A Tool to Track Court Orders & Local Rules on the Use of AI.

In January, the Duke Center on Law & Tech launched Responsible AI in Legal Services (RAILS). The initiative’s mission is to:

  • “Bring together a cross-industry group of leaders (judiciary, corporations, law firms, tech providers, access to justice orgs, etc.) to support the responsible, ethical, and safe use of AI to advance the practice of law and delivery of legal services to all.”

Although I only learned about RAILS today, I’m already appreciative of the tab Resource: AI Orders. It includes a link to the RAILS AI Use in Courts Tracker.  The Tracker “contains court orders, local rules, and guidelines from the U.S. and other countries [and] allows for search and filtering capabilities based on factors such as jurisdiction, date, and other key terms.”[1]

I’m not aware of any court orders, local rules, or guidelines having been issued in Vermont. So, why is the tracker important?

The Honorable Paul Grimm is a retired federal judge and current law professor at Duke Law School.  The RAILS resource page includes words from Judge Grimm. 

First, Judge Grimm noted:

  • “the headlines in the last year in particular have included many stories about litigants and attorneys who faced or were subjected to sanctions for having filed court papers prepared by GenAI applications that contained citations to fictitious legal authority, or cited actual cases, but which did not actually support the argument for which they were cited.”

He added:

  • “These were entirely self-inflicted injuries because no lawyer or party should file any court paper without independently confirming the accuracy of the facts and legal authority cited.”[2]

Finally:

  • “In reaction to these lapses, an increasing number of judges and courts have issued a profusion of standing orders, pretrial orders, court rules, general orders, and case management orders that imposed various obligations on litigants and counsel to certify the use of AI technology and the accuracy of their filings. While well intentioned, the sheer number of these orders and lack of uniformity their provisions can cause considerable confusion to litigants and practitioners who may have to appear in many different courts. In this dynamic environment, what is needed is a ‘one-stop’ source for finding all of these orders that will allow litigants and attorneys to make sure they are aware of, and comply with, these court requirements.” (emphasis in the original).

While most readers practice here, some likely practice elsewhere. So, to the extent the tracker might help them, I’m highlighting it today.

I appreciate two other aspects of the RAILS resource page. 

The first is that it calls attention to the difference between “AI” and “Generative AI.” 

Tech competence indeed.

The second is that it acknowledges that “few” of the court orders and local rules identified by the tracker “govern behaviors that are not already addressed by existing rules of professional responsibility.”  I appreciate this acknowledgement because while I agree with RAILS that “the lack of consistency in terminology and scope of these orders may create confusion and compliance challenges for attorneys navigating the AI landscape,” I also believe that the current Rules of Professional Conduct encompass the scope of misconduct that might result from the use of AI, as well as the use of whatever new “thing” that technology brings us next and next and after that.

As always, let’s be careful out there.


[1] Notably, RAILS takes no pride of ownership.  Their resources page also links to the Ropes & Gray Court Order Tracker, another tool to track “standing orders and local rules on the use of AI.”

[2] As I’ve repeatedly argued, it’s often not technology that’s the problem. Imagine that a partner asks an associate to draft a memorandum of law.  If the partner submits the memo without checking the cases cited by the associate, and if those cases are fictitious, we wouldn’t focus on whether to adopt orders regarding the use of associates.  We’d focus on the partner’s failure to check the cites!

NYSBA Task Force issues guidelines on a lawyer’s use of artificial intelligence.

More and more guidance on a lawyer’s use of artificial intelligence is emerging.  Last December, I blogged here about advisory opinions issued by the Florida and California bars. Today, I write to share the recently released Report and Recommendations of the New York State Bar Association Task Force on Artificial Intelligence.

The report is thorough. It includes the following sections:

  • Evolution of AI & Generative AI
  • Benefits and Risks of AI and Generative AI Use
  • Legal Profession Impact
  • Legislative Overview and Recommendations
  • AI & Generative AI Guidelines

Legal ethics and professional responsibility figure prominently in two sections.

The section titled “Legal Profession Impact” includes a sub-section devoted to “Ethical Impact.” In turn, the sub-section addresses seven areas:

  • Duty of Competence
  • Duty of Confidentiality & Privacy
  • Duty of Supervision
  • Unauthorized Practice of Law
  • Attorney-Client Privilege and Attorney-Work Product
  • Candor to the Court
  • Judges’ Ethical Obligations.

I don’t want to use block quotes or regurgitate the report. Rather, if interested, I suggest reading the report.  That said, I want to draw attention to two aspects of the section on “Ethical Impact.”

The first is the quote used to open the discussion of the Duty of Competence.  The quote serves as an important reminder to any lawyer who thinks they can ignore developments in technology:

  • “A refusal to use technology that makes legal work more accurate and efficient may be considered a refusal to provide competent legal representation to clients.”[1]

Next, any lawyer or legal professional who uses generative AI would be well served by reviewing the examples of how “attorney-client privileged information or attorney-work product [could] be revealed when directly and indirectly using generative AI tools such as ChatGPT or GPT-4.”[2]

Now I’ll move on to the next section in which legal ethics figures prominently.

The “AI and Generative AI Guidelines” appear on pages 57-60. Each guideline cites to a specific conduct rule – 14 in total – and then shares a tip on how to ensure compliance with the rule when using AI. Again, I’m not going to regurgitate the rules or guidelines here. Read them.  However, as a former chair of the VBA’s Pro Bono Committee, I’ll happily reshare this. 

New York’s pro bono rule states that “[l]awyers are strongly encouraged to provide pro bono legal services to benefit poor persons” and goes on to suggest that lawyers aspire to provide 50 hours of pro bono legal services per year.[3]  The Task Force’s guideline related to Rule 6.1 states that artificial intelligence

  • “may enable you to substantially increase the amount and scope of the pro bono legal services that you can offer. Considering Rule 6.1, you are encouraged to use [AI or generative AI] to enhance your pro bono work.”

Finally, with AI and generative AI so entwined with a lawyer’s duty of competence and the responsibility to stay abreast of the benefits and risks of relevant technology,[4] I’m struck by how incompetent I am to blog about the topic. If anyone should be authoring this post, it’s The First Brother. PK works for Amazon Web Services. His title is “Generative AI Lead Engineer.” In a nutshell, he writes AI that allows AWS clients to automate their workflows. 

I guarantee you this: The First Brother is far more equipped to wax intelligently on legal ethics & professional responsibility than I am on generative AI.[5]  Who knows what will happen as both technology and our understanding of who should be authorized to provide legal services evolve? Maybe the legal profession will be so disrupted that the First Brother replaces me as bar counsel.[6]

You heard it here first!

As always, let’s be careful out there.


[1] Footnote 123 attributes the quote to Nicole Yamane, Artificial Intelligence in the Legal Field and the Indispensable Human Element Legal Ethics Demands, Sept. 24, 2020, Georgetown Univ. Law Center, https://www.law.georgetown.edu/legal-ethics-journal/wp-content/uploads/sites/24/2020/09/GT-GJLE200038.pdf

[2] Citation omitted. The examples appear on pages 34 and 35 of the Task Force’s Report & Recommendations.

[3] Vermont’s rule, which is similar, is here.

[4] V.R.Pr.C. 1.1, Cmt. [8]

[5] The Judiciary recently swapped out my old laptop for a new HP ProBook. It worked great in the office after the tech person set it up. At home? Different story. Took me a few hours to find the power button. Turns out, it’s a button in between “prt scr” and “delete.”

[6] More likely, AI will replace me. As I blogged here, it’s already pretty darn good at providing legal ethics guidance.

ABA resolution on cybersecurity reminds us that competence includes tech competence and to ask for help with what we don’t know.

Earlier this month, the ABA House of Delegates adopted Resolution 609.  Intended to remind lawyers of their duty to protect client data “from unauthorized access, use, and modification,” the resolution “urges all lawyers to keep informed about new and emerging technologies” and “to enhance their cybersecurity and infrastructure to protect confidential client information.”

In other words, Resolution 609 is a reminder of the mantra upon which this blog was built: competence includes tech competence.[1]

The report that accompanied the resolution begins with a statement unlikely to surprise readers:

  • “Attorneys and law firms have become increasingly attractive targets for criminals engaged in cybercrimes, and this trend has unfortunately been increasing over time – despite the warnings, more robust training, and initiatives to raise awareness within the legal profession.”

After referencing various studies and surveys, the report offers another statement unlikely to surprise anyone:

  • “The obvious conclusions are that law firms present attractive targets, many lawyers are unaware of the daily threats to their practice and their clients, and the sophistication and harm from these attacks are ever increasing.”

The report goes on to recount the evolution of cyberthreats, describe the more common threats, and share “best practices” to defend against those threats.  I’ve excerpted the “major threats” and “best practices” below the footnotes.  However, they’re not my focus.  Rather, I write today to highlight two points that the report drives home:

  1. Competence includes tech competence.
  2. Ask for help with what you don’t know.

Competence Includes Tech Competence

Resolution 609 focuses on data security.  What’s that got to do with competence? 

V.R.Pr.C. 1.1 requires a lawyer to provide competent representation.  The rule states that “competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.”  Comment 8 adds that “to maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

Turning to data security, V.R.Pr.C. 1.6 prohibits a lawyer from disclosing “information relating to the representation of a client.”  Last year, the Vermont Supreme Court amended Rule 1.6 to include this paragraph:

  • “(d) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.”

I’ve long argued that, read together, Rules 1.1 and 1.6 impose a duty to act competently to safeguard client information, no matter the format in which the information is stored.  I’ve done so, both here and at seminars, under the rubric of “competence includes tech competence.”[2]

My sense is that the vast majority of lawyers agree that the duty exists.  Still, it’s not uncommon to receive “push back.”  The report that accompanied Resolution 609 should end the “push back.”  Specifically, the first sentence on page 12:

  • “Lawyers do not get a free pass when it comes to data security.”

In other words, competence includes tech competence.

End of story.[3]

Ask for help with what you don’t know.

The “push back” I referenced above often includes something like this: “But Mike, how am I supposed to know how all that tech stuff works?” 

You aren’t. But you’re expected to know what you don’t know.  As I blogged in 2016’s The Cloud: what are “reasonable precautions?”:

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

  • You:   Will my data be encrypted in transmission and at rest?
  • Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
  • You:  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

The report that accompanied Resolution 609 makes the same point in a more lawyerly way:

  • “The point is this: a lawyer’s ethical obligation extends to acquiring sufficient knowledge to know when to request guidance from third parties or internal resources to implement the necessary safeguards for complying with the ethical architecture in place (such as protecting client confidential information that comes within a lawyer’s reach). Ethical competence requires acquiring knowledge and skill from third parties or internal resources to maintain ethical obligations for the protection of clients’ interests.”

For those of you who already know what you don’t know and are thinking of contacting a professional, email me. I have a list of people/vendors who work with lawyers and law firms on cybersecurity.

In closing, when it comes to acting competently to protect client data, competence includes tech competence, and you should ask for help with what you don’t know.

As always, let’s be careful out there.


[1] On November 9, 2015, I posted Competence Includes Tech Competence.  It was my 7th post ever and came 3 days after the inaugural Five for Friday quiz.  The topic went on to dominate the early years of this blog.

[2] Most recently History’s Best “Worst” Song and Tips on Protecting Client Data.

[3] But not the end of the journey.  Here’s an excerpt from the ABA Journal’s report on the adoption of Resolution 609:  Ruth Hill Bro, a special adviser to the Cybersecurity Legal Task Force, discussed how the need for education is ongoing.  “Cybersecurity is a journey, and you never really arrive,” she said. “We do have obligations to remain abreast of these threats that are happening and to respond to them.”


Excerpts from the Report that Accompanied Resolution 609

On page 6, the report lists “the major cyber threats” as:

“1. Ransomware. This is a form of malware (malicious software) that attempts to encrypt (scramble) your data and then extort a ransom to receive a decryption key that will unlock your data. Cybercriminals often spend days or weeks navigating the targeted firm’s network before they “drop” the ransomware executable file on their way out.

2. Phishing. Cybercriminals send emails that appear to be from legitimate sources, such as clients, colleagues, or financial institutions, to trick employees into clicking on malicious links or downloading malware-infected attachments. Once clicked, these links or attachments can give cybercriminals access to the law firm’s computer systems.

3. Social engineering. Cybercriminals use social engineering techniques, such as impersonating a client or employee, to gain the trust of employees and trick them into revealing sensitive information or providing access to computer systems.

4. Data leakage. While maintaining cybersecurity within the physical confines of an office may seem challenging, it is essential to understand in the post-pandemic hybrid work environment we now inhabit that security extends well beyond the office. Smart phones, laptops, and tablets have replaced the standard desktop PC. The abundant and cheap nature of portable storage devices makes them a useful tool for the backup and transportation of data. Theft and misplacement of small mobile devices add to the headaches of firm IT administrators.

5. Unsecured networks. Cybercriminals can gain access to law firms’ computer systems through unsecured wireless networks, especially those that do not require a password or use weak encryption.

6. Weak passwords. Cybercriminals can use brute-force attacks or password guessing techniques to gain access to law firms’ computer systems, especially if employees use weak or easily guessable passwords.

7. Malware. Cybercriminals use various types of malware, such as viruses, trojans, and ransomware, to gain unauthorized access to law firms’ computer systems. Once installed, malware can steal data, destroy files, or provide backdoor access to cybercriminals.

8. Third-party vendors. Cybercriminals can gain access to law firms’ computer systems through third-party vendors or contractors that have access to the firms’ systems. If these vendors or contractors have weak security measures in place, cybercriminals can use their access to infiltrate the law firms’ systems.

9. Insider threats. If your organization employs staff (full time or as contractors), they might leak data by mistake or maliciously. The potential damage from a leak of documents cannot be underestimated.”

Then, on page 8, the report states:

“Once you understand your vulnerabilities and capabilities, firms should implement as many of the following best practices as makes sense for their operations:

  • Implement multifactor authentication
  • Mandate Virtual Private Networks (VPNs) for remote access to firm networks (critical for a dispersed and/or work-from-home workforce)
  • Deploy endpoint detection and response (EDRs will detect and prevent most incidents automatically and do so 24/7/365)
  • Implement Incident Response Plans
  • Encrypt confidential and sensitive data both at rest and in transit
  • Back up data (encrypted) and secure that backup off-site
  • Turn on logging so that the cybercriminals’ tracks are traceable if there is a cyber incident
  • Segment data across IT networks
  • Control access credentials only to need-to-have individuals
  • Implement periodic training for all
  • Maintain comprehensive cyber insurance
  • Maintain physical security controls
  • Conduct periodic external and internal vulnerability scans”

Artificial Intelligence & Fabricated Case Law: a lesson in tech competence.

Last week, the world learned of the Avianca case and the lawyer who used ChatGPT to draft a response to a motion to dismiss. Now, the lawyer is facing a sanctions hearing as a result of filing a motion that cited to and relied upon cases that were fabricated by the AI assistant. Numerous outlets covered the story, including the New York Times, the ABA Journal, and The Verge.

Many lawyers sent me the story.  So many that I feel compelled to respond.

My initial response was this video episode of Morning Grounds.  My thoughts haven’t changed since.

As I mentioned in the video, my sense is that the Avianca story caused some lawyers to conclude that it’s a per se violation of the Rules of Professional Conduct for a lawyer to use artificial intelligence to assist with client matters.

It is not.

AI is a tool that is available to lawyers.  Like any other tool, it comes with risks and benefits. A lawyer’s obligation is to understand those risks & benefits and how they might impact the lawyer’s representation of clients.

Are there ethical issues associated with a lawyer’s use of AI? 

Yes. 

Others have done fantastic work highlighting those issues.  For instance, last month, Mark Palmer, Chief Counsel for 2Civility, posted The Rise of ChatGPT: Ethical Considerations for Legal Professionals.  

But the mere fact that there are ethical considerations doesn’t mean that the use of AI is unethical.  Indeed, there are ethical considerations with cloud computing, email, and online banking.  But (thankfully) nobody is demanding that we rid the profession of those tools.

Rather, to me, the key takeaway from the Avianca case is competence.  Specifically, tech competence. 

Here in Vermont, V.R.Pr.C. 1.1 requires lawyers to provide competent representation to their clients.  Comment 8 indicates that competence includes keeping “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”

And that’s exactly what AI is: relevant technology with both risks and benefits.

Interestingly, it’s not news that there are benefits.  SIX years ago the ABA Journal shared 7 ways artificial intelligence can benefit your law firm. More recently, the ABA Journal posted How lawyers can take advantage of ChatGPT and other large language models disrupting the legal industry.  Catherine Reach is the Director of the North Carolina State Bar Center for Practice Management. Yesterday, Catherine posted Using AI for Conversational Q&A and Knowledge Management.  The post concludes by stating that there are many ways that AI driven chatbots can “help lawyers get work done.”

Getting work done seems like a benefit.

Of course, there are also risks.  The Avianca case shows that “fabricated case law” is among them.  While recent headlines might suggest otherwise, this risk has been apparent for some time now.  In January, Mark Palmer, mentioned above, shared this series of tweets:

The answer, in my opinion, is not to prohibit lawyers from using AI to research and draft legal memos. For instance, if a lawyer asked a paralegal to draft a brief, filed it without checking the paralegal’s work, and then learned that the paralegal had fabricated case law, we wouldn’t be clamoring to prohibit lawyers from employing paralegals.

Rather, if we even heard of the story, we’d remind lawyers to check their paralegals’ work, caution lawyers that the work a lawyer files in court is considered the lawyer’s own, and reinforce the idea that lawyers are expected to have in place measures that ensure that the conduct of their nonlawyer assistants is compatible with their own.[1]

AI is a tool that is available to lawyers.  Like any other tool, it comes with risks and benefits. A lawyer’s obligation is to understand those risks & benefits and how they might impact the lawyer’s representation of clients.

As always, let’s be careful out there.


[1] See, V.R.Pr.C. 5.3

Arkansas lawyer suspended for 6 months for misconduct while representing a cannabis client.

Today’s story doesn’t surprise me.

It involves one of the first cases I’ve heard of in which a lawyer was sanctioned for misconduct while representing a client in the cannabis industry. 

What doesn’t surprise me is that the misconduct had nothing to do with a lawyer violating federal law or assisting a client to do so.

By way of background, I’ve often cautioned Vermont lawyers against dabbling in cannabis law.  Not out of concern that they might assist cannabis clients to violate federal law.[1]  Rather, because I worry that some lawyers equate “I know a bit about marijuana” with “I’m equipped to provide competent advice to businesses that are participating in a complex and highly regulated industry.”  These businesses, like any other client, are entitled to competent representation.[2] 

They’re also entitled to conflict-free representation.  Indeed, at seminars and in blog posts, I’ve posed this question:

  • “Can you represent multiple applicants for the same type of license?  What if the clients agree to waive the conflict?  Then, what if one mentions to you a ‘trick of the trade’ that makes the application ‘more appealing’?”

I’m not aware of this situation arising [yet] in Vermont.  Which gets me back to today’s story.

Two weeks ago, a panel of the Arkansas Committee on Professional Conduct issued this order suspending a lawyer’s law license for 6 months.[3] The suspension followed the panel’s conclusion that the lawyer violated the confidentiality and conflict rules by representing two clients who were each seeking one of a limited number of cultivation licenses.[4]  Here’s what happened.

In November 2016, the company Courageous Ann applied for a license to cultivate medical marijuana in Arkansas.  Courageous Ann retained the firm at which Lawyer worked.  Soon thereafter, Courageous Ann also retained Canna, a consulting firm, to assist with the application process.  Throughout, Canna made documents available to Courageous Ann via Dropbox.  In turn, Courageous Ann provided Dropbox access to Lawyer.

In early July 2017, Lawyer left his firm.  The Arkansas disciplinary decision indicates that while Courageous Ann remained a client of the firm, Lawyer advised the company “that he remained their attorney.”  One of the owners understood that Lawyer continued to represent Courageous Ann in the application process, throughout which Lawyer continued to have access to the files in Dropbox.

In late July 2017, without informing Courageous Ann, Lawyer agreed to represent Delta Cannabis Company (Delta), a competitor of Courageous Ann that was also seeking an Arkansas license to cultivate medical marijuana.

In August 2017, Courageous Ann filed an application for a cultivation license. 

In September 2017, Delta filed an application for a cultivation license. 

In 2018, the Arkansas Medical Marijuana Commission issued five licenses. 

As you might have guessed, Delta received a license, but Courageous Ann did not. 

The application process included ranking the applicants.  According to the disciplinary decision:

  • “Shortly after information became public regarding rankings and licenses awarded, Courageous Ann discovered, from information they obtained from many sources, that Delta’s application mirrored Courageous Ann’s application in several sections.”

A few months later, the Arkansas Democrat-Gazette published Parts of application from firm awarded medical-pot growing license nearly identical to rival group’s material. The article states:

  • “Electronic fingerprints on Delta Medical’s internal documents and company emails — provided by sources — show how the contents of Courageous Ann’s application funneled into Delta Medical’s hands through accounts linked to its previous attorney, [Lawyer].”

The article goes on to highlight the similarities between the two applications.[5]  Then, it reports that:

  • “The Democrat-Gazette obtained a copy of the Microsoft Word document that Delta Medical Cannabis used to complete its cultivation license application. The newspaper used the metadata buried in the document file to trace its apparent edit history. The data show that someone using the sign-on of [Lawyer] replaced Courageous Ann’s name and biographical information with the same information for Delta Medical Cannabis Co.”

The article continues:

  • “For instance, the Microsoft document data reveal that the person using Lawyer’s sign-on deleted Courageous Ann’s information from the section detailing its business plan and replaced it with Delta Medical Cannabis’ name while keeping the wording roughly the same.”
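How authorship and edit metadata of the kind the article describes can be read from a .docx file, as an added example that is not from this post, the newspaper or the disciplinary decision. The sample document, user names, company names and dates are constructed, and it assumes the edits were saved as tracked changes, which the article does not state.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Standard Office Open XML namespaces.
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCT = "http://purl.org/dc/terms/"
WNS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"cp": CP, "dc": DC, "dcterms": DCT, "w": WNS}
W = "{" + WNS + "}"


def build_sample_docx() -> bytes:
    """Constructed sample: only the two package parts read below, made-up values."""
    core = (
        f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCT}">'
        "<dc:creator>user.a</dc:creator>"
        "<cp:lastModifiedBy>user.b</cp:lastModifiedBy>"
        "<cp:revision>7</cp:revision>"
        "<dcterms:created>2020-01-05T14:00:00Z</dcterms:created>"
        "<dcterms:modified>2020-02-10T09:35:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    )
    body = (
        f'<w:document xmlns:w="{WNS}"><w:body><w:p>'
        '<w:r><w:t xml:space="preserve">Business plan of </w:t></w:r>'
        '<w:del w:id="1" w:author="user.b" w:date="2020-02-10T09:31:00Z">'
        "<w:r><w:delText>Company A</w:delText></w:r></w:del>"
        '<w:ins w:id="2" w:author="user.b" w:date="2020-02-10T09:31:00Z">'
        "<w:r><w:t>Company B</w:t></w:r></w:ins>"
        "</w:p></w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", body)
    return buf.getvalue()


def core_properties(docx: bytes) -> dict:
    """Read who created and who last saved the file from docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        # For untrusted files, use a hardened XML parser (e.g. defusedxml).
        root = ET.fromstring(z.read("docProps/core.xml"))
    fields = {
        "creator": "dc:creator",
        "last_modified_by": "cp:lastModifiedBy",
        "revision": "cp:revision",
        "created": "dcterms:created",
        "modified": "dcterms:modified",
    }
    return {k: root.findtext(p, default=None, namespaces=NS) for k, p in fields.items()}


def tracked_changes(docx: bytes) -> list:
    """List tracked insertions and deletions, in document order, with author and time."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    changes = []
    for el in root.iter():
        if el.tag == W + "ins":
            kind, text_tag = "insert", W + "t"
        elif el.tag == W + "del":
            kind, text_tag = "delete", W + "delText"
        else:
            continue
        text = "".join(t.text or "" for t in el.iter(text_tag))
        changes.append({"kind": kind, "author": el.get(W + "author"),
                        "date": el.get(W + "date"), "text": text})
    return changes


def replacements(changes: list) -> list:
    """Pair a deletion with the insertion that directly follows it by the same author."""
    out = []
    for prev, cur in zip(changes, changes[1:]):
        if (prev["kind"], cur["kind"]) == ("delete", "insert") and prev["author"] == cur["author"]:
            out.append((cur["author"], cur["date"], prev["text"], cur["text"]))
    return out


if __name__ == "__main__":
    doc = build_sample_docx()
    print(core_properties(doc))
    for author, when, old, new in replacements(tracked_changes(doc)):
        print(f"{when} {author}: replaced {old!r} with {new!r}")
```

Accepted changes leave no `w:ins`/`w:del` elements, and the author fields hold whatever name the editing application was configured to write, so findings like these need corroboration from other records.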

In the end, the Arkansas disciplinary panel concluded that Lawyer violated Arkansas’s rules on confidentiality[6] and concurrent conflicts of interest.[7] The 6-month suspension will be followed by 18 months of disciplinary probation.

Again, I’m not surprised.

The case serves as a reminder of what should be obvious: cannabis clients are no different than other clients. 

Does the area of law have its own complexities? 

Yes. 

Do the other rules continue to apply?

Yes.  Just as they would when a lawyer represents a client in any other area of the law.

As always, let’s be careful out there.


[1] Rule 1.2(d) of the Vermont Rules of Professional Conduct states that a “lawyer shall not counsel a client to engage, or assist a client, in conduct that the lawyer knows is criminal or fraudulent, but a lawyer may discuss the legal consequences of any proposed course of conduct with a client and may counsel or assist a client to make a good faith effort to determine the validity, scope, meaning or application of the law.”  The rule draws no distinction between state and federal law, or between laws that are more vigorously enforced than others.  And, for now, marijuana and THC remain Schedule 1 drugs under the Controlled Substances Act.  However, Comment [14] to Rule 1.2 makes clear that a lawyer does not violate Rule 1.2(d) by advising clients on matters that are legal under Vermont’s regulatory scheme.

[2] Thus, the questions I ask of lawyers who I suspect are interested in dabbling in cannabis law include:

  • Do you know the different types of licenses available in Vermont?
  • Do you know whether there are any requirements for the buildings in which a licensee locates a business? 
  • If your client is a cultivator or manufacturer, does the THC level remain the same throughout the process?  Does it even matter?
  • Whether in Vermont or a state to which your client will ship product, do the food laws apply?
  • Oh, and speaking of interstate transportation, does your client intend to accept payment by credit card?
  • What if your client’s labels or advertisements over or understate a product’s potency? 
  • What if your cultivator client wants to trademark a name for a new product?
  • What’s your client going to do with revenue (cash) generated from the business?

[3] H/T David Kluft for sharing the order here via LinkedIn.

[4] The panel also concluded that the lawyer committed misconduct by agreeing to pay $10,000 to an expert consultant without the client’s consent.  The money was returned to the client.  Today’s post focuses on the confidentiality and conflict rules, not this failure to communicate with the client.

[5] Despite the similarities, the Commission ranked Delta’s application 5th and Courageous Ann’s 46th.  To compare, the Arkansas Democrat-Gazette published the applications here.

[6]  Like Vermont’s, Arkansas’s confidentiality rule prohibits a lawyer from disclosing information relating to the representation of a client without the client’s consent. The panel concluded that Lawyer violated the rule by sharing information related to Courageous Ann’s application with Delta without Courageous Ann’s consent.  Among other things, the panel found that as Delta was preparing its application, one of its constituents sent an internal email advising others associated with Delta that Lawyer had agreed to “provide assistance with [the application] by providing a dispensary summary from an application he has already turned in.”

[7] The panel concluded that Lawyer violated the conflict rule by representing Delta without Courageous Ann’s consent in a matter in which the two were in “direct competition” for a cultivation license.  Again, the Arkansas rule mirrors Vermont’s. Both state that a concurrent conflict exists if “(1) the representation of one client will be directly adverse to another client; or (2) there is a significant risk that the representation of one or more clients will be materially limited by the lawyer’s responsibilities to another client, a former client or a third person or by a personal interest of the lawyer.”

A refresher on a lawyer’s duties when working remotely.

It’s rare that I think about legal ethics & professional responsibility while at a basketball game. However, it happened last night.

I went to the UVM game. It was the final regular season game, with the Cats set to open play in the conference tournament on Saturday.  Pre-game, I found myself thinking of a regular reader’s recent suggestion that I blog about a lawyer’s duties when working remotely.[1]  Here’s why the thought popped into my head.

In March 2020, I was in Patrick Gymnasium to witness Vermont’s victory in the semi-finals of the America East conference tournament.  It was one of the last things that I did before the pandemic changed everything.[2]

I’m confident that, as of that night, I’d never put much thought into the ethics of remote work. Back then, what little guidance I’d been asked to give on the issue wasn’t much more than “it’s risky to conduct client business on public WiFi.”

Three years later, remote work is here to stay. So, the reader is right: it’s a good time to highlight the key issues. For many reasons, I’m not going to get too in-depth. Rather, I’ll share some resources that do.  Generally, those resources focus on:

  • Rule 1.1 and the duty of competence, including tech competence;
  • Rule 1.3 and the duty of diligence;
  • Rule 1.4 and the duty to communicate;
  • Rule 1.6 and the duty of confidentiality;
  • Rule 5.1 and the duties of supervisory lawyers;
  • Rule 5.3 and a lawyer’s responsibilities vis-a-vis non-lawyer assistants; and,
  • Rule 5.5’s prohibition against the unauthorized practice of law.

I’ll begin with the last. Then, I’ll end with something not on the list: the connection between remote practice and wellness.

First, UPL.

Imagine a lawyer who is licensed only in New York and whose office is in New York.  If the lawyer lives in Vermont, does the lawyer engage in the unauthorized practice of law by working remotely from home?

No. 

Last year, the Supreme Court adopted Comment [22] to V.R.Pr.C. 5.5.  The ABA and several states have endorsed similar stances.[3]  That said, before departing for warmer climes or powderier slopes to conduct your Vermont practice, check with the local jurisdiction.

Now, with the pesky issue of licensure out of the way, here’s where to find more information on the other duties most likely to be implicated by remote practice.

Some of you might remember the Garage Videos.  In April 2020, I recorded Safeguarding Client Data While Working Remotely. In it, I share a PowerPoint that draws liberally from this formal advisory opinion issued by the Pennsylvania Bar Association’s Committee on Legal Ethics and Professional Responsibility.  Section 3 of the PA opinion, which begins on page 7, includes several tech tips styled as “best practices.”

Next, in January 2021, the Wisconsin State Bar released Formal Opinion EF-21-02: Working Remotely.[4] Tips on cybersecurity, training & supervision, and preparing clients begin on page 10.

A few months later, the ABA’s Standing Committee on Ethics & Professional Responsibility published Formal Opinion 498: Virtual Practice.  The opinion provides a helpful overview, including “particular virtual practice technologies and considerations” that begin on page 4.

Finally, I’d be remiss if I didn’t share my thoughts on the connection between remote work & wellness. 

In 2018, the Vermont Commission on the Well-Being of the Legal Profession issued its State Action Plan. I’ve blogged (and spoken) often about my support for the report issued by the Commission’s Legal Employers Committee.[5]  Here’s one of the Committee’s many outstanding recommendations:

  • “Create and expand telecommuting opportunities wherever possible. When implemented properly and within appropriate limits telecommuting is a critical component of well-being and healthy work-life balance in the digital age, with particular benefits in rural state such as Vermont. Adopt attitudes and policies of trusting attorney employees to get the work done, wherever and whenever they do it.”

Hear, hear!

As always, let’s be careful out there.


[1] (My mom and I have season tickets) Mom: I was also listening to you. I’m able to multi-task and think while listening.

[2] Today, it’s surreal to read the Burlington Free Press article about the game.  It doesn’t include a single mention of “COVID-19.” Two days later, the Free Press reported that both the America East conference championship and NCAA Tournament had been canceled.    

[3] See, V.R.Pr.C. 5.5, Reporter’s Note to the 2022 Amendment.

[4] I blogged about the Wisconsin opinion here.

[5]  See, this post, this post, and this post.

History’s best “worst” song, and tips on acting reasonably to safeguard client data.

Yesterday was this blog’s 7th birthday.  We entered the world with Competence Includes Tech Competence.  The theme dominated back then.  Indeed, one could reasonably argue that tech competence is to this blog, as rock & roll is to Starship’s city.[1]

The rules related to tech competence have evolved since then.  In 2018, we adopted language that makes clear that maintaining competence includes keeping “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”[2] More recently, we amended V.R.Pr.C. 1.6, the confidentiality rule, to include this paragraph:

  • (d) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.

The amendment, which takes effect next week, addresses the duty to act competently to safeguard client information, no matter the format in which the information is stored.  Here’s the Reporter’s Note:

  • “Subdivision (d) is added to reflect that the modern practice of law includes possession of information related to the representation of client in many forms, including information that is stored electronically or digitally. A lawyer is under a duty to act competently to safeguard client information, no matter its format. See V.R.Pr.C. 1.1. Paragraph (d) tracks the ABA Model Rule, clarifies that V.R.Pr.C. 1.6 applies to the electronic transmission and storage of information relating to a representation, and makes explicit that the duty under Rule 1.6 is broader than avoiding affirmative disclosures of information relating to the representation of a client.”

With the new rule, a question that arises is “what are reasonable efforts?”  As I indicated here, it’s not my role to issue a formal opinion as to what’s reasonable and what isn’t.  My stance finds support in ABA Formal Opinion 477.  Among other things, the opinion concludes that “[w]hat constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors.”  It goes on to state that the reasonable efforts standard:

  • “. . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.”

That said, it’s undisputed that my role includes providing guidance.  To that end, here are two resources.

In September, Jim Knapp and I presented “Tech Competence & Cybersecurity” at the VBA’s Annual Meeting.  I began with a short overview of the new rule, then Jim provided a boatload of cyber and tech tips.  You can access the material here.

In addition, Catherine Reach is the Director of the North Carolina Bar Association’s Center for Practice Management.  Two days ago, Catherine posted “Protecting Portable Devices.”  Like Jim’s material, Catherine’s post is chock full o’ helpful tips on securing data.

As always, let’s be careful out there.


[1] Those of you who remember the 80s music scene might question including We Built This City in a post on competence. Your skepticism is warranted. After all, a few years ago, GQ named it “the Worst Song of All Time.” However, I’ll say this: on the rare occasion that I listen to the song, I turn the volume to 11, sing along enthusiastically, and find myself particularly thrilled to belt out (with proper intonation that doesn’t come through in a blog post) “knee deep in the hoopla” and “Marconi plays the Mamba.”  So, for giggles, a trip down memory lane is here.

[2] V.R.Pr.C. 1.1, Cmt. [8].

ABA joins chorus, concludes that sending lawyer who includes client on electronic communication to opposing counsel impliedly consents to “reply all.”

Hot off the presses!

This morning, the American Bar Association’s Standing Committee on Ethics and Professional Responsibility issued Formal Advisory Opinion 503: “Reply All” in Electronic Communication.  The ABA Journal reported the news, with the ABA issuing this press release.

Regular readers won’t be surprised by the conclusion:

  • “In the absence of special circumstances, lawyers who copy their clients on an electronic communication sent to counsel representing another person in the matter impliedly consent to receiving counsel’s ‘reply all’ to the communication.”

I find the opinion important for several reasons.

First,  it is consistent with the recent trend, with Virginia and New Jersey having reached the same conclusion within the past 18 months.

Second, it specifically rejects an approach that, frankly, hasn’t been too helpful. As I blogged here, “[f]or many years, advisory opinions cautioned against copying a client on an email to opposing counsel but stopped short of concluding that, by doing so, the sending lawyer consents to a ‘reply-all’ by the receiving lawyer.”  Jurisdictions that adopted this approach often advised that “whether consent has been implied will depend on the circumstances.”  Today’s opinion from the ABA is music to my ears, stating that the “it depends” approach “muddies the interpretation of the Rule, making it difficult for receiving counsel to discern the proper course of action or leaving room for disputes.”

Third, I like that the opinion is NOT limited to email. It deals with “electronic communications” and specifically references text messages.

Fourth, the opinion makes a point that people like Brian Faughnan and me have been making for years: While the advisory opinions focus on the receiving lawyer’s duties, a critical issue is the risk that the sending lawyer takes by including a client on an electronic communication to opposing counsel. As the ABA advises today:

  • “By copying their clients on emails and texts to receiving counsel, sending lawyers risk an imprudent reply all from their clients. Email and text messaging replies are often generated quickly, and the client may reply hastily with sensitive or compromising information. Thus, the better practice is not to copy the client on an email or text to receiving counsel; instead, the lawyer generally should separately forward any pertinent emails or texts to the client.” (internal citations omitted).

Finally, the opinion describes two situations in which consent to reply-all is not implied:

  1. When the initial communication is traditional paper sent by U.S. Mail; and,
  2. When the sending lawyer instructs the receiving lawyer that the sending lawyer has not consented to “reply-all.”

As always, let’s be careful out there.


Virginia advisory opinion concludes that sending lawyer who includes client in email to opposing counsel consents to “reply-all.”

Last week, the Virginia Supreme Court approved Legal Ethics Opinion 1897.  Regular readers will recognize the title topic: “RULE 4.2 – REPLYING ALL TO AN EMAIL WHEN THE OPPOSING PARTY IS COPIED.” 

I’ve blogged and spoken on this issue often.  I’ll continue to do so as long as lawyers continue to contact me to express concern about receiving emails from opposing counsel that are copied to opposing counsel’s client.

Here’s V.R.Pr.C. 4.2:

  • “In representing a client, a lawyer shall not communicate about the subject of the representation with a person the lawyer knows to be represented by another lawyer in the matter, unless the lawyer has the consent of the other lawyer or is authorized to do so by law or a court order.” (emphasis added).

And here’s the Virginia State Bar’s conclusion:

  • “A lawyer who includes their client in the ‘to’ or ‘cc’ field of an email has given implied consent to a reply-all by opposing counsel.”

I find the opinion notable. For many years, advisory opinions cautioned against copying a client on an email to opposing counsel but stopped short of concluding that, by doing so, the sending lawyer consents to a “reply-all” by the receiving lawyer. Virginia did not stop short and, in fact, was quite clear in its conclusion. 

The Virginia opinion comes on the heels of this opinion that the New Jersey Supreme Court’s Advisory Committee on Professional Ethics issued in March 2021. In it, the ACPE stated:

  • “lawyers who include their clients in the ‘to’ or ‘cc’ line of a group email are deemed to have provided informed consent to a ‘reply all’ response from opposing counsel that will be received by the client.”

A trend seems to be emerging.[1]

The Virginia opinion includes guidance related to a sending lawyer’s duties to provide competent representation and to take reasonable precautions against the inadvertent disclosure of confidential information. 

  • “Including or copying the lawyer’s client risks not only that the opposing lawyer, or another recipient of the email, will respond directly to the lawyer’s client, but also that the lawyer’s client will respond in a way that the lawyer would not advise or desire.”

It goes on to include guidance on tech competence.

  • “Lawyers should note that merely blind copying their own client, while including other recipients in the ‘to’ field, will not fully prevent these issues; a blind copied client may still be able to reply all to everyone who was in the ‘to’ field of the original email.”

Now, for you transactional lawyers who are thinking about rolling your eyes, please check out this post on Brian Faughnan’s Faughnan on Ethics.[2]

I’m not aware of a situation in which a client mistakenly replied to all, making disclosures that the lawyer wished the client wouldn’t have made.

Yet.

It’s bound to happen.  And when it does, trends suggest that the cc-ing lawyer might not be able to rely upon “how was I to know?”

As always, let’s be careful out there.


[1] Important note for receiving lawyers: the trend is that opposing counsel has consented to your “reply-all.”  Nothing yet suggests that the cc is consent to communicate directly with opposing counsel’s client without including opposing counsel in the loop.

[2] Brian’s post included: “Now transactional lawyers may be screaming at me here for my naivete, but, unless you are truly trying to mimic a situation where lawyers and clients are all sitting around the table and having a discussion, I don’t think including all of those parties on an email thread makes sense. (And, it’s 2022, if that’s what you are trying to do then use some other communications platform at this point whether that be Zoom or WebEx or Teams or something else.) Otherwise, whatever you want your client to see, just forward the email thread to them separately. Doing anything else, absent a clear agreement among the counsel involved about whether communication is permitted is simply an unnecessary risk to take.”