So You Want To Store Client Data in the Cloud….

. . . you should! Odds are it’ll make your law practice more efficient, which will help both you and your clients.

With the June 30 deadline to report CLE compliance, I’m asked to present at a lot of CLEs in May and June.  This year, several folks have asked me to talk about the ethics associated with storing client data in the cloud.

I will do as asked. Reluctantly.

Last November, I posted a blog in which I expressed my hope that I’d done my last seminar on the ethics of storing information in the cloud.  I think it’s time we move beyond “can I use the cloud?” to figuring out whether the cloud works for you & your firm and, if so, which vendor to choose.

Since my hope has not yet been realized, I’m re-posting my post. Two words to remember: “Reasonable Precautions.”

****

The Cloud:  What are Reasonable Precautions?

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud.  I started by saying that I hoped it was my final seminar on the topic.  I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent.  See, Rule 1.6.  A lawyer also has a duty to keep client property safe.  See, Rule 1.15.

I view the cloud as the latest in a long line of different places to store information.  In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16].  When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.  Rule 1.6, Comment [17].

So, think about cloud storage like this:  client information is electronically transmitted to a place where it will be kept.  Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06.  Here’s the digest of the opinion:

  • “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)

The question I hear most often is this:  “what are reasonable precautions?”  In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

  • who do you let into this facility?
  • do you require a passcode or badge for the gate?
  • are there locks on the individual units?
  • who besides me has a key or knows the combination?
  • can I get into my unit whenever I want to?
  • what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion.  The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi.  He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

  • Is it a solid company with a good reputation and record?
  • Can you get access to your data whenever you want, without restrictions?
  • If your service is terminated – by you or by the company – can you retrieve your data?
  • Does it allow use of advanced password protocols and two-step verification?
  • What are its internal policies regarding employee and third-party access to your data?
  • Is your data encrypted both while in transit and while at rest on the company’s servers?
  • How is your data backed up?
  • What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

  • You:   Will my data be encrypted in transmission and at rest?
  • Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
  • You:  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions.  This entry includes links that will help you determine what “reasonable precautions” are.  Don’t fear the cloud, but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.

 

Are Robots Nonlawyer Assistants?

Seyfarth Shaw is a law firm with an impressive list of accolades.  And, now, the firm appears poised to be the first major law firm to use robots to handle tasks presently performed by lawyers.

In a joint press release with a company called Blue Prism, Seyfarth Shaw announced:

  • “We’re excited about the opportunity this creates to free our lawyers from some of the more mundane legal tasks so they can focus on helping our clients solve their most complex business issues,” explained Seyfarth’s chair emeritus Stephen Poor. “In testing various use cases, we’ve already seen how Blue Prism’s RPA software can help us create exponential gains in productivity, and we’ve only begun to scratch the surface of possibilities.”

The ABA Journal has the full story here.

A phrase stood out:  “[w]e’re excited about the opportunity this creates to free our lawyers from some of the more mundane legal tasks . . ..”

So, it looks to me as if robots will be performing “mundane legal tasks.”

I’m not the least bit surprised.  But, from a regulatory perspective, what if the robot gets it wrong?

In Vermont, Rules 5.3(a) & (b) impose responsibilities regarding nonlawyer assistants.  Rule 5.3(c) holds a lawyer ethically liable for the conduct of a nonlawyer assistant if the lawyer orders or ratifies it, or if the lawyer has knowledge of a nonlawyer assistant’s conduct and fails to take reasonable remedial action at a time when the consequences can be avoided or mitigated.

As I’ve often said, Rule 1.1’s duty of competence includes tech competence.  Read together, do Rules 1.1 and 5.3 require lawyers who use robots to have some sort of understanding of the coder’s qualifications?  Perhaps we will eventually treat the purchase of robots as we do the selection of a cloud vendor and hold that “a lawyer must take reasonable precautions in choosing a robot that will perform mundane legal tasks.”

Even beyond choosing the robot, is there a duty to “trust but verify” the robot’s work?  I have no idea what “mundane legal tasks” the robots will be doing.  However, absent random quality assurance checks, it’s conceivable that the robots could get a task wrong for quite a period of time before anyone realizes it.  Not only that, I’d assume that a mistake would result from a programming error and, therefore, could be repeated over & over & over again.  Or, will this have been addressed in the testing phase?

The profession’s eventual replacement of humans with machines intrigues me, even if only from an ethics perspective.  Are machines burdened by notions of loyalty?  If not, will the conflict of interest rules apply to robots?

In any event, this is only the beginning.  As the press release goes on to state:

  • “Blue Prism provides an anchor around which we can refine and test the types of robotics that immediately make our lawyers better and faster,” said Byong Kim, director of technology innovations, SeyfarthLean Consulting. “At its core, this is about arming lawyers with the best technology, and software robots are the latest evolution.”

 

 

Service by Social Media

I’m at the mid-winter meeting of the National Organization of Bar Counsel. The program starts later today and I expect to learn lots of  blog-worthy info.

In the meantime, here’s something related to tech competence.

Earlier today, the ABA Legal Technology Resource Center shared a link from the ABA’s Law Practice Group. The link, which is here, is to an update on the evolving area of using social media to effect service.

Competence includes tech competence.

Tips for Choosing a Practice Management System

Most of you know that when it comes to legal tech, I highly recommend Robert Ambrogi’s Law Sites Blog.  Ambrogi also writes a This Week In Legal Tech column for Above The Law.

Here’s the most recent column: 6 Questions To Ask Before Selecting A Practice Management Platform.

Read it.

A summary of the 6 questions:

  1. Do you want a cloud platform or a platform installed on site?
  2. How much do you want to pay?
  3. Does the system comply with security requirements and obligations under the Rules of Professional Conduct?
  4. Does it have the basic features that you need?
  5. Does it have the advanced features that you need?
  6. Does it feel right when you try it?

Again, read the article.

For part 2 of question 3, my view is that a lawyer’s obligation under the Rules of Professional Conduct is to take reasonable precautions to protect client data, whether the data is in transmission or at rest.  What are reasonable precautions?  I addressed that question HERE.

Still drinking coffee this morning?  You’ve got time to try this week’s legal ethics quiz before you hit the trails or slopes.

 

Clients: Ease Their Experience

I’m not sure how to tie this to legal ethics, but I wanted to share it.  So, I’ll say this: Rule 1.1 of the Rules of Professional Conduct requires lawyers to provide competent representation.  I’m about to share with you an article that, at some level, suggests it’s possible that clients perceive competent representation as including a smooth ride along the way.  By “smooth ride,” I’m not talking results.  Rather, I’m referring to the ease of the client experience.

The post is HERE. It’s by Jack Newton, founder and CEO of Clio.  It appears on the ABA Journal’s site.

Referring to a survey conducted by CEB, Inc., of more than 75,000 consumers, Newton writes:

  • “CEB found that modern consumers are not seeking exceptional customer experiences. Instead, they prefer effortless experiences.”

From there, Newton referenced Uber and Amazon, noting that:

  • “For examples of a smooth experience, we can look to innovators of the 21st century. These companies have disrupted deep-pocketed incumbents by delivering truly effortless experiences.”

Check out the post.  Some of you might find it helpful.  You might ask yourself, “self, am I delivering an effortless experience to my clients?”  Indeed, as the Judiciary, we should be asking the same question: are we delivering an effortless experience to our consumers? If not, how can we make it closer to the type of experience that consumers expect?

Newton’s post also includes fascinating thoughts on data.  I’ve always been struck how resistant the legal profession is to using data. With respect to collecting fees, Newton notes that the:

  • “data paints a bleak picture: Out of an eight-hour workday, the average firm collects payment on only 1.5 hours of billable time. These unit economics would be devastating to almost any industry, and they help explain why—despite charging an average of $232 per billable hour—the average small-to-midsize firm struggles to make ends meet.”

Imagine representing a restaurant owner who tells you that of every 8 meals served, she only collects payment for 1.5.

Again, take a look at Newton’s post. It includes some excellent tips on using data to make your practice more efficient.

I agree with Newton’s conclusion:

  • “The winning law firms of the future will take a page from the disrupter’s playbook: Deliver truly effortless customer experiences while advancing a ruthlessly data-driven culture of continuous improvement internally. Combined, these two forces will reshape the face of legal services.”

In the end, I suspect it will be the lawyers who figure out how to make the client experience effortless who see a significant increase in the number of billable hours collected.  In that sense, competent representation will not only benefit your clients, it will benefit you.

 

CC & Reply-All: Is Bcc the Answer?

This week’s post on issues that can arise when a lawyer copies a client on an e-mail sent to opposing counsel generated significant discussion.

In the post, I referred to this advisory opinion from the New York State Bar Association. The opinion suggests that a more prudent course of action is for a lawyer to send the e-mail to opposing counsel, then forward it to the client from the lawyer’s “sent” items.

Several readers suggested that a “bcc” to the client is simpler and avoids any concerns about opposing counsel replying directly to the client.

Maybe.

A “bcc” to the client certainly prevents opposing counsel from concluding that you, the sender, have consented to opposing counsel having direct contact with your client.  But, do you know what happens if the blind-copied client uses “reply-all?”

I’ve tested this twice. Once at CLE in Rutland, and again yesterday with two co-workers.  Each time, we “proved” the result.  Still, I suspect many of you will run the test yourselves.

I work with Deb and Brandy.  For purposes of the test, pretend that I represent Brandy and that Deb is opposing counsel.  Yesterday, I sent an e-mail to Deb and blind copied Brandy. In other words, I sent an e-mail to opposing counsel and blind copied my client.

I asked each to try to “reply-all.”

  • Deb’s reply went only to me, not to Brandy, my client. Indeed, when Deb clicked “reply-all,” the only address that appeared in the window was mine.  So, yes, the bcc to my client prevented opposing counsel from replying to my client.

My client was another story.

  • Brandy replied to all.  By “all”, her reply went to me AND to Deb.  That’s right: even though Brandy had been bcc’ed on my email to Deb, Brandy was able to “reply-all” to me and to Deb.

Now, I know lawyers love blanket statements. I’m not making one.  That is, I am not saying “a lawyer violates the Rules of Professional Conduct by blind copying a client on an e-mail to opposing counsel.”  Here’s what I’m saying: it’s not the magic bullet you might think it is.

Let’s say that my e-mail to Deb indicated that Brandy would settle a civil claim for $100,000, but nothing less.  Imagine that Brandy, intending to reply only to me, accidentally used “reply-all” to write “Awesome! Do you think it will work? Even if it doesn’t, no big deal. I’ve said all along that I’d take $33,000 in a heart beat. By the way, what happens if they find out I was texting when it happened?”

I can hear you now.  “Mike, what are the odds?”  Well, here’s an excerpt from the NYSBA advisory opinion:

  • “12. Although sending the client a ‘bcc:’ may initially avoid the problem of disclosing the client’s email address, it raises other problems if the client mistakenly responds to the e-mail by hitting “reply all.”  For example, if the inquirer and opposing counsel are communicating about a possible settlement of litigation,  the inquirer bccs his or her client, and the client hits ‘reply all’ when commenting on the proposal, the client may inadvertently disclose to opposing counsel confidential information otherwise protected by Rule 1.6.  See Charm v. Kohn, 27 Mass L. Rep. 421, 2010 (Mass. Super. Sept. 30, 2010) (stating that blind copying a client on lawyer’s email to adversary “gave rise to the foreseeable risk” that client would respond without ‘tak[ing] careful note of the list of addressees to which he directed his reply’).”

So, yes: a bcc to a client eliminates the risk that opposing counsel will conclude that you’ve consented to opposing counsel communicating directly with your client.  However, it does not eliminate the risk that your client accidentally discloses confidential and privileged information in a “reply-all.” Indeed, per the Massachusetts case, it creates a “foreseeable risk” that the client will do exactly that.  The opinion is HERE.

If you bcc a client on an e-mail to opposing counsel, make sure the client understands that “reply-all” will not be for your eyes only.
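
Why the test above came out the way it did, as an added example that is not part of the original post: a Bcc address never appears in the delivered headers, and “reply-all” is built from the visible From, To and Cc fields. The addresses are constructed, and `reply_all_recipients` is a simplified model of typical mail-client behaviour, not any particular client’s code; it also runs the NYSBA suggestion of forwarding from “sent” items for comparison.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed addresses standing in for the three people in the test.
MIKE = "mike@lawfirm.example"      # sending lawyer
DEB = "deb@opposing.example"       # opposing counsel
BRANDY = "brandy@client.example"   # client


def deliver(sender, to, cc=(), bcc=()):
    """Return {recipient: message as it arrives in that inbox}.

    Bcc recipients get a copy, but their addresses are used only for
    delivery and are never written into the message headers.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = "Settlement proposal"
    msg.set_content("(body omitted)")
    return {rcpt: msg for rcpt in (*to, *cc, *bcc)}


def reply_all_recipients(received, me):
    """Model of reply-all: the original sender plus every visible To/Cc
    address, minus the person replying (assumed typical behaviour)."""
    headers = received.get_all("Reply-To") or received.get_all("From", [])
    headers = headers + received.get_all("To", []) + received.get_all("Cc", [])
    recipients = []
    for _name, addr in getaddresses([str(h) for h in headers]):
        addr = addr.lower()
        if addr and addr != me.lower() and addr not in recipients:
            recipients.append(addr)
    return recipients


def compare():
    """Reply-all targets for the Bcc approach and for forward-from-sent."""
    # Approach 1: e-mail to opposing counsel, client blind copied.
    bcc_inboxes = deliver(MIKE, to=[DEB], bcc=[BRANDY])
    # Approach 2: separate message from the lawyer to the client only,
    # modelling "forward it to the client from sent items".
    fwd_inboxes = deliver(MIKE, to=[BRANDY])
    return {
        "bcc_header_visible_to_client": "Bcc" in bcc_inboxes[BRANDY],
        "opposing_counsel_reply_all": reply_all_recipients(bcc_inboxes[DEB], DEB),
        "client_reply_all_after_bcc": reply_all_recipients(bcc_inboxes[BRANDY], BRANDY),
        "client_reply_all_after_forward": reply_all_recipients(fwd_inboxes[BRANDY], BRANDY),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label}: {value}")
```

The client’s copy carries opposing counsel’s address in the To field, which is why the blind-copied client’s reply-all reaches both parties while the forwarded copy can only go back to the lawyer.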

 

 

Moneyball: Are Lawyers Required to Scout Judges?

As many of you know, I coached high school basketball for a long, long time.  Contrary to popular belief, high school coaches do far more than cut your kid, bench your kid, or play your kid, but without letting him take every shot. One of the things that coaches do is scout opponents.

Scouting entails going to a future opponent’s game and studying the opponent.  What defense does the team play?  If the coach calls timeout, what play is the team likely to run next? Which players do we force to dribble to the left – because they can’t? Which players are such poor shooters that we don’t need to worry about guarding them? Stuff like that.

Coaches also scout referees.  Which refs call hand-checking?  Which refs don’t care about physical play in the lane?  Which refs call moving screens?  Stuff like that.

Knowing “stuff like that” is considered MINIMAL competence in the coaching world.

And now it may have (officially) entered the attorney ethics world.

Again, lawyers must provide clients with competent and diligent representation. Many of you have informally scouted judges.  You know which judges are inclined to stick to the letter of the law.  You know which judges are inclined to respond to “fairness” arguments.  You know which judges are likely to grant motions to suppress, and, you know which judges aren’t.  Stuff like that.

But even if you don’t know stuff like that, I’m not aware of anything that says you’re less than diligent or competent.  That might be changing.

Earlier this week, Robert Ambrogi posted this entry to his fabulous Law Sites blog.  Here’s a quick summary: Ravel Law launched a service that allows lawyers to scout judges. It’s called “Court Analytics.”  Describing the service,  Ambrogi notes:

  • “you can see, for example, a court’s most-cited opinions and judges, as well as the opinions and courts it most frequently cites. It also lets you identify how courts and judges have ruled in the past on particular issues or motion types.”

Ambrogi added:

  • “How would an attorney use these analytics? I put that question last week to Daniel Lewis, the co-founder and chief executive officer of Ravel Law. He described two primary use cases:
    • Forum comparison. If an attorney is forum shopping and wants to compare how different jurisdictions have dealt with a particular issue or motion.
    • Argument crafting. If an attorney is arguing a matter to a court, the argument can be made more persuasive by knowing which authorities that court or judge finds most persuasive.

    ‘Attorneys will be able to use it to see how a court has dealt with cases on a particular topic or motion, what the key cases are they should know about, and the particular rules, standards and language that are most important in that venue,’ Lewis said.”

Frankly, I’m surprised it has taken so long for analytics to arrive in the legal profession.  As any baseball or movie fan knows, using analytics is now considered minimal competence in baseball. Show me an industry, I’ll show you an industry in which analyzing data is considered minimal competence.

Except, until now, the law.

It makes me wonder: as the data that drives Ravel’s “Court Analytics” app becomes more freely available, will the duty of competence include a duty to make use of that data? It will, right?  After all, what will your response be when asked “why didn’t you?”

By the way, for those of you thinking “there’s no way that this impacts Vermont,” think again.  As Ambrogi notes:

  • “Thanks to Ravel’s digitization partnership with Harvard Law School, its case law collection includes all federal and state courts.”

 

Social Media & Legal Ethics

The Washington D.C. bar recently released Ethics Opinion 371 – Social Media II: Use of Social Media in Providing Legal Services.   

The opinion is thorough. I recommend reading it because it touches on so many areas in which a lawyer’s lack of a basic understanding of social media & how it works could lead to an ethics violation.

Some of you might be thinking: “I know how I’ll avoid violations: I won’t use social media at all.”  If so, I cannot stress this enough:  THINK AGAIN!  

Don’t want to use social media?  Ok.  What, though, is your response if:

  • an ethics complaint (or malpractice claim) is filed against you in which a client alleges that you refused to review an opposing party’s social media platforms?
  • opposing counsel informs the judge that your client’s social media postings are wholly inconsistent with claims & contentions you’ve made to the court on the client’s behalf?
  • opposing counsel places a litigation hold on a client’s ESI, including social media postings?
  • a client asks if her company’s social media postings comply with SEC, FTC, or FDA regulatory guidelines?
  • a client asks if her heightened settings create a reasonable expectation of privacy?
  • a juror’s social media posts would’ve caused a reasonable attorney to think twice about keeping the juror?
  • your employee is using a fake social media account to review your clients’ adversaries’ social media platforms?

If those questions aren’t enough to make you read the D.C. Opinion, at least consider this paragraph:

  • “Because the practice of law involves use or potential use of social media in many ways, competent representation under Rule 1.1 requires a lawyer to understand how social media work and how they can be used to represent a client zealously and diligently under Rule 1.3. Recognizing the pervasive use of social media in modern society, lawyers must at least consider whether and how social media may benefit or harm client matters in a variety of circumstances. We do not advise that every legal representation requires a lawyer to use social media. What is required is the ability to exercise informed professional judgment reasonably necessary to carry out the representation. Such understanding can be acquired and exercised with the assistance of other lawyers and staff.”

In other words, as I’ve blogged before, competence includes tech competence.

 

 

 

Florida Mandates Tech CLE

I’ve blogged often on tech competence.  If you missed the posts, here are a few:

Today, the ABA Journal reported that the Florida Supreme Court approved a proposal to mandate tech CLE.

Gov’t Lawyers & Tech Competence

Regular readers recognize my refrain:  Rule 1.1’s duty of competence includes tech competence.  Indeed, I expect the Civil Rules Committee soon to recommend that the Court follow the ABA’s lead and adopt a comment directed towards tech competence.   At least 24 states have already done so.

I’ve blogged often on tech competence.  If you missed the posts, here’s a list of a few:

Not many (if any) of these posts referenced tech competence and government attorneys.

Some of you might know my friend and colleague Brian Martin.  Brian is licensed to practice in Vermont, but recently moved to D.C. to take a job with the Consumer Financial Protection Bureau.  Earlier this week, Brian sent me an article that highlights the dangers of government attorneys not understanding technology.

Note: if you click on the article, the “warnings” aren’t real. They’re part of the article’s graphics.  The article is HERE. It raises serious questions  not only about the application of the ethics rules to government attorneys, but about the harm that could result from a government attorney’s failure to understand technology.

The article hit home.

As recently as June 2012, I was the disciplinary prosecutor.  I never had occasion to, for example, have to review a lawyer’s hard drive and introduce into evidence data that it contained.  Or to prosecute a lawyer for failing to take reasonable precautions to protect electronically stored information.  Very candidly, I don’t know that I would have known how to handle either situation.  Following the theme in the article Brian sent me, would I have ruined a lawyer’s reputation & career by prosecuting a tech-related violation that I did not understand? Conversely, might I have dismissed a complaint that deserved prosecution merely because I did not understand a tech issue that, in fact, was clear evidence of a violation of the rules?

Anyhow, the article that Brian sent is another reminder that the duty of competence includes tech competence, no matter the area of law in which an attorney practices.