Have you heard the one about the $1 million fee award that walked into a spam filter?

It’s no joke.

UPDATE:  After reading my original post, a lawyer shared a story with me and authorized me to share it with you.  I’ve appended the story to this column. Because I think the story might serve as a valuable tip, I’m re-posting this blog to help draw attention to it. 

I’ve often blogged on the ethical duty of tech competence.  My posts on the topic are here.

Now, a cautionary tale from the real world.

Alberto Bernabe is a law professor at The John Marshall Law School. He’s also a regular presence on this blog’s #fiveforfriday Honor Roll.  Yesterday, on his own blog, Professor Bernabe posted ‘My computer ate my homework’ is not a good excuse.  His post links to a case that involves tech competence and a missed deadline to appeal an order awarding $1,000,000.00 in attorney’s fees.

The full story comes from Law For Lawyers Today.  The headline says it all: Deleted spam leads to missed appeal; not excusable, FL court of appeals holds.  Here’s the quick version:

  • Ben sued Tom.
  • Lawyer represented Ben.  Attorney, who works at Firm, represented Tom.
  • Ben won.
  • Lawyer moved for attorney’s fees.
  • The court granted the motion.
  • The court e-mailed the order to Attorney.
  • Attorney’s Firm’s e-mail system “filtered out” the order as spam.
  • Firm’s e-mail system was configured to delete spam after 30 days, without notice to a person.
  • Firm’s e-mail system deleted the order.
  • Tom moved for relief from judgment.
  • Attorney argued that Firm did not receive the order in time to file an appeal.
  • The trial court denied the motion.
  • An appellate court affirmed the trial court’s decision.

At the hearing on Tom’s motion for relief from judgment, Firm’s former IT person testified that he had advised Firm against configuring its e-mail system to delete spam after 30 days and without notice to a person.  He also testified that he advised Firm to buy an e-mail backup system and to retain a tech vendor to deal with e-mail spam.  Firm did not take the advice, in part to save money.

The appellate court noted that Firm’s failure to learn about the order did not result from “mistake, inadvertence, surprise or excusable neglect.”  Rather, Firm intentionally chose to use “a defective e-mail system without any safeguards or oversight to save money. Such a decision cannot constitute excusable neglect.”

Competence includes tech competence.  For now, I’ll leave you with the final paragraph from the blog post that’s on The Law for Lawyers Today:

  • “The harsh result here may yet be ameliorated if the court of appeals grants rehearing.  In the meantime, however, the scary scenario points to the need to pay attention to your firm’s  technology and processes for handling spam.  And old-fashioned procedures like checking the court’s docket can also help avoid an unpalatable spam situation.”

UPDATE – here’s the abridged version of the story that a lawyer shared with me after reading my original post.

  • Lawyer represented Client.
  • Throughout matter, Lawyer & Client communicated via e-mail.
  • Matter went to a bench trial.
  • In a written decision, Trial Court found against Client.
  • Lawyer scanned the decision and attached it to an e-mail to Client.  In the body of the e-mail, Lawyer asked “Do you want to appeal?”
  • 31 days after decision was issued, Client called Lawyer and asked “have we heard anything from the trial court?”
  • Lawyer investigated and determined that the e-mail to Client was stuck in outgoing mail and had never left Firm’s server.
  • Over Opposing Party’s objection, Trial Court granted Lawyer & Client leave to file an untimely appeal.
  • On appeal, the Vermont Supreme Court granted Opposing Party’s motion to dismiss the appeal as untimely.

Lawyer’s firm took two lessons from the experience: (1) Lawyer regularly checks Lawyer’s spam folder & outgoing mailbox; and, (2) rather than relying on e-mail silence, Firm adopted a protocol to call clients on important issues, such as the decision whether to appeal.

 


Competence, ESI, and E-Discovery

I’ll say it again: Rule 1.1’s duty of competence includes tech competence.

To me, the duty includes:

  • knowing that “it” exists,
  • knowing that clients, their adversaries, and witnesses have “it;” and,
  • knowing how to protect, preserve, produce, request, review, and use “it.”

What is “it?”

It is Electronically Stored Information (“ESI”).  Nearly every lawyer who has a client, has a client whose lawyer needs to know about ESI.  Indeed, I can’t think of a practice area in which a lawyer need not know about ESI.

  • Whether civil, criminal, probate, or family court, with so many of us so active on social media, ESI is a treasure trove of evidence.  Wondering how to admit a text, tweet, or social media post into evidence?  Check out the Evidence in Practice seminar at next week’s Annual Meeting of the Vermont Bar Association.
  • Wondering about your duties if a client asks about “scrubbing” or “taking down” social media posts?  The Pennsylvania Bar has issued some guidance.
  • For those of you practicing in the Vermont Superior Court’s Civil & Family Divisions, VRCP 26(a) lists the methods by which a party may obtain discovery.  Among them: a Rule 34 request to produce ESI.  Rule 26(b)(2)(A) imposes specific limitations on the discovery of ESI.  The federal rules of civil procedure have similar provisions.
  • Doing any estate work? There’s a new  Vermont law on digital assets.
  • Those of you who are in-house or general counsel . . . do you have some idea as to what ESI your client has, where it’s stored, and how long it’s kept? Have you talked to your client about its policy on employees using personal devices to access company data? Today, Above The Law posted some practical tips on preservation letters, including tips related to preserving & producing ESI.

I could go on & on. It is everywhere.

In 2015, the State Bar of California’s Standing Committee on Professional Responsibility and Conduct issued Formal Opinion 2015-193.  The opinion responds to the question “[w]hat are an attorney’s ethical duties in the handling of discovery of electronically stored information?”  Here’s the digest:

  • “An attorney’s obligations under the ethical duty of competence evolve as new technologies develop and become integrated with the practice of law. Attorney competence related to litigation generally requires, among other things, and at a minimum, a basic understanding of, and facility with, issues relating to e-discovery, including the discovery of electronically stored information (“ESI”). On a case-by-case basis, the duty of competence may require a higher level of technical knowledge and ability, depending on the e-discovery issues involved in a matter, and the nature of the ESI. Competency may require even a highly experienced attorney to seek assistance in some litigation matters involving ESI. An attorney lacking the required competence for e-discovery issues has three options: (1) acquire sufficient learning and skill before performance is required; (2) associate with or consult technical consultants or competent counsel; or (3) decline the client representation. Lack of competence in e-discovery issues also may lead to an ethical violation of an attorney’s duty of confidentiality.”

Give the full opinion a read.

I assume most lawyers understand this, but here’s the critical point I want to make:  ESI is something that can be preserved, produced, and used.  Not knowing how to handle the discovery of ESI is no different from not knowing how to handle the discovery of paper documents.

 

If you’re new to ESI, here’s a primer that the ABA issued several years ago.  It’s a good start, but only a start.


 

 

Protecting Data: Cybersecurity Tips

For those of you pressed for time, the tips are in this post from the ABA Journal.  For the rest of you, I will now return to our regularly scheduled programming.

The phishing scam I warned about yesterday turned out to be a false alarm; a case of the school that conducted a fire drill without notifying the fire department.

Still, I’ll channel my inner Dwight Schrute:

FACT: lawyers and law firms are frequent targets of phishing scams & malware/ransomware attacks.

Some readers asked what the perpetrators of a phishing scam hope to gain by targeting lawyers and law firms.

Access to information.  Either yours or your clients’.

For example, be wary of an unsolicited e-mail that asks you to click on a link and confirm an account number or password.  This is obvious, correct?  If you respond, what have you done?  That’s right – you’ve given out an account number and its password.

Lately, there’s been a rash of well-publicized phishing scams designed to release malware or ransomware. In some instances, the malware provides the scammer with access to data – account numbers, passwords, secure client information.  In other instances, ransomware encrypts an office’s data.   And by “encrypts” I mean “prevents the office from accessing the data unless or until a ransom is paid.”  Think I’m exaggerating?

The Providence Journal has this story about a firm that was locked out of its data for three months earlier this year.  The firm paid a ransom, then paid another, lost $700,000 in billings, and is in litigation with its cybersecurity carrier.  Oh yeah, and how about being in the news for  having had confidential information breached?  Probably not the marketing campaign most of us would choose.

Or, from the FindLaw blog: last year, a prosecutor’s office in Pennsylvania paid a ransom to release files that had been locked after an employee clicked on a link in an e-mail that the employee believed to be from another government agency.  Sound familiar?  It should – that was yesterday’s pseudo-scam: an invitation for lawyers to click on links in an e-mail that appeared to be from the “ethics board.”

It’s not just small firms and state agencies that are at risk.

DLA Piper is one of the largest firms in the U.S. and has offices all over the world.  Last June, DLA Piper issued this cybersecurity advice in response to a global ransomware attack.  Unfortunately, and as reported by Above The Law, DLA Piper fell victim to a similar attack shortly after issuing the warning.

Today, I came across a post in the ABA Journal: Practical cybersecurity for law firms: How to batten down the hatches.  Give it a read.  It’ll be worth your time.

Remember: the Rules of Professional Conduct impose a duty to act competently to safeguard client information.  I understand that some of you worry that your unfamiliarity with technology will make you look silly if you ask for help.  Stop worrying. Doing nothing other than hoping that it doesn’t happen to you is not a reasonable alternative.


 

 

 

 

 

 

 

Protecting Client Data

Next week, the Professional Responsibility Board will review several proposed amendments to the Vermont Rules of Professional Conduct, including proposals to change the rules that relate to the duty to act competently to protect client data.

I’ve blogged often on this issue.  Nevertheless, it bears re-visiting.

Rule 1.1 requires a lawyer to provide a client with competent representation.  I’ve asked the Board to recommend that the Court follow the ABA’s lead and add the underlined & bolded language to Comment [6]:

  • [6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Per Robert Ambrogi’s Law Sites Blog, 28 states have adopted a duty of tech competence.

Rule 1.6 prohibits the disclosure of information relating to the representation of a client.  A few years ago, the ABA amended Model Rule 1.6 to include the following language:

  • “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

I’ve asked the Board to recommend that the Court do the same.

I view Rules 1.1 and 1.6 as creating an affirmative duty to act competently to safeguard client information, including client information that is transmitted or stored electronically.

Now, if the proposals are adopted, will a lawyer need to know how to create an encryption key? Of course not.  Just like, right now, a lawyer does not have a duty to know how to build a lock, a file cabinet, or a fob that opens & closes a keyless door.  But, a lawyer probably has a duty to understand the risks and benefits associated with leaving client files in a box that’s in a shared hallway, as opposed to in a locked file cabinet that’s in a room behind a keyless door to which only 2 firm employees have fobs.

Similarly, will a hack or data breach automatically lead to a disciplinary sanction? No. Again, if a lawyer has taken reasonable precautions to protect client data, whether by encrypting e-mail or exercising due diligence in choosing a cloud vendor, the fact of a breach likely is not a violation.

However, I believe we’re rapidly approaching, if we haven’t passed, the day when it will no longer be considered reasonable not to have encrypted email.  Further, if you’re considering a move to the cloud, while you don’t know how to build your own cloud server, the duty of tech competence includes a duty to know what you don’t know.

For example, let’s say you ask a potential cloud vendor whether your clients’ data will be encrypted.  The vendor replies “yes, we use a BTTF flux capacitor to encrypt data at rest.  For data in transmission, we guarantee it will make the Kessel Run in 12 parsecs or less.”

What’s your response?

To read more about a BTTF flux capacitor click HERE.  An update on the Kessel Run and parsecs (which are units of distance, not time) is HERE.

Finally, if adopted, my hope is that the new language in Rules 1.1 & 1.6 leads us away from re-evaluating the ethical duty with each technological advance that gives us a new method of transmitting and storing data.

As I’ve written, today’s cloud-based practice management systems are not much different than the businesses that lease storage units on the outskirts of damn near every town.  Before storing client information on or at either, a lawyer must review whether each affords reasonable precautions against unauthorized access and disclosure.

No, the question should not be “is this new way of storing information ethical?”  Nor should it be “is it okay to use smoke signals to communicate with my client?”  Rather, whenever the next big thing comes along, the question should be “does this means of transmitting and storing client information provide reasonable precautions and safeguards against unauthorized access and disclosure.”

For related posts:

cyber-security

 

The Next Eclipse: Plan Ahead

Thank you to a loyal reader from the NEK for tipping me off to the court order that inspires this column.

It’s been a week since the eclipse.  I doubt that it kept many Vermont lawyers from the office – at least not any more than “August” seems to.  In any event, the courts remained open for business and will be open for business when the next eclipse occurs on Monday, April 8, 2024.

Of course, next time, Northern Vermont will be in the totality zone.  So, if you don’t want a pesky court appearance to keep you from a viewing party, come up with a plan well in advance.  Otherwise, if this decision is any indication, a motion to continue will not succeed.

Happy Monday.


Monday Morning Answers #83

Friday’s questions are HERE.

Spoiler alert: the answers follow today’s Honor Roll in 5, 4, 3, 2, 1……if you don’t know, now you know.

Honor Roll

Answers

Question 1

There’s only ONE thing that the rules require Vermont lawyers to keep for a period of years.  What is it?

  • A.   Copies of advertisements for 2 years after they first run.
  • B.   Client’s file for 7 years following the termination of the representation of Client.
  • C.   Trust account records of funds held for Client for 6 years following the termination of the representation of Client.  Rule 1.15(a)(1).
  • D.   Client’s confidences & secrets for 7 years following the termination of the representation of client.

Notes:  A is incorrect because the rule was repealed years ago.  B is NOT CORRECT.  The file must be delivered upon the termination of the representation.  See, Rule 1.16(d).  It’s a good idea to make a copy for yourself, but the rules do not require you to do so.  Your carrier probably does though.  Finally, D is not correct.  We stopped using the word “secrets” in 1999.  Also, information relating to the representation of a former client is governed by Rule 1.9(c) and is not subject to a 7-year limit.

Question 2

Attorney called.  Among other questions on a single topic, she asked me whether the rules define “person of limited means.”  What general topic did Attorney call to discuss?

The pro bono rules.  Per rule 6.1, a majority of the 50 hours should go to providing representation to persons of limited means, or, to organizations that primarily address the needs of persons of limited means.  For more, including the definition of “persons of limited means” see this blog post.

Question 3

Speaking of encrypting email, if there is a duty to encrypt, it flows from two duties set out in the rules. One is the duty to maintain the confidentiality of information related to the representation.  What’s the other?  The duty to:

  • A.  Safeguard client property & funds
  • B.  Provide a client with diligent representation
  • C.  Provide a client with competent representation.  See, Rule 1.1.  Also, the link to my blog on encrypting email was included with the questions.  It outlines how the duty of competence dovetails with the duty to maintain confidences to include a duty to act competently to safeguard information relating to the representation of a client.
  • D.  Communicate with a client

 

Question 4

Lawyer represents Client.   Shortly before trial, opposing party discloses Witness. Lawyer determines that he has a conflict that prohibits him from representing Client in a matter in which Witness will testify for Opposing Party.

Lawyer moves to withdraw and discloses the conflict in both his motion and the argument on the motion.  The court denies the motion and Lawyer represents Client at trial.  Witness testifies, Lawyer cross-examines Witness.

True or False: Lawyer violated the Vermont Rules of Professional Conduct by representing Client at trial and cross-examining Witness.

False.  Rule 1.16(c).  (“When ordered to do so by a tribunal, a lawyer shall continue representation notwithstanding good cause for terminating the representation.”)

Question 5

I’m not making this up.

In Vermont, V.R.Pr.C. 3.1 is the equivalent of civil rule 11.  It prohibits lawyers from asserting a position unless there is a non-frivolous basis for doing so.

I’m not making this part up either.

In 2014, a New York lawyer was sued for allegedly helping a client to fraudulently transfer assets.  Let’s call the lawyer “Defendant.”

In 2015, Defendant filed a motion in which he requested that he and plaintiff either have a duel or “trial by combat.”  When questioned by the media, he responded that “I have a good-faith belief that this is still part of our state constitution. I want the law to be clear on this issue, and I have every right to ask for this.”

What’s Defendant’s favorite television show?

Game of Thrones.

The lawyer’s request was denied.  In an article on the denial, Staten Island Live has a fascinating quote from Attorney Richard Luthmann:

  • “I believe that the court’s ruling is based upon my adversaries’ unequivocal statement that they would not fight me,” said Luthmann, who’s based in Castleton Corners.  “Under my reading of the law, the other side has forfeited because they have not met the call of battle. They have declared themselves as cowards in the face of my honorable challenge, and I should go to inquest on my claims.”


 

 

 

Online Legal Research: is there an affirmative duty to use more than one research platform?

Earlier this week, Robert Ambrogi posted Turns Out Legal Research Services Vary Widely in Results.  Ambrogi, one of the leading commentators on legal technology, wrote:

  • “Call me naive, but I would have thought that entering the identical search query on, say, both Westlaw and Lexis Advance would return fairly similar results, at least among the cases ranked highest for relevance. After all, shouldn’t the cases that are most relevant to the query be largely the same, regardless of the research platform?”

Then, he added:

  • “Turns out, the results they deliver vary widely — not just between Westlaw and Lexis Advance, but among several legal research platforms. In fact, in a comparison of six leading research platforms — Casetext, Fastcase, Google Scholar, Lexis Advance, Ravel and Westlaw — there was hardly any overlap in the cases that appeared in the top-10 results returned by each database.”

Ambrogi’s post referred to Susan Nevelow Mart’s research paper The Algorithm as a Human Artifact: Implications for Legal {Re}search.   Mart is the Director of the Law Library and an Associate Professor at the University of Colorado Law School.

In this column that he wrote for Above The Law, Ambrogi dove deeper in Professor Mart’s findings.  Before I talk about the findings, I want to go back to my post Are Robots Nonlawyer Assistants.  

In my post, I suggested that lawyers who use artificial intelligence to perform “mundane legal tasks” might have an affirmative duty under the Rules of Professional Conduct “to have some sort of understanding of the coder’s qualifications.”  Well, as it turns out, a similar notion underpins Professor Mart’s research.

As Ambrogi reports, several years ago, a senior VP at Westlaw informed Professor Mart that the company’s “algorithms are created by humans.”  Mart, then, theorized that the choices that a human makes in creating an algorithm will necessarily influence the results delivered by the algorithm.  In other words, that the coder’s biases & assumptions will find their way into the algorithm and impact the results.  She set out to study her hypothesis.

Mart’s findings are eye-opening.  Using the same query across 6 providers – Casetext, Fastcase, Google Scholar, LexisAdvance, Ravel and Westlaw – she found that among the top 10 cases returned by each:

  • on average, 40% of the cases were returned by only 1 provider;
  • 7% of the cases were returned by all 6 providers.

I could go on & on.  Here’s the upshot, in an excerpt of the abstract from Professor Mart’s paper:

  • When legal researchers search in online databases for the information they need to solve a legal problem, they need to remember that the algorithms that are returning results to them were designed by humans. The world of legal research is a human-constructed world, and the biases and assumptions the teams of humans that construct the online world bring to the task are imported into the systems we use for research. This article takes a look at what happens when six different teams of humans set out to solve the same problem: how to return results relevant to a searcher’s query in a case database. When comparing the top ten results for the same search entered into the same jurisdictional case database in Casetext, Fastcase, Google Scholar, Lexis Advance, Ravel, and Westlaw, the results are a remarkable testament to the variability of human problem solving. There is hardly any overlap in the cases that appear in the top ten results returned by each database. An average of forty percent of the cases were unique to one database, and only about 7% of the cases were returned in search results in all six databases. It is fair to say that each different set of engineers brought very different biases and assumptions to the creation of each search algorithm. One of the most surprising results was the clustering among the databases in terms of the percentage of relevant results. The oldest database providers, Westlaw and Lexis, had the highest percentages of relevant results, at 67% and 57%, respectively. The newer legal database providers, Fastcase, Google Scholar, Casetext, and Ravel, were also clustered together at a lower relevance rate, returning approximately 40% relevant results.

Most importantly, here’s the ethics hook:  Rules 1.1 & 1.3 require lawyers to provide competent & diligent representation. Knowing that results vary widely by provider, do Rules 1.1 and 1.3 require lawyers to use more than one provider when conducting online legal research?

Although I’ve not yet had my daily requirement of coffee, my initial reaction is that it’d be much easier to argue “yes” than to argue “no.”  Actually, the real answer might be that it’s neither competent nor diligent for a lawyer to limit research to the first 10 results to a single query.

Indeed, in the abstract to her paper, Professor Mart notes:

  • “Legal research has always been an endeavor that required redundancy in searching; one resource does not usually provide a full answer, just as one search will not provide every necessary result. The study clearly demonstrates that the need for redundancy in searches and resources has not faded with the rise of the algorithm. From the law professor seeking to set up a corpus of cases to study, the trial lawyer seeking that one elusive case, the legal research professor showing students the limitations of algorithms, researchers who want full results will need to mine multiple resources with multiple searches.”

Anyhow, I was excited to post this, but now I can’t think of a creative way to wrap it up or to make a point.  I guess my point is this: know that online legal research services aren’t perfect.

Finally, maybe Professor Mart’s findings are a new twist on something that’s been going on forever.   I’m reminded of thinking “what the _____?” when I pulled a case that did not “follow” the case that I’d been thrilled to find, even though Shepard’s had promised me (with an “f”) that it would.  The human who coded it was, in fact, only human.


 

Data Shows Significant Drop in Top LSAT Takers Applying to Law School

Paul Caron is the Dean of Pepperdine University’s School of Law.  He’s the editor of the popular TaxProf Blog.

Last week, Dean Caron blogged on new data that shows a significant decrease in the proportion of law school applications filed by those who score the highest on the LSAT.  Both the ABA Journal and Above The Law have more on Dean Caron’s post.

The key takeaway from the blog:

Percentage of Applications to Law School

LSAT Score    2010     2017
160 or >      40.8%    26.4%
150-159       45%      38.7%
< 150         14.2%    34.9%

 

These stories come on the heels of the ABA Journal’s post on a study in which two Pepperdine law professors linked low scores on the bar exam with disciplinary action.   The study is here.

I’ve been with the Professional Responsibility Program since 1998, and was the chief disciplinary prosecutor from 2000-2012.  We never once asked for an attorney’s bar exam score while investigating or prosecuting the attorney.  I wonder if the PRP and BBE will soon be asked to release the bar exam scores of attorneys who are (or have been) disciplined.


 

 

PRP Discusses Bias & Discrimination

The Professional Responsibility Program (PRP) held its Annual Meeting on May 31, 2017.  The meeting took place at Burlington’s Hotel Vermont.  Chief Justice Paul Reiber joined the Board, members of the PRP’s hearing & assistance panels, PRP staff, and several invited guests for a day of seminars and discussion.

The morning’s first seminar used the proposed amendment to Rule 8.4(g) as a launching point into a discussion of bias, discrimination, and legal ethics.  The audience heard from a fantastic panel of Vermont lawyers:

  • Karen Richards, Executive Director of the Vermont Human Rights Commission,
  • Jay Diaz, Staff Attorney at the ACLU of Vermont, and,
  • Dan Maguire, President-Elect of the Vermont Bar Association’s Board of Managers

Using real-life experiences and studies on racial & implicit bias, the panel challenged the audience to consider:

  • the biases that can influence hearing & assistance panel members as they sit on cases;
  • the biases that can influence lawyers, witnesses, judges, and jurors; and,
  • whether Rules 1.1 and 1.3 impose a duty to advise a client on the biases that can influence lawyers, witnesses, judges, and jurors involved in the client’s matter.

After hearing from the panel, many in the audience urged the Board to support the proposed amendment to Rule 8.4 and to commit the PRP to continue as part of the larger effort to educate on the topic of implicit bias.

Karen, Jay, and Dan – thank you so much for sharing your time, thoughts, and expertise with members of the PRP!

 

So You Want To Store Client Data in the Cloud….

. . . you should! Odds are it’ll make your law practice more efficient, which will help both you and your clients.

With the June 30 deadline to report CLE compliance, I’m asked to present at a lot of CLEs in May and June.  This year, several folks have asked me to talk about the ethics associated with storing client data in the cloud.

I will do as asked. Reluctantly.

Last November, I posted a blog in which I expressed my hope that I’d done my last seminar on the ethics of storing information in the cloud.  I think it’s time we move beyond “can I use the cloud?” to figuring out whether the cloud works for you & your firm and, if so, which vendor to choose.

Since my hope has not yet been realized, I’m re-posting my post. Two words to remember: “Reasonable Precautions.”

****

The Cloud:  What are Reasonable Precautions?

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud.  I started by saying that I hoped it was my final seminar on the topic.  I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent.  See, Rule 1.6.  A lawyer also has a duty to keep client property safe.  See, Rule 1.15.

I view the cloud as the latest in a long line of different places to store information.  In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16].  When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.  Rule 1.6, Comment [17].

So, think about cloud storage like this:  client information is electronically transmitted to a place where it will be kept.  Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06.  Here’s the digest of the opinion:

  • “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)

The question I hear most often is this:  “what are reasonable precautions?”  In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

  • who do you let into this facility?
  • do you require a passcode or badge for the gate?
  • are there locks on the individual units?
  • who besides me has a key or knows the combination?
  • can I get into my unit whenever I want to?
  • what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion.  The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi.  He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

  • Is it a solid company with a good reputation and record?
  • Can you get access to your data whenever you want, without restrictions?
  • If your service is terminated – by you or by the company – can you retrieve your data?
  • Does it allow use of advanced password protocols and two-step verification?
  • What are its internal policies regarding employee and third-party access to your data?
  • Is your data encrypted both while in transit and while at rest on the company’s servers?
  • How is your data backed up?
  • What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

  • You:   Will my data be encrypted in transmission and at rest?
  • Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
  • You:  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions.  This entry includes links that will help you determine what “reasonable precautions” are.  Don’t fear the cloud, but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.

 
