

Finally, the fact that the attorney’s disclosure was made on social media is almost a red herring.  To me, this is not “See! I told you that social media is bad!”  That is, my guess is that lawyers who improperly disclose client confidences on social media would likely do by other means as well.  If you’re willing to post confidences to social media, you’re probably also willing to drop them in casual conversation over dinner.

Don’t.  Remember our postulates:

• Theorem:  Keep Quiet & Lawyer On.
• Corollary:  Don’t Post That.

Now, I look forward to spending the weekend revising Hammer’s lyrics to create a parody version entitled Don’t Post That.  Maybe I’ll sing it at my next CLE.

And, if I’m feeling nostalgic, maybe I’ll dig out the parachute pants.

 

 

 

 

Yes!!!

I’m not a huge fan of the “Throwback Thursday” trope, but I am a huge fan of readers.  So, as it has, when blogger’s block strikes, I resort to the trope.

But not without reason.

I’m heading to Rutland tomorrow.  Two years ago, and a few days after heading to Rutland, I blogged on how I hoped never again to have to assuage lawyers that there’s nothing inherently unethical about storing client information in the cloud.

I’m happy to report that we seem to have accepted the premise.

Yes!!!

Thank you.

That being said, refreshers aren’t inherently bad either. Especially since the effective date of the recent amendment on tech competence is nigh.  So, here goes.

The original post ran on November 10, 2016.

*******************************************

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud.  I started by saying that I hoped it was my final seminar on the topic.  I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent.  See, Rule 1.6.  A lawyer also has a duty to keep client property safe.  See, Rule 1.15.

I view the cloud as the latest in a long line of different places to store information.  In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16].  When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.  Rule 1.6, Comment [17].

So, think about cloud storage like this:  client information is electronically transmitted to a place where it will be kept.  Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06.  Here’s the digest of the opinion:

• “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)

The question I hear most often is this:  “what are reasonable precautions?”  In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

• who do you let into this facility?
• do you require a passcode or badge for the gate?
• are there locks on the individual units?
• who besides me has a key or knows the combination?
• can i get into my unit whenever i want to?
• what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion.  The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi.  He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

• Is it a solid company with a good reputation and record?
• Can you get access to your data whenever you want, without restrictions?
• If your service is terminated – by you or by the company – can you retrieve your data?
• Does it allow use of advanced password protocols and two-step verification?
• What are its internal policies regarding employee and third-party access to your data?
• Is your data encrypted both while in transit and while at rest on the company’s servers?
• How is your data backed up?
• What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

• You:   Will my data be encrypted in transmission and at rest?
• Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
• You.  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions.  This entry includes links that will help you determine what “reasonable precautions” are.  Don’t fear the cloud, but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.