Competence, Confidences and PDFs

In my view, Rules 1.1 and 1.6 impose a duty to act competently to prevent the unauthorized access to or disclosure of information relating to the representation of a client.  I’ve blogged on this issue many times:

Next week, I’m presenting two seminars at the YLD Mid-Winter Thaw in Montreal.  In the first, I’m on a panel with Judge Hayes and the Judiciary’s Andy Stone.  Judge Hayes and Andy will introduce lawyers to the Judiciary’s new case management system.  My job will be to chime in on ethics issues that might arise with electronic filing.   My thoughts will focus on tech competence.

expos

Imagine this scenario: whether in a filing or a communication to opposing counsel, a lawyer includes a PDF.  Prior to transmission, the lawyer redacted the PDF to keep certain information confidential.  Alas, the lawyer did not properly redact the PDF.  By highlighting the redacted the portions and pasting them into a new document, opposing counsel, or anyone else with access to the PDF, can discover what the lawyer intended to obscure.  The filing is here.

Did the lawyer take reasonable precautions to protect the information?  Was it a one-time mistake that doesn’t rise to the level of an ethics violation?  What if it was information that the court had ordered remain confidential and now is public?

Earlier this week, lawyers for Paul Manafort, President Trump’s former campaign chair, filed a response to special counsel Robert Mueller’s allegation that Manafort lied to Mueller’s investigators.  Due to what the ABA Journal described as a “technical oversight,” the filing was not properly redacted.  As such, the media was able to discover that Manafort is accused of sharing polling data with a Russian business person.  The story has been covered by the ABA Journal, BuzzFeed, Fox News, and the Washington Post.

(Update at 1:16 PM on January 10:  Above The Law’s Joe Patrice has a great recap here.)

Go back to the scenario I posited above: what if that’s you in a Vermont case?  What if you meant to redact a client’s proprietary information, or a witness’s mental health records, or a confidential informant’s identity? What if you didn’t do it right?

Jason Tashea writes for the ABA Journal. Today, he posted How to redact a PDF and protect your clients.  If this is an area of tech competence that interests or concerns you, I’d suggest giving Jason’s post a read.

 

Advertisements

Legal Ethics & Crowdfunding to pay legal fees

Professor Alberto Bernabe often appears on this blog’s #fiveforfriday Honor Roll.  He also has his own blog and, last week,  blogged on an advisory from the DC Bar. The opinion addresses the ethics issues that arise when a lawyer’s client crowdfunds legal fees.

The opinion is here. Professor Bernabe’s blog post is here.  He wrote more extensively on the topic in this article that pre-dates the DC advisory opinion.

I’ve also blogged on the topic. I did so here in response to an advisory opinion from the Philadelphia Bar Association.  I wrote:

  • “That’s why the Philly opinion is great.  It doesn’t treat ‘crowdfunding platforms’ as new creatures that require new rules.  Rather, it reminds lawyers that the rules that apply when using a crowdfunding platform are the same rules that apply to any other representation.”

As Professor Bernabe notes, the DC Bar opinion is consistent with the Philadelphia opinion and others on crowdfunding.

I like the following statement from the DC Bar:

  • “It is not unusual for clients to rely on money collected from family or friends to pay for legal services.”

Indeed, many Vermont lawyers accept payment from someone other than the client.  The most common situation?  A parent pays for a child’s lawyer in a criminal or family case.

When that happens, it’s critical for the lawyer to remember Rule 1.8(f):

  • “A lawyer shall not accept compensation for representing a client from one other than the client unless (1) the client gives informed consent; (2) there is no interference with the lawyer’s independence of professional judgment or with the client-lawyer relationship; and (3) information relating to the representation of a client is protected as required by Rule 1.6.”

In other words, even if Parents are paying Lawyer to represent Child, they don’t get to direct the representation and, absent Child’s consent, Lawyer cannot disclose information relating to the representation to them.

Somewhat related, the DC Bar included a great tip in Ethics Opinion 375:

  • “A lawyer should consider counseling his or her client regarding disclosures to third parties. Crowdfunding typically entails some level of disclosure to third parties about the predicate need for counsel. Because of their financial support, crowdfunding contributors may be interested in the status of or information about the client’s matter. Due to the risk of waiver of the attorney-client privilege, or simply for strategic reasons, a lawyer who knows that a client is crowdfunding should provide the appropriate level of guidance to the client regarding disclosures to third parties, whether such disclosures occur on a social media platform or privately in discussions with friends and family.”

In sum, nothing about using a social media platform to crowdfund legal fees is inherently unethical.  Oh, and as mentioned in both the Philadelphia and D.C. advisory opinions: crowdfunding helps provide access to legal services to those who otherwise might not be able to afford a lawyer.

See the source image

Related:

 

 

 

 

 

 

ABA Addresses an Attorney’s Obligations in Response to a Data Breach

I’ve blogged often on a lawyer’s duty to act competently to safeguard client data.  Generally, an attorney must take reasonable precautions to protect against inadvertent or unauthorized disclosure of client information.  Some of my posts:

Last month, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 483.  It sets out a lawyer’s obligations following an electronic data breach or cyber attack.

The opinion is detailed and technical.  It’s worth reading, or, at the very least, sharing with your IT support staff.  Also, various outlets have reported on the opinion, including The National Law Review, Louisiana Legal Ethics, and The ABA Journal.  I suggest each.

I’m going to try to stick to a summary.

  •  Prior to a breach, a lawyer has a duty to act competently to safeguard client property and information.  This likely includes adopting an “incident response plan” that will kick in once a breach occurs.
  • The duty includes an obligation “to monitor the security of electronically stored client property and information.”  In other words, there’s a duty to take reasonable efforts to monitor for and detect unauthorized access. This includes reasonable steps to ensure that vendors act in accordance with the lawyer’s professional obligations.
  • A breach is not necessarily evidence that the lawyer failed to act competently to safeguard client information.
  • If a breach occurs, a lawyer must take reasonable steps to stop it and mitigate the damage that results.
  • If a breach occurs, a lawyer must assess its scope.  This includes determining what information, if any, was lost or accessed.
  • A lawyer must notify current clients if the breach:
    • involves material, confidential client information; or,
    • impairs or prevents the lawyer from representing the client. For example, as would be the case in a ransomware attack.
  • Lawyers must be aware that their ethical obligations are independent of any post-breach obligations imposed by law.  Compliance with professional obligations is not necessarily compliance with other law, and vice versa.

Again, the full opinion is here.

As usual, I like to analogize to non-tech issues.  For instance, when it comes to paper files, most lawyers probably know that there’s a duty to take reasonable safeguards to protect them.  Locked file cabinets.  Locked rooms.  Secure office space.

If a lawyer arrives at work and realizes that the office has been broken into, I imagine the lawyer would intuitively understand the need to determine what, if anything, was viewed or taken.  Then, as appropriate, will notify clients. I also imagine that the lawyer would replace the broken locks, doors, and windows.

Thus, in my view, the ABA opinion clarifies that very standards that most of us already apply to clients’ paper files also applies to their electronic files.

Image result for images of a data breach

 

 

 

 

Estate Planning: Crypto Competence

I blog often on the duty of competence.  It’s in the very first rule.

Until today, I’d not considered Rule 1.1’s application to lawyers who provide estate planning services to clients who own cryptocurrencies.  Rather, with cryptocurrency, I’d only considered the ethics issues associated with accepting it as payment for legal fees.

Today, I came across this post in the ABA Journal.  It includes tips for lawyers who want to provide estate planning services to clients who own crypto assets.

My gut tells me that limiting an estate plan to a client’s non-crypto assets likely isn’t a reasonable limitation.  Even if it was, as a practical matter, I don’t know that many clients would be interested in an estate plan that excludes some of their assets.  Thus, it strikes me that, if it isn’t already, “crypto competence” soon will be a thing for lawyers who provide estate planning services.

See the source image

 

 

Siri, Alexa, and Client Confidences

Query: do Siri and Alexa get mad if a human accidentally calls one the other?  I don’t know, but, if not, I think a sarcastically angry response should be added to each’s algorithm.

Anyhow, without even having started yet, I digress.

My recent posts on client confidences spurred additional research.   The research led me to Alberto Bernabe’s Professional Responsibility Blog.  Professor Bernabe is a regular member of this blog’s #fiveforfriday Honor Roll.

Earlier this year, Professor Bernabe posted a link to this article.   The article appeared on the ABA’s Law Technology Today blog and details some of the issues about which lawyers should be aware when using digital voice assistants.  One of those issues: client confidences.  If you or your firm uses a digital voice assistant, I suggest giving the article a read.

Even if you don’t use a DVA, remember, your clients might and the duty of competence includes tech competence.  I can hear you now:  “Mike, how in the world might my client’s digital voice assistant affect the case?

Well, what if your client’s Echo might have recorded a murder?

Side note:  Kathleen Zellner, the defense lawyer quoted in the story about the Amazon Echo murder case, plays a prominent role in the recently released Season 2 of Making a Murderer.

And remember: it’s not just Echos and other digital voice assistants.  Our lives (and our clients’ lives) are replete with devices that record, collect and exchange data over the internet of things.  Data that may impact our clients’ matters.

But, for now, I’ll leave it at client confidences. Issues related to the internet of things can wait for another day.

Well, ok.  Here’s a teaser:

“Hey Siri! Did Encyclopedia Brown investigate the The Case of the Hacked Refrigerator.

 

See the source image

 

 

 

Yes!!!

I’m not a huge fan of the “Throwback Thursday” trope, but I am a huge fan of readers.  So, as it has, when blogger’s block strikes, I resort to the trope.

But not without reason.

I’m heading to Rutland tomorrow.  Two years ago, and a few days after heading to Rutland, I blogged on how I hoped never again to have to assuage lawyers that there’s nothing inherently unethical about storing client information in the cloud.

I’m happy to report that we seem to have accepted the premise.

Yes!!!

Thank you.

That being said, refreshers aren’t inherently bad either. Especially since the effective date of the recent amendment on tech competence is nigh.  So, here goes.

The original post ran on November 10, 2016.

*******************************************

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud.  I started by saying that I hoped it was my final seminar on the topic.  I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent.  See, Rule 1.6.  A lawyer also has a duty to keep client property safe.  See, Rule 1.15.

I view the cloud as the latest in a long line of different places to store information.  In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16].  When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.  Rule 1.6, Comment [17].

So, think about cloud storage like this:  client information is electronically transmitted to a place where it will be kept.  Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06.  Here’s the digest of the opinion:

  • “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)

The question I hear most often is this:  “what are reasonable precautions?”  In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

  • who do you let into this facility?
  • do you require a passcode or badge for the gate?
  • are there locks on the individual units?
  • who besides me has a key or knows the combination?
  • can i get into my unit whenever i want to?
  • what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion.  The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi.  He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

  • Is it a solid company with a good reputation and record?
  • Can you get access to your data whenever you want, without restrictions?
  • If your service is terminated – by you or by the company – can you retrieve your data?
  • Does it allow use of advanced password protocols and two-step verification?
  • What are its internal policies regarding employee and third-party access to your data?
  • Is your data encrypted both while in transit and while at rest on the company’s servers?
  • How is your data backed up?
  • What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

  • You:   Will my data be encrypted in transmission and at rest?
  • Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
  • You.  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions.  This entry includes links that will help you determine what “reasonable precautions” are.  Don’t fear the cloud, but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.

cloud

Court Adopts Comment on Tech Competence

The first rule in the Vermont Rules of Professional Conduct requires lawyers to provide clients with competent representation.  I’ve long argued that Rule 1.1’s duty of competence includes tech competence.

Last week, the Vermont supreme Court promulgated amendments to Rule 1.1.  The amendments add three new comments, including one that makes it clear that, in fact, the duty of competence includes tech competence.  As amended, Comment [8] now reads:

Maintaining Competence

[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technologygy, engage in continuing study and education and comply with all continuing legal education requirements to which a lawyer is subject.

As reported by Robert Ambrogi’s LawSitesBlog, Vermont becomes the 32nd state to adopt the duty of tech competence.

Take a look at the picture that Bob uses on his blog:

Image result for lawyer technology competence

No more.

Don’t confuse the meaning of the new comment. It does not require lawyers to know how to use every new gizmo, gadget, or app.  It’s far more practical than that.

For instance, do you understand the risks and benefits of using certain technologies to transmit confidential communications? Or the risks and benefits of mobile payment services? Have you thought about disabling autocomplete? Do you advise clients against being too social?

Also, don’t sleep on the other new comments. As legal outsourcing becomes more prevalent, the new comments provide helpful guidance.

The new comments take effect on December 10.

Related Posts

 

 

Social Clients

Earlier this month, the ABA Journal posted a blog in its “ethics” section: Celebrity attorneys face challenges, ethical pitfalls.   I enjoyed it as much from the pop culture slant as I did from the “it’s my job” slant.

However, speaking of the “it’s my job” slant, I want to mention three things.

First, over the past year, the news has been filled with lawyers making public statements about their clients and former clients.  So much so that several times I’ve been asked what I think about it.

Regular readers know what I think it.  I’m a big believer in two concepts:

  1. Hey Lawyers! STFU!!!
  2. Can’t Keep Quiet? Try Harder.  

As Thomas Edison said:

“You will have many opportunities
to keep your mouth shut.
You should take advantage
of everyone of them.”

(aside: choosing not to blog is probably one of the opportunities of which I should take advantage.)

Second, despite my big belief that silence is a virtue, I was intrigued by two arguments in the ABA Journal’s post.  Specifically, the arguments that (1) at times, the duties of competence & diligence require a lawyer to speak out in a client’s defense;  and (2) the rules prohibiting such conduct run afoul of the First Amendment.  Alas, I can count on 2 fingers the number of Rule 3.6 complaints we’ve received in the past 15 years.  So, I am not so intrigued to do more than mention my intrigue.

Finally, there’s a little nugget in the article that, in my view, is great advice not just for lawyers who represent celebrities, but for lawyers who represent, well, clients.

Referring to lawyers who represent famous people, the article says:

  • “Client and entourage use of social media can compromise a defense. Ethically, attorneys have to make sure their clients and their team understand ground rules and place limitations on social media use related to the case.”

Trust me, I understand that very few of my readers represent the Vinny Chases of the world.  Nonetheless, I think the second sentence is critically important even for lawyers whose clients don’t have their own versions of E, Turtle, and Johnny Drama.

Why?

Because these days, entourage or not, what client isn’t on social media???  And that’s where the very next paragraph in the ABA Journal post comes in.  Quoting Ann Murphy, a professor at Gonzaga University School of Law, the post notes:

  • ” ‘Attorneys, as part of their ethical duties, must now counsel their clients on the use of social media,’ Murphy says. ‘Once it is out there, it is out there. Even if someone deletes a Facebook post—it likely has been saved as a screenshot and is of course subject to discovery,’ she adds. ‘Personally, I think the best advice is tell the client that any posts about his or her case must be viewed in advance by the attorney.’ “

That’s a fantastic tip.  Professor Murphy – if perchance you find this blog, In Few I Trust. Go Zags! 2019 national champs!

See the source image

Now, I can hear some of you now – “mike, am I supposed to know what my client puts on social media?”

Well, opposing counsel will.  So unless you’re comfortable finding out about that damning tweet or post at deposition or in mediation, then my response is:

See the source image

At the very least – and by “very least” I mean “barest of bare minimums” – I think lawyers have a duty to communicate to their clients the risks associated with posting info to a public forum.

Hmm…I guess this is where I can finally reference Hall & Oates.  When it comes to advising clients on the risks of posting too much to social media, it might be this:

  • Private eyes, they’re watching you.  They see your every move.  And they definitely see what you put out there to be seen.

Anyhow, while the ABA Journal article focuses on the risks associated with representing famous clients, it includes a tidbit that applies to any lawyer who has a client on social media: what happens on social media rarely stays on social media.

Tech competence.  It’s a thing.

By the way, among my friends, I’m definitely E.  My brother is almost definitely Drama.  Alas, while we have several candidates for Turtle, not many for Vinny.   And at risk of offending my friends, the “many” in that previous sentence?  It’s pronounced with a silent “m.”

Hint: this post doesn’t mention Ari Gold.  Which means his name might be of utmost importance later in the week.

Image result for entourage

 

 

Cybersecurity for Lawyers: learn from other professions

I’ve blogged often on tech competence and the duty to safeguard client data.  In short, lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to confidential client information.

So, people often ask “what are reasonable precautions?”

It depends.

Nobody likes that answer.  But it’s correct.

For instance, do you mean “what are reasonable precautions when it comes to cloud storage?”  Or, are you asking whether a lawyer has a duty to encrypt e-mail? Wait, maybe you’re talking about your duties when crossing the border? No, no, I get it now:  you’re asking if a lawyer has a duty to disable auto-complete. Oh my gosh, no – you’re referring to the hallmarks of trust account scams.

No matter the mode of communication, no matter the place that information is stored, a lawyer must safeguard client information. And, as I explained here, it makes perfect sense not to get into the habit of re-evaulating a lawyer’s duty with every new technology.  Whatever the next new thing is, a lawyer’s duty will remain the same: to take reasonable precautions against the inadvertent disclosure of or unauthorized access to client information.

But, as this post in the ABA Journal points out, lawyers and law firms aren’t sailing into uncharted waters.  There are lessons to be drawn from other professions.  Per the post, those lessons include:

  • Encryption is important.  I’d even venture to opine that if it isn’t already, we aren’t long for the day when the failure to encrypt is tantamount to a failure to take reasonable precautions.
  • Partners and more senior lawyers have to follow the same rules as everyone else. “I don’t do tech” isn’t reasonable. It’s no different from saying “I don’t do ‘protecting client information.’ “
  • Employees and 3rd party vendors need to be trained on the importance of data security.

There’s a great quote in the article. It’s from Michael Mason, chief of security for Verizon Communications: law firms should foster, grow, and ” ‘develop a culture of security.’ ”

A culture premised on “we hope it doesn’t happen to us” is not a culture of security.

With “it” being a breach, the dreaded “it” has happened not just to lawyers and law firms, but to many other professions.  As the ABA Journal suggests, lawyers would be wise to take heed of the lessons learned by those other professions.

Image result for data security

Hot Topics in Legal Ethics

I’m in Chicago at the Annual Meeting of the National Organization of Bar Counsel.

First things first: no, Cook County is not one of Vermont’s 14 counties.  However, very early this morning, I knocked out 11.5 miles in Cook County.  I ran a beautiful route from my hotel to Wrigley Field and back.  Most of the route was on the Lakeshore Trail along Lake Michigan. One lap around Wrigley made me feel very, very guilty . . . the setting is much nicer than Fenway.

Anyhow, back to business. One of tomorrow’s seminars is “Hot Cases in Ethics Opinions.” The material is posted online (NOBC membership required, so I’m not linking to it.)  Anyhow, from the material, it looks like the seminar will address 6 advisory opinions. The first 4 are:

  • Nebraska Ethics Advisory Opinion for Lawyers 17-03 (Cryptocurrency)
  • ABA Formal Opinion 477 (Securing Communication of Protected Client Information)
  • Illinois State Bar Professional Conduct Advisory Opinion 18-01 (Web Bugs)
  • ABA Formal Opinion 479 (The “generally known” exception to Rule 1.6)

Guess what? If you’re a regular reader of this blog, it’s like you’ve already attended tomorrow’s seminar!  That’s right, I’ve written about each of the first 4 advisory opinions!

So, what about the two others?

#5 in the material is a recent report from the Attorney Registration and Discipline Commission of the Supreme Court of Illinois. In the report, the ARDC seeks comment on its recommendation that Illinois relax its rules against attorney participation in for-profit referral services.  Robert Ambrogi blogged about the report for Above the Law.

I’ve not yet followed suit.  Why? Well, the report is 124 pages long.  Further, about a month after the ARDC issued the report, the company that recently acquired Avvo announced that it would discontinue Avvo Legal Services.  The ABA Journal reported on the announcement here.

I’ve yet to fully flesh out a blog that will cover both the ARDC report and the news that Avvo’s fixed-fee legal services plan has been discontinued. That being said: I’ve blogged a topic related to each: Fixed-Fee Legal Services: A Conversation Starter

Finally, #6 in the material is ABA Formal Opinion 472: Communication with Person Receiving Limited-Scope Legal Services. I’ve not yet blogged on the opinion. But I’ve discussed it at many seminars!  Also, the material suggests that discussion of the opinion will include a discussion the ethics of ghostwriting. As you know, I ain’t afraid of no ghost! I’ve tackled the topic a few times, most recently in Ghostwriting as Access.

Want to know what’s hot in legal ethics? Follow this blog!!

Ethics