Is there a duty to encrypt email?

Given that it’s Friday, I’ll start with a quiz question:

Which is most accurate? A lawyer must _____

  • A.  encrypt an email that contains information related to the representation.
  • B.  encrypt an email that contains “sensitive information.”
  • C.  encrypt an email that contains privileged information.
  • D.  act competently to protect the confidentiality of information related to the representation of a client, including by taking reasonable precautions to protect against the inadvertent disclosure of or unauthorized access to that information.

The answer is D.

I understand that practicing lawyers with professional responsibility inquiries want “yes” or “no” answers. However, bar counsel types who provide ethics guidance often don’t get as specific as lawyers would like. In no area is that more common than protecting client information.

Decades ago, I’m guessing that my predecessors didn’t answer “yes” or “no” when asked “am I required to buy one of those fancy new file cabinets that has locks on each drawer?”  Rather, they replied “you are required to take reasonable precautions to protect client information.”  Whether the inquirer’s personal circumstances made file cabinets sans locks unreasonable would’ve depended on the circumstances.  For instance, were the file cabinets in a locked closet to which only the lawyer and staff had access? Or were the file cabinets in storage room that the law firm shared with other businesses that rented space in the building?

Indeed, in 2017, the ABA’s Standing Committee on Ethics & Professional Responsibility declined to set “hard and fast rules” for storing client’s electronic information. In Formal Opinion 477, the Committee essentially announced that it’s not going to review every new advance in technology. No matter the next new thing, the duty remains the same: take reasonable precautions to protect client information.

Earlier this week, Professor Bernabe posted Does a lawyer have to encrypt e-mail messages? In it, he linked to LexBlog’s Encryption Ethics. I like the LexBlog post. The author makes clear that there will come a day when the failure to encrypt is deemed unreasonable. Here’s the post’s concluding sentence:

  • “But as encryption and other safeguards get less expensive and cumbersome, your duty to implement these measures will undoubtedly increase.”

I’ve been saying the same thing for years. In 2015, I said it To encrypt or not to encrypt?  I said it again in 2017’s Encryption and the Evolving Duty to Safeguard Client Information.  In each post, I referenced various advisory opinions that make clear that, someday, technology will have evolved to the point at which it is no longer reasonable to choose not to encrypt email.  Similarly, there will come a time when it is not reasonable to use modes of information transmission or storage that do not encrypt the information in transit or at rest.

As I’ve run out of coffee and fret about having time to draft a Five for Friday post, I fear that I’ve lost focus.  So, I’ll leave you with this:  yesterday’s reasonable safeguards might be wholly unreasonable tomorrow. At the very least, take some time to think about how you and your firm are handling electronically stored client information.

Safeguarding data

Updates on Leaving a Firm, Tech Competence, and Regulatory Reform.

Today’s post updates/revisits topics I’ve previously discussed:

  • duties to clients when a lawyer leaves a firm.
  • Tech competence: it’s been 16 years (!) since Zubulake.
  • Arizona adopts significant regulatory reform.

Duties to Clients when a Lawyer Leaves a Firm

In September, I posted Leaving A Law Firm: Breaking Up Is Hard To Do.  The post highlights the duties that a departing lawyer and firm owe to clients. It’s based (mostly) on a formal advisory opinion that the ABA issued in 1999.

Then, in December, I posted this update after the ABA Standing Committee On Ethics And Professional Responsibility issued Formal Opinion 489: Obligations Related to Notice When Lawyers Change Firms. 

Update: Last month, the Ohio Board of Professional Conduct issued Formal Opinion 2020-06: Lawyer Departing a Law Firm.  The opinion tracks the most recent ABA opinion.  Summary:

  1. When a lawyer with “principal responsibility” for a client matter departs a firm, the lawyer is required to communicate the impending departure.
  2. Preferably, notice should come from both the firm and the departing lawyer.
  3. The departing lawyer should not notify clients of the impending departure before notifying the firm.
  4. Neither the departing lawyer nor the firm should state or imply that the client is the firm’s or the lawyer’s or take any action that interferes with the client’s right to choose counsel (including a new firm altogether).  Client choice remains paramount!
  5. Given the prior professional relationship, both the departing lawyer and firm may indicate a willingness to continue to represent the client.
  6. If no remaining lawyers can provide competent representation to the client, or if a conflict at the new firm prohibits the client from following the departing lawyer, the firm and lawyer must work to assist the client to find new counsel.

Thank you Professor Bernabe for the tip.

Tech Competence: it’s been 16 years (!) since Zubulake

The blog was founded on the slogan “Competence Includes Tech Competence.”  In January, and following a CLE in which I was fortunate to present with a group of highly competent litigators, I posted Competence & E-Discovery. I think it’s an okay refresher.

Last week, I fell down a rabbit hole of old articles on legal ethics and found an ABA Journal post from 2014: Looking back on Zubulake, 10 years later.  To me, it’s an interesting and informative review of the landmark decision, a decision that, really, thrust “tech competence” into the parlance.

Arizona Adopts Regulatory Reform

Last week, I blogged about the Utah Supreme Court’s decision to adopt significant changes to the Rules of Professional Conduct and the manner in which the provision of legal services is regulated. In short, acknowledging that the rules can serve as a barrier to accessing affordable legal services, the Utah Court issued Standing Order 15 which:

  • allows lawyers to share fees with non-lawyers;
  • allows lawyers to practice in entities that are owned or managed by non-lawyers; and,
  • repeals the rule that prohibits sharing fees with lawyers in other firms.

Update: The day after my post, the Arizona Supreme Court adopted similar reform  Per this press release, the “goal is to improve access to justice and to encourage innovation in the delivery of legal services. The work of the task force adopted by the Court will make it possible for more people to access affordable legal services and for more individuals and families to get legal advice and help. These new rules will promote business innovation in providing legal services at affordable prices.”  The changes:

  • create a process to license paraprofessionals who will be authorized to provide limited legal services in certain types of cases, including going to court with clients;
  • repeal the rule that prohibits fee sharing with a lawyer in another firm; and,
  • repeal the rule that prohibits non-lawyers from having ownership interests in law firms.

Legal Ethics

Scam Alert: imposter pretending to be a lawyer you know.

Recently, many Vermont lawyers received a barrage of emails, texts messages, and phone calls from someone pretending to be Vermont Attorney.  The contacts did not come from numbers or accounts associated with Vermont Attorney.  In each, the recipient was asked to purchase gift cards for Vermont Attorney’s nieces and nephews.

One recipient replied that he would do anything to help Vermont Attorney, but only after speaking to Vermont Attorney.  The recipient immediately received a phone call from a number other than Vermont Attorney’s.  The caller was a male with a foreign accent who claimed to be Vermont Attorney.  Vermont Attorney is not male and does not have a foreign accent.

There’s a positive aspect to the story.  As Vermont Attorney noted in an email to me:

  • “The really amazing thing is most everyone immediately responded.  Such a great thing to have a bar that protects each other!”

Indeed!

For more:

COVID-19 scams target older adults, prey on fears | Local News ...

Buried Ledes, Hackers, and Protecting Client Data

A friend of mine used the word “lede” in a text she sent me earlier this week.  So impressed that she knew the proper spelling, the word has stayed on my mind ever since.  Good thing.  Because as I proofed this post, I realized that I almost buried the lede.

Even Vermont-sized law firms are vulnerable to hackers.

Image result for hackers data

In January, hackers stole data from five small firms.  From each, the hackers demanded 100 Bitcoin to restore access to the data and 100 Bitcoin not to sell it. Then, the hackers began publishing the data on the web. Among others, Law.Com, CoinTelegraph and the ABA Journal have the story.

Did I mention that, at the time, 100 Bitcoin cost $930,000?  Today it’s only $890,416.

I’ll return to the story in a moment.  First, however, I’d like to introduce Jim Knapp.

Jim is Vermont State Counsel for First American Title Insurance.  But the day I blog about underwriting will be the day I retire as a blogger.

For many years, Jim and Kevin Ryan presented their famed “Road Show” across Vermont. It was a CLE that included great tips on tech and data security. You know – tech competence!

I’ll start with the basic premise: lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to information relating to the representation of a client. The duty applies to the electronic transmission and storage of client information & data.

As I noted here, there is no set answer to “what are reasonable precautions?”  The ABA’s Standing Committee on Ethics and Professional Responsibility agrees. In Formal Opinion 477, the Committee advised:

  • “What constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors. In turn, those factors depend on the multitude of possible types of information being communicated (ranging along a spectrum from highly sensitive information to insignificant), the methods of electronic communications employed, and the types of available security measures for each method.”

With respect to cyber threats, the Committee stated:

  • “the reasonable efforts standard. . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”

Now, back to the story of the hackers.

Along with blogger’s bloc, the story made realize today is a great day for a Q&A with Jim Knapp. Jim was kind enough to agree.

MK: Thanks for doing this Jim. First reaction when you read about the hack?

Jim: So, this would be deemed a really bad day! First you are locked out of your system, and even if you had good recent backups, and could expend the money and time to restore everything, second, the bad actors are still threatening to sell / release your data. Not to mention, now you have a data breach and must satisfy all the legal requirements related to the analysis and notifications imposed by State laws. What a way to start a week!

MK: I’ll say. For me, this hit home because it didn’t involve one of the ginormous multi-national firms. The firms involved are similar in size to most Vermont firms. How do Vermont lawyers protect themselves?

Jim: As we’ve seen, 2020’s are barely a few weeks old and the news is not good. Ransomware has reached a new high(?) / low (low). The bad actors are not just encrypting your files, they are offering to publish your firm’s files to the public, or at least the public that uses the dark web.

You can no longer rely on having anti-virus software as your only means of protection. Backups are important to recover your data in the case of disaster, but a good backup won’t stop a bad actor from publishing data they have stolen from your firm. Acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.

MK: I love the last sentence: “acting reasonably is acting from a sufficient pool of knowledge to understand the risks and the potential solutions.” Many lawyers, myself included, aren’t exactly tech savvy. My sense is that many firms “leave that to the IT person.” Of course, in the end, a lawyer is responsible for ensuring that the nonlawyer staff – including IT staff and vendors – are protecting client data. Anyhow, how do we move from toes-in-the-water to the deeper end of that pool of knowledge? Some states require tech CLE. In December 2018, I posted this blog wondering if we should.

Jim: While the idea of mandatory participation in professionalism, mindfulness, wellness, etc., are all good subjects, it seems to me that perhaps mandatory participation in cybersecurity training would be a worthy subject. Not just for lawyers but for all persons who work in a law office. As regards Vermont, out of the 2700+ lawyers, I’ll bet not more than 350-400 unique persons have attended a well prepared and presented program on cybersecurity. Of course, those folks will roll their eyes, if they have to hear one more presentation on “don’t click”; have good passwords etc.

MK: I agree. But I still run into lawyers who say, “I wouldn’t even know what the presenters are talking about.”

Jim: Gaining a suitable level of the essential elements of data security is a challenging task if you choose to pursue this on your own. The key is finding a suitable CLE program that can translate the arcane elements of information security into knowledge you can use to assess how safe your law office environment is. Everyone whose practice depends on the availability of information stored on a computer system owes it to their clients and to themselves to attend enough CLE programs to understand what options exist for protecting their digital information.

MK: Music to my ears! But it has to be more than just “go to a tech CLE,” right?

Jim: Training is a key element to protecting your digital environment. But training alone isn’t sufficient, as no matter how diligent you are in reminding all your colleagues not to open questionable emails, stay away from questionable websites, and to watch out for the social engineers looking to convince you to hand over key information like passwords, the bad actors will eventually find an opening and pounce.

Information security for a law office involves all kinds of elements, from

  • properly configuring the hardware included in your network, like the router that connects your office to the outside world; to,
  • running a suitable firewall; to,
  • using effective anti-malware software; to,
  • keeping your operating system and applications up to date with all patches (Note: if you are still using Windows 7 you must STOP now. Microsoft is no longer providing patches for Windows 7 and there are still numerous vulnerabilities that have never been fixed and now will not be fixed)
  • possibly running intrusion detection and intrusion prevention systems within your network;
  • and more.

MK: Good stuff! Last question before we lose everyone: I’ve often called you for tips on backing up client data. Can you give us the quick version that you’ve given me on backups, airgap, etc.?

Jim: Backup, like all tech issues, has lots of components. The right backup strategy depends on what kind of data you have, how much data you have, and where you store your data. But, everyone should consider at least the following elements:

  • Nearline – a backup that is connected to your network storage, or to your personal PC (wherever you store your day to day work product) all the time and periodically (hourly, every few hours, at least twice a day), duplicates the data in your data storage. Usually, an external USB hard drive purchased for less than $100.00 will suffice. This allows you to recover immediately, or nearly immediately from a problem with your storage device, e.g. your hard drive or SSD croaks at 3:30 and the response to the motion for summary judgment is due tomorrow.
  • Offline – a backup that is stored off-site. It can be cloud based, or a rotation of physical drives, one of which is stored off-site at all times. This provides a recovery option for the electrical surge that kills your onsite storage, a fire, a flood, or somebody breaks into your office and steals the computers. This backup is run at an interval calculated by how much work-product you are willing to lose and have to recreate. It could be measured in weeks, but I would offer that daily is a more reasonable assessment.
  • Airgap – this a backup device that is only connected to your network or the PC while the backup is running. This is one tool in the kit to address a ransomware attack on your systems. Again, an airgap backup will typically fit on a good quality external USB hard drive which is a $100 item. To run the back-up, you connect the device to the storage device you want to backup, and as soon as the backup is complete, you disconnect the backup device and store it safely away from any connection to your data storage systems.

MK: I lied, one more question: you & I bumped into each other at church on Ash Wednesday. Was that your cell phone that went off during mass? Tech competence is a thing at worship too.

Jim: Fortunately no, neither of my cell phones was that particular culprit.

MK:  Good.  The ringtone reflected a failure to act competently when choosing a ringtone.

Jim:  I have two cell phones because of the nature of the insurance business and my employer’s policies. Particularly, in the case of regulators, they can demand access to Company information, some of which may be stored on my phone. And, the Company retains the right to monitor and inspect all data stored on or passing through their data-stream. Now, while I have few secrets worth discovering, and after 40 years of practice in Vermont, net worth is not one of them, I have no desire to expose my personal information to either the regulators or the Company. Hence, I have a personal cell phone and a work cell phone. I would suggest that lawyers should consider the same analysis I did. If you were sued, do you really want opposing counsel and your appointed defense counsel rummaging through the materials on your phone?

MK:  It’s almost as if you’ve seen what’s on my phone.  No, I don’t want anyone rummaging through!  Good reminder though: as I blogged here, lawyers who travel abroad should consider leaving behind devices that contain client data.

Thanks Jim, this was great!

To be clear: being hacked isn’t necessarily an ethics violation.  Even reasonable security can be breached.  My point today is to encourage lawyers and firms to assess the measures that they have in place.  And, to encourage those who don’t know how to perform such an assessment to find someone who does.

Finally, if you or your firm has been breached, you should (1) read my post ABA Addresses Lawyer’s Duties in Response to a Data Breachand (2) review the Attorney General’s outline of duties that arise under Vermont’s Security Breach Notice Act.

As always, let’s be careful out there.

Throwback Thursday: Social Media

Last week, I posted Comptence & E-Discovery.  It generated a few calls & emails on another topic that we touched upon in the seminar that’s referenced in the post: a lawyer’s professional obligations vis-a-vis ESI & social media.

I’ve blogged & spoken on the issue several times. To me, it comes down to this:

  • The duty of competence includes reviewing the publicly available social media presences of adversaries, witnesses, and jurors.
  • Knowing that others are looking, the duty of competence includes advising clients of the risks associated with making information publicly available on social media.

As to the former, please see this post from September 2019.  It includes links to several advisory ethics opinions that address a lawyer’s duties when reviewing social media evidence. As to the latter, please see this post, also from September 2019.

Image result for images of social media

Competence & E-Discovery

A lawyer’s professional responsibilties include:

  • providing clients with competent representation;
  • abiding by the rules of a tribunal;
  • acting competently to prevent the inadvertent disclosure of a client’s otherwise confidential or privileged information;
  • not assisting a client or another person unlawfully to obstruct access to evidence; and,
  • not assisting a client or another person unlawfully to alter, conceal, or destroy documents and material that have potential evidentiary value.

tech-ethics

At the YLD Thaw in Montreal, I sat on a panel that presented E-Discovery & Me: Facebook, Metadata & Beyond.  Kevin Lumpkin moderated, and I was joined by Jennifer McDonald, Daniel Martin, and Matthew Preedom.

The seminar left me with a new appreciation for the “tech” issues that lawyers confront daily.  It also left me incredibly impressed with the tech competence of my fellow panelists.  To say I was the weak link would be an understatement.

Thus, I hesitate to write this blog. Mostly from a competence perspective, but also because the topic is so vast that I could easily go too long & too far astray.  I’ll do my best to stay focused.  Today’s points:

  1. The duty of competence applies in discovery.
  2. The duty of competence includes providing clients with competent advice related to preserving & producing ESI.

Note, I intentionally used “discovery” instead of “e-discovery.” I’ve heard lawyers suggest that their duties are different, perhaps less stringent, with e-discovery.

Wrong.

Never have we presented, and never will we present, an ethics CLE in which we stress that the duty of competence includes providing clients with competent advice on the preservation & production of paper documents.  It’s a given.

It’s also a given with ESI.

In 2009, Vermont amended Rule 34(a) of the Rules of Civil Procedure. The amendment tracks the 2006 amendment to the Federal Rules of Civil Procedure.  The Reporter’s Note is not confusing.  The amendment:

  • “is intended ‘to confirm that discovery of electronically stored information stands on equal footing with paper documents’ and to make clear that a request for ‘documents’ that does not differentiate paper documents and electronically stored information should be understood as including the latter.”

No reasonable lawyer would conclude “I don’t really need to know how to advise my client on the preservation & production of paper documents.”  And, for more than a decade now, the discovery rule has been that ESI “stands on equal footing with paper documents.”

In short, ESI is discoverable, subject to the same discovery rules as information that is on paper. To produce ESI, your client must have preserved ESI.

For example: do you know whether:

  • your client has ESI that might be relevant to the representation;
  • the custodian(s) of that data;
  • the client’s policies on data storage/destruction.

In 2015, the State Bar of California issued Formal Opinion 2015-193.  The question presented: “what are an attorney’s duties in the handling of discovery of electronically stored information?”

I urge you to read the entire opinion.  In my view, the most important paragraph is this one:

  • “We start with the premise that ‘competent’ handling of e-discovery has many dimensions, depending upon the complexity of e-discovery in a particular case. The ethical duty of competence requires an attorney to assess at the outset of each case what electronic discovery issues might arise during the litigation, including the likelihood that e-discovery will or should be sought by either side. If e-discovery will probably be sought, the duty of competence requires an attorney to assess his or her own e-discovery skills and resources as part of the attorney’s duty to provide
    the client with competent representation. If an attorney lacks such skills and/or resources, the attorney must try to acquire sufficient learning and skill, or associate or consult with someone with expertise to assist.”

I appreciate the paragraph’s emphasis that lawyers need to know what they don’t know. I appreciate two other points.

First, the paragraph tells lawyers what they need to know:

“Attorneys handling e-discovery should be able to perform (either by themselves or in association with competent cocounsel or expert consultants) the following:

  • initially assess e-discovery needs and issues, if any;
  •  implement/cause to implement appropriate ESI preservation procedures;
  • analyze and understand a client’s ESI systems and storage;
  • advise the client on available options for collection and preservation of ESI;
  • identify custodians of potentially relevant ESI;
  • engage in competent and meaningful meet and confer with opposing counsel concerning an e-discovery plan;
  • perform data searches;
  • collect responsive ESI in a manner that preserves the integrity of that ESI; and,
  • produce responsive non-privileged ESI in a recognized and appropriate manner.”

(Aside: I’d add this: in between preservation and production, lawyers often take possession of a client’s information, whether in paper or electronic form.  The duties to clients include acting competently to safeguard the information while it’s in the lawyer’s possession.  With ESI, that includes competently assessing whether to store the ESI in-house or to retain a e-discovery vendor to host the ESI.)

Second, the paragraph makes it clear that it’s okay not to know how to do those things.  Of course, a lawyer who doesn’t must (1) associate with someone who can competently handle those tasks, whether a lawyer or nonlawyer; or (2) withdraw from or decline the representation.

In closing, I’ve never received a disciplinary complaint alleging that a lawyer failed to provide competent representation on issues related to the preservation and production of ESI.  Someday I will.

For now, keep in mind that the risk is greater than a disciplinary investigation. There’s risk to the client.

Here’s Rule 37(f) of the Vermont Rules of Civil Procedure:

  • Failure to Preserve Electronically Stored or Other Evidence.  If electronically stored or other evidence that should have been preserved in the anticipation or conduct of litigation is lost because a party failed to take reasonable steps to preserve it, and it cannot be restored or replaced through additional discovery, the court, upon finding prejudice to another party from the loss of the evidence, may order measures no greater than necessary to cure the prejudice.” (emphasis added).

I’ve often blogged that setting reasonable expectations early in the representation is a good way to avoid disciplinary complaints.

Another is to avoid “measures” ordered by a court against a client.

 

 

Mobile Payment & Legal Fees

I’m not what anyone would call “young.”  But you know what I don’t use anymore?

Checks.

I write one per month: to my homeowner’s association.  I pay my other bills via online payments options tied to my bank account or credit card.  If I owe anyone money, I either (a) buy them a beer and say, “let’s call it even;” or (b) send it via Venmo or PayPal after they question my definition of “even.”

I expect that this will be controversial:  I hope that the conduct rules are never interpreted or applied to prohibit lawyers and law firms from accepting payment – including retainers – via services like Venmo and PayPal.

As alluded to in the opening paragraph, it’s a question we need to resolve.  An ever-growing number of consumers of legal services do not use cash or checks. I think lawyers need to consider whether not having, say, a firm Venmo account will cost the firm a potential client who asks “to Venmo” the retainer.

I’m aware of only one advisory opinion directly on point.  It’s the South Carolina Bar’s Ethics Advisory Opinion 18-05.   (Note: this post is NOT about credit card payments or the numerous advisory opinions on credit card payments.)

Cutting to the chase, here’s the conclusion reached by the SC Bar:

  • “Accordingly, Lawyer may elect to establish a dedicated trust account via an online payment service provider, but funds received into that account are likely to be nominal or short-term, thus requiring in turn a transfer of those funds to an IOLTA account. Lawyer should be aware of an elevated risk of non-collection under these circumstances in making the individual determination as to whether he is willing to receive funds belonging to third parties via an online payment service
    provider, PayPal or otherwise.”

Makes sense to me.

Remember: “trust account” is a term that gets thrown loosely.  There’s a difference between a “trust account” and a “pooled interest-bearing trust account.”

If a lawyer represents me and is holding money in connection with the representation, there’s no question that the money must be held in trust.  The only question is this: are the funds reasonably expected to earn net dividends or interest?

If the answer is “yes,” the money must be held in a trust account.

If the answer is “no,” which it most often is, then the funds must be held in a “pooled interest-bearing trust account in a financial institution in Vermont that has been approved by the Professional Responsibility Board.”   This latter scenario involves what all of us refer to as “IOLTA accounts.” The interest generated by the “pooling” of my funds with funds that belong to my lawyer’s other clients is paid to the Vermont Bar Foundation.

With both this and the South Carolina opinion in my mind, I see no reason why a lawyer or firm can’t create a Venmo account to accept fees that are paid in advance.  Of course, all the other rules apply.  For instance,

  • the account must include a record-keeping system that complies with Rule 1.15A(a);
  • records of funds held in the account must be maintained for 6 years following the termination of a representation;
  • the account is subject to the compliance reviews and audits authorized by Rules 1.15A(b) and 1.15A(c) or audit; and,
  • the lawyer or firm cannot deposit its own fees into the account, except in an amount necessary to pay service charges or fees on the account.

Then, on a regular basis, the lawyer or firm must (1) transfer earned fees to the operating account; and (2) transfer to a pooled-interest bearing trust account (“IOLTA”) at an approved institution funds that otherwise would be deposited into the IOLTA if received by check, cash, or credit card.

In short, I’m on board with the SC opinion and think that the existing rules allow lawyers to accept advance payments via methods like PayPal and Venmo.  Of course, others might disagree with me. That’s fine.  If I’m wrong, we should change the rules and expressly allow lawyers and their clients to transact business in a way that society has deemed commercially reasonable.

One final note: if you or your firm has a Venmo account, you might want to suggest to clients who use it that they change their privacy settings.  I can imagine a few friends of mine reacting uncomfortably when confronted by spouses who saw a payment to a law firm on their Venmo feeds.

For more, here’s an Above The Law post that’s a primer of sorts on different methods of digital payments.  Finally, a related post: Bitcoin as Payment for Legal Fees.

Dollar Sign

 

 

Advising Clients on their Social Media Use

Earlier this week, I blogged on an advisory opinion issued by the North Carolina State Bar.  It’s an opinion that discusses a lawyer’s ethical duties when reviewing and accessing social media platforms maintained by adverse parties and witnesses.

Today, the flip side: what duties does a lawyer owe to clients regarding their social media use?

Many of you like to cut to the chase.  So, here’s the deal:

  1. Competent representation includes advising clients as to how their social media use will impact a matter.
  2. Yes, a lawyer can advise clients to make their privacy settings more restrictive.
  3. Whether a lawyer can advise clients to “clean-up” their social media posts is nuanced, and certainly not so simple as “that’s not allowed.”  Substantive law on preservation and spoliation will play a critical role.
  4. A lawyer may not advise a client to post false or misleading information on social media.
  5. Finally, it is no longer okay to choose to ignore the fact that your clients likely use multiple social media platforms.  If that means finding someone to help you discuss with clients something that you don’t know how to discuss, then so be it.

I find the Social Media Guidelines from the New York State Bar’s Commercial and Federal Litigation Section to be incredibly helpful.  The Guidelines were updated earlier this year.  If you click on only one link in this post, make sure it’s the introduction to the update.  It’s worth reading.

I’ll end there.   For those of you interested in more, below the image you’ll find links to helpful advisory ethics opinions with a few important quotes from each.

Image result for images of social media

Pennsylvania Bar Association Formal Opinion 2014-300

  • “The Rules do not prohibit an attorney from advising clients about their social networking websites. In fact, and to the contrary, a competent lawyer should advise clients about the content that they post publicly online and how it can affect a case or other legal dispute.”
  • “A lawyer may not instruct a client to alter, destroy, or conceal any relevant information, regardless whether that information is in paper or digital form.
    A lawyer may, however, instruct a client to delete information that may be damaging from the client’s page, provided the conduct does not constitute spoliation or is otherwise illegal, but must take appropriate action to preserve the information in the event it is discoverable or becomes relevant to the client’s matter.”
  • “Similarly, an attorney may not advise a client to post false or misleading information on a social networking website; nor may an attorney offer evidence from a social networking website that the attorney knows is false.”

Florida Bar Ethics Opinion 14-1

  • “In summary, [an attorney] may advise that a client change privacy settings on the client’s social media pages so that they are not publicly accessible. Provided that there is no violation of the rules or substantive law pertaining to the preservation and/or spoliation of evidence, the inquirer also may advise that a client remove information relevant to the foreseeable proceeding from social media pages as long as the social media information or data is preserved.”

North Carolina 2014 Formal Ethics Opinion 5

  • “competent representation includes advising the client of the legal ramifications of existing postings, future postings, and third party comments.”
  • “If removing postings does not constitute spoliation and is not otherwise illegal, or the removal is done in compliance with the rules and law on preservation and spoliation of evidence, the lawyer may instruct the client to remove existing postings on social media. The lawyer may take possession of printed or digital images of the client’s postings made for purposes of preservation.”

West Virginia Legal Ethics Opinion 2015-02

  • “Attorneys must have a general understanding as to how social media and social networking websites function.”
  • “Attorneys should ensure that their clients are aware of the consequences of their actions via social media and social networking websites, as it is reasonable to expect that their client’s activities will be monitored by opposing counsel and others.”
  • “Although attorneys may instruct their clients to delete information from the clients’ social media pages that may be damaging to the clients, provided the attorneys’ conduct does not constitute spoliation or is otherwise illegal, attorneys must take the appropriate steps to preserve the aforementioned information in the event that it is deemed discoverable or becomes relevant the clients’ cases.”

D.C. Bar Opinion 371

  • “Rules 1.1 and 1.3 require a lawyer to consider the potential risks and benefits that client social media could have on litigation, regulatory, and transactional matters undertaken by the lawyer, and Rule 1.4 requires a lawyer to discuss such risks and benefits with clients.”
  • “Because social media postings are subject to discovery and subpoenas, a lawyer may need to include social media in advice and instructions to clients about litigation holds, document preservation, and document collection.[23] A lawyer also may need to determine whether under applicable law, which varies from jurisdiction to jurisdiction, clients may modify their social media presence once litigation or regulatory proceedings are anticipated. For example, are clients permitted to change privacy settings or to remove information altogether from social media postings? Such analysis may need to include consideration of obstruction statutes, spoliation law,[24] and procedural rules applicable to criminal and regulatory investigations and cases; procedural rules and spoliation law in civil cases; and the duty under Rule 3.4(a) not to “[o]bstruct another party’s access to evidence or alter, destroy, or conceal evidence, or counsel or assist another person to do so. . . .”[25] Before any lawyer-counseled or lawyer-assisted removal or change in content of client social media, at a minimum, an accurate copy of such social media should be made and preserved, consistent with Rule 3.4(a).”

NC Advisory Opinion on Reviewing & Accessing Social Media Platforms

Yesterday, I came across the North Carolina State Bar’s 2018 Formal Ethics Opinion 5.  It “reviews a lawyer’s professional responsibilities when seeking access to a person’s profile, pages, and posts on a social network to investigate a client’s legal matter.”  As such, it’s blogworthy.

Social Media

The opinion opens with an important point: technology is ever evolving. Social networks and social media platforms are no different: their features “are constantly changing.”  The duty of competence includes keeping abreast of the benefits and risks of relevant technology.  This echoes Comment 8 to Vermont’s Rule 1.1 and is the exact point I’ve tried to make when addressing the duty to safeguard client information.

Next, the opinion addresses five questions.   My synopsis:

  1. Yes, it’s okay to look at information that is public.  Note, however, that repetitive viewing for no other reason than to cause the person to receive notice that you looked can rise to the level of impermissible harassment.  In other words, competence likely includes knowing which platforms notify a person that someone has viewed their profile.  I blogged on that very point here.
  2. No, you may not use deception to access a restricted (or private) portion of a person’s social network presence.
  3. Yes, it’s okay to request access to restricted (or private) portions of an unrepresented person’s social networks.  As long as the request does not include deception or dishonesty, and as long as you correct any misunderstanding that the unrepresented person has of your role.**
  4. No, you may not send a request for access to restricted (or private) portions of a represented person’s social networks.  To do so would violate the rule that prohibits communicating with a represented person on the subject of the representation.  Nor may you direct a third person to do the same.
  5. Yes, you may request and accept information from a third party who has access to the restricted (or private) portions of a person’s social networks.  You may not, however, direct or encourage a third person to use deception or misrepresentation to gain access.**

For more, check out the entire opinion.

** Note: the opinion makes quite clear that it does not “obviate” the Comment to Rule 8.4 that authorizes a lawyer to advise “a client or, in the case of a government lawyer, investigatory personnel, of action the client, or such investigatory personnel, is lawfully entitled to take.”

Other resources

I Love You, Now Die: what an HBO documentary can tell us about the duty of tech competence.

A few minutes ago, I finished HBO’s I Love You, Now Die: The Commonwealth v. Michelle Carter.  Directed by Erin Lee Carr, the two-part documentary delves into the relationship between teenagers Michelle Carter and Conrad Roy, and the involuntary manslaughter charge that was filed against Carter following Roy’s suicide.

As a person, I found the documentary disturbing, sad and disturbingly sad.  One life tragically lost, many others tragically altered, if not ruined.  I don’t have kids, but I imagine that anyone who does will be deeply affected by the story.

As bar counsel, I was struck differently.  In my professional capacity, the Carter trial serves as a compelling example of lawyers on both sides demonstrating tech competence.

I’m not going to divulge spoilers.  Suffice to say, at trial, both sides made extensive use of thousands of text messages that the defendant and decedent exchanged or sent to others.  The prosecution effectively putting the accused on the stand even though she did not testify, Carter’s lawyers essentially using the decedent’s own “words” to construct a defense.

Indeed, as you’ll learn if you watch, the verdict turned on a single text message.

From a professional responsibility perspective, the documentary makes me more certain than ever that the failure to understand that ESI exists, as well as the failure to understand how to access, review, and use it, likely violates the duty of competence.

Interested?  The trailer is here.

i love you now die