Tips for Online Reputation Management

Online Reputation Management is a thing.  An important thing.  But not so important that the Rules of Professional Conduct go out the window when a lawyer manages her online reputation.

Rule 1.6 prohibits a lawyer from disclosing information relating to the representation of client.  The rule is much broader than the attorney-client privilege and applies to all information relating to the representation no matter the source.

There are exceptions to the rule.  They are:

• the client’s gives informed consent to the disclosure;
• disclosure is impliedly necessary to carry out the representation;
• disclosure is mandated by Rule 1.6(b);
• disclosure is permitted by Rule 1.6(c).

Rule 1.6(c)(3) permits a lawyer to disclose information related to the representation of client:

• to establish a claim or defense on behalf of the lawyer in a controversy between the lawyer and the client; or,
• to establish a defense to a criminal charge or civil claim against the lawyer based on conduct in which the client was involved; or,
• to respond to allegations in any proceeding concerning the lawyer’s representation of the client.

As I’ve previously blogged, a negative online review is not a “controversy between the lawyer and the client” that triggers the exception.  Neither is a negative online review a “proceeding” in which allegations have been made against the lawyer. My blog posts, which includes advisory opinions & disciplinary decisions, are here:

• Negative Online Review? What NOT to do
• Negative Online Review? UPDATE!
• Negative Online Review? More of what not to do

As the headlines suggest, the posts focus on what not to do.  For instance, don’t reveal client confidences in response to an online review.  Don’t post fake positive reviews.  Don’t create a fictitious lawsuit in order to get a court to order a website provider to take down a negative review.

Today’s ABA Journal has some great tips related to online clients reviews.  They appear in Kelly Newcomb’s post How lawyers can make positive – and negative – online reviews work for them.  

Whether on AirBnB, Yelp, Amazon, or myriad other sites, I suspect many lawyers have read through the reviews before making a purchase or reservation.  Odds are, potential clients are doing the same before hiring you.  Today’s post in the ABA Journal helps to frame not only a lawyer’s professional obligations when dealing with online reviews, but the marketing benefits that come with knowing how best to manage an online reputation.

       

Advertisements

Ethics: it’s all about the bad grades

A few weeks ago I posted C in ethics? You’re on the right track.  In it, I offered two cheat codes to stay on the right side of the rules.

The first was my own: don’t lie, cheat or steal.  Nearly every violation falls under one.

The second was Brian Faughnan’s recipe for ethical lawyering.  The recipe?  The 5 C’s:

• Competence
• Confidentiality
• Communication
• Candor
• Conflicts

Today I present a third: it’s all about the bad grades.

Alberto Bernabe is a professor at John Marshall Law School in Chicago.  Professor Bernabe teaches torts and professional responsibility.  He maintains a blog for each topic.  His torts blog is here, and his professional responsibility blog is here.  Professor Bernabe is also a frequent member of this blog’s #fiveforfriday Honor Roll in legal ethics.

In response to my post on the 5 C’s, Professor Bernabe shared a story with me.  He urges his students to remember the general principles behind the rules.  He does so by suggesting that they associate those principles with the grades that they do not want to earn in a semester:  4 C’s, 1 D, and 1 F.  That is:

• Competence
• Confidentiality
• Communication
• Conflicts
• Diligence
• Fiduciary

Professor Bernabe’s full blog post on bad grades is here.

I love the semi-mnemonic.  Diligence and the fiduciary duty to clients are as important as the 5 C’s.

Thank you Professor Bernabe for another arrow in the quiver.

• Don’t lie, cheat or steal
• Remember the 5 C’s
• Ethics: it’s all about the bad grades

              

 

 

 

Competence, Confidences and PDFs

In my view, Rules 1.1 and 1.6 impose a duty to act competently to prevent the unauthorized access to or disclosure of information relating to the representation of a client.  I’ve blogged on this issue many times:

• Protecting Client Data
• Encryption & The Evolving Duty to Safeguard Client Information
• The Cloud: What are Reasonable Precautions?

Next week, I’m presenting two seminars at the YLD Mid-Winter Thaw in Montreal.  In the first, I’m on a panel with Judge Hayes and the Judiciary’s Andy Stone.  Judge Hayes and Andy will introduce lawyers to the Judiciary’s new case management system.  My job will be to chime in on ethics issues that might arise with electronic filing.   My thoughts will focus on tech competence.

Imagine this scenario: whether in a filing or a communication to opposing counsel, a lawyer includes a PDF.  Prior to transmission, the lawyer redacted the PDF to keep certain information confidential.  Alas, the lawyer did not properly redact the PDF.  By highlighting the redacted the portions and pasting them into a new document, opposing counsel, or anyone else with access to the PDF, can discover what the lawyer intended to obscure.  The filing is here.

Did the lawyer take reasonable precautions to protect the information?  Was it a one-time mistake that doesn’t rise to the level of an ethics violation?  What if it was information that the court had ordered remain confidential and now is public?

Earlier this week, lawyers for Paul Manafort, President Trump’s former campaign chair, filed a response to special counsel Robert Mueller’s allegation that Manafort lied to Mueller’s investigators.  Due to what the ABA Journal described as a “technical oversight,” the filing was not properly redacted.  As such, the media was able to discover that Manafort is accused of sharing polling data with a Russian business person.  The story has been covered by the ABA Journal, BuzzFeed, Fox News, and the Washington Post.

(Update at 1:16 PM on January 10:  Above The Law’s Joe Patrice has a great recap here.)

Go back to the scenario I posited above: what if that’s you in a Vermont case?  What if you meant to redact a client’s proprietary information, or a witness’s mental health records, or a confidential informant’s identity? What if you didn’t do it right?

Jason Tashea writes for the ABA Journal. Today, he posted How to redact a PDF and protect your clients.  If this is an area of tech competence that interests or concerns you, I’d suggest giving Jason’s post a read.

 

Legal Ethics & Crowdfunding to pay legal fees

Professor Alberto Bernabe often appears on this blog’s #fiveforfriday Honor Roll.  He also has his own blog and, last week,  blogged on an advisory from the DC Bar. The opinion addresses the ethics issues that arise when a lawyer’s client crowdfunds legal fees.

The opinion is here. Professor Bernabe’s blog post is here.  He wrote more extensively on the topic in this article that pre-dates the DC advisory opinion.

I’ve also blogged on the topic. I did so here in response to an advisory opinion from the Philadelphia Bar Association.  I wrote:

• “That’s why the Philly opinion is great.  It doesn’t treat ‘crowdfunding platforms’ as new creatures that require new rules.  Rather, it reminds lawyers that the rules that apply when using a crowdfunding platform are the same rules that apply to any other representation.”

As Professor Bernabe notes, the DC Bar opinion is consistent with the Philadelphia opinion and others on crowdfunding.

I like the following statement from the DC Bar:

• “It is not unusual for clients to rely on money collected from family or friends to pay for legal services.”

Indeed, many Vermont lawyers accept payment from someone other than the client.  The most common situation?  A parent pays for a child’s lawyer in a criminal or family case.

When that happens, it’s critical for the lawyer to remember Rule 1.8(f):

• “A lawyer shall not accept compensation for representing a client from one other than the client unless (1) the client gives informed consent; (2) there is no interference with the lawyer’s independence of professional judgment or with the client-lawyer relationship; and (3) information relating to the representation of a client is protected as required by Rule 1.6.”

In other words, even if Parents are paying Lawyer to represent Child, they don’t get to direct the representation and, absent Child’s consent, Lawyer cannot disclose information relating to the representation to them.

Somewhat related, the DC Bar included a great tip in Ethics Opinion 375:

• “A lawyer should consider counseling his or her client regarding disclosures to third parties. Crowdfunding typically entails some level of disclosure to third parties about the predicate need for counsel. Because of their financial support, crowdfunding contributors may be interested in the status of or information about the client’s matter. Due to the risk of waiver of the attorney-client privilege, or simply for strategic reasons, a lawyer who knows that a client is crowdfunding should provide the appropriate level of guidance to the client regarding disclosures to third parties, whether such disclosures occur on a social media platform or privately in discussions with friends and family.”

In sum, nothing about using a social media platform to crowdfund legal fees is inherently unethical.  Oh, and as mentioned in both the Philadelphia and D.C. advisory opinions: crowdfunding helps provide access to legal services to those who otherwise might not be able to afford a lawyer.

Related:

• (Bernabe) DC Ethics Committee new opinion on crowdfunding
• (Bernabe) Is it ethical to use “crowdfunding” to finance the practice of law?
• (Kennedy) Crowdfunding: The More Things Change . . .
• DC Bar Ethics Opinion 375
• Philadelphia Bar Association Opinion 2015-06

 

 

 

 

 

 

ABA Addresses an Attorney’s Obligations in Response to a Data Breach

I’ve blogged often on a lawyer’s duty to act competently to safeguard client data.  Generally, an attorney must take reasonable precautions to protect against inadvertent or unauthorized disclosure of client information.  Some of my posts:

• Protecting Client Data
• Encryption & The Evolving Duty to Safeguard Client Information
• The Cloud: What are Reasonable Precautions?

Last month, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 483.  It sets out a lawyer’s obligations following an electronic data breach or cyber attack.

The opinion is detailed and technical.  It’s worth reading, or, at the very least, sharing with your IT support staff.  Also, various outlets have reported on the opinion, including The National Law Review, Louisiana Legal Ethics, and The ABA Journal.  I suggest each.

I’m going to try to stick to a summary.

•  Prior to a breach, a lawyer has a duty to act competently to safeguard client property and information.  This likely includes adopting an “incident response plan” that will kick in once a breach occurs.
• The duty includes an obligation “to monitor the security of electronically stored client property and information.”  In other words, there’s a duty to take reasonable efforts to monitor for and detect unauthorized access. This includes reasonable steps to ensure that vendors act in accordance with the lawyer’s professional obligations.
• A breach is not necessarily evidence that the lawyer failed to act competently to safeguard client information.
• If a breach occurs, a lawyer must take reasonable steps to stop it and mitigate the damage that results.
• If a breach occurs, a lawyer must assess its scope.  This includes determining what information, if any, was lost or accessed.
• A lawyer must notify current clients if the breach:
  • involves material, confidential client information; or,
  • impairs or prevents the lawyer from representing the client. For example, as would be the case in a ransomware attack.
• Lawyers must be aware that their ethical obligations are independent of any post-breach obligations imposed by law.  Compliance with professional obligations is not necessarily compliance with other law, and vice versa.

Again, the full opinion is here.

As usual, I like to analogize to non-tech issues.  For instance, when it comes to paper files, most lawyers probably know that there’s a duty to take reasonable safeguards to protect them.  Locked file cabinets.  Locked rooms.  Secure office space.

If a lawyer arrives at work and realizes that the office has been broken into, I imagine the lawyer would intuitively understand the need to determine what, if anything, was viewed or taken.  Then, as appropriate, will notify clients. I also imagine that the lawyer would replace the broken locks, doors, and windows.

Thus, in my view, the ABA opinion clarifies that very standards that most of us already apply to clients’ paper files also applies to their electronic files.

 

 

 

 

Siri, Alexa, and Client Confidences

Query: do Siri and Alexa get mad if a human accidentally calls one the other?  I don’t know, but, if not, I think a sarcastically angry response should be added to each’s algorithm.

Anyhow, without even having started yet, I digress.

My recent posts on client confidences spurred additional research.   The research led me to Alberto Bernabe’s Professional Responsibility Blog.  Professor Bernabe is a regular member of this blog’s #fiveforfriday Honor Roll.

Earlier this year, Professor Bernabe posted a link to this article.   The article appeared on the ABA’s Law Technology Today blog and details some of the issues about which lawyers should be aware when using digital voice assistants.  One of those issues: client confidences.  If you or your firm uses a digital voice assistant, I suggest giving the article a read.

Even if you don’t use a DVA, remember, your clients might and the duty of competence includes tech competence.  I can hear you now:  “Mike, how in the world might my client’s digital voice assistant affect the case?

Well, what if your client’s Echo might have recorded a murder?

Side note:  Kathleen Zellner, the defense lawyer quoted in the story about the Amazon Echo murder case, plays a prominent role in the recently released Season 2 of Making a Murderer.

And remember: it’s not just Echos and other digital voice assistants.  Our lives (and our clients’ lives) are replete with devices that record, collect and exchange data over the internet of things.  Data that may impact our clients’ matters.

But, for now, I’ll leave it at client confidences. Issues related to the internet of things can wait for another day.

Well, ok.  Here’s a teaser:

“Hey Siri! Did Encyclopedia Brown investigate the The Case of the Hacked Refrigerator.“

 

 

 

 

Don’t Post That

There was a time in my life when the MTV Video Music Awards were must see tv.  I refer to that era as “law school.”

In my first year of law school, Hammer’s U Can’t Touch This won the VMAs for Best Rap Video & Best Dance Video.  I loved that song.  I wore out my apartment’s carpet dancing to it.

Anyhow, the song came to mind yesterday upon reading the ABA Journal’s story about a lawyer who called a client an “idiot and terrible criminal” in a Facebook post.

Why did the story remind me of the song?

Because last week I announced the theorem Keep Quiet & Lawyer On. Today, I’m announcing its corollary:  Don’t Post That.  It’s pronounced as if you’re singing along with Hammer.

Don’t let the pop culture reference gloss over your eyes.  This is a serious post. The story that prompts it raises concerns about an issuet that troubles me: my perception that we’ve become too willing to share too much.

Here’s the backdrop:

Aaccording to an article in the Des Moines Register, the Associated Press obtained a screenshot of an attorney’s Facebook post. In it, the attorney recounted meeting with a client to prepare for trial on federal gun & drug charges.  The client expressed concern that the “blue-collar jurors” would not connect with the attorney.

Per the AP story, the attorney turned to social media, posting that he was “flabbergasted” that the client would even suggest such a thing.  The post went on to state that the client was an ” ‘(expletive) idiot and a terrible criminal . . . who needed to shut his mouth because he was the dumbest person in the conversation by 100 times.’ ”  The attorney’s post observed ” ‘you wonder why need jails, huh?’ ”

The post speaks for itself and probably wouldn’t require more than 3 seconds at a CLE:  Don’t Post That.  It’s the attorney’s response that I find noteworthy.

The AP interviewed the attorney.  He told the AP that “he shared the post only with his Facebook friends.”

In Vermont, Rule 1.6 addresses client confidences.  The rule sets out the general prohibition against disclosing information relating to the representation of a client, then lists some exceptions.

“You may tell your friends” is not one of the exceptions.  In fact, it’s kind of the point of the rule.

Again, this story presents a stark example and I think most lawyers recognize that there’s no “friends & family” exception to the duty to maintain confidences. But as I noted last week, I think we sometimes get a bit lax in how much we share about our cases and clients.  Even a little is too much.

Finally, the fact that the attorney’s disclosure was made on social media is almost a red herring.  To me, this is not “See! I told you that social media is bad!”  That is, my guess is that lawyers who improperly disclose client confidences on social media would likely do by other means as well.  If you’re willing to post confidences to social media, you’re probably also willing to drop them in casual conversation over dinner.

Don’t.  Remember our postulates:

• Theorem:  Keep Quiet & Lawyer On.
• Corollary:  Don’t Post That.

Now, I look forward to spending the weekend revising Hammer’s lyrics to create a parody version entitled Don’t Post That.  Maybe I’ll sing it at my next CLE.

And, if I’m feeling nostalgic, maybe I’ll dig out the parachute pants.

 

 

 

 

Yes!!!

I’m not a huge fan of the “Throwback Thursday” trope, but I am a huge fan of readers.  So, as it has, when blogger’s block strikes, I resort to the trope.

But not without reason.

I’m heading to Rutland tomorrow.  Two years ago, and a few days after heading to Rutland, I blogged on how I hoped never again to have to assuage lawyers that there’s nothing inherently unethical about storing client information in the cloud.

I’m happy to report that we seem to have accepted the premise.

Yes!!!

Thank you.

That being said, refreshers aren’t inherently bad either. Especially since the effective date of the recent amendment on tech competence is nigh.  So, here goes.

The original post ran on November 10, 2016.

*******************************************

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud.  I started by saying that I hoped it was my final seminar on the topic.  I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent.  See, Rule 1.6.  A lawyer also has a duty to keep client property safe.  See, Rule 1.15.

I view the cloud as the latest in a long line of different places to store information.  In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16].  When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.  Rule 1.6, Comment [17].

So, think about cloud storage like this:  client information is electronically transmitted to a place where it will be kept.  Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06.  Here’s the digest of the opinion:

• “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)

The question I hear most often is this:  “what are reasonable precautions?”  In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

• who do you let into this facility?
• do you require a passcode or badge for the gate?
• are there locks on the individual units?
• who besides me has a key or knows the combination?
• can i get into my unit whenever i want to?
• what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion.  The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi.  He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

• Is it a solid company with a good reputation and record?
• Can you get access to your data whenever you want, without restrictions?
• If your service is terminated – by you or by the company – can you retrieve your data?
• Does it allow use of advanced password protocols and two-step verification?
• What are its internal policies regarding employee and third-party access to your data?
• Is your data encrypted both while in transit and while at rest on the company’s servers?
• How is your data backed up?
• What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

• You:   Will my data be encrypted in transmission and at rest?
• Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
• You.  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions.  This entry includes links that will help you determine what “reasonable precautions” are.  Don’t fear the cloud, but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.

Keep Quiet & Lawyer On

I often remind lawyers of something that Thomas Edison said:

“You will have many opportunities
to keep your mouth shut.
You should take advantage
of every one of them.”

I do so because Rule 1.6 is quite clear: a lawyer shall not disclose information relating to the representation of a client.

Of course, there are exceptions. In Vermont, the exceptions are:

• the client gives informed consent to the disclosure;
• disclosure is impliedly authorized to carry out the representation;
• disclosure is required by Rule 1.6(b);
• disclosure is permitted by Rule 1.6(c).

Among things that aren’t exceptions to the prohibition against disclosure:

• but Mike, it wasn’t privileged.

Comment [3] to Rule 1.6 makes it eminently clear that the professional duty of confidentiality is much broader than the privilege.  To wit:

• “[3] The principle of client-lawyer confidentiality is given effect by related bodies of law: the attorney-client privilege, the work product doctrine and the rule of confidentiality established in professional ethics. The attorney-client privilege and work product doctrine apply in judicial and other proceedings in which a lawyer may be called as a witness or otherwise required to produce evidence concerning a client. The rule of client-lawyer confidentiality applies in situations other than those where evidence is sought from the lawyer through compulsion of law.  The confidentiality rule, for example, applies not only to matters communicated in confidence by the client but also to all information relating to the representation, whatever its source.  A lawyer may not disclose such information except as authorized or required by the Rules of Professional Conduct.”

I think sometimes we get careless with how much information we share.  Or, maybe it’s not carelessness. Maybe it’s that we get too comfortable sharing any at all.  Here’s where that slope gets slippery.

Last week, and as reported by the ABA Journal and the Legal Profession Blog, the Ohio Supreme Court sanctioned two lawyers who shared client confidences.

The lawyers, who were in a romantic relationship, practiced the same type of law and did not work in the same firm.  It appears as if one would ask for help with various documents requested by clients, and the other would respond by sending documents prepared for similarly situated clients. Unfortunately, the requests for help & responses went well beyond “hey, do you have a standard Form A you could send me?”

Is this a stark example? Yes.  But, I seriously doubt that the conduct originated as follows:

(scene: Lawyer & Attorney having coffee in their kitchen (birds chirping, soft breeze flutters the curtain))

• Lawyer: Hey – you know what would be fun?
• Attorney:  What’s that?
• Lawyer:  Sharing confidential information with each other?
• Attorney:  Damn. Good point. Let’s do it.

Rather, I’m guessing that they got careless.  Their romantic relationship probably allowed them to.

Don’t get comfortable sharing information about your clients.  Whenever you can, keep quiet and lawyer on.

 

 

Secure Communications

Tech competence is an ever present theme on this blog.  Regular readers know the refrain:  “competence includes tech competence.”

The duty includes acting competently to protect the confidentiality of electronic communications.  I’ve blogged twice on e-mail encryption:

• To Encrypt or not to Encrypt
• Encryption and the Evolving Duty to Safeguard Client Information

At seminars, including this morning’s for the VBA’s Basic Skills Program, I’ve stated my opinion that lawyers should at least consider client portals.  Thus, it was with great joy that I stumbled upon this post in the ABA Journal:

• Alternatives to email give lawyers secure communications options

Give it a read. It’s a good intro to portals and other alternatives to e-mail.

Finally, don’t forget that it’s often the simple things that result in the accidental or inadvertent disclosure of client confidences.  For instance, not disabling auto-complete, or, exposing a client to the perils of an unintentional “reply-all.”