Buried Ledes, Hackers, and Protecting Client Data

A friend of mine used the word “lede” in a text she sent me earlier this week.  So impressed that she knew the proper spelling, the word has stayed on my mind ever since.  Good thing.  Because as I proofed this post, I realized that I almost buried the lede.

Even Vermont-sized law firms are vulnerable to hackers.

In January, hackers stole data from five small firms.  From each, the hackers demanded 100 Bitcoin to restore access to the data and 100 Bitcoin not to sell it. Then, the hackers began publishing the data on the web. Among others, Law.Com, CoinTelegraph and the ABA Journal have the story.

Did I mention that, at the time, 100 Bitcoin cost $930,000?  Today it’s only $890,416.

I’ll return to the story in a moment.  First, however, I’d like to introduce Jim Knapp.

Jim is Vermont State Counsel for First American Title Insurance.  But the day I blog about underwriting will be the day I retire as a blogger.

For many years, Jim and Kevin Ryan presented their famed “Road Show” across Vermont. It was a CLE that included great tips on tech and data security. You know – tech competence!

I’ll start with the basic premise: lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to information relating to the representation of a client. The duty applies to the electronic transmission and storage of client information & data.

As I noted here, there is no set answer to “what are reasonable precautions?”  The ABA’s Standing Committee on Ethics and Professional Responsibility agrees. In Formal Opinion 477, the Committee advised:

• “What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”

With respect to cyber threats, the Committee stated:

• “the reasonable efforts standard. . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”

Now, back to the story of the hackers.

Along with blogger’s bloc, the story made realize today is a great day for a Q&A with Jim Knapp. Jim was kind enough to agree.

MK: Thanks for doing this Jim. First reaction when you read about the hack?

Jim: So, this would be deemed a really bad day! First you are locked out of your system, and even if you had good recent backups, and could expend the money and time to restore everything, second, the bad actors are still threatening to sell / release your data. Not to mention, now you have a data breach and must satisfy all the legal requirements related to the analysis and notifications imposed by State laws. What a way to start a week!

MK: I’ll say. For me, this hit home because it didn’t involve one of the ginormous multi-national firms. The firms involved are similar in size to most Vermont firms. How do Vermont lawyers protect themselves?

Jim: As we’ve seen, 2020’s are barely a few weeks old and the news is not good. Ransomware has reached a new high(?) / low (low). The bad actors are not just encrypting your files, they are offering to publish your firm’s files to the public, or at least the public that uses the dark web.

You can no longer rely on having anti-virus software as your only means of protection. Backups are important to recover your data in the case of disaster, but a good backup won’t stop a bad actor from publishing data they have stolen from your firm. Acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.

MK: I love the last sentence: “acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.” Many lawyers, myself included, aren’t exactly tech savvy. My sense is that many firms “leave that to the IT person.” Of course, in the end, a lawyer is responsible for ensuring that the nonlawyer staff – including IT staff and vendors – are protecting client data. Anyhow, how do we move from toes-in-the-water to the deeper end of that pool of knowledge? Some states require tech CLE. In December 2018, I posted this blog wondering if we should.

Jim: While the idea of mandatory participation in professionalism, mindfulness, wellness, etc., are all good subjects, it seems to me that perhaps mandatory participation in cybersecurity training would be a worthy subject. Not just for lawyers but for all persons who work in a law office. As regards Vermont, out of the 2700+ lawyers, I’ll bet not more than 350-400 unique persons have attended a well prepared and presented program on cybersecurity. Of course, those folks will roll their eyes, if they have to hear one more presentation on “don’t click”; have good passwords etc.

MK: I agree. But I still run into lawyers who say, “I wouldn’t even know what the presenters are talking about.”

Jim: Gaining a suitable level of the essential elements of data security is a challenging task if you choose to pursue this on your own. The key is finding a suitable CLE program that can translate the arcane elements of information security into knowledge you can use to assess how safe your law office environment is. Everyone whose practice depends on the availability of information stored on a computer system owes it to their clients and to themselves to attend enough CLE programs to understand what options exist for protecting their digital information.

MK: Music to my ears! But it has to be more than just “go to a tech CLE,” right?

Jim: Training is a key element to protecting your digital environment. But training alone isn’t sufficient, as no matter how diligent you are in reminding all your colleagues not to open questionable emails, stay away from questionable websites, and to watch out for the social engineers looking to convince you to hand over key information like passwords, the bad actors will eventually find an opening and pounce.

Information security for a law office involves all kinds of elements, from

• properly configuring the hardware included in your network, like the router that connects your office to the outside world; to,
• running a suitable firewall; to,
• using effective anti-malware software; to,
• keeping your operating system and applications up to date with all patches (Note: if you are still using Windows 7 you must STOP now. Microsoft is no longer providing patches for Windows 7 and there are still numerous vulnerabilities that have never been fixed and now will not be fixed)
• possibly running intrusion detection and intrusion prevention systems within your network;
• and more.

MK: Good stuff! Last question before we lose everyone: I’ve often called you for tips on backing up client data. Can you give us the quick version that you’ve given me on backups, airgap, etc.?

Jim: Backup, like all tech issues, has lots of components. The right backup strategy depends on what kind of data you have, how much data you have, and where you store your data. But, everyone should consider at least the following elements:

• Nearline – a backup that is connected to your network storage, or to your personal PC (wherever you store your day to day work product) all the time and periodically (hourly, every few hours, at least twice a day), duplicates the data in your data storage. Usually, an external USB hard drive purchased for less than $100.00 will suffice. This allows you to recover immediately, or nearly immediately from a problem with your storage device, e.g. your hard drive or SSD croaks at 3:30 and the response to the motion for summary judgment is due tomorrow.
• Offline – a backup that is stored off-site. It can be cloud based, or a rotation of physical drives, one of which is stored off-site at all times. This provides a recovery option for the electrical surge that kills your onsite storage, a fire, a flood, or somebody breaks into your office and steals the computers. This backup is run at an interval calculated by how much work-product you are willing to lose and have to recreate. It could be measured in weeks, but I would offer that daily is a more reasonable assessment.
• Airgap – this a backup device that is only connected to your network or the PC while the backup is running. This is one tool in the kit to address a ransomware attack on your systems. Again, an airgap backup will typically fit on a good quality external USB hard drive which is a $100 item. To run the back-up, you connect the device to the storage device you want to backup, and as soon as the backup is complete, you disconnect the backup device and store it safely away from any connection to your data storage systems.

MK: I lied, one more question: you & I bumped into each other at church on Ash Wednesday. Was that your cell phone that went off during mass? Tech competence is a thing at worship too.

Jim: Fortunately no, neither of my cell phones was that particular culprit.

MK:  Good.  The ringtone reflected a failure to act competently when choosing a ringtone.

Jim:  I have two cell phones because of the nature of the insurance business and my employer’s policies. Particularly, in the case of regulators, they can demand access to Company information, some of which may be stored on my phone. And, the Company retains the right to monitor and inspect all data stored on or passing through their data-stream. Now, while I have few secrets worth discovering, and after 40 years of practice in Vermont, net worth is not one of them, I have no desire to expose my personal information to either the regulators or the Company. Hence, I have a personal cell phone and a work cell phone. I would suggest that lawyers should consider the same analysis I did. If you were sued, do you really want opposing counsel and your appointed defense counsel rummaging through the materials on your phone?

MK:  It’s almost as if you’ve seen what’s on my phone.  No, I don’t want anyone rummaging through!  Good reminder though: as I blogged here, lawyers who travel abroad should consider leaving behind devices that contain client data.

Thanks Jim, this was great!

To be clear: being hacked isn’t necessarily an ethics violation.  Even reasonable security can be breached.  My point today is to encourage lawyers and firms to assess the measures that they have in place.  And, to encourage those who don’t know how to perform such an assessment to find someone who does.

Finally, if you or your firm has been breached, you should (1) read my post ABA Addresses Lawyer’s Duties in Response to a Data Breach; and (2) review the Attorney General’s outline of duties that arise under Vermont’s Security Breach Notice Act.

As always, let’s be careful out there.

Bar Assistance Program: why I support it.

This morning, I blogged on the Vermont Supreme Court’s proposal to create a Bar Assistance Program that would be administered by bar counsel.  Here’s why I support the proposal to expand the assistance that the Professional Responsibility Program and bar counsel already provide.

A New Approach to Attorney Regulation

For too long, the prevailing thought was that an attorney regulation program had to focus on discipline to be effective.  States devoted more resources to responding to misconduct than to preventing it.  The focus, then, was not on enhancing the provision of competent legal services, a focus that, really, is the best form of (a) public protection; and, (b) promoting confidence in the bar’s ability to self-regulate.

Times have changed.

ABA Resolution 105 (2016)

In 2016, the ABA House of Delegates approved Resolution 105.  In it, the ABA adopted “Model Regulatory Objectives for the Provision of Legal Services” and encouraged states to do the same.  Among the objectives, the “efficient, competent, and ethical delivery of legal services.” While Resolution 105 did not come out of the wellness movement, its intent applies.

Simply, Resolution 105 recommends that each state supreme court decide what it wants the objectives of its attorney regulation program to be.  Per the report submitted to the House of Delegates in support of the proposed resolution, identifying and adopting regulatory objectives “serves many valuable benefits,” including:

• Defining the purpose and parameters of the regulatory program;
• Identifying the goals and objectives of the regulatory program; and,
• Enhancing trust that lawyers have in regulators, as well as the trust and confidence that the public has in the profession’s ability to regulate itself.

The ABA adopted 10 model regulatory objectives.  They include the “[e]fficient, competent, and ethical delivery of legal services.”

The National Task Force on Lawyer Well-Being

Next, in 2017, the National Task Force on Lawyer Well-Being issued The Path to Lawyer Well-Being: Practical Recommendations for Positive Change (“The Report”).  The Report kickstarted the attorney wellness movement.

I will not go through the entire report. It is important, however, to review its purposes.  There are 5, each of which is listed in a letter written by the Task Force’s co-chairs when the report was announced.  Three are key here:

1. Eliminating the stigma associated with help-seeking behaviors;
2. Emphasizing that well-being is an indispensable part of a lawyer’s duty of competence;
3. Taking small, incremental steps to change how law practice and how lawyers are regulated to instill greater well-being in the profession.

I want to emphasize the third: changing how lawyers are regulated to instill greater well-being in the profession.  Indeed, The Report itself recommends that regulators “develop their reputation as partners with practitioners.”

ABA Resolution 107 (2019)

Last  summer, the ABA House of Delegates adopted Resolution 107.  The resolution urges states to adopt Proactive Management Based Regulation (“PMBR”).  In short, PMBR encourages a system of attorney regulation that focuses more on promoting compliance than it does on responding to misconduct.  A core objective of PMBR is to promote the provision of competent legal services.

Vermont was ahead of the curve.  We adopted a version of PMBR in 2012.  As I blogged here, we know that it works.  Essentially, we – thanks to you – have created a culture of compliance.

A New Paradigm

The profession has come to recognize that proactive regulation is the future.  Gone are the days of a monolithic focus on responding to misconduct.  Now, it’s time for each state to look within, and identify, announce, and implement the objectives of its own regulatory system.

Since 1999, bar counsel’s role has been to “provide referrals, educational materials, and preventive advice and information to assist attorneys to achieve and maintain high standards of professional responsibility.”  Supreme Court Administrative Order 9, Rule 9. To me, that necessarily includes providing assistance, referrals, and preventive advice on behavioral health issues.

As a profession and a Professional Responsibility Program, our objectives should include doing whatever we can to help lawyers to develop and maintain the ethical infrastructure needed to provide competent legal services.  In that well-being is an aspect of competence, that necessarily includes making well-being an objective.

Here are two statements from the Executive Summary submitted with Resolution 107 when it was proposed:

• “PMBR programs encourage professionalism and civility, and change for the better the relationship between the regulator and regulated.”
• “PMBR programs are not one-size-fits-all, may be crafted to meet the needs of each
  jurisdiction, and are reasonable in cost.”

In my view, Vermont is well-suited to adopt the proposed Bar Assistance Program. We’re small enough to make it work and can add it without any corresponding increase to attorney licensing fee. Further, affirmatively decoupling assistance from discipline will only serve to improve the relationship between the regulator and the regulated.

These are among the reasons that I support expanding the assistance that the Professional Responsibility Program and bar counsel already provide to include assistance of the type traditionally referred to as “lawyer assistance.”

We might not get every starfish back to the water, but it will mean the world to the one that we do.

Throwback Thursday: Social Media

Last week, I posted Comptence & E-Discovery.  It generated a few calls & emails on another topic that we touched upon in the seminar that’s referenced in the post: a lawyer’s professional obligations vis-a-vis ESI & social media.

I’ve blogged & spoken on the issue several times. To me, it comes down to this:

• The duty of competence includes reviewing the publicly available social media presences of adversaries, witnesses, and jurors.
• Knowing that others are looking, the duty of competence includes advising clients of the risks associated with making information publicly available on social media.

As to the former, please see this post from September 2019.  It includes links to several advisory ethics opinions that address a lawyer’s duties when reviewing social media evidence. As to the latter, please see this post, also from September 2019.

Competence & E-Discovery

A lawyer’s professional responsibilties include:

• providing clients with competent representation;
• abiding by the rules of a tribunal;
• acting competently to prevent the inadvertent disclosure of a client’s otherwise confidential or privileged information;
• not assisting a client or another person unlawfully to obstruct access to evidence; and,
• not assisting a client or another person unlawfully to alter, conceal, or destroy documents and material that have potential evidentiary value.

At the YLD Thaw in Montreal, I sat on a panel that presented E-Discovery & Me: Facebook, Metadata & Beyond.  Kevin Lumpkin moderated, and I was joined by Jennifer McDonald, Daniel Martin, and Matthew Preedom.

The seminar left me with a new appreciation for the “tech” issues that lawyers confront daily.  It also left me incredibly impressed with the tech competence of my fellow panelists.  To say I was the weak link would be an understatement.

Thus, I hesitate to write this blog. Mostly from a competence perspective, but also because the topic is so vast that I could easily go too long & too far astray.  I’ll do my best to stay focused.  Today’s points:

1. The duty of competence applies in discovery.
2. The duty of competence includes providing clients with competent advice related to preserving & producing ESI.

Note, I intentionally used “discovery” instead of “e-discovery.” I’ve heard lawyers suggest that their duties are different, perhaps less stringent, with e-discovery.

Wrong.

Never have we presented, and never will we present, an ethics CLE in which we stress that the duty of competence includes providing clients with competent advice on the preservation & production of paper documents.  It’s a given.

It’s also a given with ESI.

In 2009, Vermont amended Rule 34(a) of the Rules of Civil Procedure. The amendment tracks the 2006 amendment to the Federal Rules of Civil Procedure.  The Reporter’s Note is not confusing.  The amendment:

• “is intended ‘to confirm that discovery of electronically stored information stands on equal footing with paper documents’ and to make clear that a request for ‘documents’ that does not differentiate paper documents and electronically stored information should be understood as including the latter.”

No reasonable lawyer would conclude “I don’t really need to know how to advise my client on the preservation & production of paper documents.”  And, for more than a decade now, the discovery rule has been that ESI “stands on equal footing with paper documents.”

In short, ESI is discoverable, subject to the same discovery rules as information that is on paper. To produce ESI, your client must have preserved ESI.

For example: do you know whether:

• your client has ESI that might be relevant to the representation;
• the custodian(s) of that data;
• the client’s policies on data storage/destruction.

In 2015, the State Bar of California issued Formal Opinion 2015-193.  The question presented: “what are an attorney’s duties in the handling of discovery of electronically stored information?”

I urge you to read the entire opinion.  In my view, the most important paragraph is this one:

• “We start with the premise that ‘competent’ handling of e-discovery has many dimensions, depending upon the complexity of e-discovery in a particular case. The ethical duty of competence requires an attorney to assess at the outset of each case what electronic discovery issues might arise during the litigation, including the likelihood that e-discovery will or should be sought by either side. If e-discovery will probably be sought, the duty of competence requires an attorney to assess his or her own e-discovery skills and resources as part of the attorney’s duty to provide
  the client with competent representation. If an attorney lacks such skills and/or resources, the attorney must try to acquire sufficient learning and skill, or associate or consult with someone with expertise to assist.”

I appreciate the paragraph’s emphasis that lawyers need to know what they don’t know. I appreciate two other points.

First, the paragraph tells lawyers what they need to know:

“Attorneys handling e-discovery should be able to perform (either by themselves or in association with competent cocounsel or expert consultants) the following:

• initially assess e-discovery needs and issues, if any;
•  implement/cause to implement appropriate ESI preservation procedures;
• analyze and understand a client’s ESI systems and storage;
• advise the client on available options for collection and preservation of ESI;
• identify custodians of potentially relevant ESI;
• engage in competent and meaningful meet and confer with opposing counsel concerning an e-discovery plan;
• perform data searches;
• collect responsive ESI in a manner that preserves the integrity of that ESI; and,
• produce responsive non-privileged ESI in a recognized and appropriate manner.”

(Aside: I’d add this: in between preservation and production, lawyers often take possession of a client’s information, whether in paper or electronic form.  The duties to clients include acting competently to safeguard the information while it’s in the lawyer’s possession.  With ESI, that includes competently assessing whether to store the ESI in-house or to retain a e-discovery vendor to host the ESI.)

Second, the paragraph makes it clear that it’s okay not to know how to do those things.  Of course, a lawyer who doesn’t must (1) associate with someone who can competently handle those tasks, whether a lawyer or nonlawyer; or (2) withdraw from or decline the representation.

In closing, I’ve never received a disciplinary complaint alleging that a lawyer failed to provide competent representation on issues related to the preservation and production of ESI.  Someday I will.

For now, keep in mind that the risk is greater than a disciplinary investigation. There’s risk to the client.

Here’s Rule 37(f) of the Vermont Rules of Civil Procedure:

• “Failure to Preserve Electronically Stored or Other Evidence.  If electronically stored or other evidence that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court, upon finding prejudice to another party from the loss of the evidence, may order measures no greater than necessary to cure the prejudice.” (emphasis added).

I’ve often blogged that setting reasonable expectations early in the representation is a good way to avoid disciplinary complaints.

Another is to avoid “measures” ordered by a court against a client.

 

 

Legal Ethics & Cannabis Clients’ Money

A few weeks ago, I presented at the VBA’s Basic Skills program.  It’s a day-long program that focuses on the basics of Vermont practice & procedure and that is designed to provide new attorneys an opportunity to comply with the CLE components of Rules 12 and15 of the Rules of Admission.

My presentation focuses on wellness, civility, and the nuances of Vermont’s Rules of Professional Conduct.  On the latter, and to assist the lawyers who are waiving in from other states, I point out instances in which our rules might differ from the rules in other jurisdictions.  True to my Friday form, I do so via the pub quiz method.  Question 3 is relevant to today’s blog post.  Here it is:

Question 3

Rule 1.2(d) prohibits a lawyer from assisting or advising a client to
engage in conduct that violates the law. In Vermont, the rule poses issues for lawyers whose clients are involved with a particular industry.

What’s the industry?

The answer: cannabis.

Rule 1.2(d) draws no distinction between state and federal law, or between laws that are enforced more vigorously than others.  As such, in 2016, the Vermont Supreme Court adopted Comment [14] to Rule 1.2:

• “[14] With respect to paragraph (d), a lawyer may counsel and assist a client regarding the validity, scope and meaning of Title 18, chapters 84, 84A, and 86 of the Vermont Statutes Annotated, and may assist a client in conduct that the lawyer reasonably believes is permitted by these statutes and the rules, regulations, orders, and other state and local provisions implementing the statutes.  In these circumstances, the lawyer shall also advise the client regarding the potential consequences of the client’s conduct under related federal law and policy.”

I’ve presented entire seminars on the legal ethics issues that arise when representing clients involved in the cannabis industry.  Sometimes new lawyers, as well as experienced lawyers who are not involved with the industry, chuckle at the notion that CLE is required or available on “smoking weed.”  Umm, it’s neither that simple nor a laughing matter.

As I point out: let’s say you represent a client who wants to apply for a zoning permit to open a cannabis-related business that is legal under Vermont law.  By assisting the client to apply for the permit are you assisting the client to violate federal law?

Hence Comment 14.

Last June, I posted Cannabis Competence.  My main point was that, as with any client, a lawyer owes a duty of competent representation to clients involved with the cannabis industry.  Near the end, I wrote:

• “Finally, I’d argue that competent representation includes thorough advice on money.  As Vermont Biz points out, for businesses that are otherwise legal under state law, federal law can create hurdles to financing.

Then, once financed, there’s the issue of what to do with the revenue.  At the end of May, Governing posted Despite State Support, Marijuana Banking Bill May Sink Again in Congress.  To me, the post highlights the need for attorneys – whether representing businesses or banks – to have a firm grasp of banking laws and regulations insofar as they relate to the cannabis industry.”

Today, I have an update on the banking bill.

Thomas Wilkinson is a lawyer at Cozen O’Connor and a regular member of this blog’s #fiveforfriday Honor Roll.  We’re connected on LinkedIn.  Today, Tom shared via LinkedIn a blog authored by an associate at his firm: Cannabis and CBD Companies One Step Closer to Federally Legal Banking Services.  It’s an excellent update on the status of the Secure and Fair Enforcement (SAFE) Banking Act of 2019.  And, therefore, relevant to the duty of competence owed to cannabis clients.

Related Posts:

• Cannabis Competence
• Was That Wrong?  Cannabis Incompetence

 

 

The Future of Attorney Regulation is Proactive.

Within the world of attorney regulation, there is a trend towards Proactive Management Based Regulation (“PMBR”).  In this post, the Legal Ethics Forum provided one of the more concise descriptions of PMBR that I’ve seen:

• “With PMBR, the regulator works with lawyers to address risks to avoid problems, rather than reacting to attorney misconduct after it has occurred.”

In other words, focusing as much on preventing fires as putting them out.

To date, PMBR has been implemented in Australia and Canada.  Two states, Colorado and Illinois, have formally adopted it.  Many other states are moving towards it.

The PMBR movement received a welcome boost last week.  The ABA’s House of Delegates approved Resolution 107.   The text:

“RESOLVED: That the American Bar Association urges each state’s highest court, and those of each territory and tribe, to study and adopt proactive management-based regulatory programs appropriate for their jurisdiction, as a way to enhance compliance 4 with applicable rules of professional conduct and supplement existing disciplinary enforcement mechanisms, and to:

a. assist lawyers, law firms, and other entities in which lawyers practice law in the development and maintenance of ethical infrastructures that help to prevent violations of applicable rules of professional conduct;

b. reduce complaints to lawyer disciplinary authorities;

c. enhance lawyers’ provision of competent and cost-effective legal services; and

d. encourage professionalism and civility in the profession.”

The sponsors’ Executive Summary (page 83) urges adoption of “proactive
management-based regulatory (PMBR) programs to enhance compliance with
applicable rules of professional conduct and supplement existing disciplinary
enforcement mechanisms.”

I culled some additional statements from the Executive Summary and will present them as bullet points:

• “PMBR programs operate separately from the disciplinary process.”
• “PMBR programs offer a systemic preventive approach to help lawyers, and the entities where they practice law, develop ethical infrastructures to improve the delivery of competent and cost-effective legal services.”
• “PMBR programs encourage professionalism and civility, and change for the better the relationship between the regulator and regulated.”
• “PMBR programs provide lawyers with an array tools, including self-assessment
  checklists and online programming, to help them and the entities where they
  practice law develop ethical infrastructures and identify where they may need
  additional skills, training, and education.”
• “PMBR programs are not one-size-fits-all, may be crafted to meet the needs of each
  jurisdiction, and are reasonable in cost.”

Here in Vermont, we’ve not formally adopted PMBR.  However, we’ve made several of its principles central to the Professional Responsibility Program’s mission.

For example, many of you know that I was disciplinary counsel from 2000-2012.  That entire time, I had a full-time deputy and we reviewed, on average, 246 new disciplinary complaints per year.  During the same period, bar counsel was half-time and responded to, on average, 234 ethics inquiries per year.

Our default, indeed our very set-up, was to react.

In 2012, under the leadership of then-chair Jan Eastman, the Professional Responsibility Board recommended that the Court reallocate resources with the PRP.  The crux: make bar counsel a full-time position, reduce deputy disciplinary counsel to a half-time position.

It worked.

FY                         Disciplinary Complaints                               Inquiries of Bar Counsel 2013                                    285                                                                                   627            2014                                    243                                                                                   750               2015                                    208                                                                                   827               2016                                    181                                                                                   1,100               2017                                    140                                                                                   1,109               2018                                    149                                                                                   1,263

(I’ve previously blogged on the inquiry process and the changes that we made in 2012.)

This is without getting into the sizeable increase in the number of continuing legal education seminars that we present, our focus on issues like civility, wellness, and tech competence, and the fact that, now, we resolve most complaints at screening without referring them to disciplinary counsel, thereby freeing up disciplinary counsel to focus on serious misconduct.

But there’s more we can do for you.

I’ve followed the programs implemented in Colorado and Illinois.  Further, I’m a member of the National Organization of Bar Counsel, one of the strongest leaders in the PMBR movement.  I’ve got some ideas.  Stay tuned.

For now, remember: the future of regulation is proactive.

 

The bar exam, a lawyer shortage, Suits, and a few thoughts on leaked essay topics.

Vermont’s administration of the Uniform Bar Exam begins today.  76 aspiring lawyers will gather at a hotel in Burlington.  As made clear by this piece that ran on WCAX yesterday, we need a lot of them not only to pass, but to stay in Vermont.

If you weren’t aware, Vermont switched to the Uniform Bar Exam in 2016.  Today, the examinees will tackle the Multistate Performance Test and Multistate Essay Examination.  Then, tomorrow, one of the last bastions of the #2 pencil takes center stage: the Multistate Bar Examination, aka “the multiple choice.”

I went into the nuts & bolts of the Uniform Bar Exam in more details in this post.   Also, last February, I posted this Q&A with the examiners.  Finally, talk about a bizarre situation: this past weekend, California bar authorities discovered that the essay topics might have been inadvertently revealed.  So, as I blogged here, they sent an email to all examinees informing them what the essay topics would be.

I understand that there was no good solution.  Logistically, it was far too late to postpone the exam or draft new questions.  Sharing the topics with everyone was likely the best way to level the playing field.

A gut reaction might be “it’d be great to know the topics!” I’m not so sure.

For instance, my personal choice would have been to get my studying done by last Friday, then take the weekend to rest, relax, and get my mind right for the exam.  I’d likely not have had the discipline – or courage – to stick to my approach if, on Saturday, I’d learned what the essay topics would be.  Rather, I’d likely have felt compelled to study them, even if I’d already done enough preparation on each over the past few months.

And what about the examinee who takes my approach and then got off the grid for the weekend?

Also, the essays are intended to distinguish examinees from each other.  For many years, I graded bar exams.  In my experience, some were fantastic, some awful, and the vast majority in the vast middle. It’s difficult to perceive and assign a distinction between the many that are solidly average.  I wonder whether the fact that all examinees know the topics will result in essays that are even more difficult to differentiate than in a normal year.

Finally, I look forward to the day when we have a full-fledged discussion as to whether a two-day test is the best way to determine who gets a ticket to practice law.  Maybe it’s the Mike Ross in me.  Or, maybe it’s the fact that we have evidence – albeit in an infinitesimal sample size – that success (or a lack thereof) on the bar exam is not necessarily the only predictor of competence.

 

Well-Being Is An Aspect Of Competence

Two years ago, the National Task Force on Lawyer Well Being published The Path to Lawyer Well-Being: Practical Recommendations for Positive Change.  The report issued in response to two studies that revealed alarming statistics with respect to the well-being of the legal profession.

In their letter introducing the report, the Task Force’s co-chairs noted the report’s “five central themes:

1. identifying stakeholders and the role each of us can play in reducing the level of toxicity in our profession,
2. eliminating the stigma associated with helpseeking behaviors,
3. emphasizing that well-being is an indispensable part of a lawyer’s duty of competence,
4. educating lawyers, judges, and law students on lawyer well-being issues, and
5. taking small, incremental steps to change how law is practiced and how lawyers are regulated to instill greater well-being in the profession.”

Among other proposals aimed at furthering the third (bolded) theme, the report recommended modifying the Rules of Professional Conduct “to endorse well-being as part of a lawyer’s duty of competence.”

The Vermont Supreme Court has done exactly that.

Yesterday, the Court promulgated an amendment to Comment [9] to Rule 1.1.  The new comment reads:

• “[9] A lawyer’s mental, emotional, and physical well-being may impact the lawyer’s ability to represent clients and to make responsible choices in the practice of law. Maintaining the mental, emotional, and physical well-being necessary for the representation of a client is an important aspect of maintaining competence to practice law.”

Two questions jump to mind: what is well-being and how does a legal professional maintain it?

As to the former, the Task Force wrote:

• “We define lawyer well-being as a continuous process whereby lawyers seek to thrive in each of the following areas: emotional health, occupational pursuits, creative or intellectual endeavors, sense of spirituality or greater purpose in life, physical health, and social connections with others. Lawyer well-being is part of a lawyer’s ethical duty of competence. It includes lawyers’ ability to make healthy, positive work/life choices to assure not only a quality of life within their families and communities, but also to help them make responsible decisions for their clients. It includes maintaining their own long-term well-being. This definition highlights that complete health is not defined solely by the absence of illness; it includes a positive state of wellness.”

In addition, the Task Force noted that:

• “The concept of well-being in social science research is multi-dimensional and includes, for example, engagement in interesting activities, having close relationships and a sense of belonging, developing confidence through mastery, achieving goals that matter to us, meaning and purpose, a sense of autonomy and control, self-acceptance, and personal growth. This multi-dimensional approach underscores that a positive state of well-being is not synonymous with feeling happy or experiencing positive emotions. It is much broader.”

Finally, the Task Force explained that it:

• “chose the term ‘well-being’ based on the view that the terms ‘health’ or ‘wellness’ connote only physical health or the absence of illness. Our definition of ‘lawyer well-being’ embraces the multi-dimensional concept of mental health and the importance of context to complete health.”

With the definition in mind, how does a legal professional maintain well-being?  It strikes me that the answer depends on the individual. A place for everyone to start, however, is the ABA’s Well-Being Toolkit for Lawyers and Legal Employers.  Its 99 pages are chock full o’ helpful tips and guidance.

I can hear you now:

• “Ummm, what’s that you say Mike? 99 pages? I don’t have that much time to work on my well-being!”

Fear not!  Besides the full toolkit, and perhaps with my law school career in mind, the ABA also created the Well-Being Toolkit Nutshell: 80 Tips For Lawyer Thriving.  It’s only 2 pages.  No excuses!

Well-being is important.  Take the time to understand what it is, how to achieve it, and how to maintain it.  As you do, try not to get caught up in “I’m only doing this because the new comment says I should.”  Rather, get caught up in the first of the Well-Being Nutshell’s 3 reasons to care about well-being:

“It’s the right thing to do.”

 

 

 

Social Media & Legal Ethics

It’s been a while since I’ve blogged, and even longer since I’ve subjected readers to the mantra upon which this blog was built:  competence includes tech competence.

With that in mind, an update!

A few weeks ago, the Commercial and Federal Litigation Section of the New York State Bar Association released its updated Social Media and Legal Ethics Guidelines.  First released in 2014, the Guidelines are one of the leading resources on a lawyer’s obligations under the rules of professional conduct with respect to social media.  While based on New York’s rules, the Guidelines cite to advisory ethics opinions from across the country. Here’s an outline distilled from the table of contents:

1. Attorney Competence
2. Attorney Advertising and Communications Concerning a Lawyer’s Services
3. Furnishing of Legal Advice through Social Media
4. Review and Us of Evidence from Social Media
5. Communicating with Clients
6. Researching Jurors and Reporting Juror Misconduct
7. Using Social Media to Communicate with a Judicial Officer

There’s also an Appendix that includes a list of some of the more popular social media platforms, as well as a glossary of social media’s more commonly used words & phrases.

(no, I’m not sure that “social media’s more commonly used words & phrases” is proper grammar.  But I tend to write like I speak, and if I said it out loud, you’d know exactly what I meant.)

Anyhow, the Guidelines are a great resource.  I recommend bookmarking the link.

Finally, thank you Dave Carpenter for the h/t that the Guidelines had been updated!

Redacting Confidential Info

In January, Paul Manafort’s lawyers made headlines for failing to take proper steps to redact a document.  Myriad outlets covered the story, including The Atlantic, BBC, and Legal Tech News.

In response, the ABA Journal posted How to redact a PDF and protect your clients.  A few days later, I recommended the ABA post in my blog Competence, Confidences and PDFs. 

Today, the ABA Journal published more helpful information: Redacting confidential client information: The devil is in the details.  The post points out the risks in failing to understand how property to redact a document.  I recommend it.

One risk? Disciplinary action.  Lawyers have a duty not to disclose information relating to the representation of a client.  There’s also a duty to use reasonable safeguards to protect against unauthorized access to or inadvertent disclosure of confidential information.  In my view, employing a redaction method that fails to keep information confidential is not a reasonable safeguard.

Rather, it’s tech incompetence.