When a client insists that a lawyer advance frivolous claims.

Last year, I ran the “Professional Responsibility Madness” challenge.  Modeled on the “March Madness” brackets associated with the NCAA basketball tournament, I seeded 64 concepts associated with professional responsibility & legal ethics into the bracket.  Round-by-round, lawyers voted.  The concepts (and their category) that advanced to the Final Four were:

  • Candor to the Tribunal (Duties to Others)
  • Former Client Conflicts: Substantially Related? (Conflicts & Confidences)
  • Who Decides? Lawyer or Client? (Duties to Clients)
  • Did you say “Utes?” (My Cousin Vinny)

I was surprised by the interest in “Who Decides? Lawyers or Client?”  Until then, it was an issue rarely raised in ethics inquiries.

Flash forward to 2021.

In the past month, two different lawyers have made inquiries that boiled down to the same question: “what do I when the client insists on presenting a claim that I think is frivolous?”

In short, my position is that the lawyer decides which facts and arguments will be advanced, and that the lawyer, not the client, decides which facts and arguments are frivolous.  Then, if the client insists that the lawyer present frivolous claims, the lawyer must move to withdraw. In responding to each inquiry, I cautioned the lawyers that there is a difference between a frivolous claim and one that has little chance of prevailing.[i]

My position derives from the following rules:

  • Rule 1.2(a), which leaves the objectives of the representation to the client and how those objectives are pursued to the lawyer’s discretion, in consultation with the client;
  • Rule 1.4(a)(5), which requires a lawyer to “consult with the client about any relevant limitation on the lawyer’s conduct when the lawyer knows that the client expects assistance not permitted by the Rules of Professional Conduct or other law;”
  • Rule 3.1, which prohibits a lawyer from bringing a claim or asserting a position “unless there is a basis in law or fact for doing so that is not frivolous;”
  • various provisions of Rule 1.16, most notably Rule 1.16(a)(1), which requires a lawyer to withdraw when continued representation will result in a violation of the rules; and,
  • the general duties of fairness to the opposing party and candor to the court.

Doing some follow-up research, I came across Ethics Opinion 1214 from the New York State Bar Association. Issued January 11, 2021, the opinion answers a question from a lawyer assigned to represent a person who had filed a pro se petition to vacate a judgment of foreclosure.  Upon reviewing the filing, the lawyer concluded that the person lacked a non-frivolous basis in law or fact to vacate the judgement.  The opinion concludes as follows:

  1. The lawyer may not argue or advance frivolous arguments.
  2. If the person insists, the lawyer may move to withdraw pursuant to:
    1. New York’s Rule 1.16(c)(4). The rule permits withdrawal when a “client insists on taking action with which a lawyer has a fundamental disagreement;”[ii] or,
    2. any other rule mandating or permitting withdrawal.
  3. In moving to withdraw, the lawyer must not disclose confidential information.[iii]
  4. If a motion to withdraw is denied, the lawyer must continue to represent the client, but without presenting frivolous claims.

Here’s the key language on the final point.  Even when withdrawal is not allowed, the lawyer:

  • “may still not engage in ‘frivolous conduct’ at the direction or behest of the homeowner. A client has no right to instruct a lawyer to violate a Rules of Professional Conduct, and a lawyer has no right to follow an instruction that the lawyer violate a Rule. Thus, the inquirer must find a means to competently represent the homeowner without putting forth frivolous arguments.”

As always, be careful out there.

[i] I suppose this might be referred to as the “Dumb & Dumber Corollary.”

Dumb and Dumber

[ii] Vermont’s Rule 1.16(b)(4) includes the same language.

[iii] For more on this issue, see my post Stop Making Noise. It discusses the peril of “noisy withdrawal.”

Proposed Florida Opinion would allow mobile payment of legal fees as long as lawyers protect client confidences and safeguard funds.

I know a guy who runs an NCAA tournament pool.  He told me that most participants paid via Venmo or PayPal.  A few, however, sent checks in the mail.  Hearing this made me realize that there are people who do not know how mobile payment apps work.

Last week, the Florida Bar’s Professional Ethics Committee approved Proposed Advisory Opinion 21-2.  The proposed opinion concludes that Florida’s ethics rules do not prohibit a lawyer from accepting payment via apps like Venmo & PayPal if the lawyer:

  1. protects client confidentiality; and,
  2. takes reasonable steps to safeguard funds held in connection with a representation.

This press release summarizes the proposed opinion. It now goes out for comment and will considered for final adoption in June.

Next week, I’ll blog about the opinion’s consideration of the trust account rules.  Today, I’m more interested in the first part of the opinion.  In my view, it provides helpful reminders and guidance on tech competence and client confidentiality.

Some of you might be wondering: what does a mobile payment app have to do with client confidentiality?  Well, there you have it: tech competence.  You need to know what you don’t know.

Like the Florida opinion, let’s use Venmo as an example.

Venmo is more than just a payment processor.  In a way, it’s a social media platform.  Here’s language from the Florida opinion:

  • “For example, Venmo users, when making payment, are permitted to input a description of the transaction (e.g., ‘$200 for cleaning service’). Transactions are then published to the feed of each Venmo user who is party to the transaction. Depending on the privacy settings of each party to the transaction, other users of the application may view that transaction and even comment on it.”

To illustrate the point, if you download the Venmo app, here’s what you’ll see before you log-in or sign-up:

IMG_5777

From the third transaction in the feed, we know that Skye F and John G had a virtual coffee date.  Let’s hope that their privacy settings are such that one or the other’s significant other didn’t find out.

As an aside, did the date not go well? Is that why Skye charged John??  Anyhow, I digress.

Now, apply this to real life.  Yes, accepting mobile payments might make it easier to run your law office.  However, things might become more difficult if your privacy settings are such that the entire world, including John G’s unsuspecting spouse, learns from Venmo that your firm charged John G. for “divorce consultation.”

Here’s the answer, courtesy of me logging into Venmo and opening my privacy settings:

IMG_5778

Finally, here’s a great paragraph from Florida’s proposed opinion.  The first sentence aside, it applies to every single circumstance that involves information relating to the representation of a client:

  • “For lawyers, accepting payment through a payment-processing service risks disclosure of information pertaining to the representation of a client in violation of Rule 4- 50 1.6(a) of the Rules Regulating The Florida Bar. Rule 4-1.6(a) prohibits a lawyer from revealing information relating to representation of a client absent the client’s informed consent. This prohibition is broader than the evidentiary attorney-client privilege invoked in judicial and other proceedings in which the lawyer may be called as a witness or otherwise required to produce evidence concerning a client. The ethical obligation of confidentiality applies in situations other than those in which information is sought from the lawyer by compulsion of law and extends not only to information communicated between the client and the lawyer in confidence but also to all information relating to the representation, whatever its source. Likewise, a lawyer must make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation. The obligation of confidentiality also arises from a lawyer’s ethical duty to provide the client with competent representation. This includes safeguarding information contained in electronic transmissions and communications.”

From there, the opinion makes several suggestions.  To me, they boil down to this one:

  • “The lawyer must make reasonable efforts to understand the manner and extent of any publication of transactions conducted on the platform and how to manage applicable settings to preempt and control unwanted disclosures.”

That’s all for now.  Next week I’ll discuss the section of the opinion that deals with the trust account rules.

Related post:

Tuesday Tips

On this morning’s run, I realized that I haven’t blogged in a while.  I tried to fool myself into thinking that I hadn’t had time.  However, I realized that blogging is no different than running, staying in touch with friends & family, or anything else that we tell ourselves we don’t have the time to do: it’s not so much that we don’t have the time, it’s that we don’t make the time.  So, in the middle of a gorgeous morning run, I vowed that the day would include a blog post.

Alas, too distracted by the perfect running weather, no topic popped to mind.  A few minutes ago, however, my brother texted to ask which steak tips I buy from the meat market that’s near my condo.  Somehow, thinking of steak “tips” got me thinking that I should post a blog with some quick tips on legal ethics.  Especially with the opportunity for an alliterative headline.

What follows is an old blogger’s trick when no original content jumps to mind: a potpourri of links to other sources, each loosely related to professional responsibility.

Reregulation

I’m interested in the emerging concept of “re-regulation.”  In a nutshell, the concept embraces reforming and revising the traditional system of legal regulation to spur innovation and to increase access to legal services. I first mentioned re-regulation here, a post in which I linked to this more helpful post from Jayne Reardon at 2Civility.  From the ABA Journal, a few updates related to regulation:

  • this story about a proposal in New York to allow social workers to provide clients with limited legal services.
  • this story about the Utah law firm that is the country’s first to be owned entirely by non-lawyers.

Competence

The duty of competence is the cornerstone upon which this blog was built.  Here are some links to recent ABA Journal articles that touch upon the duty:

  • If you practice in the United States Court of Appeals for the District of Columbia Circuit, make sure not to use the Garamond font in your briefs.
  • Tired of using (or reading) “citation baggage?” Those cites with endless parentheticals and quotations?   Last month, Justice Clarence Thomas endorsed using “cleaned up” to convey that citation baggage has been omitted.
  • Finally, there’s this story. It serves to caution us that when characterizing another’s legal argument as “sound and fury signifying nothing,” we’d do well to remember the entirety of MacBeth’s statement.

If you clicked on the final two links, you’ll understand my closing line:

Let it never be said that quoting Ricky Bobby is “citation baggage.”

Ricky Bobby

Wisconsin Advisory Opinion Offers Cybersecurity Tips on Working Remotely

In late January, the Wisconsin Bar issued Formal Ethics Opinion EF-21-02: Working Remotely.  The opinion makes three important points and shares helpful and practical guidance on cybersecurity practices, training & supervision, and preparing clients.

astronaut-sitting-moon-laptop

First, the important points.

I’m a fan of the opening line of the synopsis:

  • “The basic responsibilities that a lawyer owes the client – competence, diligence, communication, and confidentiality – lie at the core of lawyer’s professional obligations and remain unchanged irrespective of the lawyer’s physical location.”

That’s critical: the pandemic hasn’t lessened or diminished our professional obligations.  Our responsibilities remain the same as in 2019 when we were working in our offices.  Further, our basic obligations to clients will not change once the pandemic ends. As the opinion points out, “it is expected that lawyers, like other professionals, will continue to work remotely in some form after the pandemic.” So, the guidance, while issued in response to the pandemic, will prove valuable in an increasingly remote post-pandemic workplace.

Next, the opinion reiterates what I’ve been blogging for years: competence includes tech competence.  Pages 2 and 3 include language that I’m certain will worry lawyers.  The language, however, is important to take to heart.

  • “Basic technological competence includes, at a minimum, knowledge of the types of devices available for communication, software options for communication, preparation, transmission and storage of documents and other information, and the means to keep the devices and the information they transmit and store secure and private.”

As the opinion notes, large firms likely will employ IT professionals for these issues.  Small firms and solos are reminded that they “may need to retain the services of an expert if they lack the knowledge to personally manage the technological aspects of practice.”

Finally, the conclusion ties together the first two points in an important reminder:

  • “The COVID-19 pandemic has dramatically changed how lawyers work and represent their clients. Some of these changes may be temporary but others are likely part of a movement towards increased reliance on technology in the practice of law. As working remotely has become the new normal, lawyers must develop new skills and knowledge to comply with their core responsibilities.”

Indeed.

I’ll finish by cutting and pasting the guidance and practical tips that begin on page 10 of the Wisconsin opinion.  I’ve reformatted & renumbered the footnotes to endnotes.

***

General Guidance

 It is impossible to provide specific requirements for working remotely because lawyers’ ethical duties are continually evolving as technology changes. It is possible, however, to provide some guidance. Cybersecurity Practices Because working remotely relies on technology, competence in technology and cybersecurity practices are essential. The following cybersecurity practices have been recommended by a number of ethics opinions[i] and other resources. None of these practices are new: they are reasonable precautions that have helped lawyers fulfill their ethical obligations, especially the duty of confidentiality, when working in the office and when working remotely, whether at home during evenings and weekends, or during travel for work or vacation.

  • Require strong passwords to protect data and to access devices. The more complex the password, the less likely that an unauthorized user will be able to access data or devices by using password cracking techniques or software.
  • Use two-factor or multi-factor authentication to access firm information and firm networks. Although requiring an additional authentication step, such as a six-digit code sent to the lawyer’s phone or email, may seem inconvenient or burdensome, it is a reasonable precaution that increases protection and reduces the likelihood of unauthorized access by providing an additional layer of security beyond a strong password.
  • Avoid using unsecured or public WiFi when accessing or transmitting client information. Hackers can access unencrypted information on unsecured WiFi and can use unsecured WiFi to distribute malware.
  • Use a virtual private network (VPN) when accessing or transmitting client information. A VPN encrypts information and allows users to create a secure connection to another network.
  • Use firewalls and secure router settings. A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules: it establishes a barrier between a trusted network and an untrusted network. A router connects multiple devices to the Internet, and connects the devices to each other.
  • Use and keep current anti-virus and anti-malware software. Anti-virus and anti-malware both refer to software designed to detect, protect against, and remove malicious software.
  • Keep all software current: install updates immediately. Updates help patch security flaws or software vulnerabilities, which are security holes or weaknesses found in a software program or operating system.
  • Supply or require employees to use secure and encrypted laptops. All lawyers and staff should use only firm issued devices with security protections and backup systems and prohibit storage of firm or client information on unauthorized devices. All devices used by the lawyer, such as desktop computers, laptops, tablets, portable drives, phones, and scanning and copy machines, should be protected.
  • Do not use USB drives or other external devices unless they are owned by the firm or they are provided by a trusted source.
  • Specify how and where data created remotely will be stored and how it will be backed up.
  • Save data permanently only on the office network, not personal devices. If saved on personal devices, taking reasonable precautions to protect such information.
  • Use reputable vendors for cloud services. Transmission and storage of firm and client information through a cloud service is appropriate provided the lawyer has made sufficient inquiry that the service is competent and reputable.[ii]
  • Encrypt emails or use other security to protect sensitive information from unauthorized disclosure. A lawyer should balance the interests in determining when encryption is appropriate.
  • Encrypt electronic records, including backups containing sensitive information such a personally identifiable information.
  • Do not open suspicious attachments or click unusual links in messages, email, tweets, posts, online ads.
  • Use websites have enhanced security whenever possible. Such websites begin with “HTTPS” in their address rather than “HTTP,” and encrypt the communication.
  • Provide adequate security for video meetings or conferences. The FBI has recommended the following steps: use the up-to-date version of the application; do not make the meetings public; require a meeting password; do not share the link to the video meeting on an unrestricted publicly available social media post; provide the meeting link directly to the invited guests; and manage the screen-sharing options.[iii] In selecting a videoconferencing platform, the lawyer should make sure it is sufficiently secure both in its structure and its contractual terms of use, especially any terms on access to user information.[iv]
  • Do not have work-related conversations in the presence of smart devices such as voice assistants. These devices may listen to and record conversations.[v]

Training and Supervision

To comply with the duties required by SCR 20:5.1 and 5.3, partners, managers and supervisory lawyers should consider whether the firm’s policies and procedures are adequate to address the specific challenges that may arise when lawyers and nonlawyer assistants are working remotely.

  • Establish and implement policies and procedures for cybersecurity practices. These policies and procedures should be in writing and provided to all lawyers and nonlawyer assistants, and stress compliance.
  • Establish and implement policies and procedures for the training and supervision of lawyers and nonlawyer assistants in the firm’s cybersecurity practices. Training is the most basic step in avoiding a cyberattack at a law firm. In other words, it is extremely important to develop a culture of awareness. The most serious vulnerabilities of a cybersecurity system are not the hardware or software, but rather the people who use it. It is estimated that 90% of cybersecurity breaches are due to human error.[vi]
  • Establish and implement policies and procedures regarding remote workspaces to mitigate the risk of inadvertent or unauthorized disclosures of information relating to the representation of clients. Remote workspaces should be private to ensure that others do not have access to phone conversations, video conferences, or case-related materials.
  • Hold sufficiently frequent remote meetings between supervising attorneys and supervised attorneys, and between supervising attorneys and supervised nonlawyer assistants to achieve effective supervision.

Preparing Clients

Representing a client remotely may present challenges to competent representation.[vii] Consequently, a lawyer should carefully consider whether the lawyer can adequately prepare the client to testify or for interviews while working remotely.

  • The lawyer and the client should have sufficient ability with the technology.
  • The lawyer and the client should have access to relevant documents.
  • The lawyer and the client have adequate time and attention to ensure the client’s comfort with the communicating by the medium that will be used.

[i] See, e.g., Wisconsin Formal Ethics Opinion EF-15-01: Ethical Obligations of Attorneys Using Cloud Computing (Amended September 8, 2017).

[ii] Wisconsin Formal Ethics Opinion EF-15-01.

[iii] https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-ofteleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic

[iv] Lawyers must understand that if video conferences are recorded the vendor may retain a copy under the terms of service. See INSIGHT: Zooming and Attorney Client Privilege, https://www.bloomberglaw.com/exp/eyJjdHh0IjoiQ1ZOVyIsImlkIjoiMDAwMDAxNzEtZWExYy1kMDAwLWE5N2YtZ WE3ZTkwYWMwMDAxIiwic2lnIjoidVliaWhQR3J3ZmpWcDBKeE5KY1JYV1c0RlcwPSIsInRpbWUiOiIxNTkwMjQwMzM 1IiwidXVpZCI6IndNWHUzdVFGajBEWGxkZFBKcTNSVVE9PU1ZZmVtSkhLU0hBMWtPNG8rTE50eGc9PSIsInYiOiIxIn0= ?usertype=External&bwid=00000171-ea1c-d000-a97fea7e90ac0001&qid=6912181&cti=LSCH&uc=1320042032&et=SINGLE_ARTICLE&emc=bcvnw_cn%3A7&bna_news_ filter=true

[v] For example, Google and Amazon maintain those recordings on servers and hire people to review the recordings. Although the identities of the speakers are not disclosed to these reviewers, they might hear sufficient details to be able to connect a voice to a specific person. https://www.vox.com/recode/2020/2/21/21032140/alexa-amazongoogle-home-siri-applemicrosoft-cortana-recording .

[vi] https://www.techradar.com/news/90-percent-of-data-breaches-are-caused-by-humanerror#:~:text=A%20new%20report%20from%20Kaspersky,carried%20out%20by%20cloud%20providers .

[vii] The New York County Lawyers Association Formal Opinion 754-2020 at 3.

Court isn’t a social media platform.

It’s the rare inquiry that involves the rule that addresses trial publicity.  Alas, in that it’s becoming more and more rare to find a lawyer not on social media, I think today’s message bears mentioning.

Rule 3.6 is the trial publicity rule.  It prohibits “extrajudicial statements that the lawyer knows or reasonably should know will be disseminated by means of public communication and will have a substantial likelihood of materially prejudicing an adjudicative proceeding in the matter.”

Whoa.  Try saying that three times fast.

Anyhow, lately I’ve sensed a general feeling that arguments made in pleadings and court are seeping into lawyers’ social media posts, thereby raising Rule 3.6 concerns.

I disagree.

Based on the information I’ve reviewed when responding to inquiries and screening complaints over the past few years, I believe that the accepted norms of social media posts are seeping into pleadings and arguments.

I don’t say that with admiration for those causing the seepage.

Court is court.  It’s not the kitchen table, the town square, the bar, or Facebook. Give it the respect it deserves. Or, read Rule 3.5(d).

Last week, Professor Bernabe blogged about a Texas lawyer and client who were “’sanctioned $150,000 for the client’s ‘outright lies’ in litigation and ‘mountain of evasiveness’ in discovery.”  His post is here.  It links to this ABA Journal story, which, in turn, cites to a post on Law.com.

I’m not going to get into the misconduct that resulted in the sanction. For those interested in learning more about it, the court’s order imposing the sanction is here.

Rather, I want to highlight a statement made by the other lawyer.  Per the ABA Journal, “Opposing counsel Foster Johnson told Law.com that he hoped that the sanctions would be a warning to other lawyers.”

Then, the money quote:

  • “ ‘Lawyers at times forget filing motions and pleadings is not like using Twitter,’ Johnson said. ‘You can’t just say anything you want when you file a complaint. You can’t say anything you want when you file a summary judgment motion.’”

Indeed.

To paraphrase this blog’s muse, “say it in a Tweet it’s a knockout, but you say it in a court you’ll be kicked out.”

Remember, in pleadings & arguments:

1*wA1Vc082NU82zI64lp99Sg

Don’t say I didn’t say I didn’t warn ya.

Is there a duty to encrypt email?

Given that it’s Friday, I’ll start with a quiz question:

Which is most accurate? A lawyer must _____

  • A.  encrypt an email that contains information related to the representation.
  • B.  encrypt an email that contains “sensitive information.”
  • C.  encrypt an email that contains privileged information.
  • D.  act competently to protect the confidentiality of information related to the representation of a client, including by taking reasonable precautions to protect against the inadvertent disclosure of or unauthorized access to that information.

The answer is D.

I understand that practicing lawyers with professional responsibility inquiries want “yes” or “no” answers. However, bar counsel types who provide ethics guidance often don’t get as specific as lawyers would like. In no area is that more common than protecting client information.

Decades ago, I’m guessing that my predecessors didn’t answer “yes” or “no” when asked “am I required to buy one of those fancy new file cabinets that has locks on each drawer?”  Rather, they replied “you are required to take reasonable precautions to protect client information.”  Whether the inquirer’s personal circumstances made file cabinets sans locks unreasonable would’ve depended on the circumstances.  For instance, were the file cabinets in a locked closet to which only the lawyer and staff had access? Or were the file cabinets in storage room that the law firm shared with other businesses that rented space in the building?

Indeed, in 2017, the ABA’s Standing Committee on Ethics & Professional Responsibility declined to set “hard and fast rules” for storing client’s electronic information. In Formal Opinion 477, the Committee essentially announced that it’s not going to review every new advance in technology. No matter the next new thing, the duty remains the same: take reasonable precautions to protect client information.

Earlier this week, Professor Bernabe posted Does a lawyer have to encrypt e-mail messages? In it, he linked to LexBlog’s Encryption Ethics. I like the LexBlog post. The author makes clear that there will come a day when the failure to encrypt is deemed unreasonable. Here’s the post’s concluding sentence:

  • “But as encryption and other safeguards get less expensive and cumbersome, your duty to implement these measures will undoubtedly increase.”

I’ve been saying the same thing for years. In 2015, I said it To encrypt or not to encrypt?  I said it again in 2017’s Encryption and the Evolving Duty to Safeguard Client Information.  In each post, I referenced various advisory opinions that make clear that, someday, technology will have evolved to the point at which it is no longer reasonable to choose not to encrypt email.  Similarly, there will come a time when it is not reasonable to use modes of information transmission or storage that do not encrypt the information in transit or at rest.

As I’ve run out of coffee and fret about having time to draft a Five for Friday post, I fear that I’ve lost focus.  So, I’ll leave you with this:  yesterday’s reasonable safeguards might be wholly unreasonable tomorrow. At the very least, take some time to think about how you and your firm are handling electronically stored client information.

Safeguarding data

Buried Ledes, Hackers, and Protecting Client Data

A friend of mine used the word “lede” in a text she sent me earlier this week.  So impressed that she knew the proper spelling, the word has stayed on my mind ever since.  Good thing.  Because as I proofed this post, I realized that I almost buried the lede.

Even Vermont-sized law firms are vulnerable to hackers.

Image result for hackers data

In January, hackers stole data from five small firms.  From each, the hackers demanded 100 Bitcoin to restore access to the data and 100 Bitcoin not to sell it. Then, the hackers began publishing the data on the web. Among others, Law.Com, CoinTelegraph and the ABA Journal have the story.

Did I mention that, at the time, 100 Bitcoin cost $930,000?  Today it’s only $890,416.

I’ll return to the story in a moment.  First, however, I’d like to introduce Jim Knapp.

Jim is Vermont State Counsel for First American Title Insurance.  But the day I blog about underwriting will be the day I retire as a blogger.

For many years, Jim and Kevin Ryan presented their famed “Road Show” across Vermont. It was a CLE that included great tips on tech and data security. You know – tech competence!

I’ll start with the basic premise: lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to information relating to the representation of a client. The duty applies to the electronic transmission and storage of client information & data.

As I noted here, there is no set answer to “what are reasonable precautions?”  The ABA’s Standing Committee on Ethics and Professional Responsibility agrees. In Formal Opinion 477, the Committee advised:

  • “What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”

With respect to cyber threats, the Committee stated:

  • “the reasonable efforts standard. . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”

Now, back to the story of the hackers.

Along with blogger’s bloc, the story made realize today is a great day for a Q&A with Jim Knapp. Jim was kind enough to agree.

MK: Thanks for doing this Jim. First reaction when you read about the hack?

Jim: So, this would be deemed a really bad day! First you are locked out of your system, and even if you had good recent backups, and could expend the money and time to restore everything, second, the bad actors are still threatening to sell / release your data. Not to mention, now you have a data breach and must satisfy all the legal requirements related to the analysis and notifications imposed by State laws. What a way to start a week!

MK: I’ll say. For me, this hit home because it didn’t involve one of the ginormous multi-national firms. The firms involved are similar in size to most Vermont firms. How do Vermont lawyers protect themselves?

Jim: As we’ve seen, 2020’s are barely a few weeks old and the news is not good. Ransomware has reached a new high(?) / low (low). The bad actors are not just encrypting your files, they are offering to publish your firm’s files to the public, or at least the public that uses the dark web.

You can no longer rely on having anti-virus software as your only means of protection. Backups are important to recover your data in the case of disaster, but a good backup won’t stop a bad actor from publishing data they have stolen from your firm. Acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.

MK: I love the last sentence: “acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.” Many lawyers, myself included, aren’t exactly tech savvy. My sense is that many firms “leave that to the IT person.” Of course, in the end, a lawyer is responsible for ensuring that the nonlawyer staff – including IT staff and vendors – are protecting client data. Anyhow, how do we move from toes-in-the-water to the deeper end of that pool of knowledge? Some states require tech CLE. In December 2018, I posted this blog wondering if we should.

Jim: While the idea of mandatory participation in professionalism, mindfulness, wellness, etc., are all good subjects, it seems to me that perhaps mandatory participation in cybersecurity training would be a worthy subject. Not just for lawyers but for all persons who work in a law office. As regards Vermont, out of the 2700+ lawyers, I’ll bet not more than 350-400 unique persons have attended a well prepared and presented program on cybersecurity. Of course, those folks will roll their eyes, if they have to hear one more presentation on “don’t click”; have good passwords etc.

MK: I agree. But I still run into lawyers who say, “I wouldn’t even know what the presenters are talking about.”

Jim: Gaining a suitable level of the essential elements of data security is a challenging task if you choose to pursue this on your own. The key is finding a suitable CLE program that can translate the arcane elements of information security into knowledge you can use to assess how safe your law office environment is. Everyone whose practice depends on the availability of information stored on a computer system owes it to their clients and to themselves to attend enough CLE programs to understand what options exist for protecting their digital information.

MK: Music to my ears! But it has to be more than just “go to a tech CLE,” right?

Jim: Training is a key element to protecting your digital environment. But training alone isn’t sufficient, as no matter how diligent you are in reminding all your colleagues not to open questionable emails, stay away from questionable websites, and to watch out for the social engineers looking to convince you to hand over key information like passwords, the bad actors will eventually find an opening and pounce.

Information security for a law office involves all kinds of elements, from

  • properly configuring the hardware included in your network, like the router that connects your office to the outside world; to,
  • running a suitable firewall; to,
  • using effective anti-malware software; to,
  • keeping your operating system and applications up to date with all patches (Note: if you are still using Windows 7 you must STOP now. Microsoft is no longer providing patches for Windows 7 and there are still numerous vulnerabilities that have never been fixed and now will not be fixed)
  • possibly running intrusion detection and intrusion prevention systems within your network;
  • and more.

MK: Good stuff! Last question before we lose everyone: I’ve often called you for tips on backing up client data. Can you give us the quick version that you’ve given me on backups, airgap, etc.?

Jim: Backup, like all tech issues, has lots of components. The right backup strategy depends on what kind of data you have, how much data you have, and where you store your data. But, everyone should consider at least the following elements:

  • Nearline – a backup that is connected to your network storage, or to your personal PC (wherever you store your day to day work product) all the time and periodically (hourly, every few hours, at least twice a day), duplicates the data in your data storage. Usually, an external USB hard drive purchased for less than $100.00 will suffice. This allows you to recover immediately, or nearly immediately from a problem with your storage device, e.g. your hard drive or SSD croaks at 3:30 and the response to the motion for summary judgment is due tomorrow.
  • Offline – a backup that is stored off-site. It can be cloud based, or a rotation of physical drives, one of which is stored off-site at all times. This provides a recovery option for the electrical surge that kills your onsite storage, a fire, a flood, or somebody breaks into your office and steals the computers. This backup is run at an interval calculated by how much work-product you are willing to lose and have to recreate. It could be measured in weeks, but I would offer that daily is a more reasonable assessment.
  • Airgap – this a backup device that is only connected to your network or the PC while the backup is running. This is one tool in the kit to address a ransomware attack on your systems. Again, an airgap backup will typically fit on a good quality external USB hard drive which is a $100 item. To run the back-up, you connect the device to the storage device you want to backup, and as soon as the backup is complete, you disconnect the backup device and store it safely away from any connection to your data storage systems.

MK: I lied, one more question: you & I bumped into each other at church on Ash Wednesday. Was that your cell phone that went off during mass? Tech competence is a thing at worship too.

Jim: Fortunately no, neither of my cell phones was that particular culprit.

MK:  Good.  The ringtone reflected a failure to act competently when choosing a ringtone.

Jim:  I have two cell phones because of the nature of the insurance business and my employer’s policies. Particularly, in the case of regulators, they can demand access to Company information, some of which may be stored on my phone. And, the Company retains the right to monitor and inspect all data stored on or passing through their data-stream. Now, while I have few secrets worth discovering, and after 40 years of practice in Vermont, net worth is not one of them, I have no desire to expose my personal information to either the regulators or the Company. Hence, I have a personal cell phone and a work cell phone. I would suggest that lawyers should consider the same analysis I did. If you were sued, do you really want opposing counsel and your appointed defense counsel rummaging through the materials on your phone?

MK:  It’s almost as if you’ve seen what’s on my phone.  No, I don’t want anyone rummaging through!  Good reminder though: as I blogged here, lawyers who travel abroad should consider leaving behind devices that contain client data.

Thanks Jim, this was great!

To be clear: being hacked isn’t necessarily an ethics violation.  Even reasonable security can be breached.  My point today is to encourage lawyers and firms to assess the measures that they have in place.  And, to encourage those who don’t know how to perform such an assessment to find someone who does.

Finally, if you or your firm has been breached, you should (1) read my post ABA Addresses Lawyer’s Duties in Response to a Data Breachand (2) review the Attorney General’s outline of duties that arise under Vermont’s Security Breach Notice Act.

As always, let’s be careful out there.

Bar Assistance Program: why I support it.

This morning, I blogged on the Vermont Supreme Court’s proposal to create a Bar Assistance Program that would be administered by bar counsel.  Here’s why I support the proposal to expand the assistance that the Professional Responsibility Program and bar counsel already provide.

A New Approach to Attorney Regulation

For too long, the prevailing thought was that an attorney regulation program had to focus on discipline to be effective.  States devoted more resources to responding to misconduct than to preventing it.  The focus, then, was not on enhancing the provision of competent legal services, a focus that, really, is the best form of (a) public protection; and, (b) promoting confidence in the bar’s ability to self-regulate.

Times have changed.

ABA Resolution 105 (2016)

In 2016, the ABA House of Delegates approved Resolution 105.  In it, the ABA adopted “Model Regulatory Objectives for the Provision of Legal Services” and encouraged states to do the same.  Among the objectives, the “efficient, competent, and ethical delivery of legal services.” While Resolution 105 did not come out of the wellness movement, its intent applies.

Simply, Resolution 105 recommends that each state supreme court decide what it wants the objectives of its attorney regulation program to be.  Per the report submitted to the House of Delegates in support of the proposed resolution, identifying and adopting regulatory objectives “serves many valuable benefits,” including:

  • Defining the purpose and parameters of the regulatory program;
  • Identifying the goals and objectives of the regulatory program; and,
  • Enhancing trust that lawyers have in regulators, as well as the trust and confidence that the public has in the profession’s ability to regulate itself.

The ABA adopted 10 model regulatory objectives.  They include the “[e]fficient, competent, and ethical delivery of legal services.”

The National Task Force on Lawyer Well-Being

Next, in 2017, the National Task Force on Lawyer Well-Being issued The Path to Lawyer Well-Being: Practical Recommendations for Positive Change (“The Report”).  The Report kickstarted the attorney wellness movement.

I will not go through the entire report. It is important, however, to review its purposes.  There are 5, each of which is listed in a letter written by the Task Force’s co-chairs when the report was announced.  Three are key here:

  1. Eliminating the stigma associated with help-seeking behaviors;
  2. Emphasizing that well-being is an indispensable part of a lawyer’s duty of competence;
  3. Taking small, incremental steps to change how law practice and how lawyers are regulated to instill greater well-being in the profession.

I want to emphasize the third: changing how lawyers are regulated to instill greater well-being in the profession.  Indeed, The Report itself recommends that regulators “develop their reputation as partners with practitioners.”

ABA Resolution 107 (2019)

Last  summer, the ABA House of Delegates adopted Resolution 107.  The resolution urges states to adopt Proactive Management Based Regulation (“PMBR”).  In short, PMBR encourages a system of attorney regulation that focuses more on promoting compliance than it does on responding to misconduct.  A core objective of PMBR is to promote the provision of competent legal services.

Vermont was ahead of the curve.  We adopted a version of PMBR in 2012.  As I blogged here, we know that it works.  Essentially, we – thanks to you – have created a culture of compliance.

A New Paradigm

The profession has come to recognize that proactive regulation is the future.  Gone are the days of a monolithic focus on responding to misconduct.  Now, it’s time for each state to look within, and identify, announce, and implement the objectives of its own regulatory system.

Since 1999, bar counsel’s role has been to “provide referrals, educational materials, and preventive advice and information to assist attorneys to achieve and maintain high standards of professional responsibility.”  Supreme Court Administrative Order 9, Rule 9. To me, that necessarily includes providing assistance, referrals, and preventive advice on behavioral health issues.

As a profession and a Professional Responsibility Program, our objectives should include doing whatever we can to help lawyers to develop and maintain the ethical infrastructure needed to provide competent legal services.  In that well-being is an aspect of competence, that necessarily includes making well-being an objective.

Here are two statements from the Executive Summary submitted with Resolution 107 when it was proposed:

  • “PMBR programs encourage professionalism and civility, and change for the better the relationship between the regulator and regulated.”
  • “PMBR programs are not one-size-fits-all, may be crafted to meet the needs of each
    jurisdiction, and are reasonable in cost.”

In my view, Vermont is well-suited to adopt the proposed Bar Assistance Program. We’re small enough to make it work and can add it without any corresponding increase to attorney licensing fee. Further, affirmatively decoupling assistance from discipline will only serve to improve the relationship between the regulator and the regulated.

These are among the reasons that I support expanding the assistance that the Professional Responsibility Program and bar counsel already provide to include assistance of the type traditionally referred to as “lawyer assistance.”

We might not get every starfish back to the water, but it will mean the world to the one that we do.

Image result for starfish image

Throwback Thursday: Social Media

Last week, I posted Comptence & E-Discovery.  It generated a few calls & emails on another topic that we touched upon in the seminar that’s referenced in the post: a lawyer’s professional obligations vis-a-vis ESI & social media.

I’ve blogged & spoken on the issue several times. To me, it comes down to this:

  • The duty of competence includes reviewing the publicly available social media presences of adversaries, witnesses, and jurors.
  • Knowing that others are looking, the duty of competence includes advising clients of the risks associated with making information publicly available on social media.

As to the former, please see this post from September 2019.  It includes links to several advisory ethics opinions that address a lawyer’s duties when reviewing social media evidence. As to the latter, please see this post, also from September 2019.

Image result for images of social media