Tech Competence: Tips and a Conference

As Olivia might sing, let’s get techical, techical.

Last week, the Professional Responsibility Board voted to recommend a series of amendments to the Vermont Rules of Professional Conduct.  The package will be forwarded to the Supreme Court for publication for comment.

Rule 1.1 requires lawyers to provide clients with competent representation.  Among other things, the Board will recommend that the Court amend Comment [6] to Rule 1.1 so as to add language that is highlighted & underlined:

  • “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”

As of September 2017, 28 states have adopted the amendment.

If you’re concerned about tech competence, fear not!

  • On May 16, 2018, the Vermont Bar Association will present its inaugural Tech Day. Save the date! It’s scheduled to take place at the Sheraton-Burlington and will include several practical seminars.
  • Yesterday, Robert Ambrogi’s LawSites blog posted tips related to tech security, including a suggestion to consider client portals.

Finally, I’ve blogged often on this topic.  Related posts include:

As Olivia might sing, let’s get techical, techical.

 

Advertisements

Confidences, Conflicts & Electronically Stored Information

To answer ATCQ, this is the scenario:

  • Lawyer works at Firm and represents Kennedy.
  • No other attorney at Firm works on Kennedy’s matter.
  • Lawyer leaves Firm.
  • Kennedy decides to go with Lawyer.
  • Firm sends hard copy of Kennedy’s file to Lawyer.

Ok.  That’s the easy part and isn’t very complicated.  Since easy & uncomplicated make for boring blogs, let’s add this:

  • Lawyer represents Kennedy in matter against Brady.
  • Brady seeks to retain Firm.
  • Kennedy v. Brady is the same or substantially related to a matter in which Lawyer represented Kennedy while working at Firm.

Can Firm represent Brady?

The fact that the matter is the same or substantially related to a matter in which Lawyer represented Kennedy while working at Firm does not end the analysis.  Nor does the fact that Firm delivered the paper file to Lawyer.

Rule 1.10 applies.  Subsection (b) says:

  • “When a lawyer has terminated association with a firm, the firm is not thereafter prohibited from representing a person with interests materially adverse to those of a client represented by the formerly associated lawyer and not currently represented by the firm, unless:
    • (1) the matter is the same or substantially related to that in which the formally associated represented the client; and,
    • (2) any lawyer remaining in the firm has information protected by Rules 1.6 and 1.9(c) that is material to the matter.”

In the hypo, Firm will argue that none of its lawyers has information protected by Rules 1.6 and 1.9(c) because (1) none of them worked on Kennedy matters; and, (2) Firm delivered the file when Lawyer left.

But do they?

What if an electronic version of Kennedy’s file (or a portion of thereof) remains on Firm’s servers?  If the information is “material” to the matter, does Firm “have” that information as contemplated by Rule 1.10(b)?

Here’s an opinion from New Jersey.  The answer is “maybe.”  Essentially,  the court said that Firm “has” the information if a remaining lawyer has actual knowledge of the information and has accessed substantive portions of the electronic file.  The court, however, indicated that limited access made to investigate a potential conflict is not necessarily disqualifying.

If you’re interested, give the opinion a read.  Also, to avoid this dilemma, it might be worth a self-assessment as to how your firm handles electronically stored information when clients follow a departing lawyer.

By the way, if you missed it yesterday, here are the results of the poll question: Who is on your Mt. Rushmore of U.S. Supreme Court justices?  The post includes this week’s question: your top 3 fiction novels focused on the law or a lawyer/lawyers.

Laptop-and-computer-file-folders

 

 

Technology Predicts How Jurors Will Vote

I’ll get my soapbox moment out of the way early in this post: Rule 1.1’s duty of competence includes tech competence.

There.

Now, here’s another area in which technology might impact the scope of the duty.  The ABA Journal has this story about Voltaire, a tech company that developed software that “can search through billions of data points, including public records and social media posts, and—within a matter of minutes—pull up all kinds of information on prospective jurors.”  Per the article, the company’s origins are in its CEO’s realization “that law firms didn’t do a very good job using technology to assist them in their cases.”

Hmm. Sounds familiar.

Anyhow, if you’re interested, check it out.  Seems we’ve come a long way from the days of Gene Hackman’s use of technology as a jury consultant.

Voltaire interests me not only from the perspective of a lawyer’s duty of competence, but from a social media standpoint.  Two years ago, I served on jury duty.  Much to my chagrin, I wasn’t picked for a single case.  I presume because the attorneys knew all they needed to know about me.  Still, had they used Voltaire, what more would they have learned about me?

Anyway, I digress.  Back to competence.

Rule 1.1 states that “[c]ompetent representation requires the legal knowledge, skill, thoroughness, and preparation reasonably necessary for the representation.” I am NOT saying that the duty of competence requires an attorney to use Voltaire (or a service like it) when picking a jury.  At least not yet.

Someday, a client who loses at trial will ask their attorney why the attorney didn’t make use available technology.  And that “ask” might be in the form of a disciplinary complaint or malpractice claim.  Then, the question will become whether reasonably necessary thoroughness and preparation for a jury trial includes using a technology like Voltaire’s.

Voltaire

 

Have you heard the one about the $1 million fee award that walked into a spam filter?

It’s no joke.

UPDATE:  After reading my original post, a lawyer shared a story with me and authorized me to share it with you.  I’ve appended the story to this column. Because I think the story might serve as a valuable tip, I’m re-posting this blog to help draw attention to it. 

I’ve often blogged on the ethical duty of tech competence.  My posts on the topic are here.

Now, a cautionary tale from the real world.

Alberto Bernabe is a law professor at The John Marshall Law School. He’s also a regular presence on this blog’s #fiveforfriday Honor Roll.  Yesterday, on his own blog, Professor Bernabe posted ‘My computer ate my homework’ is not a good excuse.  His post links to a case that involves tech competence and a missed deadline to appeal an order awarding $1,000,000.00 in attorney’s fees.

The full story comes from Law For Lawyers Today.  The headline says it all: Deleted spam leads to missed appeal; not excusable, FL court of appeals holds.  Here’s the quick version:

  • Ben sued Tom.
  • Lawyer represented Ben.  Attorney, who works at Firm, represented Tom.
  • Ben won.
  • Lawyer moved for attorney’s fees.
  • The court granted the motion.
  • The court e-mailed the order to Attorney.
  • Attorney’s Firm’s e-mail system “filtered out” the order as spam.
  • Firm’s e-mail system was configured to delete spam after 30 days, without notice to a person.
  • Firm’s e-mail system deleted the order.
  • Tom moved for relief from judgment.
  • Attorney argued that Firm did not receive the order in time to file an appeal.
  • The trial court denied the motion.
  • An appellate court affirmed the trial court’s decision.

At the hearing on Tom’s motion for relief from judgment, Firm’s former IT person testified that he had advised Firm against configuring its e-mail system to delete spam after 30 days and without notice to a person.  He also testified that he advised Firm to buy an e-mail backup system and to retain a tech vendor to deal with e-mail spam.  Firm did not take the advice, in part to save money.

The appellate court noted that Firm’s failure to learn about the order was not the result from “mistake, inadvertence, surprise or excusable neglect.”  Rather, Firm intentionally chose to use “a defective e-mail system without any safeguards or oversight to save money. Such a decision cannot constitute excusable neglect.”

Competence includes tech competence.  For now, I’ll leave you with the final paragraph from the blog post that’s on The Law for Lawyers Today:

  • “The harsh result here may yet be ameliorated if the court of appeals grants rehearing.  In the meantime, however, the scary scenario points to the need to pay attention to your firm’s  technology and processes for handling spam.  And old-fashioned procedures like checking the court’s docket can also help avoid an unpalatable spam situation.”

UPDATE – here’s the abridged version of the story that a lawyer shared with me after reading my original post.

  • Lawyer represented Client.
  • Throughout matter, Lawyer & Client communicated via e-mail.
  • Matter went to a bench trial.
  • In a written decision, Trial Court found against Client.
  • Lawyer scanned the decision and attached it to an e-mail to Client.  In the body of the e-mail, Lawyer asked “Do you want to appeal?”
  • 31 days after decision was issued, Client called Lawyer and asked “have we heard anything from the trial court?”
  • Lawyer investigated and determined that the e-mail to Client was stuck in outgoing mail and had never left Firm’s server.
  • Over Opposing Party’s objection, Trial Court granted Lawyer & Client leave to file an untimely appeal.
  • On appeal, the Vermont Supreme Court granted Opposing Party’s motion to dismiss the appeal as untimely.

Lawyer’s firm took two lessons from the experience: (1) Lawyer regularly checks Lawyer’s spam folder & outgoing mailbox; and, (2) rather than relying on e-mail silence, Firm adopted a protocol to call clients on important issues, such as the decision whether to appeal.

 

Tech Incompetence

Have you heard the one about the $1 million fee award that walked into a spam filter?

It’s no joke.

I’ve often blogged on the ethical duty of tech competence.  My posts on the topic are here.

Now, a cautionary tale from the real world.

Alberto Bernabe is a law professor at The John Marshall Law School. He’s also a regular presence on this blog’s #fiveforfriday Honor Roll.  Yesterday, on his own blog, Professor Bernabe posted ‘My computer ate my homework’ is not a good excuse.  His post links to a case that involves tech competence and a missed deadline to appeal an order awarding $1,000,000.00 in attorney’s fees.

The full story comes from Law For Lawyers Today.  The headline says it all: Deleted spam leads to missed appeal; not excusable, FL court of appeals holds.  Here’s the quick version:

  • Ben sued Tom.
  • Lawyer represented Ben.  Attorney, who works at Firm, represented Tom.
  • Ben won.
  • Lawyer moved for attorney’s fees.
  • The court granted the motion.
  • The court e-mailed the order to Attorney.
  • Attorney’s Firm’s e-mail system “filtered out” the order as spam.
  • Firm’s e-mail system was configured to delete spam after 30 days, without notice to a person.
  • Firm’s e-mail system deleted the order.
  • Tom moved for relief from judgment.
  • Attorney argued that Firm did not receive the order in time to file an appeal.
  • The trial court denied the motion.
  • An appellate court affirmed the trial court’s decision.

At the hearing on Tom’s motion for relief from judgment, Firm’s former IT person testified that he had advised Firm against configuring its e-mail system to delete spam after 30 days and without notice to a person.  He also testified that he advised Firm to buy an e-mail backup system and to retain a tech vendor to deal with e-mail spam.  Firm did not take the advice, in part to save money.

The appellate court noted that Firm’s failure to learn about the order was not the result from “mistake, inadvertence, surprise or excusable neglect.”  Rather, Firm intentionally chose to use “a defective e-mail system without any safeguards or oversight to save money. Such a decision cannot constitute excusable neglect.”

Competence includes tech competence.  For now, I’ll leave you with the final paragraph from the blog post that’s on The Law for Lawyers Today:

  • “The harsh result here may yet be ameliorated if the court of appeals grants rehearing.  In the meantime, however, the scary scenario points to the need to pay attention to your firm’s  technology and processes for handling spam.  And old-fashioned procedures like checking the court’s docket can also help avoid an unpalatable spam situation.”

Tech Incompetence

 

 

 

Competence, ESI, and E-Discovery

I’ll say it again: Rule 1.1’s duty of competence includes tech competence.

To me, the duty includes:

  • knowing that that “it” exists,
  • knowing that clients, their adversaries, and witnesses have “it;” and,
  • knowing how to protect, preserve, produce, request, review, and use “it.”

What is “it?”

It is Electronically Stored Information (“ESI”).  Nearly every lawyer who has a client, has a client whose lawyer needs to know about ESI.  Indeed, I can’t think of a practice area in which a lawyer need not know about ESI.

  • Whether civil, criminal, probate, or family court, with so many of us so active on social media, ESI is a treasure trove of evidence.  Wondering how to admit a text, tweet, or social media post into evidence?  Check out the Evidence in Practice seminar at next week’s Annual Meeting of the Vermont Bar Association.
  • Wondering about your duties if a client asks about “scrubbing” or “taking down” social media posts?  The Pennsylvania Bar has issued some guidance.
  • For those of you practicing in the Vermont Superior Court’s Civil & Family Divisions, VRCP 26(a) lists the methods by which a party may obtain discovery.  Among them: a Rule 34 request to produce ESI.  Rule 26(b)(2)(A) imposes specific limitations on the discovery of ESI.  The federal rules of civil procedure have similar provisions.
  • Doing any estate work? There’s a new  Vermont law on digital assets.
  • Those of you who are in-house or general counsel . . . do you have some idea as to what ESI your client has, where it’s stored, and how long it’s kept? Have you talked to your client about its policy on employees using personal devices to access company data? Today, Above The Law posted some practical tips on preservation letters, including tips related to preserving & producing ESI.

I could go on & on. It is everwhere.

In 2015, the State Bar of California’s Standing Committee on Professional Responsibility and Conduct issued Formal Opinion 2015-193.  The opinion responds to the question “[w]hat are an attorney’s ethical duties in the handling of discovery of electronically stored information?”  Here’s the digest:

  • “An attorney’s obligations under the ethical duty of competence evolve as new
    technologies develop and become integrated with the practice of law. Attorney
    competence related to litigation generally requires, among other things, and at a
    minimum, a basic understanding of, and facility with, issues relating to e-discovery,
    including the discovery of electronically stored information (“ESI”). On a case-by-case basis, the duty of competence may require a higher level of technical knowledge and ability, depending on the e-discovery issues involved in a matter, and the nature of the ESI. Competency may require even a highly experienced attorney to seek assistance in some litigation matters involving ESI. An attorney lacking the required competence for e-discovery issues has three options: (1) acquire sufficient learning and skill before performance is required; (2) associate with or consult technical consultants or competent counsel; or (3) decline the client representation. Lack of competence in e-discovery issues also may lead to an ethical violation of an attorney’s duty of confidentiality.”

Give the full opinion a read.

I assume most lawyers understand this, but here’s the critical point I want to make:  ESI is something that can be preserved, produced, and used.  Not knowing how to handle the discovery of ESI is no different from not knowing how to handle the discovery of paper documents.

 

If you’re new to ESI, here’s a primer that the ABA issued several years ago.  It’s a good start, but only a start.

E Discovery

 

 

Protecting Data: Cybersecurity Tips

For those of you pressed for time, the tips are in this post from the ABA Journal.  For the rest of you, I will now return to our regularly scheduled programming.

The phishing scam I warned about yesterday turned out to be a false alarm; a case of the school that conducted a fire drill without notifying the fire department.

Still, I’ll channel my inner Dwight Schrute:

FACT: lawyers and law firms are frequent targets of phishing scams & malware/ransomware attacks.

Some readers asked what the perpetrators of a phishing scam hope to gain by targeting lawyers and law firms.

Access to information.  Either yours or your clients’.

For example, be wary of an unsolicited e-mail that asks you to click on a link and confirm an account number or password.  This is obvious, correct?  If you respond, what have you done?  That’s right – you’ve given out an account number and its password.

Lately, there’s been a rash of well-publicized phishing scams designed to release malware or ransomware. In some instances, the malware provides the scammer with access to data – account numbers, passwords, secure client information.  In other instances, ransomware encrypts an office’s data.   And by “encrypts” I mean “prevents the office from accessing the data unless or until a ransom is paid.”  Think I’m exaggerating?

The Providence Journal has this story about a firm that was locked out of its data for three months earlier this year.  The firm paid a ransom, then paid another, lost $700,000 in billings, and is in litigation with its cybersecurity carrier.  Oh yeah, and how about being in the news for  having had confidential information breached?  Probably not the marketing campaign most of us would choose.

Or, from the FindLaw blog: last year, a prosecutor’s office in Pennsylvania paid a ransom to release files that had been locked after an employee clicked on a link in an e-mail that the employee believed to be from another government agency.  Sound familiar?  It should – that was yesterday’s pseudo-scam: an invitation for lawyers to click on links in an e-mail that appeared to be from the “ethics board.”

It’s not just small firms and state agencies that are at risk.

DLA Piper is one of the largest firms in the U.S. and has offices all over the world.  Last June, DLA Piper issued this cybersecurity advice in response to a global ransomware attack.  Unfortunately, and as reported by Above The Law, DLA Piper fell victim to a similar attack shortly after issuing the warning.

Today, I came across a post in the ABA Journal: Practical cybersecurity for law firms: How to batten down the hatches.  Give it a read.  It’ll be worth your time.

Remember: the Rules of Professional Conduct impose a duty to act competently to safeguard client information.  I understand that some of you worry that your unfamiliarity with technology will make you look silly if you ask for help.  Stop worrying. Doing nothing other than hoping that it doesn’t happen to you is not a reasonable alternative.

Safeguarding data

 

 

 

 

 

 

 

Protecting Client Data

Next week, the Professional Responsibility Board will review several proposed amendments to the Vermont Rules of Professional Conduct, including proposals to change the rules that relate to the duty to act competently to protect client data.

I’ve blogged often on this issue.  Nevertheless, it bears re-visiting.

Rule 1.1 requires a lawyer to provide a client with competent representation.  I’ve asked the Board to recommend that the Court follow the ABA’s and add the underlined & bolded language to Comment [6]:

  • [6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.

Per Robert Ambrogi’s Law Sites Blog, 28 states have adopted a duty of tech competence.

Rule 1.6 prohibits the disclosure of information relating to the representation of a client.  A few years ago, the ABA amended Model Rule 1.6 to include the following language:

  • “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

I’ve asked the Board to recommend that the Court do the same.

I view Rules 1.1 and 1.6 as creating an affirmative duty to act competently to safeguard client information, including client information that is transmitted or stored electronically.

Now, if the proposals are adopted, will a lawyer need to know how to create an encryption key? Of course not.  Just like, right now, a lawyer does not have duty to know how to build a lock, a file cabinet, or a fob that opens & closes a keyless door.  But, a lawyer probably has a duty to understand the risks and benefits associated with leaving client files in a box that’s in a shared hallway, as opposed to in a locked file cabinet that’s in a room behind a keyless door to which only 2 firm employees have fobs.

Similarly, will a hack or data breach automatically lead to a disciplinary sanction? No. Again, if a lawyer has taken reasonable precautions to protect client data, whether by encrypting e-mail or exercising due diligence in choosing a cloud vendor, the fact of a breach likely is not a violation.

However, I believe we’re rapidly approaching, if we haven’t passed, the day when it will no longer be considered reasonable not to have encrypted email.  Further, if you’re considering a move to the cloud, while you don’t know how to build your own cloud server, the duty of tech competence includes a duty to know what you don’t know.

For example, let’s say you ask a potential cloud vendor whether your clients’ data will be encrypted.  The vendor replies “yes, we use a BTTF flux capacitor to encrypt data at rest.  For data in transmission, we guarantee it will make the Kessel Run in 12 parsecs or less.”

What’s your response?

To read more about a BTTF flux capacitor click HERE.  An update on the Kessel Run and parsecs (which are units of distance, not time) is HERE.

Finally, if adopted, my hope is that the new language in Rules 1.1 & 1.6 leads us away from re-evaluating the ethical duty with each technological advance that gives us a new method of transmitting and storing data.

As I’ve written, today’s cloud-based practice management systems are not much different than the businesses that lease storage units on the outskirts of damn near every town.  Before storing client information on or at either, a lawyer must review whether each affords reasonable precautions against unauthorized access and disclosure.

No, the question should not be “is this new way of storing information ethical?”  Nor should it be “is it okay to use smoke signals to communicate with my client?”  Rather, whenever the next big thing comes along, the question should be “does this means of transmitting and storing client information provide reasonable precautions and safeguards against unauthorized access and disclosure.”

For related posts:

cyber-security

 

So A Lawyer & Judge Are Facebook Friends . . .

So a lawyer & judge are Facebook friends.

So what?

The ABA Journal has the story of an appellate court’s decision that a Facebook friendship with a lawyer, without more, is not a sufficient basis to disqualify a judge.   The order is here.

This makes sense to me.  As with almost everything tech-related, I try to use analogies to non-tech stuff.  For example, if you learned that a lawyer who regularly appeared before a judge belonged to the same health club, or went to the same church, or was in the same law school class as the judge my guess is that you wouldn’t reflexively yell “conflict! disqualify the judge!”

No, you might ask something as simple as, “do they actually know each other? If so, how well? Do they do stuff together?”

In my view, Facebook is no different.  Florida’s Third District Court of Appeal agrees. (there’s no “s” – maybe the court only hears one case at at time).  The opinion presents a fantastic analysis of what it means, if anything, to be Facebook friends with someone.

Here are my favorite paragraphs from the ABA Journal’s post.  They include a quote from the opinion.

“Though a Facebook friendship may have once given the impression of a close friendship, that’s no longer the case, the Third District Court of Appeal said in explaining its disagreement with the other appeals court. Facebook uses data mining and network algorithms to suggest potential friends, and many Facebook users have thousands of friends, the appeals court said.

“ ‘To be sure,’ the opinion said, ‘some of a member’s Facebook ‘friends’ are undoubtedly friends in the classic sense of person for whom the member feels particular affection and loyalty. The point is, however, many are not. A random name drawn from a list of Facebook ‘friends’ probably belongs to casual friend, an acquaintance, an old classmate, a person with whom the member shares a common hobby, a ‘friend of a friend’ or even a local celebrity like a coach.’ ”

Ab, yes. A local celebrity.  Like a coach.  Music to my ears.

Legal Ethics, Cloud Storage, and . . . Game of Thrones?

So, you want to store client data in the cloud? Excellent! Odds are it’ll make you more efficient.

What are your duties under the rules of professional conduct?  Good question.

In my view, a lawyer has a duty to take reasonable precautions to protect client information from unauthorized access or disclosure.   The duty applies no matter the “place” that the information is stored.  That is, the cloud is a “place to store client information” in the exact same sense as a storage facility out on the old county road.

For more, here’s my post The Cloud: What Are Reasonable Precautions?

Now, about that headline.

Jeff Bennion has a great post over at Above The Law: How Are Lawyers Supposed  To Have More Security Than HBO?  It’s well-worth the few minutes you’ll need to read it.  A summary of his tips:

  • Know your duties
  • Don’t make unnecessary copies of things
  • Know that some client data is more sensitive than other data
  • Secure all devices & places where client data is stored.

Only 109 hours, 44 minutes until The Dragon & The Wolf.  Until then, just as I’m sure you’ll take reasonable precautions to avoid spoilersdo the same to avoid the inadvertent or unauthorized disclosure of client information.

Thrones