Buried Ledes, Hackers, and Protecting Client Data

A friend of mine used the word “lede” in a text she sent me earlier this week.  So impressed that she knew the proper spelling, the word has stayed on my mind ever since.  Good thing.  Because as I proofed this post, I realized that I almost buried the lede.

Even Vermont-sized law firms are vulnerable to hackers.


In January, hackers stole data from five small firms.  From each, the hackers demanded 100 Bitcoin to restore access to the data and 100 Bitcoin not to sell it. Then, the hackers began publishing the data on the web. Among others, Law.Com, CoinTelegraph and the ABA Journal have the story.

Did I mention that, at the time, 100 Bitcoin cost $930,000?  Today it’s only $890,416.

I’ll return to the story in a moment.  First, however, I’d like to introduce Jim Knapp.

Jim is Vermont State Counsel for First American Title Insurance.  But the day I blog about underwriting will be the day I retire as a blogger.

For many years, Jim and Kevin Ryan presented their famed “Road Show” across Vermont. It was a CLE that included great tips on tech and data security. You know – tech competence!

I’ll start with the basic premise: lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to information relating to the representation of a client. The duty applies to the electronic transmission and storage of client information & data.

As I noted here, there is no set answer to “what are reasonable precautions?”  The ABA’s Standing Committee on Ethics and Professional Responsibility agrees. In Formal Opinion 477, the Committee advised:

  • “What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”

With respect to cyber threats, the Committee stated:

  • “the reasonable efforts standard. . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”

Now, back to the story of the hackers.

Along with blogger’s bloc, the story made me realize today is a great day for a Q&A with Jim Knapp. Jim was kind enough to agree.

MK: Thanks for doing this Jim. First reaction when you read about the hack?

Jim: So, this would be deemed a really bad day! First you are locked out of your system, and even if you had good recent backups, and could expend the money and time to restore everything, second, the bad actors are still threatening to sell / release your data. Not to mention, now you have a data breach and must satisfy all the legal requirements related to the analysis and notifications imposed by State laws. What a way to start a week!

MK: I’ll say. For me, this hit home because it didn’t involve one of the ginormous multi-national firms. The firms involved are similar in size to most Vermont firms. How do Vermont lawyers protect themselves?

Jim: As we’ve seen, 2020’s are barely a few weeks old and the news is not good. Ransomware has reached a new high(?) / low (low). The bad actors are not just encrypting your files, they are offering to publish your firm’s files to the public, or at least the public that uses the dark web.

You can no longer rely on having anti-virus software as your only means of protection. Backups are important to recover your data in the case of disaster, but a good backup won’t stop a bad actor from publishing data they have stolen from your firm. Acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.

MK: I love the last sentence: “acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.” Many lawyers, myself included, aren’t exactly tech savvy. My sense is that many firms “leave that to the IT person.” Of course, in the end, a lawyer is responsible for ensuring that the nonlawyer staff – including IT staff and vendors – are protecting client data. Anyhow, how do we move from toes-in-the-water to the deeper end of that pool of knowledge? Some states require tech CLE. In December 2018, I posted this blog wondering if we should.

Jim: While the idea of mandatory participation in professionalism, mindfulness, wellness, etc., are all good subjects, it seems to me that perhaps mandatory participation in cybersecurity training would be a worthy subject. Not just for lawyers but for all persons who work in a law office. As regards Vermont, out of the 2700+ lawyers, I’ll bet not more than 350-400 unique persons have attended a well prepared and presented program on cybersecurity. Of course, those folks will roll their eyes, if they have to hear one more presentation on “don’t click”; have good passwords etc.

MK: I agree. But I still run into lawyers who say, “I wouldn’t even know what the presenters are talking about.”

Jim: Gaining a suitable level of the essential elements of data security is a challenging task if you choose to pursue this on your own. The key is finding a suitable CLE program that can translate the arcane elements of information security into knowledge you can use to assess how safe your law office environment is. Everyone whose practice depends on the availability of information stored on a computer system owes it to their clients and to themselves to attend enough CLE programs to understand what options exist for protecting their digital information.

MK: Music to my ears! But it has to be more than just “go to a tech CLE,” right?

Jim: Training is a key element to protecting your digital environment. But training alone isn’t sufficient, as no matter how diligent you are in reminding all your colleagues not to open questionable emails, stay away from questionable websites, and to watch out for the social engineers looking to convince you to hand over key information like passwords, the bad actors will eventually find an opening and pounce.

Information security for a law office involves all kinds of elements, from

  • properly configuring the hardware included in your network, like the router that connects your office to the outside world; to,
  • running a suitable firewall; to,
  • using effective anti-malware software; to,
  • keeping your operating system and applications up to date with all patches (Note: if you are still using Windows 7 you must STOP now. Microsoft is no longer providing patches for Windows 7 and there are still numerous vulnerabilities that have never been fixed and now will not be fixed)
  • possibly running intrusion detection and intrusion prevention systems within your network;
  • and more.

MK: Good stuff! Last question before we lose everyone: I’ve often called you for tips on backing up client data. Can you give us the quick version that you’ve given me on backups, airgap, etc.?

Jim: Backup, like all tech issues, has lots of components. The right backup strategy depends on what kind of data you have, how much data you have, and where you store your data. But, everyone should consider at least the following elements:

  • Nearline – a backup that is connected to your network storage, or to your personal PC (wherever you store your day to day work product) all the time and periodically (hourly, every few hours, at least twice a day), duplicates the data in your data storage. Usually, an external USB hard drive purchased for less than $100.00 will suffice. This allows you to recover immediately, or nearly immediately from a problem with your storage device, e.g. your hard drive or SSD croaks at 3:30 and the response to the motion for summary judgment is due tomorrow.
  • Offline – a backup that is stored off-site. It can be cloud based, or a rotation of physical drives, one of which is stored off-site at all times. This provides a recovery option for the electrical surge that kills your onsite storage, a fire, a flood, or somebody breaks into your office and steals the computers. This backup is run at an interval calculated by how much work-product you are willing to lose and have to recreate. It could be measured in weeks, but I would offer that daily is a more reasonable assessment.
  • Airgap – this is a backup device that is only connected to your network or the PC while the backup is running. This is one tool in the kit to address a ransomware attack on your systems. Again, an airgap backup will typically fit on a good quality external USB hard drive which is a $100 item. To run the back-up, you connect the device to the storage device you want to backup, and as soon as the backup is complete, you disconnect the backup device and store it safely away from any connection to your data storage systems.

MK: I lied, one more question: you & I bumped into each other at church on Ash Wednesday. Was that your cell phone that went off during mass? Tech competence is a thing at worship too.

Jim: Fortunately no, neither of my cell phones was that particular culprit.

MK:  Good.  The ringtone reflected a failure to act competently when choosing a ringtone.

Jim:  I have two cell phones because of the nature of the insurance business and my employer’s policies. Particularly, in the case of regulators, they can demand access to Company information, some of which may be stored on my phone. And, the Company retains the right to monitor and inspect all data stored on or passing through their data-stream. Now, while I have few secrets worth discovering, and after 40 years of practice in Vermont, net worth is not one of them, I have no desire to expose my personal information to either the regulators or the Company. Hence, I have a personal cell phone and a work cell phone. I would suggest that lawyers should consider the same analysis I did. If you were sued, do you really want opposing counsel and your appointed defense counsel rummaging through the materials on your phone?

MK:  It’s almost as if you’ve seen what’s on my phone.  No, I don’t want anyone rummaging through!  Good reminder though: as I blogged here, lawyers who travel abroad should consider leaving behind devices that contain client data.

Thanks Jim, this was great!
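The three backup elements Jim describes (nearline, offline, airgap) can be checked mechanically. The Python below is an added example, not something from the interview or used by anyone named in this post: it audits a constructed inventory against those elements. The device names, the `BackupTarget` fields and the 7-day airgap interval are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Longest acceptable age of the last good backup, per element.
# Nearline ("at least twice a day") and offline ("daily") follow the
# interview; the airgap interval is an assumption, since none is given.
MAX_AGE = {
    "nearline": timedelta(hours=12),
    "offline": timedelta(hours=24),
    "airgap": timedelta(days=7),  # assumed value
}


@dataclass
class BackupTarget:
    name: str                  # hypothetical device label
    tier: str                  # "nearline", "offline" or "airgap"
    last_success: datetime     # when the last backup completed
    connected: bool            # attached to the network or PC right now
    offsite: bool = False      # kept away from the office
    job_running: bool = False  # a backup is in progress right now


def audit(targets, now):
    """Return findings as strings; an empty list means no gaps were found."""
    findings = []
    # Every element from the interview should exist at least once.
    for tier in MAX_AGE:
        if not any(t.tier == tier for t in targets):
            findings.append(f"missing: no {tier} backup defined")
    for t in targets:
        limit = MAX_AGE.get(t.tier)
        if limit is None:
            findings.append(f"{t.name}: unknown tier {t.tier!r}")
            continue
        age = now - t.last_success
        if age > limit:
            hours = int(age.total_seconds() // 3600)
            findings.append(f"{t.name}: stale, last backup {hours}h ago")
        if t.tier == "nearline" and not t.connected:
            findings.append(f"{t.name}: nearline drive is not attached")
        if t.tier == "offline" and not t.offsite:
            findings.append(f"{t.name}: offline copy is stored on-site")
        # The point of the airgap copy: ransomware that encrypts everything
        # it can reach cannot touch a drive that is unplugged.
        if t.tier == "airgap" and t.connected and not t.job_running:
            findings.append(f"{t.name}: airgap drive left connected")
    return findings


# Constructed inventory for a small office (not real data).
NOW = datetime(2020, 3, 5, 9, 0)
SAMPLE = [
    BackupTarget("usb-nearline", "nearline", NOW - timedelta(hours=3),
                 connected=True),
    BackupTarget("cloud-offline", "offline", NOW - timedelta(days=3),
                 connected=True, offsite=True),
    BackupTarget("usb-airgap", "airgap", NOW - timedelta(days=1),
                 connected=True),
]

if __name__ == "__main__":
    for line in audit(SAMPLE, NOW):
        print(line)
```

On the constructed inventory, the audit flags the off-site copy that has not run in three days and the airgap drive that was never unplugged, which is the one condition that defeats its purpose against ransomware.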

To be clear: being hacked isn’t necessarily an ethics violation.  Even reasonable security can be breached.  My point today is to encourage lawyers and firms to assess the measures that they have in place.  And, to encourage those who don’t know how to perform such an assessment to find someone who does.

Finally, if you or your firm has been breached, you should (1) read my post ABA Addresses Lawyer’s Duties in Response to a Data Breach and (2) review the Attorney General’s outline of duties that arise under Vermont’s Security Breach Notice Act.

As always, let’s be careful out there.

Throwback Thursday: Social Media

Last week, I posted Competence & E-Discovery.  It generated a few calls & emails on another topic that we touched upon in the seminar that’s referenced in the post: a lawyer’s professional obligations vis-a-vis ESI & social media.

I’ve blogged & spoken on the issue several times. To me, it comes down to this:

  • The duty of competence includes reviewing the publicly available social media presences of adversaries, witnesses, and jurors.
  • Knowing that others are looking, the duty of competence includes advising clients of the risks associated with making information publicly available on social media.

As to the former, please see this post from September 2019.  It includes links to several advisory ethics opinions that address a lawyer’s duties when reviewing social media evidence. As to the latter, please see this post, also from September 2019.


Competence & E-Discovery

A lawyer’s professional responsibilities include:

  • providing clients with competent representation;
  • abiding by the rules of a tribunal;
  • acting competently to prevent the inadvertent disclosure of a client’s otherwise confidential or privileged information;
  • not assisting a client or another person unlawfully to obstruct access to evidence; and,
  • not assisting a client or another person unlawfully to alter, conceal, or destroy documents and material that have potential evidentiary value.


At the YLD Thaw in Montreal, I sat on a panel that presented E-Discovery & Me: Facebook, Metadata & Beyond.  Kevin Lumpkin moderated, and I was joined by Jennifer McDonald, Daniel Martin, and Matthew Preedom.

The seminar left me with a new appreciation for the “tech” issues that lawyers confront daily.  It also left me incredibly impressed with the tech competence of my fellow panelists.  To say I was the weak link would be an understatement.

Thus, I hesitate to write this blog. Mostly from a competence perspective, but also because the topic is so vast that I could easily go too long & too far astray.  I’ll do my best to stay focused.  Today’s points:

  1. The duty of competence applies in discovery.
  2. The duty of competence includes providing clients with competent advice related to preserving & producing ESI.

Note, I intentionally used “discovery” instead of “e-discovery.” I’ve heard lawyers suggest that their duties are different, perhaps less stringent, with e-discovery.

Wrong.

Never have we presented, and never will we present, an ethics CLE in which we stress that the duty of competence includes providing clients with competent advice on the preservation & production of paper documents.  It’s a given.

It’s also a given with ESI.

In 2009, Vermont amended Rule 34(a) of the Rules of Civil Procedure. The amendment tracks the 2006 amendment to the Federal Rules of Civil Procedure.  The Reporter’s Note is not confusing.  The amendment:

  • “is intended ‘to confirm that discovery of electronically stored information stands on equal footing with paper documents’ and to make clear that a request for ‘documents’ that does not differentiate paper documents and electronically stored information should be understood as including the latter.”

No reasonable lawyer would conclude “I don’t really need to know how to advise my client on the preservation & production of paper documents.”  And, for more than a decade now, the discovery rule has been that ESI “stands on equal footing with paper documents.”

In short, ESI is discoverable, subject to the same discovery rules as information that is on paper. To produce ESI, your client must have preserved ESI.

For example, do you know:

  • whether your client has ESI that might be relevant to the representation;
  • the custodian(s) of that data;
  • the client’s policies on data storage/destruction.

In 2015, the State Bar of California issued Formal Opinion 2015-193.  The question presented: “what are an attorney’s duties in the handling of discovery of electronically stored information?”

I urge you to read the entire opinion.  In my view, the most important paragraph is this one:

  • “We start with the premise that ‘competent’ handling of e-discovery has many dimensions, depending upon the complexity of e-discovery in a particular case. The ethical duty of competence requires an attorney to assess at the outset of each case what electronic discovery issues might arise during the litigation, including the likelihood that e-discovery will or should be sought by either side. If e-discovery will probably be sought, the duty of competence requires an attorney to assess his or her own e-discovery skills and resources as part of the attorney’s duty to provide the client with competent representation. If an attorney lacks such skills and/or resources, the attorney must try to acquire sufficient learning and skill, or associate or consult with someone with expertise to assist.”

I appreciate the paragraph’s emphasis that lawyers need to know what they don’t know. I appreciate two other points.

First, the paragraph tells lawyers what they need to know:

“Attorneys handling e-discovery should be able to perform (either by themselves or in association with competent cocounsel or expert consultants) the following:

  • initially assess e-discovery needs and issues, if any;
  • implement/cause to implement appropriate ESI preservation procedures;
  • analyze and understand a client’s ESI systems and storage;
  • advise the client on available options for collection and preservation of ESI;
  • identify custodians of potentially relevant ESI;
  • engage in competent and meaningful meet and confer with opposing counsel concerning an e-discovery plan;
  • perform data searches;
  • collect responsive ESI in a manner that preserves the integrity of that ESI; and,
  • produce responsive non-privileged ESI in a recognized and appropriate manner.”

(Aside: I’d add this: in between preservation and production, lawyers often take possession of a client’s information, whether in paper or electronic form.  The duties to clients include acting competently to safeguard the information while it’s in the lawyer’s possession.  With ESI, that includes competently assessing whether to store the ESI in-house or to retain an e-discovery vendor to host the ESI.)

Second, the paragraph makes it clear that it’s okay not to know how to do those things.  Of course, a lawyer who doesn’t must (1) associate with someone who can competently handle those tasks, whether a lawyer or nonlawyer; or (2) withdraw from or decline the representation.

In closing, I’ve never received a disciplinary complaint alleging that a lawyer failed to provide competent representation on issues related to the preservation and production of ESI.  Someday I will.

For now, keep in mind that the risk is greater than a disciplinary investigation. There’s risk to the client.

Here’s Rule 37(f) of the Vermont Rules of Civil Procedure:

  • “Failure to Preserve Electronically Stored or Other Evidence.  If electronically stored or other evidence that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court, upon finding prejudice to another party from the loss of the evidence, may order measures no greater than necessary to cure the prejudice.” (emphasis added).

I’ve often blogged that setting reasonable expectations early in the representation is a good way to avoid disciplinary complaints.

Another is to avoid “measures” ordered by a court against a client.

Mobile Payment & Legal Fees

I’m not what anyone would call “young.”  But you know what I don’t use anymore?

Checks.

I write one per month: to my homeowner’s association.  I pay my other bills via online payments options tied to my bank account or credit card.  If I owe anyone money, I either (a) buy them a beer and say, “let’s call it even;” or (b) send it via Venmo or PayPal after they question my definition of “even.”

I expect that this will be controversial:  I hope that the conduct rules are never interpreted or applied to prohibit lawyers and law firms from accepting payment – including retainers – via services like Venmo and PayPal.

As alluded to in the opening paragraph, it’s a question we need to resolve.  An ever-growing number of consumers of legal services do not use cash or checks. I think lawyers need to consider whether not having, say, a firm Venmo account will cost the firm a potential client who asks “to Venmo” the retainer.

I’m aware of only one advisory opinion directly on point.  It’s the South Carolina Bar’s Ethics Advisory Opinion 18-05.   (Note: this post is NOT about credit card payments or the numerous advisory opinions on credit card payments.)

Cutting to the chase, here’s the conclusion reached by the SC Bar:

  • “Accordingly, Lawyer may elect to establish a dedicated trust account via an online payment service provider, but funds received into that account are likely to be nominal or short-term, thus requiring in turn a transfer of those funds to an IOLTA account. Lawyer should be aware of an elevated risk of non-collection under these circumstances in making the individual determination as to whether he is willing to receive funds belonging to third parties via an online payment service provider, PayPal or otherwise.”

Makes sense to me.

Remember: “trust account” is a term that gets thrown around loosely.  There’s a difference between a “trust account” and a “pooled interest-bearing trust account.”

If a lawyer represents me and is holding money in connection with the representation, there’s no question that the money must be held in trust.  The only question is this: are the funds reasonably expected to earn net dividends or interest?

If the answer is “yes,” the money must be held in a trust account.

If the answer is “no,” which it most often is, then the funds must be held in a “pooled interest-bearing trust account in a financial institution in Vermont that has been approved by the Professional Responsibility Board.”   This latter scenario involves what all of us refer to as “IOLTA accounts.” The interest generated by the “pooling” of my funds with funds that belong to my lawyer’s other clients is paid to the Vermont Bar Foundation.

With both this and the South Carolina opinion in my mind, I see no reason why a lawyer or firm can’t create a Venmo account to accept fees that are paid in advance.  Of course, all the other rules apply.  For instance,

  • the account must include a record-keeping system that complies with Rule 1.15A(a);
  • records of funds held in the account must be maintained for 6 years following the termination of a representation;
  • the account is subject to the compliance reviews and audits authorized by Rules 1.15A(b) and 1.15A(c); and,
  • the lawyer or firm cannot deposit its own fees into the account, except in an amount necessary to pay service charges or fees on the account.

Then, on a regular basis, the lawyer or firm must (1) transfer earned fees to the operating account; and (2) transfer to a pooled-interest bearing trust account (“IOLTA”) at an approved institution funds that otherwise would be deposited into the IOLTA if received by check, cash, or credit card.

In short, I’m on board with the SC opinion and think that the existing rules allow lawyers to accept advance payments via methods like PayPal and Venmo.  Of course, others might disagree with me. That’s fine.  If I’m wrong, we should change the rules and expressly allow lawyers and their clients to transact business in a way that society has deemed commercially reasonable.

One final note: if you or your firm has a Venmo account, you might want to suggest to clients who use it that they change their privacy settings.  I can imagine a few friends of mine reacting uncomfortably when confronted by spouses who saw a payment to a law firm on their Venmo feeds.

For more, here’s an Above The Law post that’s a primer of sorts on different methods of digital payments.  Finally, a related post: Bitcoin as Payment for Legal Fees.


Advising Clients on their Social Media Use

Earlier this week, I blogged on an advisory opinion issued by the North Carolina State Bar.  It’s an opinion that discusses a lawyer’s ethical duties when reviewing and accessing social media platforms maintained by adverse parties and witnesses.

Today, the flip side: what duties does a lawyer owe to clients regarding their social media use?

Many of you like to cut to the chase.  So, here’s the deal:

  1. Competent representation includes advising clients as to how their social media use will impact a matter.
  2. Yes, a lawyer can advise clients to make their privacy settings more restrictive.
  3. Whether a lawyer can advise clients to “clean-up” their social media posts is nuanced, and certainly not so simple as “that’s not allowed.”  Substantive law on preservation and spoliation will play a critical role.
  4. A lawyer may not advise a client to post false or misleading information on social media.
  5. Finally, it is no longer okay to choose to ignore the fact that your clients likely use multiple social media platforms.  If that means finding someone to help you discuss with clients something that you don’t know how to discuss, then so be it.

I find the Social Media Guidelines from the New York State Bar’s Commercial and Federal Litigation Section to be incredibly helpful.  The Guidelines were updated earlier this year.  If you click on only one link in this post, make sure it’s the introduction to the update.  It’s worth reading.

I’ll end there.   For those of you interested in more, below the image you’ll find links to helpful advisory ethics opinions with a few important quotes from each.


Pennsylvania Bar Association Formal Opinion 2014-300

  • “The Rules do not prohibit an attorney from advising clients about their social networking websites. In fact, and to the contrary, a competent lawyer should advise clients about the content that they post publicly online and how it can affect a case or other legal dispute.”
  • “A lawyer may not instruct a client to alter, destroy, or conceal any relevant information, regardless whether that information is in paper or digital form. A lawyer may, however, instruct a client to delete information that may be damaging from the client’s page, provided the conduct does not constitute spoliation or is otherwise illegal, but must take appropriate action to preserve the information in the event it is discoverable or becomes relevant to the client’s matter.”
  • “Similarly, an attorney may not advise a client to post false or misleading information on a social networking website; nor may an attorney offer evidence from a social networking website that the attorney knows is false.”

Florida Bar Ethics Opinion 14-1

  • “In summary, [an attorney] may advise that a client change privacy settings on the client’s social media pages so that they are not publicly accessible. Provided that there is no violation of the rules or substantive law pertaining to the preservation and/or spoliation of evidence, the inquirer also may advise that a client remove information relevant to the foreseeable proceeding from social media pages as long as the social media information or data is preserved.”

North Carolina 2014 Formal Ethics Opinion 5

  • “competent representation includes advising the client of the legal ramifications of existing postings, future postings, and third party comments.”
  • “If removing postings does not constitute spoliation and is not otherwise illegal, or the removal is done in compliance with the rules and law on preservation and spoliation of evidence, the lawyer may instruct the client to remove existing postings on social media. The lawyer may take possession of printed or digital images of the client’s postings made for purposes of preservation.”

West Virginia Legal Ethics Opinion 2015-02

  • “Attorneys must have a general understanding as to how social media and social networking websites function.”
  • “Attorneys should ensure that their clients are aware of the consequences of their actions via social media and social networking websites, as it is reasonable to expect that their client’s activities will be monitored by opposing counsel and others.”
  • “Although attorneys may instruct their clients to delete information from the clients’ social media pages that may be damaging to the clients, provided the attorneys’ conduct does not constitute spoliation or is otherwise illegal, attorneys must take the appropriate steps to preserve the aforementioned information in the event that it is deemed discoverable or becomes relevant to the clients’ cases.”

D.C. Bar Opinion 371

  • “Rules 1.1 and 1.3 require a lawyer to consider the potential risks and benefits that client social media could have on litigation, regulatory, and transactional matters undertaken by the lawyer, and Rule 1.4 requires a lawyer to discuss such risks and benefits with clients.”
  • “Because social media postings are subject to discovery and subpoenas, a lawyer may need to include social media in advice and instructions to clients about litigation holds, document preservation, and document collection.[23] A lawyer also may need to determine whether under applicable law, which varies from jurisdiction to jurisdiction, clients may modify their social media presence once litigation or regulatory proceedings are anticipated. For example, are clients permitted to change privacy settings or to remove information altogether from social media postings? Such analysis may need to include consideration of obstruction statutes, spoliation law,[24] and procedural rules applicable to criminal and regulatory investigations and cases; procedural rules and spoliation law in civil cases; and the duty under Rule 3.4(a) not to “[o]bstruct another party’s access to evidence or alter, destroy, or conceal evidence, or counsel or assist another person to do so. . . .”[25] Before any lawyer-counseled or lawyer-assisted removal or change in content of client social media, at a minimum, an accurate copy of such social media should be made and preserved, consistent with Rule 3.4(a).”

NC Advisory Opinion on Reviewing & Accessing Social Media Platforms

Yesterday, I came across the North Carolina State Bar’s 2018 Formal Ethics Opinion 5.  It “reviews a lawyer’s professional responsibilities when seeking access to a person’s profile, pages, and posts on a social network to investigate a client’s legal matter.”  As such, it’s blogworthy.


The opinion opens with an important point: technology is ever evolving. Social networks and social media platforms are no different: their features “are constantly changing.”  The duty of competence includes keeping abreast of the benefits and risks of relevant technology.  This echoes Comment 8 to Vermont’s Rule 1.1 and is the exact point I’ve tried to make when addressing the duty to safeguard client information.

Next, the opinion addresses five questions.   My synopsis:

  1. Yes, it’s okay to look at information that is public.  Note, however, that repetitive viewing for no other reason than to cause the person to receive notice that you looked can rise to the level of impermissible harassment.  In other words, competence likely includes knowing which platforms notify a person that someone has viewed their profile.  I blogged on that very point here.
  2. No, you may not use deception to access a restricted (or private) portion of a person’s social network presence.
  3. Yes, it’s okay to request access to restricted (or private) portions of an unrepresented person’s social networks.  As long as the request does not include deception or dishonesty, and as long as you correct any misunderstanding that the unrepresented person has of your role.**
  4. No, you may not send a request for access to restricted (or private) portions of a represented person’s social networks.  To do so would violate the rule that prohibits communicating with a represented person on the subject of the representation.  Nor may you direct a third person to do the same.
  5. Yes, you may request and accept information from a third party who has access to the restricted (or private) portions of a person’s social networks.  You may not, however, direct or encourage a third person to use deception or misrepresentation to gain access.**

For more, check out the entire opinion.

** Note: the opinion makes quite clear that it does not “obviate” the Comment to Rule 8.4 that authorizes a lawyer to advise “a client or, in the case of a government lawyer, investigatory personnel, of action the client, or such investigatory personnel, is lawfully entitled to take.”

Other resources

I Love You, Now Die: what an HBO documentary can tell us about the duty of tech competence.

A few minutes ago, I finished HBO’s I Love You, Now Die: The Commonwealth v. Michelle Carter.  Directed by Erin Lee Carr, the two-part documentary delves into the relationship between teenagers Michelle Carter and Conrad Roy, and the involuntary manslaughter charge that was filed against Carter following Roy’s suicide.

As a person, I found the documentary disturbing, sad and disturbingly sad.  One life tragically lost, many others tragically altered, if not ruined.  I don’t have kids, but I imagine that anyone who does will be deeply affected by the story.

As bar counsel, I was struck differently.  In my professional capacity, the Carter trial serves as a compelling example of lawyers on both sides demonstrating tech competence.

I’m not going to divulge spoilers.  Suffice to say, at trial, both sides made extensive use of thousands of text messages that the defendant and decedent exchanged or sent to others.  The prosecution effectively putting the accused on the stand even though she did not testify, Carter’s lawyers essentially using the decedent’s own “words” to construct a defense.

Indeed, as you’ll learn if you watch, the verdict turned on a single text message.

From a professional responsibility perspective, the documentary makes me more certain than ever that the failure to understand that ESI exists, as well as the failure to understand how to access, review, and use it, likely violates the duty of competence.

Interested?  The trailer is here.


Social Media & Legal Ethics

It’s been a while since I’ve blogged, and even longer since I’ve subjected readers to the mantra upon which this blog was built:  competence includes tech competence.

With that in mind, an update!

A few weeks ago, the Commercial and Federal Litigation Section of the New York State Bar Association released its updated Social Media and Legal Ethics Guidelines.  First released in 2014, the Guidelines are one of the leading resources on a lawyer’s obligations under the rules of professional conduct with respect to social media.  While based on New York’s rules, the Guidelines cite to advisory ethics opinions from across the country. Here’s an outline distilled from the table of contents:

  1. Attorney Competence
  2. Attorney Advertising and Communications Concerning a Lawyer’s Services
  3. Furnishing of Legal Advice through Social Media
  4. Review and Use of Evidence from Social Media
  5. Communicating with Clients
  6. Researching Jurors and Reporting Juror Misconduct
  7. Using Social Media to Communicate with a Judicial Officer

There’s also an Appendix that includes a list of some of the more popular social media platforms, as well as a glossary of social media’s more commonly used words & phrases.

(no, I’m not sure that “social media’s more commonly used words & phrases” is proper grammar.  But I tend to write like I speak, and if I said it out loud, you’d know exactly what I meant.)

Anyhow, the Guidelines are a great resource.  I recommend bookmarking the link.

Finally, thank you Dave Carpenter for the h/t that the Guidelines had been updated!


Redacting Confidential Info

In January, Paul Manafort’s lawyers made headlines for failing to take proper steps to redact a document.  Myriad outlets covered the story, including The Atlantic, BBC, and Legal Tech News.

In response, the ABA Journal posted How to redact a PDF and protect your clients.  A few days later, I recommended the ABA post in my blog Competence, Confidences and PDFs.

Today, the ABA Journal published more helpful information: Redacting confidential client information: The devil is in the details.  The post points out the risks in failing to understand how properly to redact a document.  I recommend it.

One risk? Disciplinary action.  Lawyers have a duty not to disclose information relating to the representation of a client.  There’s also a duty to use reasonable safeguards to protect against unauthorized access to or inadvertent disclosure of confidential information.  In my view, employing a redaction method that fails to keep information confidential is not a reasonable safeguard.

Rather, it’s tech incompetence.


Court Martials, Web Bugs, and Tech Competence

This blog was built on the idea that competence includes tech competence.  As I’ve hammered home that point over the years, I’ve touched upon the ethics issues associated with web bugs.

My most recent post on the issue is here: Don’t Let the Web Bugs Bite.  It discusses an advisory opinion issued by the Illinois State Bar Association. I wrote:

  • “The ISBA concluded that an attorney who uses email tracking software engages in dishonest & deceitful conduct, and impermissibly intrudes on opposing counsel’s attorney-client relationship.  As such, the use of web bugs violates Rules 8.4(c) and 4.4(a). The ISBA’s conclusions track (pun intended) conclusions reached by New York, Alaska, and Pennsylvania.”

Web bugs and legal ethics are in the news this week.  Navy lawyers prosecuting the high-profile court martials of two former SEALs allegedly inserted email tracking software into emails sent to the defense team and media outlets.  The Military Times, the ABA Journal, the Guardian, and the Associated Press covered the story.

First, what’s a web bug?  For the purposes of this post, a web bug is email tracking software.

Ok, so why is that important?  Read the articles on the Navy cases.  The ABA Journal headline sums it up: “Defense lawyers accuse military prosecutor of sending them emails with tracking software.”

More specifically, imagine yourself representing one of the accused. Now, further imagine yourself receiving an email from the prosecutor.  An email that includes the type of tracking software at issue in the ISBA advisory opinion.  Per the ISBA:

  • “The present inquiry involves the use of email ‘tracking’ software, applications that permit the sender of an email message to secretly monitor the receipt and subsequent handling of the message, including any attachments.  The specific technology, operation, and other features of such software appear to vary among vendors. Typically, however, tracking software inserts an invisible image or code into an email message that is automatically activated when the email is opened. Once activated, the software reports to the sender, without the knowledge of the recipient, detailed information regarding the recipient’s use of the message. Depending on the vendor, the information reported back to the sender may include: when the email was opened; who opened the email; the type of device used to open the email; how long the email was open; whether and how long any attachments, or individual pages of an attachment, were opened; when and how often the email or any attachments, or individual pages of an attachment, were reopened; whether and what attachments were downloaded; whether and when the email or any attachments were forwarded; the email address of any subsequent recipient; and the general geographic location of the device that received the forwarded message or attachment.”

A few thoughts.

To date, nearly everyone agrees that it’s a violation of the Rules of Professional Conduct to insert web bugs into emails sent to an opposing party or counsel.

The SEAL story raises a perfect example of tech competence.   Earlier this month, one of the lead defense attorneys received an email from the prosecutor.  Unlike prior emails from the prosecutor, it contained an unusual logo below the prosecutor’s signature.  The logo was of a bald eagle and American flag perched on the scales of justice.  The image aroused the attorney’s suspicions.  So much so that he wrote to the prosecutor:

  • “I am writing regarding your emails from yesterday, which contained an embedded image that was not contained in any of your previous emails. At the risk of sounding paranoid, this image is not an attachment, but rather a link to an unsecured server which, if downloaded, can be used to track emails, including forwards. I would hope that you aren’t looking to track emails of defense counsel, so I wanted to make sure there wasn’t a security breach on your end. Given the leaks in this case, I am sure you can understand.”

Well, here we are.  Sometimes they are out to get you.

Finally, I want to reiterate a point I made when I first blogged about the Illinois advisory opinion.

I do not disagree with any of the four opinions that have concluded that a lawyer’s surreptitious intrusion into a privileged relationship violates the rules. However, I differ with one aspect of the Illinois opinion.

The ISBA noted that “there do not appear to be any generally available or consistently reliable devices or programs capable of detecting or blocking email tracking software.”  As I stated then, I am not certain that I agree.  Indeed, shortly after I posted my blog, several tech vendors who follow me on social media either commented on the post or reached out to me privately.  Without exception, they agreed that there are a host of reasonably available countermeasures for law firms to employ against web bugs.

Moreover, I think it’s risky for a lawyer to rely on the old “well, they shouldn’t be unethically spying on me.”

I agree, nobody should be spying on you. And, when it comes to web bugs and email tracking software, the spies might always remain one step ahead.

But that does not relieve you of the duty to stay abreast of developments in technology and to take reasonable precautions against the unauthorized access to or inadvertent disclosure of information related to the representation of a client.
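The ISBA passage quoted above describes tracking as an invisible image that reports back when the email is opened, and the defense attorney's note distinguishes an attachment from a link to an outside server. As an added example (not from the ISBA opinion or any vendor), this Python check lists the images in an HTML email that would be fetched from a remote server on open; the sample message, its addresses and the flagging heuristics are constructed assumptions.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample message (not taken from any real case or email).
SAMPLE_EML = """\
From: sender@example.org
To: counsel@example.com
Subject: Scheduling
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the proposed dates.</p>
<img src="cid:signature-logo" width="120" height="40">
<img src="http://tracker.example.net/logo.png?id=8f3a1c77d2" alt="logo">
<img src="https://cdn.example.net/o.gif" width="1" height="1">
</body></html>
"""

class ImgCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.images = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))

def find_remote_images(raw_message):
    """Return (src, reasons) for every image that loads from a remote server."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = ImgCollector()
        collector.feed(part.get_content())
        for img in collector.images:
            src = (img.get("src") or "").strip()
            if not re.match(r"(?i)https?://", src):
                continue  # cid:/data: images travel inside the message itself
            reasons = ["remote image, fetched from an outside server on open"]
            if src.lower().startswith("http://"):
                reasons.append("unencrypted http")
            if "?" in src:
                reasons.append("query string may carry a per-recipient ID")
            if img.get("width") in ("0", "1") and img.get("height") in ("0", "1"):
                reasons.append("invisible 1x1 pixel")
            findings.append((src, reasons))
    return findings
```

A mail client set to block remote images by default never makes these fetches, so nothing is reported back unless the reader chooses to load the images.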
