Proposed Florida Opinion would allow mobile payment of legal fees as long as lawyers protect client confidences and safeguard funds.

I know a guy who runs an NCAA tournament pool.  He told me that most participants paid via Venmo or PayPal.  A few, however, sent checks in the mail.  Hearing this made me realize that there are people who do not know how mobile payment apps work.

Last week, the Florida Bar’s Professional Ethics Committee approved Proposed Advisory Opinion 21-2.  The proposed opinion concludes that Florida’s ethics rules do not prohibit a lawyer from accepting payment via apps like Venmo & PayPal if the lawyer:

1. protects client confidentiality; and,
2. takes reasonable steps to safeguard funds held in connection with a representation.

This press release summarizes the proposed opinion. It now goes out for comment and will considered for final adoption in June.

Next week, I’ll blog about the opinion’s consideration of the trust account rules.  Today, I’m more interested in the first part of the opinion.  In my view, it provides helpful reminders and guidance on tech competence and client confidentiality.

Some of you might be wondering: what does a mobile payment app have to do with client confidentiality?  Well, there you have it: tech competence.  You need to know what you don’t know.

Like the Florida opinion, let’s use Venmo as an example.

Venmo is more than just a payment processor.  In a way, it’s a social media platform.  Here’s language from the Florida opinion:

• “For example, Venmo users, when making payment, are permitted to input a description of the transaction (e.g., ‘$200 for cleaning service’). Transactions are then published to the feed of each Venmo user who is party to the transaction. Depending on the privacy settings of each party to the transaction, other users of the application may view that transaction and even comment on it.”

To illustrate the point, if you download the Venmo app, here’s what you’ll see before you log-in or sign-up:

From the third transaction in the feed, we know that Skye F and John G had a virtual coffee date.  Let’s hope that their privacy settings are such that one or the other’s significant other didn’t find out.

As an aside, did the date not go well? Is that why Skye charged John??  Anyhow, I digress.

Now, apply this to real life.  Yes, accepting mobile payments might make it easier to run your law office.  However, things might become more difficult if your privacy settings are such that the entire world, including John G’s unsuspecting spouse, learns from Venmo that your firm charged John G. for “divorce consultation.”

Here’s the answer, courtesy of me logging into Venmo and opening my privacy settings:

Finally, here’s a great paragraph from Florida’s proposed opinion.  The first sentence aside, it applies to every single circumstance that involves information relating to the representation of a client:

• “For lawyers, accepting payment through a payment-processing service risks disclosure of information pertaining to the representation of a client in violation of Rule 4- 50 1.6(a) of the Rules Regulating The Florida Bar. Rule 4-1.6(a) prohibits a lawyer from revealing information relating to representation of a client absent the client’s informed consent. This prohibition is broader than the evidentiary attorney-client privilege invoked in judicial and other proceedings in which the lawyer may be called as a witness or otherwise required to produce evidence concerning a client. The ethical obligation of confidentiality applies in situations other than those in which information is sought from the lawyer by compulsion of law and extends not only to information communicated between the client and the lawyer in confidence but also to all information relating to the representation, whatever its source. Likewise, a lawyer must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation. The obligation of confidentiality also arises from a lawyer’s ethical duty to provide the client with competent representation. This includes safeguarding information contained in electronic transmissions and communications.”

From there, the opinion makes several suggestions.  To me, they boil down to this one:

• “The lawyer must make reasonable efforts to understand the manner and extent of any publication of transactions conducted on the platform and how to manage applicable settings to preempt and control unwanted disclosures.”

That’s all for now.  Next week I’ll discuss the section of the opinion that deals with the trust account rules.

Related post:

• Mobile Payment & Legal Fees (11/12/19)

NJ Committee concludes that a lawyer who copies a client on an email to opposing counsel impliedly consents to “reply-all.”

Updated, 4:24 PM on 3/26/21 to include the advisory opinions linked at the end of the post.

Here’s the situation:

• Attorney represents Blue.
• Lawyer represents Red.
• Attorney emails Lawyer and copies Blue.

For years, lawyers in Lawyer’s shoes have informed me how much it bothers them for Attorney to copy Attorney’s own client on an email to opposing counsel.

Earlier this month, the New Jersey Supreme Court’s Advisory Committee on Professional Ethics issued ACPE Opinion 739.  The Committee concluded “that lawyers who include their clients in the ‘to’ or ‘cc’ line of a group email are deemed to have provided informed consent to a ‘reply all’ response from opposing counsel that will be received by the client.”  Thus, in my example, Lawyer would not violate Rule 4.2 by “replying-all” to Attorney’s email.

The opinion doesn’t surprise me.  Given the nature of email, I expected that someone would eventually conclude that “cc” invites a “reply-all.”  Still, I urge caution.

As the Committee acknowledges, New Jersey is the first jurisdiction to reach this conclusion.  The opinion cites to advisory opinions from five other states that reached the opposite.  The Committee states:

• “Many of these opinions caution the sending lawyer that it is inadvisable to include the client on the email, acknowledging that the sending lawyer may be ‘setting up’ opposing counsel for an ethics violation. The Committee finds that these opinions from other jurisdictions do not fully appreciate the informal nature of group email or recognize the unfairness of exposing responding lawyers to ethical sanctions for this conduct.”

In its coverage of the New Jersey opinion, JDSupra urges caution as well:

• “Best practices also suggest that attorneys should avoid copying their clients on emails they send to opposing counsel so as not to imply consent for opposing counsel to communicate with the client. Any email sent to opposing counsel can just as easily be forwarded to a client.”

I agree, albeit for a different reason.  I’m not as concerned that the receiving lawyer might reply-all as I am that the sending lawyer puts their client at risk of doing the same, thereby disclosing confidential information to opposing counsel. Thus, to me, the lawyer who copies a client on certain emails to opposing counsel risks running afoul of Rule 1.1 (competence) and Rule 1.6 (confidentiality).

Still, the New Jersey opinion is interesting.  First, the Committee compared letters to conference calls:

• “There is no question that a lawyer who receives a letter from opposing counsel on which the sending lawyer’s client is copied may not, consistent with Rule of Professional Conduct 4.2, send a responding letter to both the lawyer and the lawyer’s client. In contrast, if a lawyer were to initiate a conference call with opposing counsel and include the client on the call, the lawyer would be deemed to have impliedly consented to opposing counsel speaking on the call and thereby communicating both with the opposing lawyer and that lawyer’s client.”

Then, the Committee concluded that a group email is more like a conference call than a letter:

• “Email is an informal mode of communication. Group emails often have a conversational element with frequent back-and-forth responses. They are more similar to conference calls than to written letters. When lawyers copy their own clients on group emails to opposing counsel, all persons are aware that the communication is between the lawyers. The clients are mere bystanders to the group email conversation between the lawyers. A ‘reply all’ response by opposing counsel is principally directed at the other lawyer, not at the lawyer’s client who happens to be part of the email group. The goals that Rule of Professional Conduct 4.2 are intended to further – protection of the client from overreaching by opposing counsel and guarding the clients’ right to advice from their own lawyer – are not implicated when lawyers ‘reply all’ to group emails.”

In addition, the Committee concluded that it would be unfair to require the receiving lawyer to sort through the email addresses of those copied to determine who should and should not be included on the reply.  That is, that in this day & age, the general norm is that a “cc” invites a “reply-all.”

Unsurprisingly, the Committee cautioned receiving lawyers against replying directly to the copied client without including the sending lawyer on the reply.

As always, be careful out there.

Update:  here are six opinions from other states, each of which advises that the receiving lawyer may not “reply-all” to an email in which the sending lawyer copies sending lawyer’s client.  All but the Pennsylvania opinion are cited in the New Jersey opinion.

• Pennsylvania (Opinion 2020-100, 1/22/20)
• Alaska (Opinion 2018-1, 1/18/18)
• Kentucky (Ethics Opinion KBA E-442, 11/17/17)
• New York (Opinion 1076, 12/8/15)
• North Carolina (2012 Formal Ethics Opinion 7, adopted 10/25/13)
• New York City Bar Association (Formal Opinion 2009-01 1/2/09)

 

Wisconsin Advisory Opinion Offers Cybersecurity Tips on Working Remotely

In late January, the Wisconsin Bar issued Formal Ethics Opinion EF-21-02: Working Remotely.  The opinion makes three important points and shares helpful and practical guidance on cybersecurity practices, training & supervision, and preparing clients.

First, the important points.

I’m a fan of the opening line of the synopsis:

• “The basic responsibilities that a lawyer owes the client – competence, diligence, communication, and confidentiality – lie at the core of lawyer’s professional obligations and remain unchanged irrespective of the lawyer’s physical location.”

That’s critical: the pandemic hasn’t lessened or diminished our professional obligations.  Our responsibilities remain the same as in 2019 when we were working in our offices.  Further, our basic obligations to clients will not change once the pandemic ends. As the opinion points out, “it is expected that lawyers, like other professionals, will continue to work remotely in some form after the pandemic.” So, the guidance, while issued in response to the pandemic, will prove valuable in an increasingly remote post-pandemic workplace.

Next, the opinion reiterates what I’ve been blogging for years: competence includes tech competence.  Pages 2 and 3 include language that I’m certain will worry lawyers.  The language, however, is important to take to heart.

• “Basic technological competence includes, at a minimum, knowledge of the types of devices available for communication, software options for communication, preparation, transmission and storage of documents and other information, and the means to keep the devices and the information they transmit and store secure and private.”

As the opinion notes, large firms likely will employ IT professionals for these issues.  Small firms and solos are reminded that they “may need to retain the services of an expert if they lack the knowledge to personally manage the technological aspects of practice.”

Finally, the conclusion ties together the first two points in an important reminder:

• “The COVID-19 pandemic has dramatically changed how lawyers work and represent their clients. Some of these changes may be temporary but others are likely part of a movement towards increased reliance on technology in the practice of law. As working remotely has become the new normal, lawyers must develop new skills and knowledge to comply with their core responsibilities.”

Indeed.

I’ll finish by cutting and pasting the guidance and practical tips that begin on page 10 of the Wisconsin opinion.  I’ve reformatted & renumbered the footnotes to endnotes.

***

General Guidance

 It is impossible to provide specific requirements for working remotely because lawyers’ ethical duties are continually evolving as technology changes. It is possible, however, to provide some guidance. Cybersecurity Practices Because working remotely relies on technology, competence in technology and cybersecurity practices are essential. The following cybersecurity practices have been recommended by a number of ethics opinions[i] and other resources. None of these practices are new: they are reasonable precautions that have helped lawyers fulfill their ethical obligations, especially the duty of confidentiality, when working in the office and when working remotely, whether at home during evenings and weekends, or during travel for work or vacation.

• Require strong passwords to protect data and to access devices. The more complex the password, the less likely that an unauthorized user will be able to access data or devices by using password cracking techniques or software.
• Use two-factor or multi-factor authentication to access firm information and firm networks. Although requiring an additional authentication step, such as a six-digit code sent to the lawyer’s phone or email, may seem inconvenient or burdensome, it is a reasonable precaution that increases protection and reduces the likelihood of unauthorized access by providing an additional layer of security beyond a strong password.
• Avoid using unsecured or public WiFi when accessing or transmitting client information. Hackers can access unencrypted information on unsecured WiFi and can use unsecured WiFi to distribute malware.
• Use a virtual private network (VPN) when accessing or transmitting client information. A VPN encrypts information and allows users to create a secure connection to another network.
• Use firewalls and secure router settings. A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules: it establishes a barrier between a trusted network and an untrusted network. A router connects multiple devices to the Internet, and connects the devices to each other.
• Use and keep current anti-virus and anti-malware software. Anti-virus and anti-malware both refer to software designed to detect, protect against, and remove malicious software.
• Keep all software current: install updates immediately. Updates help patch security flaws or software vulnerabilities, which are security holes or weaknesses found in a software program or operating system.
• Supply or require employees to use secure and encrypted laptops. All lawyers and staff should use only firm issued devices with security protections and backup systems and prohibit storage of firm or client information on unauthorized devices. All devices used by the lawyer, such as desktop computers, laptops, tablets, portable drives, phones, and scanning and copy machines, should be protected.
• Do not use USB drives or other external devices unless they are owned by the firm or they are provided by a trusted source.
• Specify how and where data created remotely will be stored and how it will be backed up.
• Save data permanently only on the office network, not personal devices. If saved on personal devices, taking reasonable precautions to protect such information.
• Use reputable vendors for cloud services. Transmission and storage of firm and client information through a cloud service is appropriate provided the lawyer has made sufficient inquiry that the service is competent and reputable.[ii]
• Encrypt emails or use other security to protect sensitive information from unauthorized disclosure. A lawyer should balance the interests in determining when encryption is appropriate.
• Encrypt electronic records, including backups containing sensitive information such a personally identifiable information.
• Do not open suspicious attachments or click unusual links in messages, email, tweets, posts, online ads.
• Use websites have enhanced security whenever possible. Such websites begin with “HTTPS” in their address rather than “HTTP,” and encrypt the communication.
• Provide adequate security for video meetings or conferences. The FBI has recommended the following steps: use the up-to-date version of the application; do not make the meetings public; require a meeting password; do not share the link to the video meeting on an unrestricted publicly available social media post; provide the meeting link directly to the invited guests; and manage the screen-sharing options.[iii] In selecting a videoconferencing platform, the lawyer should make sure it is sufficiently secure both in its structure and its contractual terms of use, especially any terms on access to user information.[iv]
• Do not have work-related conversations in the presence of smart devices such as voice assistants. These devices may listen to and record conversations.[v]

Training and Supervision

To comply with the duties required by SCR 20:5.1 and 5.3, partners, managers and supervisory lawyers should consider whether the firm’s policies and procedures are adequate to address the specific challenges that may arise when lawyers and nonlawyer assistants are working remotely.

• Establish and implement policies and procedures for cybersecurity practices. These policies and procedures should be in writing and provided to all lawyers and nonlawyer assistants, and stress compliance.
• Establish and implement policies and procedures for the training and supervision of lawyers and nonlawyer assistants in the firm’s cybersecurity practices. Training is the most basic step in avoiding a cyberattack at a law firm. In other words, it is extremely important to develop a culture of awareness. The most serious vulnerabilities of a cybersecurity system are not the hardware or software, but rather the people who use it. It is estimated that 90% of cybersecurity breaches are due to human error.[vi]
• Establish and implement policies and procedures regarding remote workspaces to mitigate the risk of inadvertent or unauthorized disclosures of information relating to the representation of clients. Remote workspaces should be private to ensure that others do not have access to phone conversations, video conferences, or case-related materials.
• Hold sufficiently frequent remote meetings between supervising attorneys and supervised attorneys, and between supervising attorneys and supervised nonlawyer assistants to achieve effective supervision.

Preparing Clients

Representing a client remotely may present challenges to competent representation.[vii] Consequently, a lawyer should carefully consider whether the lawyer can adequately prepare the client to testify or for interviews while working remotely.

• The lawyer and the client should have sufficient ability with the technology.
• The lawyer and the client should have access to relevant documents.
• The lawyer and the client have adequate time and attention to ensure the client’s comfort with the communicating by the medium that will be used.

[i] See, e.g., Wisconsin Formal Ethics Opinion EF-15-01: Ethical Obligations of Attorneys Using Cloud Computing (Amended September 8, 2017).

[ii] Wisconsin Formal Ethics Opinion EF-15-01.

[iii] https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-ofteleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic

[iv] Lawyers must understand that if video conferences are recorded the vendor may retain a copy under the terms of service. See INSIGHT: Zooming and Attorney Client Privilege, https://www.bloomberglaw.com/exp/eyJjdHh0IjoiQ1ZOVyIsImlkIjoiMDAwMDAxNzEtZWExYy1kMDAwLWE5N2YtZ WE3ZTkwYWMwMDAxIiwic2lnIjoidVliaWhQR3J3ZmpWcDBKeE5KY1JYV1c0RlcwPSIsInRpbWUiOiIxNTkwMjQwMzM 1IiwidXVpZCI6IndNWHUzdVFGajBEWGxkZFBKcTNSVVE9PU1ZZmVtSkhLU0hBMWtPNG8rTE50eGc9PSIsInYiOiIxIn0= ?usertype=External&bwid=00000171-ea1c-d000-a97fea7e90ac0001&qid=6912181&cti=LSCH&uc=1320042032&et=SINGLE_ARTICLE&emc=bcvnw_cn%3A7&bna_news_ filter=true

[v] For example, Google and Amazon maintain those recordings on servers and hire people to review the recordings. Although the identities of the speakers are not disclosed to these reviewers, they might hear sufficient details to be able to connect a voice to a specific person. https://www.vox.com/recode/2020/2/21/21032140/alexa-amazongoogle-home-siri-applemicrosoft-cortana-recording .

[vi] https://www.techradar.com/news/90-percent-of-data-breaches-are-caused-by-humanerror#:~:text=A%20new%20report%20from%20Kaspersky,carried%20out%20by%20cloud%20providers .

[vii] The New York County Lawyers Association Formal Opinion 754-2020 at 3.

Vermont Supreme Court suspends lawyer for improper use & disclosure of information relating to the representation of current & former clients.

Prologue

In a disciplinary proceeding, the attorney’s state of mind – negligent, knowing, or intentional – is a critical factor in determining the appropriate sanction. Misconduct born of negligence generally results in a lesser sanction than knowing or intentional misconduct.  A few years ago, I blogged about the process by which the Vermont Supreme Court and hearing panels of the Professional Responsibility Board decide the sanction to impose.

Today’s Blog Post

Whether via inquiry or at a CLE, I’ve often cautioned lawyers about taking cases that may require them to depose or cross-examine a former client.  A common reply is “But, Mike, any information I might use against my former client is public record.”

Again “it’s public record,” is NOT one of the exceptions to the prohibition against using information relating to the representation of a current or former client to their disadvantage.  Simply, lawyers who believe that it is are mistaken.  And, as the Vermont Supreme Court indicated last week, it’s a mistake that might not mitigate in favor of a more lenient sanction if disciplinary charges are filed against the lawyer who makes it.

Please read the opinion.  There’s no substitute for doing so.

All I will say is this: at the trial level, a hearing panel of the Professional Responsibility Board concluded that the lawyer violated Rules 1.8(b)and 1.9(c)(2) of the Vermont Rules of Professional Conduct.  The former prohibits lawyers from using information relating to the representation of a current client to the client’s disadvantage.  The latter prohibits lawyers from revealing information relating to the representation of a former client.  Concluding that the violations were “knowing,” the panel suspended the lawyer’s law license for 3 months.

On appeal, the lawyer conceded having violated Rule 1.9(c)(2). However, the lawyer argued that he mistakenly believed that the public nature of the former client’s proceeding relieved him of a duty to keep the information confidential.  Thus, he argued, the violation was “negligent”, not “knowing”, and that his state of mind mitigated in favor of a lesser sanction that would not affect his privilege to practice.

The Court affirmed the hearing panel.  In so doing, the Court stated that lawyers are expected to know the rules.  In essence, ignorance of the rules is no defense to Disciplinary Counsel’s enforcement thereof.  Then, the Court stated that the lawyer:

• “acted knowingly in revealing details of former client’s divorce to [others]. His mistaken belief that the disclosure was appropriate under the Rules does nothing to change the fact that he knowingly disclosed the information.”

It would be a mistake to conclude that the public nature of information relating to the representation of a current or former client relieves a lawyer of the duty not to use the information to the current or former client’s disadvantage.  A mistake that may not mitigate in favor of a lesser sanction.

Related Posts

• ABA Issues Guidance on Responding to Online Criticism
• Stop Making Noise
• ABA and Client Confidences: It’s Déjà vu All Over Again
• Can’t keep quiet? Try harder

 For more on the “generally known” exception to Rule 1.9(c)(2), see ABA Formal Opinion 479.

 

ABA Issues Guidance on Responding to Online Criticism

I haven’t blogged since before Christmas. Alas, like tragic ancient romances, all good things must come to an end.

I’m going to ease back into it with a topic familiar to regular readers: a lawyer’s duties when responding to online criticism.  It’s an issue I’ve discussed often.  Links to my prior posts are below.  Here’s the nutshell version:

• when considering if or how to respond to a negative review, a lawyer should be as careful as Elmer Fudd was quiet when hunting rabbits: very, very.

Yesterday, the ABA’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 496: Responding to Online Criticism.  I like the opinion and urge you to read it.  Here are my thoughts.

In Vermont, Rule 1.6 prohibits a lawyer from disclosing information relating to the representation of client.  Our rule on former clients, Rule 1.9, incorporates Rule 1.6 by reference.

There are exceptions to the general prohibition. Of the exceptions, the so-called “self-defense” exception is most often cited as permitting a lawyer to disclose other confidential information in response to a negative review.  As I’ve long pointed out, it doesn’t.

In Vermont, the “self-defense” exception appears in Rule 1.6(c)(3).  It permits a lawyer to disclose information relating to the representation:

• to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client;
• to establish a defense to a criminal charge or civil claim against the lawyer based upon conduct in which the client was involved; or,
• to respond to allegations in any proceeding concerning the lawyer’s representation of the client.

As ABA Opinion 496 further makes clear, a negative review is not “a controversy” or “proceeding” that triggers the “self-defense” exception.

In short, “my client criticized me online” does not fall within the exceptions to the general prohibition on disclosure.

Finally, while I haven’t received many inquires about how to respond to online reviews, those I’ve received consistently include the lawyer saying something like “the client’s post waives the privilege, so I can respond, right?”

Hold up!!

Your ethical obligation is not to disclose information relating to the representation of a client or former client.  The obligation encompasses all information relating to the representation, no matter the source.  As such, it is much broader than the attorney-client privilege.

In addition, the privilege is asserted in response to demands that compel production of confidential information.  For example, discovery requests or a request to testify under oath.  Whether a client’s online review constitutes a waiver of an evidentiary privilege is for a court to decide. It is not for the lawyer to decide in posting a reply.  Or, as the committee notes at the very beginning of its analysis in Formal Opinion 496:

• “[t]he scope of the attorney-client privilege, as opposed to confidentiality, is a legal question that this Committee will not address in this opinion.”

So, what can a lawyer do when criticized online? Opinion 496 includes guidance.  From the summary:

• “As a best practice, lawyers should consider not responding to a negative post or review, because doing so may draw more attention to it and invite further response from an already unhappy critic. Lawyers may request that the website or search engine host remove the information. Lawyers who choose to respond online must not disclose information that relates to a client matter, or that could reasonably lead to the discovery of confidential information by another, in the response. Lawyers may post an invitation to contact the lawyer privately to resolve the matter. Another permissible online response would be to indicate that professional considerations preclude a response.”

Negative online reviews will happen.  Fight the urge! Think and long & hard before you respond.

RELATED MATERIAL

 My Blog Posts

Negative Online Review? How Not to Respond

Negative Online Review? Restrain Yourself!

Other Blog Posts

ABA Journal, How to ethically respond to negative reviews from clients, Cynthia Sharp (friend of this blog)

Responding to Negative Online Reviews, Catherine Reach, North Carolina Bar Association Center for Practice Management

Advisory Opinions

 North Carolina State Bar, Proposed Opinion 2020-1

New York State Bar Association Ethics Opinion 1032

The Bar Association of San Francisco, Ethics Opinion 2014-1

Los Angeles County Bar Association Ethics Opinion 525

 

 

Duties associated with the inadvertent receipt and production of information.

When talking professional responsibility, we sometimes focus so intently on the Rules of Professional Conduct that we overlook duties that arise under other law.  Prone to such laser-like focus is the discussion of the professional duties associated with the inadvertent production and receipt of privileged information.

I’ve previously mentioned Presnell on Privileges.  It’s a fantastic resource to stay up to date on all matters related to the attorney-client privilege.  Last week, a loyal reader forwarded me a post from the blog: EEOC Lawyer Reads GW’s Privileged Emails – Violates FRCP 26(b)(5)(B). What about Ethics Rules and Sanctions?

Let the discussion begin.

With respect to legal ethics, V.R.Pr.C. 4.4(b) governs.

“A lawyer who receives a document relating to the representation of the lawyer’s client and knows or reasonably should know that the document was inadvertently sent shall promptly notify the sender.”

Three observations:

• I’d caution against debating with yourself as to whether you received a “document.”  That strikes me as too fine a distinction when dealing with information that you know or should know was not meant for you. Indeed, Comment [2] indicates that “ ‘document’ includes email or other electronic modes of transmission subject to being read or put into readable form.”
• Nothing in the rule suggests that the duty to notify the sender turns on the recipient’s assessment of whether the document is privileged. Rather, “receipt” triggers the duty to notify.
• The rule applies no matter the sender.  That is, it’s not limited to “opposing counsel.”

As I’ve often mentioned, notification is the only duty that arises under Vermont’s rule.  Per Comment [2] “whether the lawyer is required to take additional steps, such as returning the original document, is a matter of law beyond the scope of these rules, as is the question of whether the privileged status of a document has been waived.”  Comment [3] goes on to indicate that even when not required by law to do so, the decision to return or destroy the document unread is a matter of professional judgment left to the lawyer.

But that doesn’t end the discussion.  There are duties that spring from other law, most notably the rules of civil procedure.

The link at the beginning of this post refers to the duties that arise under the federal rules in response to an assertion that a privileged document was inadvertently produced.  There’s also Rule 26(b)(6)(B) of the Vermont Rules of Civil Procedure. Under the rule, a party who is notified that privileged information was produced “must promptly return, sequester, or destroy the specified information and any copies it has and may not use or disclose the information until the claim is resolved.”

Is a violation of the civil rule an ethics violation?

Maybe.

V.R.Pr.C. 3.4(c) makes it a violation to “knowingly disobey an obligation under the rules of a tribunal.”  Further, when discussing privileged information, V.R.Pr.C. 4.4(b) prohibits “methods of obtaining evidence that violate the legal rights of [a] person.”  The Comment adds that while “it is impractical to catalogue all such rights . . . they include . . . unwarranted intrusions into privileged relationships, such as the client-lawyer relationship.” Finally, even if not an ethics violation, I’ve heard that discovery sanctions aren’t fun.

In conclusion, when discussing inadvertent production, don’t limit the discussion to the Rules of Professional Conduct.

Stop making noise.

“Noise
Yeah we scream, yeah we shout ’til we don’t have a voice
In the streets, in the crowds, it ain’t nothing but noise
Drowning out all the dreams of this Tennessee boy
Just tryna be heard in all this noise”

~ Kenny Chesney, Noise

**********************************

A common inquiry is “Mike, what can I say in my motion to withdraw?”  Channeling my inner Calvin Coolidge, I answer “not much.”

Seriously – take heed to avoid what, in the lingo, we call “noisy withdrawal.”  That is, don’t impermissibly disclose information relating to the representation of the client when moving to withdraw from the representation.

Before, I outline the analysis, perhaps I’ll pique interest by sharing a real-life example.

It’s the story of a Tennessee lawyer who was publicly censured for disclosing confidential information in a motion to withdraw.  Hat tip to Brian Faughnan for sharing the story in a recent post on his blog Faughnan On Ethics.  The disciplinary opinion is here.

I’ll return to the opinion in a bit. First, an outline of the relevant rules.

V.R.Pr.C. 1.16 governs withdrawal.  Paragraph (a) sets out the situations in which withdrawal is required, while paragraph (b) lists instances in which withdrawal is permitted.  Notably, nothing in Rule 1.16 requires or permits a withdrawing lawyer to disclose otherwise confidential information.  The rule is limited to withdrawal and the duties that follow the termination of a representation.

In short, the rule on client confidences remains in full effect throughout the withdrawal process.

And that rule is V.R.Pr.C. 1.6.  It prohibits lawyers from revealing information relating to the representation of a client.  Like the withdrawal rule, it includes exceptions that either mandate or permit disclosure in certain situations.  Finally, as regular readers know, a comment to Rule 1.6 makes clear that “information relating to the representation of a client” is much broader than “information that is subject to the attorney-client privilege.”

So, the ethical tap dance becomes complying with Rule 1.16 without violating Rule 1.6.  As was my Aunt Mary Ellen in her tap dance studio when I was a kid,  Tennessee case is instructive.  Here’s a quick summary.

Lawyer represented Client. The professional relationship deteriorated, so Lawyer filed a motion to withdraw.  Lawyer included an affidavit in support of the motion.  In the affidavit, Lawyer revealed that:

• Lawyer’s employees worry that Client will physically assault them.
• Twice, Lawyer called 911 for police assistance in dealing with Client.
• Client had not paid certain bills.
• Client was often aggressive, threatening, argumentative, and uncooperative.
• Client had recorded conversations with Lawyer

In sum, the affidavit disclosed information relating to Lawyer’s representation of Client.  From there, the Tennessee panel was clear:

• Yes, the Lawyer had grounds to move to withdraw pursuant to Rule 1.16.
• However, nothing in Rule 1.16 allowed Lawyer to disclose information protected by Rule 1.6 when moving to withdraw.
• Further, “when the lawyer withdraws” is not an exception to Rule 1.6’s prohibition on disclosing information relating to the representation of a client.
• And, finally, it doesn’t matter whether the information in the affidavit was privileged: Rule 1.6 covers  all information relating to teh representation, no matter the source.

Returning to the inquiry I shared at the beginning of this post, here’s the guidance that I typically provide when in a mood to utter more than 2 words.

Cite to the provision of Rule 1.16 that requires or permits withdrawal.  That’s it.

Then, there are two situations that would permit (but not require) you to provide more information that is otherwise confidential.

The first is covered by V.R.Pr.C. 1.6(c).  A lawyer may comply with a court order to disclose information relating to the representation of a client.  To me, that means that if a court orders you to provide more information on your motion to withdraw, you may do so.  I recommend treading lightly, disclosing only enough information as is necessary to establish that grounds for withdrawal exist.

The second is set out in Rule 1.6(c)(3) and, in my experience, is less likely to arise.  It’s the so-called “self-defense” exception.  It allows a lawyer to disclose otherwise confidential information in three situations, including “to respond to allegations in any proceeding concerning the lawyer’s representation of the client.”  I suppose that a hearing on a motion to withdraw might include the client making allegations about the lawyer’s representation.  If so, Rule 1.6(c)(3) would permit the lawyer to respond.  Again, the response must be constrained to the allegation.

In closing, and to paraphrase Kenny Chesney, when it comes to disclosing confidential information in a motion to withdraw, you’ll likely find that clients, disciplinary prosecutors, and disciplinary bodies won’t stand for your noise.

Negative Online Reviews: it’s the story, not the law.

Technically, this post isn’t about a lawyer’s response to a former client’s negative online review.  I don’t want to spoil the ending, so, for now, I won’t explain the technicality.

Instead, I’ll get business out of the way and remind lawyers about the rules to consider when responding to negative online reviews.

Rule 1.9(c)(2) prohibits a lawyer from revealing information relating to the representation of a former client except as permitted by other rules.  The key “other rule” is Rule 1.6, the rule that prohibits a lawyer from disclosing information relating the representation of a current client.  While the rule contains several exceptions, none of them is “unless the client gives you a bad review.”

Yes, Rule 1.6(c)(3) allows a lawyer to disclose otherwise confidential information “to establish a claim or defense in a controversy between the lawyer and client . . . or to respond to allegations in any proceedings concerning the lawyer’s representation of the client.”  However, the case law and numerous ethics opinions make clear that a negative review is not a “controversy” or “proceeding” that triggers the so called “self-defense exception” in Rule 1.6(c)(3).

For more on the business end, I recommend this great piece by Cynthia Sharp that ran in the ABA Journal earlier this year.

• aside: Cindy runs a fantastic attorney wellness resource – legalburnout.com

So, with business out of the way, I’m reminded of my first day of law school.

It was August 1990, orientation at the George Washington University’s National Law Center.  Speaking to the 1Ls, the then dean, Jack Friedenthal, urged us never to lose the facts for the law.  Meaning, when reading the assigned cases, yes, learn the legal lessons, but not at the expense of missing the stories – whether dramatic, tragic, comic, or truly incredible — that landed the parties to court.  I don’t remember many legal lessons from my law school days, but I’ve never forgotten, and always been thankful for, Dean Friedenthal’s suggestion to focus on the stories.

Today, I came across this post by Professor Frisch on the Legal Profession Blog. It’s the story of the lawyer whose response to a negative online review resulted in the Oklahoma Supreme Court suspending the lawyer’s license for two years and a day.

In posts like this one, I typically just link to the disciplinary opinion.  Not today.  The story is too incredible.  Here goes!

Lawyer practiced law with his Brother.  They feuded, and the partnership dissolved.  Litigation followed, with the result including an order that the brothers disable their firm’s website, and each create their own.  So, Lawyer hired Consultant to build a website. Worried that Brother would post bad things about him online, Lawyer also agreed to pay Consultant to provide online reputation management services.

A few days later, Consultant suggested that Lawyer should conduct an internet search of himself.  Lawyer did.  Lo’ and behold, Lawyer found a post on Website that described Lawyer as a “criminal.”  Lawyer asked Consultant how to get the post taken down.  Consultant replied that he knew someone who could “de-index” the post, essentially shoving it further down the list of results of a search of Lawyer.  Lawyer agreed to pay for the de-indexing.

• aside: if I’ve learned anything watching tv and movies, the “I know a guy” solution is rarely the best option.

Then, unbeknownst to Lawyer, Consultant commenced a form of DOS attack against Website and Website’s Attorneys. Consultant included emails indicating that the attack would stop only when Website took down the article that referred to Lawyer as a criminal. Consultant also threatened to launch a DOS attack against Website’s advertisers that would continue until the article was removed or the advertisers pulled their ads from Website.

Not wanting their client’s or their own servers to shut down, and not knowing who was behind the DOS attack, but realizing that it involved an article about Lawyer, Website’s Attorneys called Lawyer. Lawyer denied having any information that might help, and specifically denied having hired anyone for assistance with online reputation management. Then, when Website’s Attorneys told him they were turning the matter over to the FBI, Lawyer offered up a potential culprit.

Any guesses?

If you guessed “Consultant,”

The correct answer?

Brother!

That’s right, citing the partnership’s bitter breakup and ensuing litigation, Lawyer pinned Brother with motive. Then, when the conversation ended, Lawyer called Consultant and told to cease the DOS attack.  Nevertheless, Lawyer paid Consultant’s invoice for the, umm, service.

That’s not the end of the story.

A few months later, Lawyer made a startling discovery: it was Consultant who’d posted the article!  Consultant did so as part of a scheme to extort Lawyer.  So, Lawyer reported Consultant to the FBI.

That’s not the end of the story either.

The FBI investigation eventually revealed that Lawyer had withheld incriminating emails when making his report to the FBI.  In the end, Consultant and Lawyer were charged with federal crimes.  Lawyer pled guilty to being an accessory after the fact. Lawyer was sentenced to pay $430,500 in fines, restitution, and costs.  And, as I indicated above, Lawyer’s law license was suspended for 2 years and a day.  The opinion from the Oklahoma Supreme Court is here.

That’s the story.

Oh, and the legal lesson, be careful when responding to an online review.

Sometimes the story is far more interesting than the law.

Dean Friedenthal, you were right.  This one’s for you.

Additional Resources

My Blog Posts

Negative Online Review? How Not to Respond

Negative Online Review? Restrain Yourself!

Other Blog Posts

ABA Journal, How to ethically respond to negative reviews from clients, Cynthia Sharp

Responding to Negative Online Reviews, Catherine Reach, North Carolina Bar Association Center for Practice Management

Advisory Opinions

 North Carolina State Bar, Proposed Opinion 2020-1

New York State Bar Association Ethics Opinion 1032

The Bar Association of San Francisco, Ethics Opinion 2014-1

Los Angeles County Bar Association Ethics Opinion 525

Is there a duty to encrypt email?

Given that it’s Friday, I’ll start with a quiz question:

Which is most accurate? A lawyer must _____

• A.  encrypt an email that contains information related to the representation.
• B.  encrypt an email that contains “sensitive information.”
• C.  encrypt an email that contains privileged information.
• D.  act competently to protect the confidentiality of information related to the representation of a client, including by taking reasonable precautions to protect against the inadvertent disclosure of or unauthorized access to that information.

The answer is D.

I understand that practicing lawyers with professional responsibility inquiries want “yes” or “no” answers. However, bar counsel types who provide ethics guidance often don’t get as specific as lawyers would like. In no area is that more common than protecting client information.

Decades ago, I’m guessing that my predecessors didn’t answer “yes” or “no” when asked “am I required to buy one of those fancy new file cabinets that has locks on each drawer?”  Rather, they replied “you are required to take reasonable precautions to protect client information.”  Whether the inquirer’s personal circumstances made file cabinets sans locks unreasonable would’ve depended on the circumstances.  For instance, were the file cabinets in a locked closet to which only the lawyer and staff had access? Or were the file cabinets in storage room that the law firm shared with other businesses that rented space in the building?

Indeed, in 2017, the ABA’s Standing Committee on Ethics & Professional Responsibility declined to set “hard and fast rules” for storing client’s electronic information. In Formal Opinion 477, the Committee essentially announced that it’s not going to review every new advance in technology. No matter the next new thing, the duty remains the same: take reasonable precautions to protect client information.

Earlier this week, Professor Bernabe posted Does a lawyer have to encrypt e-mail messages? In it, he linked to LexBlog’s Encryption Ethics. I like the LexBlog post. The author makes clear that there will come a day when the failure to encrypt is deemed unreasonable. Here’s the post’s concluding sentence:

• “But as encryption and other safeguards get less expensive and cumbersome, your duty to implement these measures will undoubtedly increase.”

I’ve been saying the same thing for years. In 2015, I said it To encrypt or not to encrypt?  I said it again in 2017’s Encryption and the Evolving Duty to Safeguard Client Information.  In each post, I referenced various advisory opinions that make clear that, someday, technology will have evolved to the point at which it is no longer reasonable to choose not to encrypt email.  Similarly, there will come a time when it is not reasonable to use modes of information transmission or storage that do not encrypt the information in transit or at rest.

As I’ve run out of coffee and fret about having time to draft a Five for Friday post, I fear that I’ve lost focus.  So, I’ll leave you with this:  yesterday’s reasonable safeguards might be wholly unreasonable tomorrow. At the very least, take some time to think about how you and your firm are handling electronically stored client information.

Conflicts, Confidences & Prospective Clients

Long ago, I investigated this disciplinary complaint:

• Person met with Lawyer to discuss representation in a matter;
• Person shared information about the matter with Lawyer;
• Person opted not to retain Lawyer;
• Litigation ensued;
• Opposing Party retained Lawyer; and,
• Lawyer represented Opposing Party in the same matter about which Person had consulted with Lawyer.

Back then, Vermont had yet to adopt V.R.Pr.C. 1.18, the rule that sets out a lawyer’s duties to a prospective client.  Thus, as disciplinary counsel, I was left to analyze whether Lawyer had violated the rule that prohibits concurrent representation of clients with conflicting interests or the rule that prohibits representing a client whose interests are materially adverse to those of a in the same or a substantially related matter.

At the time, the general legal principle was that prospective clients were “neither fish nor fowl” for the purposes of the ethics rules.  Thus, conceding that Person was not a current or former client, I argued that the spirit and intent of the conflicts rules rendered Lawyer’s representation of Opposing Party a violation.

Alas, a hearing panel of the Professional Responsibility Board disagreed. The panel concluded that my decision to charge Lawyer with a violation was not supported by probable cause.  Thus, complaint dismissed.

Not long thereafter we got to work on proposing & promulgating V.R.Pr.C 1.18.  It took effect on September 1, 2009.

Under the rule, a “prospective client” is a person who, in good faith, discusses with a lawyer the possibility of forming client-lawyer relationship.  If no relationship ensues, the lawyer’s duty of loyalty is relaxed, but the duty of confidentiality is not.

That is, the lawyer must maintain the prospective client’s confidences as if the person had retained the lawyer.  However, the lawyer may represent someone whose interests are materially adverse to the prospective client, even in a matter that is the same as or substantially related to the matter that was the subject of the consultation, as long as the lawyer did not receive information that “could be significantly harmful” to the prospective client. Depending on the steps that the lawyer took to avoid or minimize the receipt of disqualification, lawyer’s conflict might not be imputed to lawyer’s firm.

Earlier this week, the ABA’s Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 492. The opinion addresses a lawyer’s obligations to prospective clients. The ABA Journal reported the opinion here.

In my view, the opinion provides clear and helpful guidance on (1) what constitutes a “consultation;” (2) the type of information that would be considered “significantly harmful” and thereby potentially disqualifying in a subsequent matter; and (3) the steps lawyers and firms can take to avoid receiving disqualifying information in an initial consultation.

I suggest reading it. Which is my way of saying that, as I ease back into blogging after the annual mini-hiatus that comes with the CLEs and training that take place this time of year, I’m not going to regurgitate an advisory opinion that is written far better than I could.

Aside: with the adoption of Rule 1.18, I assume that the prospective client has achieved fish or fowl status.  I’m not sure which.