Protect Client Info When Traveling Abroad

Given the proximity of the Canadian border, and with the YLD Thaw in mind, this article strikes home.

As reported by the ABA Journal in this post, ABA President Linda Klein recently authored a letter to DHS in which she expressed “serious concern about standards that permit searches of lawyer laptops and other electronic devices at the border in the absence of reasonable suspicion.”  President Klein’s letter is here.

Let me be clear: I am NOT suggesting that Vermont lawyers have an affirmative duty to refrain from bringing devices that contain client data to Montreal when traveling for the weekend. However, understand what might happen upon your return.  And, as I often say in response to inquiries, avoiding problems is a great way not to have any.  So, if you don’t need your device that contains work & client data while you’re wandering the Old Port, consider not bringing it.

Somewhat related, I’ve previously posted a blog Subpoena to Disclose Client Info?

 

 

 

Phising Scheme Alert: Google Docs

A phishing scheme is making the rounds today. It’s an attack in which an email invites the target to edit a document in Google Docs.

Adi Robertson at The Verge has the details here.

Let’s be careful out there.

So You Want To Store Client Data in the Cloud….

. . . you should! Odd are it’ll make your law practice more efficient, which will help both you and your clients.

With the June 30 deadline to report CLE compliance, I’m asked to present at a lot of CLEs in May and June.  This year, several folks have asked me to talk about the ethics associated with storing client data in the cloud.

I will do as asked. Reluctantly.

Last November, I posted a blog in which I expressed my hope that I’d done my last seminar on the ethics of storing information in the cloud.  I think it’s time we move beyond “can I use the cloud?” to figuring out whether the cloud works for you & your firm and, if so, which vendor to choose.

Since my hope has not yet been realized, I’m re-posting my post. Two words to remember: “Reasonable Precautions.”

****

The Cloud:  What are Reasonable Precautions?

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud.  I started by saying that I hoped it was my final seminar on the topic.  I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent.  See, Rule 1.6.  A lawyer also has a duty to keep client property safe.  See,Rule 1.15.

I view the cloud as the latest in a long line of different places to store information.  In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16].  When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.  Rule 1.6, Comment [17].

So, think about cloud storage like this:  client information is electronically transmitted to a place where it will be kept.  Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06.  Here’s the digest of the opinion:

• “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)

The question I hear most often is this:  “what are reasonable precautions?”  In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

• who do you let into this facility?
• do you require a passcode or badge for the gate?
• are there locks on the individual units?
• who besides me has a key or knows the combination?
• can i get into my unit whenever i want to?
• what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion.  The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi.  He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

• Is it a solid company with a good reputation and record?
• Can you get access to your data whenever you want, without restrictions?
• If your service is terminated – by you or by the company – can you retrieve your data?
• Does it allow use of advanced password protocols and two-step verification?
• What are its internal policies regarding employee and third-party access to your data?
• Is your data encrypted both while in transit and while at rest on the company’s servers?
• How is your data backed up?
• What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

• You:   Will my data be encrypted in transmission and at rest?
• Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
• You.  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions.  This entry includes links that will help you determine what “reasonable precautions” are.  Don’t fear the cloud, but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.

 

Guest Pass: Peter Zuk on Data Security

I’m rolling out a new column: Guest Pass.  Like Captain Kirk and the bridge, it’s a column in which I hand over control to a guest.

The first recipient of a Guest Pass is old friend Peter Zuk.  Many of you remember Peter from his title insurance days.  In my early years as disciplinary counsel, Peter was instrumental in helping me to learn the importance of a swift and serious response to a violation of the trust accounting rules.  He also served as an invaluable resource and sounding board when I found myself confronted with trust accounting issues that, having come from the AG’s office, I’d never encountered.

These days, Peter works for Kyocera Document Solutions and serves as a member of one of the Professional Responsibility Program’s hearing panels. Peter’s Guest Pass serves up an important reminder on tech competence & maintaining the security and confidentiality of client data.

Mr. Zuk, you’ve got the bridge.

**********

Data Security: Don’t Forget the Copier

by Peter Zuk

Michael:

I’m selling copiers and secure networks to lawyers many of whom were former title insurance customers.  It’s great to be able to serve my old clientele again.

In working through the purchase of a new copier or multi-function printer (MFP, as we like to say), the question frequently arises as to how to dispose of the old machine.  Big and heavy, they’re impossible to lift and few have a car big enough to haul it to a recycling facility.

Fortunately for most business customers the answer is an easy one:  The new company takes the old copier as a condition of the sale.

But what about law offices?  Is there anything else that they should consider?

The answer is “maybe”.

To understand this answer you have to know how the modern MFP works.

While they don’t look like much, copiers come packed with technology these days.  Part of that technology is a large capacity hard drive.  To provide you with a crisp, clear copy or scanned image, the MFP takes a picture of your document, digitizes it and saves it to an internal hard disk located within the machine.  From there, the internal computer then copies that image from the drive to a photo-statically charged drum which transfers the charged image to paper.

What happens to the image on the hard disk you may be asking?  Fortunately most machines now overwrite the image at the completion of each job obscuring its discovery.

Lawyers may be ok with that level of security.  To be sure though, the prudent attorney may wish to request that the copier company remove the hard disk from the old machine on premises and surrender it to a member of the firm for proper and documentable destruction.  On premises removal of hard disks is becoming requested more and more and should be considered as part of an overall data security plan for the firm.

Firms wishing to do this should notify their leasing company prior to removal as they may ask to be reimbursed for the cost of the hard drive.

******************

Thank you Peter!  For those of you saying to your selves “self, this isn’t a very big deal,” check out this 2010 story from CBS News: Digital Photocopiers Loaded With Secrets. 

 

 

Withdrawing? Remember this Disco Tune

So, you want to withdraw because your client hasn’t paid.  There’s a rule for that: Rule 1.16.

Specifically, Rule 1.16(b)(5) permits withdrawal when:

• “the client fails substantially to fulfill an obligation to the lawyer regarding the lawyer’s services and has been given reasonable warning that the lawyer will withdraw unless the obligation is fulfilled.”

Per Comment 8, this includes a client’s failure to abide by the terms of a fee agreement.

This is where disco comes in.

As I was driving to work this morning, Thelma Houston’s version of Don’t Leave Me This Way came on the radio.  I admit: it caused me to dance in the driver’s seat as I carpool-karaoked south on 89.

But the chorus provides a great lesson: when you withdraw, don’t violate a client’s confidences on your way out.  A client’s failure to abide by the terms of a fee agreement does not relieve a lawyer of his or her obligations under Rule 1.6, the rule that prohibits disclosure of information relating to a representation.

Last December, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 476: Confidentiality Issues when Moving to Withdraw for Nonpayment of Fees in Civil Litigation.  In an excellent article on the advisory opinion, the ABA Journal warned that Lawyers should tread carefully before quitting a troublesome client.

Don’t leave your clients pleading for you not to leave them this way.

 

Tips for Choosing a Practice Management System

Most of you know that when it comes to legal tech, I highly recommend Robert Ambrogi’s Law Sites Blog.  Ambrogi also writes a This Week In Legal Tech column for Above The Law.

Here’s the most recent column: 6 Questions To Ask Before Selecting A Practice Management Platform.

Read it.

A summary of the 6 questions:

1. Do you want a cloud platform or a platform installed on site?
2. How much do you want to pay?
3. Does the system comply with security requirements and obligations under the Rules of Professional Conduct?
4. Does it have the basic features that you need?
5. Does it have the advanced features that you need?
6. Does it feel right when you try it?

Again, read the article.

For part 2 of question 3, my view is that a lawyer’s obligation under the Rules of Professional Conduct is to take reasonable precautions to protect client data, whether the data is in transmission or at rest.  What are reasonable precautions?  I addressed that question HERE.

Still drinking coffee this morning?  You’ve got time to try this week’s legal ethics quiz before you hit the trails or slopes.

 

Web Bugs: An Update.

Update:  So, I  received an e-mail stating that I’m “way off base” in “endorsing” the use of web bugs. Please review each of the posts I’ve made on the topic.  One is HERE, the other is HERE.  

I have not endorsed the use of web bugs or spy mail.

What I intended to convey is this: the fact that it may be wrong for someone to try to access information relating to the representation of your clients doesn’t relieve you from the duty to take reasonable precautions to prevent unauthorized access to that information. See, Rule 1.6, Comments 16 and 17.  

Do you have to store your paper files in a subterranean vault that’s equipped to survive an RPG attack?  No.  But you probably shouldn’t leave your file cabinets unlocked in a shared hallway, trusting that passersby will remember not to look at things that aren’t theirs.

Imagine a passerby looks through the files.  Are you willing to roll with the “but he shouldn’t have been looking!” defense to a formal charge that you violated Rule 1.6 by keeping your files unlocked in the hallway? If so, take a look at this decision from a hearing panel of the PRB.

Is there an affirmative duty to use available technology to protect against spy mail? I don’t know.  No matter the type of technology, including a type we can’t even imagine today, it will boil down to this: have you taken reasonable precautions to protect against the unauthorized disclosure of client information?

I will not be surprised if, someday, someone concludes that the duty to take reasonable precautions to protect against the unauthorized disclosure of information relating to the representation of a client includes using reasonably available technology to protect against web bugs & spy mail. In fact, as I mentioned in the first post, that’s almost exactly how the debates over metadata and encrypted e-mail have evolved.

 

 

Web Bugs

One of the questions at Thaw Bowl IV involved Web Bugs.  Due to several blank looks, I thought I’d re-visit the issue.

What are Web Bugs? I first blogged about them  HERE.  Think of them as e-mail tracking.  Some might call it ” spy mail.” Essentially, a web bug is a tool that allows a sender to track when an e-mail is opened, the device used to open it, and whether the e-mail is forwarded.

Last week, Chad Gillies posted an article on LinkedIn entitled “E-Mail Tracking: Is It Ethical? Is it Even Legal?”  His article had previously appeared in the January 11, 2017, issue of Bloomberg’s ABA/BNA Lawyer’s Manual on Professional Conduct.  Mr. Gillies made a PDF of the article available on LinkedIn. It’s HERE.  It includes a lengthy quote from my blog post on Web Bugs.

Mr. Gillies handles customer strategy and legal affairs for a MailControl.net .  The company’s website, which is HERE, bills it as a “the leader in enterprise and anti spy mail solutions.”

Anyhow, if you read my original blog post, you’ll not see anything in which I endorse the use of web bugs, e-mail tracking, or spy mail as ethical or consistent with the rules.  Rather, as Mr. Gillies points out, you’ll see a section in which I remark upon an advisory ethics opinion issued by the Alaska Bar Association.

The Alaska opinion is HERE.  The opinion concludes that the use of web bugs violates Alaska’s Rules of Professional Conduct.  It also includes the following language:

• “The Committee notes that Rule 1.6(c) requires a lawyer to take ‘reasonable precautions’ transmitting a communication that includes a client confidence or secret so as to avoid allowing the information to come into the possession of unintended recipients, including information in electronic form.  The Committee does not interpret this duty as requiring the lawyer to presume that opposing lawyer will seek to ‘bug’ communications and requiring the lawyer to take active steps to detect and prevent such tracking devices.  As a practical matter, with rapidly changing technology and software that may be impractical or even impossible for the receiving lawyer to accomplish.  The Committee believes that the only reasonable means of protecting attorney-client communications and work product in this situation is to bar the lawyer sending the communication from using these types of tracking devices.”

This paragraph stood out to me.  Why?  As anyone who attended my CLEs on digital security in Montreal, Rutland, or Brattleboro knows, I’ve stressed that Vermont lawyers have a duty to take reasonable precautions to protect client data, whether the data is in transmission or at rest.   For more on reasonable precautions, click HERE.

With that in mind, here’s what I wrote in my original blog post:

• ” I find this final point somewhat interesting.  It’s quite different from the evolving view of a lawyer’s duties with respect to the electronic storage and transmission of client information.  It’s also the exact opposite of what we’re telling lawyers with respect to metadata & track changes. With metadata & track changes, we’ve clearly stated that it’s perfectly okay to look for information that goes to the heart of the attorney-client relationship.  In so doing, we’ve said that if you don’t know about metadata and don’t take steps to prevent it from being accessed, it’s your problem, not the lawyer’s who looks for it without telling you that she’s looking.”

From there, I added:

• “No, I’m not arguing that a lawyer has a duty to sweep the office for bugs or listening devices once opposing counsel departs after visiting.  Rather, I simply wonder whether technology soon will have evolved to the point where it is not unreasonable for a lawyer to check an email for a web bug.”

So, I want to be clear: by suggesting that lawyers have a duty to protect against web bugs and spy mail, I am not suggesting that the rules allow a lawyer to use web bugs and spy mail.

That being said, I remain struck by the language in the Alaska Opinion.

I’ll close by repeating myself:

• Lawyers have a duty to take reasonable precautions to protect client information.
• There are bad people out there using spy mail and web bugs.
• Lawyers have a duty to stay abreast of the benefits and risks of relevant technology.
• There is technology available to protect against spy mail and web bugs.

So, as I wrote in my original blog post on web bugs:

“No, I’m not arguing that a lawyer has a duty to sweep the office for bugs or listening devices once opposing counsel departs after visiting.  Rather, I simply wonder whether technology soon will have evolved to the point where it is not unreasonable for a lawyer to check an email for a web bug.”

 

 

CC & Reply-All: Is Bcc the Answer?

This week’s post on issues that can arise when a lawyer copies a client on an e-mail sent to opposing counsel generated signficant discussion.

In the post, I referred to this advisory opinion from the New York State Bar Association. The opinion suggests that a more prudent course of action is for a lawyer to send the e-mail to opposing counsel, then forward it to the client from the lawyer’s “sent” items.

Several readers suggested that a “bcc” to the client is simpler and avoids any concerns about opposing counsel replying directly to the client.

Maybe.

A “bcc” to the client certainly prevents opposing counsel from concluding that you, the sender, have consented to opposing counsel having direct contact with your client.  But, do you know what happens if the blind-copied client uses “reply-all?”

I’ve tested this twice. Once at CLE in Rutland, and again yesterday with two co-workers.  Each time, we “proved” the result.  Still, I suspect many of you will run the test yourselves.

I work with Deb and Brandy.  For purposes of the test, pretend that I represent Brandy and that Deb is opposing counsel.  Yesterday, I sent an e-mail to Deb and blind copied Brandy. In other words, I sent an e-mail to opposing counsel and blind copied my client.

I asked each to try to “reply-all.”

• Deb’s reply went only to me, not to Brandy, my client. Indeed, when Deb clicked “reply-all,” the only address that appeared in the window was mine.  So, yes, the bcc to my client prevented opposing counsel from replying to my client.

My client was another story.

• Brandy replied to all.  By “all”, her reply went to me AND to Deb.  That’s right: even though Brandy had been bcc’ed on my email to Deb, Brandy was able to “reply-all” to me and to Deb.

Now, I know lawyers love blanket statements. I’m not making one.  That is, I am not saying “a lawyer violates the Rules of Professional Conduct by blind copying a client on an e-mail to opposing counsel.”  Here’s what I’m saying: it’s not the magic bullet you might think it is.

Let’s say that my e-mail to Deb indicated that Brandy would settle a civil claim for $100,000, but nothing less.  Imagine that Brandy, intending to reply only to me, accidentally used “reply-all” to write “Awesome! Do you think it will work? Even if it doesn’t, no big deal. I’ve said all along that I’d take $33,000 in a heart beat. By the way, what happens if they find out I was texting when it happened?”

I can hear you now.  “Mike, what are the odds?”  Well, here’s an excerpt from the NYSBA advisory opinion:

• “12. Although sending the client a ‘bcc:’ may initially avoid the problem of disclosing the client’s email address, it raises other problems if the client mistakenly responds to the e-mail by hitting “reply all.”  For example, if the inquirer and opposing counsel are communicating about a possible settlement of litigation,  the inquirer bccs his or her client, and the client hits ‘reply all’ when commenting on the proposal, the client may inadvertently disclose to opposing counsel confidential information otherwise protected by Rule 1.6.  See Charm v. Kohn, 27 Mass L. Rep. 421, 2010 (Mass. Super. Sept. 30, 2010) (stating that blind copying a client on lawyer’s email to adversary “gave rise to the foreseeable risk” that client would respond without ‘tak[ing] careful note of the list of addressees to which he directed his reply’).”

So, yes: a bcc to a client eliminates the risk that opposing counsel will conclude that you’ve consented to opposing counsel communicating directly with your client.  However, it does not eliminate the risk that your client accidentally discloses confidential and privileged information in a “reply-all.” Indeed, per the Massachusetts case, it creates a “foreseeable risk” that the client will do exactly that.  The opinion is HERE.

If you bcc a client on an e-mail to opposing counsel, make sure the client understands that “reply-all” will not be for your eyes only.

 

 

Unsolicited E-Mail: What now? Part 3

Update: This post was completed before last night’s College Football Championship game ended.  Congrats to Clemson…and to my Dad.  He lives in Flat Rock, NC, just over an hour from Clemson.  Last week he entered his first “Five for Friday” and in his entry wrote “Clemson by 6.”

Lawyer receives an unsolicited email from a prospective client who, as it turns out, is adverse to one of Lawyer’s current clients.  What now?

Part 1 of this series is HERE.

Part 2 of this series is HERE.

For part 3, I’ll focus again on this hypothetical:

“Dear Lawyer – I heard that you’re an expert in labor law.  Well, I’m about to blow the whistle on my employer for all the illegal stuff that goes on over there.  I’d like to talk to you before I do.  One thing that worries me is that they’ll fire me. And, on that, I’ve been running a fantasy football league for the last 5 years. Each week, I spend about 8 hours of work time on the league and I use my work computer and email to send league updates.  My manager is in the league. She told me that as I long as I get all my regular work done, it’s okay to do the league stuff but still put in for 40 hours. Is she right? Or will that give them an out? Please respond so we can set up a meeting.  Thank you. Sincerely, Person.”

Of course, Employer is a current client of Lawyer’s.

In part 2, I posited that Rule 1.18(b) prohibits Lawyer from forwarding the e-mail to Employer. Today, let’s look at this scenario: Employer asks Lawyer for legal advice related to Person’s employment.

What now?

Again, Rule 1.18 applies.  Rule 1.18(c) states that a lawyer cannot:

• represent a client with interests materially adverse to those of a prospective client’s
• in the same or substantially related matter
• if the lawyer received information that could be significantly harmful to the prospective client.

So, in our scenario, if the two matters are the same or substantially related, and if the e-mail constitutes information that could be significantly harmful to Person, then Lawyer cannot represent Employer.

There are two exceptions to the general rule.

The first is in Rule 1.18(d)(1).  For the purposes of our scenario, even if Lawyer received information that could be significantly harmful to Person,

• Lawyer may represent Employer in the same or substantially related matter
• if both Person & Employer give informed consent, confirmed in writing.   

Why Person would give informed consent is beyond me and might lead someone to question whether the “consent” was, in fact, informed.  “Informed consent” is defined in Rule 1.0(e).

The second exception is in Rule 1.18(d)(2).  Turning again to our scenario, even if Lawyer received information that could be significantly harmful to Person,

• Lawyer may represent Employer in the same or substantially related matter if:

1. Lawyer took reasonable measures to review no more information from Person than was reasonably necessary to determine whether to represent Person; and,
2. Lawyer is timely screened from participation in the matter and is apportioned no portion of the fee from the matter; and,
3. written notice is promptly given to Person.

A few thoughts.

1. “Reasonable measures to review no more information from prospective clients than is reasonably necessary to determine whether to represent client.” To me, this suggests a rigorous process for reviewing incoming e-mails.  One idea: having a non-lawyer assistant conduct an initial conflict screening.  Here, it would’ve been obvious that Employer was a current client.
2. “Lawyer is timely screened .”  Clearly, this provides no solace for the sole practitioner who reads too much before realizing that there’s a conflict.

Finally, don’t forget about Rule 1.7.  It’s the general conflict rule and prohibits a lawyer from representing a client if there is a significant risk that the representation will be materially limited by the lawyer’s duties to another client, former client, or third person.

Returning to our scenario one last time: in Part 2, we established that Lawyer most likely owes a duty of confidentiality to Person.  Thus, under Rule 1.7, if there is a significant risk that representation of Employer will be materially limited by complying with that duty, Lawyer has a conflict.