Siri, Alexa, and Client Confidences

Query: do Siri and Alexa get mad if a human accidentally calls one the other?  I don’t know, but, if not, I think a sarcastically angry response should be added to each’s algorithm.

Anyhow, without even having started yet, I digress.

My recent posts on client confidences spurred additional research.   The research led me to Alberto Bernabe’s Professional Responsibility Blog.  Professor Bernabe is a regular member of this blog’s #fiveforfriday Honor Roll.

Earlier this year, Professor Bernabe posted a link to this article.   The article appeared on the ABA’s Law Technology Today blog and details some of the issues about which lawyers should be aware when using digital voice assistants.  One of those issues: client confidences.  If you or your firm uses a digital voice assistant, I suggest giving the article a read.

Even if you don’t use a DVA, remember, your clients might and the duty of competence includes tech competence.  I can hear you now:  “Mike, how in the world might my client’s digital voice assistant affect the case?

Well, what if your client’s Echo might have recorded a murder?

Side note:  Kathleen Zellner, the defense lawyer quoted in the story about the Amazon Echo murder case, plays a prominent role in the recently released Season 2 of Making a Murderer.

And remember: it’s not just Echos and other digital voice assistants.  Our lives (and our clients’ lives) are replete with devices that record, collect and exchange data over the internet of things.  Data that may impact our clients’ matters.

But, for now, I’ll leave it at client confidences. Issues related to the internet of things can wait for another day.

Well, ok.  Here’s a teaser:

“Hey Siri! Did Encyclopedia Brown investigate the The Case of the Hacked Refrigerator.“

 

 

 

 

Advertisements

Don’t Post That

There was a time in my life when the MTV Video Music Awards were must see tv.  I refer to that era as “law school.”

In my first year of law school, Hammer’s U Can’t Touch This won the VMAs for Best Rap Video & Best Dance Video.  I loved that song.  I wore out my apartment’s carpet dancing to it.

Anyhow, the song came to mind yesterday upon reading the ABA Journal’s story about a lawyer who called a client an “idiot and terrible criminal” in a Facebook post.

Why did the story remind me of the song?

Because last week I announced the theorem Keep Quiet & Lawyer On. Today, I’m announcing its corollary:  Don’t Post That.  It’s pronounced as if you’re singing along with Hammer.

Don’t let the pop culture reference gloss over your eyes.  This is a serious post. The story that prompts it raises concerns about an issuet that troubles me: my perception that we’ve become too willing to share too much.

Here’s the backdrop:

Aaccording to an article in the Des Moines Register, the Associated Press obtained a screenshot of an attorney’s Facebook post. In it, the attorney recounted meeting with a client to prepare for trial on federal gun & drug charges.  The client expressed concern that the “blue-collar jurors” would not connect with the attorney.

Per the AP story, the attorney turned to social media, posting that he was “flabbergasted” that the client would even suggest such a thing.  The post went on to state that the client was an ” ‘(expletive) idiot and a terrible criminal . . . who needed to shut his mouth because he was the dumbest person in the conversation by 100 times.’ ”  The attorney’s post observed ” ‘you wonder why need jails, huh?’ ”

The post speaks for itself and probably wouldn’t require more than 3 seconds at a CLE:  Don’t Post That.  It’s the attorney’s response that I find noteworthy.

The AP interviewed the attorney.  He told the AP that “he shared the post only with his Facebook friends.”

In Vermont, Rule 1.6 addresses client confidences.  The rule sets out the general prohibition against disclosing information relating to the representation of a client, then lists some exceptions.

“You may tell your friends” is not one of the exceptions.  In fact, it’s kind of the point of the rule.

Again, this story presents a stark example and I think most lawyers recognize that there’s no “friends & family” exception to the duty to maintain confidences. But as I noted last week, I think we sometimes get a bit lax in how much we share about our cases and clients.  Even a little is too much.

Finally, the fact that the attorney’s disclosure was made on social media is almost a red herring.  To me, this is not “See! I told you that social media is bad!”  That is, my guess is that lawyers who improperly disclose client confidences on social media would likely do by other means as well.  If you’re willing to post confidences to social media, you’re probably also willing to drop them in casual conversation over dinner.

Don’t.  Remember our postulates:

• Theorem:  Keep Quiet & Lawyer On.
• Corollary:  Don’t Post That.

Now, I look forward to spending the weekend revising Hammer’s lyrics to create a parody version entitled Don’t Post That.  Maybe I’ll sing it at my next CLE.

And, if I’m feeling nostalgic, maybe I’ll dig out the parachute pants.

 

 

 

 

Yes!!!

I’m not a huge fan of the “Throwback Thursday” trope, but I am a huge fan of readers.  So, as it has, when blogger’s block strikes, I resort to the trope.

But not without reason.

I’m heading to Rutland tomorrow.  Two years ago, and a few days after heading to Rutland, I blogged on how I hoped never again to have to assuage lawyers that there’s nothing inherently unethical about storing client information in the cloud.

I’m happy to report that we seem to have accepted the premise.

Yes!!!

Thank you.

That being said, refreshers aren’t inherently bad either. Especially since the effective date of the recent amendment on tech competence is nigh.  So, here goes.

The original post ran on November 10, 2016.

*******************************************

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud.  I started by saying that I hoped it was my final seminar on the topic.  I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent.  See, Rule 1.6.  A lawyer also has a duty to keep client property safe.  See, Rule 1.15.

I view the cloud as the latest in a long line of different places to store information.  In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16].  When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.  Rule 1.6, Comment [17].

So, think about cloud storage like this:  client information is electronically transmitted to a place where it will be kept.  Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06.  Here’s the digest of the opinion:

• “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)

The question I hear most often is this:  “what are reasonable precautions?”  In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

• who do you let into this facility?
• do you require a passcode or badge for the gate?
• are there locks on the individual units?
• who besides me has a key or knows the combination?
• can i get into my unit whenever i want to?
• what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion.  The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi.  He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

• Is it a solid company with a good reputation and record?
• Can you get access to your data whenever you want, without restrictions?
• If your service is terminated – by you or by the company – can you retrieve your data?
• Does it allow use of advanced password protocols and two-step verification?
• What are its internal policies regarding employee and third-party access to your data?
• Is your data encrypted both while in transit and while at rest on the company’s servers?
• How is your data backed up?
• What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

• You:   Will my data be encrypted in transmission and at rest?
• Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
• You.  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions.  This entry includes links that will help you determine what “reasonable precautions” are.  Don’t fear the cloud, but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.

Keep Quiet & Lawyer On

I often remind lawyers of something that Thomas Edison said:

“You will have many opportunities
to keep your mouth shut.
You should take advantage
of every one of them.”

I do so because Rule 1.6 is quite clear: a lawyer shall not disclose information relating to the representation of a client.

Of course, there are exceptions. In Vermont, the exceptions are:

• the client gives informed consent to the disclosure;
• disclosure is impliedly authorized to carry out the representation;
• disclosure is required by Rule 1.6(b);
• disclosure is permitted by Rule 1.6(c).

Among things that aren’t exceptions to the prohibition against disclosure:

• but Mike, it wasn’t privileged.

Comment [3] to Rule 1.6 makes it eminently clear that the professional duty of confidentiality is much broader than the privilege.  To wit:

• “[3] The principle of client-lawyer confidentiality is given effect by related bodies of law: the attorney-client privilege, the work product doctrine and the rule of confidentiality established in professional ethics. The attorney-client privilege and work product doctrine apply in judicial and other proceedings in which a lawyer may be called as a witness or otherwise required to produce evidence concerning a client. The rule of client-lawyer confidentiality applies in situations other than those where evidence is sought from the lawyer through compulsion of law.  The confidentiality rule, for example, applies not only to matters communicated in confidence by the client but also to all information relating to the representation, whatever its source.  A lawyer may not disclose such information except as authorized or required by the Rules of Professional Conduct.”

I think sometimes we get careless with how much information we share.  Or, maybe it’s not carelessness. Maybe it’s that we get too comfortable sharing any at all.  Here’s where that slope gets slippery.

Last week, and as reported by the ABA Journal and the Legal Profession Blog, the Ohio Supreme Court sanctioned two lawyers who shared client confidences.

The lawyers, who were in a romantic relationship, practiced the same type of law and did not work in the same firm.  It appears as if one would ask for help with various documents requested by clients, and the other would respond by sending documents prepared for similarly situated clients. Unfortunately, the requests for help & responses went well beyond “hey, do you have a standard Form A you could send me?”

Is this a stark example? Yes.  But, I seriously doubt that the conduct originated as follows:

(scene: Lawyer & Attorney having coffee in their kitchen (birds chirping, soft breeze flutters the curtain))

• Lawyer: Hey – you know what would be fun?
• Attorney:  What’s that?
• Lawyer:  Sharing confidential information with each other?
• Attorney:  Damn. Good point. Let’s do it.

Rather, I’m guessing that they got careless.  Their romantic relationship probably allowed them to.

Don’t get comfortable sharing information about your clients.  Whenever you can, keep quiet and lawyer on.

 

 

Secure Communications

Tech competence is an ever present theme on this blog.  Regular readers know the refrain:  “competence includes tech competence.”

The duty includes acting competently to protect the confidentiality of electronic communications.  I’ve blogged twice on e-mail encryption:

• To Encrypt or not to Encrypt
• Encryption and the Evolving Duty to Safeguard Client Information

At seminars, including this morning’s for the VBA’s Basic Skills Program, I’ve stated my opinion that lawyers should at least consider client portals.  Thus, it was with great joy that I stumbled upon this post in the ABA Journal:

• Alternatives to email give lawyers secure communications options

Give it a read. It’s a good intro to portals and other alternatives to e-mail.

Finally, don’t forget that it’s often the simple things that result in the accidental or inadvertent disclosure of client confidences.  For instance, not disabling auto-complete, or, exposing a client to the perils of an unintentional “reply-all.”

E-mail Ethics

This issue continues to arise.

• Lawyer represents Client.  Lawyer copies Client on an e-mail to Opposing Counsel.

As the South Carolina Bar concluded earlier this year, it is well-settled that “the mere fact that a lawyer copies his own client on an email does not, without more, constitute implied consent to a ‘reply to all’ responsive email.”   The opinion is here.  It’s the most recent (that I know of) to address the issue.  It came out shortly after I posted a blog entitled CC, BCC, and a lawyer’s duty of competence.

To those of you who copy your clients on emails to opposing counsel, be wary!  Yes, the opinion says that your “cc” isn’t necessarily permission for opposing counsel to reply to your client.  However, it also makes clear that, depending on the circumstances, the fact that you copy your client might imply that you consent to opposing counsel responding to your client.

But that’s not why I’m blogging.  I’m blogging because of a footnote in the South Carolina opinion.

You’d be surprised how many lawyers have informed me that it drives them batty to receive an e-mail from another attorney that the other attorney has copied to his or her client.  Per the reports i receive, when they ask the other attorney to stop, the attorney replies with something like “i’ll copy my client if I damn please.”

Of course you will.

And you’ll do so at your own risk. Because, what happens if your client accidentally uses “reply-all” to send what was intended to be a confidential and privileged communication for your eyes only?*

That’s where the footnote comes in.  Here’s what it says:

• “[1] Although not before the Committee, the practice of copying one’s client – by either ‘cc’ or ‘bcc’ – when emailing with opposing counsel poses some risks. With a ‘cc’, a lawyer is disclosing his client’s email address, and with both ‘cc’ and ‘bcc’, the lawyer risks having the client ‘reply to all’ and potentially disclose confidential or other information. See, e.g., N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Op. 1076 at ¶¶10 – 13. It is also not uncommon for a recipient of a group email to ‘reply to all’ unintentionally or without knowing the identity of each recipient, which in this context might expose the client to what were intended to be lawyer-to-lawyer communications. For these reasons, it is generally unwise to ‘cc’ a client on email communications to opposing counsel.”

As always, let’s be careful out there.

 

* I’d completely forgotten that Sheena Easton sang the theme song.  She remains the only musician ever to appear on-screen in the opening to a Bond movie.

 

Cybersecurity for Lawyers: learn from other professions

I’ve blogged often on tech competence and the duty to safeguard client data.  In short, lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to confidential client information.

So, people often ask “what are reasonable precautions?”

It depends.

Nobody likes that answer.  But it’s correct.

For instance, do you mean “what are reasonable precautions when it comes to cloud storage?”  Or, are you asking whether a lawyer has a duty to encrypt e-mail? Wait, maybe you’re talking about your duties when crossing the border? No, no, I get it now:  you’re asking if a lawyer has a duty to disable auto-complete. Oh my gosh, no – you’re referring to the hallmarks of trust account scams.

No matter the mode of communication, no matter the place that information is stored, a lawyer must safeguard client information. And, as I explained here, it makes perfect sense not to get into the habit of re-evaulating a lawyer’s duty with every new technology.  Whatever the next new thing is, a lawyer’s duty will remain the same: to take reasonable precautions against the inadvertent disclosure of or unauthorized access to client information.

But, as this post in the ABA Journal points out, lawyers and law firms aren’t sailing into uncharted waters.  There are lessons to be drawn from other professions.  Per the post, those lessons include:

• Encryption is important.  I’d even venture to opine that if it isn’t already, we aren’t long for the day when the failure to encrypt is tantamount to a failure to take reasonable precautions.
• Partners and more senior lawyers have to follow the same rules as everyone else. “I don’t do tech” isn’t reasonable. It’s no different from saying “I don’t do ‘protecting client information.’ “
• Employees and 3rd party vendors need to be trained on the importance of data security.

There’s a great quote in the article. It’s from Michael Mason, chief of security for Verizon Communications: law firms should foster, grow, and ” ‘develop a culture of security.’ ”

A culture premised on “we hope it doesn’t happen to us” is not a culture of security.

With “it” being a breach, the dreaded “it” has happened not just to lawyers and law firms, but to many other professions.  As the ABA Journal suggests, lawyers would be wise to take heed of the lessons learned by those other professions.

Hot Topics in Legal Ethics

I’m in Chicago at the Annual Meeting of the National Organization of Bar Counsel.

First things first: no, Cook County is not one of Vermont’s 14 counties.  However, very early this morning, I knocked out 11.5 miles in Cook County.  I ran a beautiful route from my hotel to Wrigley Field and back.  Most of the route was on the Lakeshore Trail along Lake Michigan. One lap around Wrigley made me feel very, very guilty . . . the setting is much nicer than Fenway.

Anyhow, back to business. One of tomorrow’s seminars is “Hot Cases in Ethics Opinions.” The material is posted online (NOBC membership required, so I’m not linking to it.)  Anyhow, from the material, it looks like the seminar will address 6 advisory opinions. The first 4 are:

• Nebraska Ethics Advisory Opinion for Lawyers 17-03 (Cryptocurrency)
• ABA Formal Opinion 477 (Securing Communication of Protected Client Information)
• Illinois State Bar Professional Conduct Advisory Opinion 18-01 (Web Bugs)
• ABA Formal Opinion 479 (The “generally known” exception to Rule 1.6)

Guess what? If you’re a regular reader of this blog, it’s like you’ve already attended tomorrow’s seminar!  That’s right, I’ve written about each of the first 4 advisory opinions!

• Bitcoin as Payment for Legal Fees
• Encryption and the Evolving Duty to Safeguard Client Information
• Tech Competence: Don’t Let the Web Bugs Bite
• ABA & Client Confidences: It’s Deja Vu All Over Again

So, what about the two others?

#5 in the material is a recent report from the Attorney Registration and Discipline Commission of the Supreme Court of Illinois. In the report, the ARDC seeks comment on its recommendation that Illinois relax its rules against attorney participation in for-profit referral services.  Robert Ambrogi blogged about the report for Above the Law.

I’ve not yet followed suit.  Why? Well, the report is 124 pages long.  Further, about a month after the ARDC issued the report, the company that recently acquired Avvo announced that it would discontinue Avvo Legal Services.  The ABA Journal reported on the announcement here.

I’ve yet to fully flesh out a blog that will cover both the ARDC report and the news that Avvo’s fixed-fee legal services plan has been discontinued. That being said: I’ve blogged a topic related to each: Fixed-Fee Legal Services: A Conversation Starter

Finally, #6 in the material is ABA Formal Opinion 472: Communication with Person Receiving Limited-Scope Legal Services. I’ve not yet blogged on the opinion. But I’ve discussed it at many seminars!  Also, the material suggests that discussion of the opinion will include a discussion the ethics of ghostwriting. As you know, I ain’t afraid of no ghost! I’ve tackled the topic a few times, most recently in Ghostwriting as Access.

Want to know what’s hot in legal ethics? Follow this blog!!

 

 

Bouchons, Cybersecurity & Ransomware

Yesterday, I met with lawyers from the Lamoille County Bar Association.  Leslie Black, president-emeritus (by my proclamation) of the LCBA, had me up to talk legal ethics.

As an aside, Leslie stole the show by showing up with a fresh batch of bouchons.  You might have heard of Thomas Keller and the Bouchon Bakery.   Fine stuff, I’m sure.

Well, Leslie’s lemon bouchons, with a hint of cinnamon, are better.  And that, my friends, is not mere puffery.   The trick, je pense, is her brown butter recipe.

Leslie – les bouchons etait magnifique!

Now, back to business.

First off, I hope I’ve dispelled those who are less tech competent than others of the notion that “bouchon” has something to do with cybersecurity & ransomware.

Next, yesterday, we had an interesting discussion on cybersecurity & ransomware.  I’ve blogged previously on the issue here.  I’m blogging again for a few reasons.  Mainly, to stress a key point that David Polow made at the CLE:  back-up.  Storing info only in the cloud isn’t enough.

My prior blog post includes links to several helpful articles.  I failed to link to this one from the ABA Journal: Ransomware is a growing threat, but there are things you can do to protect your firm.  A critical point in the article echoes David:

• ” The panelists say that the core of ransomware protection is a robust backup system. However, Simek said that backups need to be tested on a periodic basis.If a firm’s backup is in the cloud, then redundancies of that backup system should be made as well—in other words, one backup is insufficient. For the truly business-critical data, McNew said a backup should be stored offsite and ‘air gapped,’ meaning it is not able to connect to the internet.”

Or, as Jim Knapp says, when it comes to backup “onsite, online, air-gap.”

Are you likely to be targeted? I don’t know.  It happened to one of the nation’s largest firms.  And, a Vermont firm was targeted in April.  The firm did not have sufficient back-up and data was at risk.

If it’s an issue that concerns you, talk to someone with a tech background.  Here are a few links from my original post that might be helpful:

• in March, TechWorld posted Best anti-ransomware tools & decryptors for 2018;
• here in Burlington, Champlain College’s Senator Leahy Center for Digital Investigation is an excellent resource for issues related to cybercrime, digital forensics, and information assurance; and,
• the most recent edition of the ABA Journal has this informative post: Are you covered? Cyber insurance market is highly unstable and lacks uniformity

As always, let’s be careful out there.

Montreal?

There’s a lot going on in Montreal this summer.  Go! Be a #WellLawyer!

But, if you go, make sure you take reasonable precautions to protect client data at the border.

Today, I’m going to share a few old posts, as well as an updated advisory ethics opinion from the New York City Bar Association.

My old posts:

• Thaw Bound? Protect Client Data at the Border
• Crossing the Border?  Consider bringing only what you really need

Last summer, the New York City Bar Association issued Formal Opinion 2017-5.  In short, and as reported by the ABA Journal, lawyers should take reasonable precautions to avoid the disclosure of client information during a border crossing.

Here are some highlights from the NYC Opinion:

• Rules 1.1 (competence) and 1.6 (confidences) impose a duty to act competently to safeguard client information.
• The duty includes taking reasonable precautions against disclosing information that should not be disclosed.
• The duty requires “attorneys to make reasonable efforts prior to crossing the U.S. border to avoid or minimize the risk that government agents will review or seize client confidences that are carried on, or accessible on, electronic devices that attorneys carry across the border.”

Last month, the NYCBA reissued the opinion.  Some other takeaways:

• Odds that a device will be searched might be low.  But, don’t discount the possibility.
• The safest way to protect client data is not to bring any.  This might not be feasible given the increasingly blurred lines between “work” and “personal” devices, but it remains an option.
• If asked to produce a device, an attorney should inform the border agent that it contains confidential & privileged information.  This triggers additional duties by the border agent before the search is conducted.
• Finally, if a device is searched, an attorney likely has a duty to notify clients.

For more, see the opinion.

Adieu et bon voyage!