ESI: there’s risk in failing to preserve.

Say it with me: competence includes tech competence.

In most of my posts on the topic, the unstated message is that a lawyer who fails to satisfy the duty of competence violates Rule 1.1 and risks having a sanction imposed against his or her license.

Here’s my post on Competence, ESI, and E-Discovery.  In it, I wrote that the duty of (tech) competence includes:

  • knowing that “it” exists,
  • knowing that clients, their adversaries, and witnesses have “it;” and,
  • knowing how to protect, preserve, produce, request, review, and use “it.”

What is “it?” It is Electronically Stored Information (“ESI”).

In addition, I cited to an advisory opinion from the State Bar of California that includes the following quote:

  • “Attorney competence related to litigation generally requires, among other things, and at a minimum, a basic understanding of, and facility with, issues relating to e-discovery, including the discovery of electronically stored information (“ESI”).”

Today, I blog to call your attention to other risks. Namely, the risk of having a court impose severe sanctions against you and your clients if you fail to preserve ESI.

Melinda Levitt and Peter Vogel are partners at Foley & Lardner.  Yesterday, The National Law Review posted their article Bad Preservation in eDiscovery is Still Very Costly! 

Give it read.

The article begins by reporting that there is both “good news” and “bad news” when it comes to discovery sanctions for failures to preserve ESI.

The good news is that relative recent amendments to the civil rules reserve the most severe sanctions for situations in which the failure to preserve resulted from an “intent to deprive.” As the authors note, “the ‘bad news’ is that bad preservation behavior continues.”

Next, the authors point out that:

  • “[i]t has been twelve years now since the federal rules were first amended and explicitly came to recognize ‘ESI’ – that is emails, electronic documents, excel spreadsheets, PowerPoints, and a myriad of other electronic materials – as documents” within the meaning of the discovery rules.”

They also point out that, over those 12 years, all of us have become increasingly reliant on technology, without necessarily developing any clue how it works.

Nevertheless,

  • ” . . . there are some basic things that people at least in the business community should have come to understand over the last 12 years. Among them are if litigation is occurring or is about to occur, a company is obligated to take reasonable steps to ensure that its relevant (or potentially relevant) ESI is preserved. That means getting out the word quickly – whether by way of a formal written litigation hold or otherwise – that employees and electronic systems managers/overseers need to take steps to stop either conscious or system-wide deletions or purges of potentially relevant ESI. By now, business owners, their IT employees, and their in-house and outside counsel really should have no doubt about this obligation and how to accomplish it. Granted, meeting this obligation can get dicey and difficult when it comes to things such as employee text messages, social media postings, telephone messages, and structured data. However, in terms of emails and basic electronic documents – the mainstays of business life – there should be no question or hesitation about what needs to be done.  

Then, the meat of their message:

  • “And yet . . . and yet, very recent decisions demonstrate that executives, managers and yes, even lawyers, either remain willfully ignorant of how these business systems work or are determined to pass the buck, having assumed that some mysterious “someone else” in the company was handling things. Well, while courts no longer can impose the most draconian of sanctions, no one should kid him or herself – judges continue to have very potent sanctions options available and are very willing to use them when confronted with preservation misconduct borne of ignorance, indifference or good old-fashioned boneheadness. The following are a few telling examples – and were issued in just the last few weeks – and each leaves us with the question – what were they thinking?”

From there, the article goes on to recount several cases in which significant discovery sanctions were imposed against lawyers and their clients as a result of failures to preserve ESI.  Some might strike a nerve.  If so, there’s still time to sign up for tomorrow’s first-ever VBA Tech Show.

Tech competence.  The lack thereof impacts much more than a lawyer’s license.

E Discovery

 

 

 

 

 

Advertisements

Reruns

Remember reruns?  In the age of streaming content, I don’t know if reruns are even a thing anymore.  If not, good riddance!!

Seriously, was there anything as disappointing as waiting all week for the next episode of your favorite show only to have it be a rerun?

Aside: yes, we used to have wait all week for the next episode of our favorite shows.

As much as I despised reruns as a viewer, I love them as a blogger.  They’re the perfect antidote to writer’s block. So, here goes.

The VBA’s Tech Day is next month.  The agenda is fantastic.  It includes seminars on several topics upon which I’ve blogged in my nauseating ongoing effort to remind lawyers that the duty of competence includes tech competence.

Missed my posts?  Thank goodness for reruns.

Last October, I posted Competence, ESI, and E-DiscoveryIt referenced several topics, including:

  • admitting social media posts into evidence;
  • an attorney’s duties related to a client “taking down” or “scrubbing” social media posts;
  • practical tips on preservation letters regarding ESI.

VBA Tech Day includes seminars on each.

Last September, I posted Protecting Data: Cybersecurity TipsI followed up in February with  ABA Journal Provides Cybersecurity TipsEach post refers back to my post on the electronic transmission & storage of client information: The Cloud: What are Reasonable Precautions? Indeed, I’ve often blogged on Encryption & The Evolving Duty to Safeguard Client Information.

VBA Tech day includes seminars on encryption, cybersecurity, & data security.

Finally, I’ve blogged on using technology to become more efficient.  My post Fees. Is there an App for that? refers to an ABA Journal post that discusses how technology can help lawyers bill more than 2.24 hours per day that, on average, they currently bill.  And, in Tech Competence: It includes more than you might think, I cautioned that a lawyer who isn’t competent in basic tech runs the risk of violating Rule 1.5 by over-billing clients.

VBA Tech Day includes seminars on using technology to become more efficient at billing.

I think the networks might have used reruns to build anticipation for the final few episodes of a show’s season.  Most of those episodes ran in May.

Well, I’ve posted some reruns here today. Hopefully they build anticipation for VBA Tech Day.  A terrific conference on tech-related issues that will take place in, you guessed it, May.

See the source image

 

Got Tech Competence? The VBA Does.

Last week, the Professional Responsibility Board voted to recommend that the Vermont Supreme Court follow the lead of ABA and 31 other states and adopt a duty of tech competence.  Specifically, the Board voted to recommend that the Court amend Comment 6 to Rule 1.1 to read as follows:

  • “[6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes to the law and its practice, including the benefits and risks associated with the technology relevant to the lawyer’s practice, engage in continuing study and education and comply with all legal education requirements to which the lawyer is subject.”

I’ve blogged a zillion times on tech competence.  Yes, a zillion.  Remember, puffery isn’t unethical.

I’ve also blogged that lawyers shouldn’t fear tech, but embrace it.  And here’s a chance to do exactly that!

Next month, the Vermont Bar Association is presenting its first ever Tech Day.  It looks like a fantastic event.  For more, go here.  Or, read the VBA announcement below.

Remember: amendment or not, Competence includes Tech Competence!

************************

REGISTER HERE

VIEW FLYER HERE

If one of your goals this year is to learn all there is to know about using technology in your law practice, then this is the place to be! Whether it’s cloud computing, automating your law practice, emerging tech trends, security, office IT, e-discovery, encryption, social media evidence, billing or digital forensics and more, we’ve got you covered.

Our Tech Show CLE Seminars cover the topics you need to know to get your law firm up to speed with current legal technology tools. Technology can streamline your law practice and save you time and money on top of ensuring you are competent in your practice. As Bar Counsel Mike Kennedy often says, legal competence includes tech competence.

Of course, there’s much more to our Tech Show than the educational sessions. We have built in plenty of time to view demos, get personalized recommendations and network with our Sponsors and Exhibitors as well as to mingle with your colleagues at our luncheon and reception.

And last, by not least, you’ll find all the inspiration you need to streamline and prosper from our Keynote Speakers, Brian Kuhn of IBM Watson Legal and Edward Hartman, Co-Founder of Legal Zoom.

************************

tech-ethics

 

Tech Competence: Don’t Let the Web Bugs Bite

Last week, the Illinois State Bar Association (ISBA) became the 4th to opine that a lawyer violates the ethics rules by using secret email tracking software.  The opinion is here.  The opinion was reported by 2Civility .

Secret email tracking software?? What is this? 007, Archer, and Get Smart?

I wish.

Alas, it’s tech competence.  As in, Rule 1.1‘s duty of competence includes tech competence.

The Illinois opinion does a nice job framing the question that was presented.

  • “The present inquiry involves the use of email ‘tracking’ software, applications that
    permit the sender of an email message to secretly monitor the receipt and subsequent handling of the message, including any attachments.  The specific technology, operation, and other features of such software appear to vary among vendors. Typically, however, tracking software inserts an invisible image or code into an email message that is automatically activated when the email is opened. Once activated, the software reports to the sender, without the knowledge of the recipient, detailed information regarding the recipient’s use of the message. Depending on the vendor, the information reported back to the sender may include: when the email was opened; who opened the email; the type of device used to open the email; how long the email was open; whether and how long any attachments, or individual pages of an attachment, were opened; when and how often the email or any attachments, or individual pages of an attachment, were reopened; whether and what attachments were downloaded; whether and when the email or any attachments were forwarded; the email address of any subsequent recipient; and the general geographic location of the device that received the forwarded message or attachment. At the sender’s option, tracking software can be used with or without notice to the recipient.”

The ISBA concluded that an attorney who uses email tracking software engages in dishonest & deceitful conduct, and also impermissibly intrudes on opposing counsel’s attorney-client relationship.  As such, the use web bugs violates Rules 8.4(c) and 4.4(a). The ISBA’s conclusions track (pun intended) conclusions reached by New York, Alaska, and Pennsylvania.

The opinion isn’t surprising.  However, it includes a section that I find interesting.

Here’s the sentence that immediately follows the section of the opinion that I quoted above:

  • “There do not appear to be any generally available or consistently reliable devices or programs capable of detecting or blocking email tracking software.”

That’s an important statement.  Why?  I’m glad you asked.

Lawyers have a duty to take reasonable precautions against both the inadvertent disclosure of and unauthorized access to client information.  For example, while it might be wrong for a passerby to open your file cabinet and look inside, it’s probably not a good idea for you to leave the file cabinet unlocked on the sidewalk in front of your office.  That’s not a reasonable precaution.  Similarly, and ( i hope) more likely to arise, hacking is wrong and illegal. But, the general trend is towards a conclusion that a lawyer violates the rules by failing to encrypt client data that is electronically transmitted and stored.

So, is the failure to check for – protect against – web bugs a violation of the duty to take reasonable precautions to safeguard client data?

According to the Illinois State Bar, no.  Specifically, the ISBA noted that while the ethics rules:

  • “express a general duty that a lawyer should keep abreast of the benefits and risks associated with relevant technology as well as make ‘reasonable efforts’ to prevent unauthorized access to client information, requiring the receiving lawyer to first discover and then defeat every undisclosed use of tracking software would be unfair, unworkable, and unreasonable.”

I apologize for yet another block quote.  But, I think this is an important issue.  So, here’s why the ISBA thought it would be “unfair, unworkable, and unreasonable” to expect a receiving lawyer to defend against web bugs:

  • “It would be unfair for at least two reasons. First, it is unfair to require lawyers to use email and other electronic documents in communications regarding their practice and then interpret the professional conduct rules to enable the undisclosed use of tracking software to gain covert, unauthorized access to protected client information of opposing parties. Second, it is unfair to require lawyers receiving email, i.e., all lawyers, to assume that all email messages contain undisclosed tracking software because that approach places the burden of preventing
    unauthorized access to protected client information on the wrong party. The sending lawyer is the actor in these situations and controls whether, when, and what type of tracking software to employ. Tracking software is not, for example, a common functional aspect of electronic documents like metadata. As noted in ABA Formal Opinion 06-442 (August 5, 2006), metadata is embedded information that enables word-processing software to manage documents and facilitates collaborative drafting among colleagues. Unlike tracking software, which must be purposely, and usually surreptitiously, inserted into an email, metadata is a universal feature of every word-processed document. It is appropriate and reasonable to expect lawyers to understand metadata and other ubiquitous aspects of common information technology. But it would be neither appropriate nor reasonable to charge all lawyers with an understanding of the latest version of tracking software that might be chosen, and then employed without notice, at the option of opposing counsel.”

The ISBA opinion continues:

  • “Even assuming that ‘defensive’ software or devices capable of discovering and/or
    defeating tracking software were to become available, it would be unworkable to, in effect, force every Illinois lawyer to become and remain familiar with the various tracking programs on the market and then immediately purchase and install whatever new anti-tracking software or device that may, or may not, protect against the latest version. Given the typical rapid changes in technology, few, if any, solo or small firm lawyers could reasonably do so. Aside from creating sustained employment for IT consultants and software vendors, that approach would only precipitate an ‘arms race’ in which the developers and users of tracking software would always be a step ahead.”

I am not condoning a lawyer’s use of web bugs or surreptitious tracking software.  No more than I’d condone wiretapping opposing counsel’s phone. However, I am not sympathetic to the suggestion that tech evolves so rapidly that we shouldn’t expect lawyers to stay abreast of developments in technology.

Also, as I’ve blogged, the rationale for the conclusion that receiving lawyers have no duty to protect against tracking software that is designed to pierce the attorney-client relationship sounds an awful lot like what we used to say about whether lawyers had a duty to encrypt email, scrub metadata, or have a basic knowledge of common trust account (phishing) scams.

I’m fairly confident that someday, it will no longer be difficult or burdensome to detect and protect against email tracking software.  In other words, go back to the statement that’s bolded above.  Soon, I think it might be changed to:

  • “There appear to be many generally available and consistently reliable devices or programs capable of detecting or blocking email tracking software.”

When that day arrives, I doubt that “but they shouldn’t have used tracking software on me” will be a defense to a charge that a lawyer failed to take reasonable precautions to safeguard client data.  In any event, regardless of whether there’s an affirmative duty to protect against web bugs, I’d think a prudent lawyer would want to do so anyway.

In conclusion, don’t let the web bugs bite.  Not only that, remember that we’re likely soon to live in a world in which web bugs bite all involved with a particular communication.

Bugs

 

CC, BCC, and a lawyer’s duty of competence.

I can hear you now.

  • “Mike, what the heck do CC & BCC have to do with my duty of competence?”

Thank you!! The fact that you know you have a duty of competence is music to my ears!

Now, back to your question.

In my view, the duty of competence includes a duty to have a basic understanding of the benefits and risks of using technology while representing a client.  For example, understanding the risks of “CC-ing” or “BCC-ing” a client on an e-mail to opposing counsel.

So, to bcc or not to bcc?  That is the question.  It’s a question worth considering, if only not to suffer the slings and arrows of angry clients & frustrated opposing counsel.

I’ve blogged on this issue before:

The posts reference advisory opinions from North Carolina and New York.  The opinions list the reasons not to “cc” clients, “bcc” clients, or “reply-all” to an email in which opposing counsel “cc’d” a client.   Any or all can lead a lawyer right into the danger zone.

Seriously Lana, call Kenny Loggins.

Last month, the Alaska Bar Association issued Ethics Opinion 2018-01: E-Mail Correspondence with Opposing Counsel While Sending a Copy to the Client.  The opinion is consistent with those issued by the North Carolina and New York bars.

Here’s a summary of the Alaska Bar’s opinion:

  • A lawyer has a duty to act competently to protect a client’s confidences.
  • A lawyer has a duty not to communicate with a represented party on the subject of the representation.
  • Lawyers are encouraged not to “cc” or “bcc” their clients on electronic communications to opposing counsel.
  • A more prudent practice is to forward the client a copy of a sent e-mail.
  • At the outset of any matter, lawyers should agree on a “cc” and “reply-all” protocol.
  • Absent a protocol, s lawyer has a duty to inquire whether opposing counsel’s “cc” to opposing counsel’s client is permission to “reply-all.”

Good recommendations.

Stay safe out there.  And, remember: competence includes tech competence.

Image result for hamlet to be or not to be

 

 

 

 

 

Competent Advice & Privacy Settings

Rule 1.1 requires lawyers to provide clients with competent representation.  As nearly everyone who has read my blog twice knows, my position is that competence includes tech competence.

It’s also my position that a lawyer has a duty to provide a client with competent advice as to the impact, if any, that the client’s social media will have on a matter.

Let me be clear.

I often hear “but, Mike, I don’t want to have a Facebook account.”  I am not saying that you are required to.  Rather, I’m saying that you should know that your clients most likely do and, further, that information posted to a client’s Facebook account might impact the matter in which you are representing the client.

Here’s the latest.

Per the ABA Journal, a New York court ruled that the defense may discover photos that a personal injury plaintiff posted to Facebook and set as “private.”  The opinion is here.

The upshot:  it’s likely not competent to advise clients “don’t worry, as long as you keep it private, the other side won’t be able to access it.”

The case is one in which the plaintiff fell from a horse.  She sued, alleging that the defendant’s defective mounting of the stirrups caused the fall.  Among other things, plaintiff contends that her injuries prohibit her from many activities that she used to enjoy.

During her deposition, plaintiff testified that, prior to her fall, she had regularly posted photos to Facebook.  The defense requested access to the photos, which plaintiff had set to “private.”  Plaintiff declined to provide access.

The defense moved to compel production of the photos.  The defense argued that the photos bore on the credibility of plaintiff’s assertion that she had previously engaged in the activities that, now, she claimed she could not.

Plaintiff’s attorney countered that the single public photo on plaintiff’s Facebook account did not contradict her deposition testimony.  As such, the argument went, the defense had not established that access to the private portion of the account was likely to lead to the discovery of relevant information.

The trial court compelled production.  An appellate court modified the order to compel, limiting it only to photos that plaintiff intended to introduce at trial.  In the end, the New York Court of Appeals reinstated the trial court’s order. In so doing, the Court set out the various factors that a trial court should consider in response to a motion to compel production of information stored electronically on a social media platform.

I won’t go into the court’s decision in length.  Here are two key takeaways:

  1. As I’ve often said, electronically stored information is no different from any other information.  Or, in this case, photographs posted to Facebook are no different than photos that grandma slid behind plastic in that old, musty, album.
  2. A quote from the NY Court’s opinion (citations deleted):
    • “Plaintiff suggests that disclosure of social media materials necessarily constitutes an unjustified invasion of privacy. We assume for purposes of resolving the narrow issue before us that some materials on a Facebook account may fairly be characterized as private.But even private materials may be subject to discovery if they are relevant. For example, medical records enjoy protection in many contexts under the physician-patient
      privilege  But when a party commences an action, affirmatively placing
      a mental or physical condition in issue, certain privacy interests relating to relevant medical records – including the physician-patient privilege – are waived. For purposes of disclosure, the threshold inquiry is not whether the materials sought are private but whether they are reasonably calculated to contain relevant information.”

Remember: competence includes tech competence.

Social Media

Monday Morning Answers #105

I’m not positive, but methinks this week’s is the largest Honor Roll ever!

Friday’s questions are HERE.  Thanks to all who sent in responses.   I especially enjoyed hearing & reading so many wonderful stories of grandmothers & grandfathers who sound so similar to mine.  Today’s answers follow the honor roll.

67FCDEE4-4A0B-4B58-9AB7-151422E4069A

Honor Roll

Answers

Question 1

Each of the following words is in the name of its own rule. Three of the rules involve the same type of ethics issue.   Which is associated with a different ethics issue than the other three?

  • A.  Prospective
  • B.  Meritorious
  • C.  Current
  • D.  Former

Rule 3.1 governs meritorious claims.  Prospective, Current, and Former are types of clients for the purposes of the conflicts rules.

Question 2

Attorney called me with an inquiry.  She said “Mike, I have some questions about mental impressions, as well as internal notes and memoranda.”  Most likely, what issue did Attorney call to discuss?

  • A.  The duty to report a client’s fraud
  • B.  The duty to act competently to safeguard client data stored in the cloud
  • C.   Duties to a client who suffers from a diminished capacity
  • D   File delivery & the question of “what is the file?”

I might have phrased this one poorly.  Option “A” certainly could happen, as a lawyer’s mental impressions and notes might include information that must be revealed pursuant to Rule 1.6(b).   However, here, I was getting at whether an attorney’s notes and mental impressions are part of “the file.”  For more on this topic, including a link to an ABA Formal Advisory Opinion, see this post.

Question 3

Fill in the blank. (two words)

Lawyer called with an inquiry.  Lawyer said “client said she’s fine with it, so do you think that I have ________  ___________?”

I replied “Well, ‘she’s fine with it’ isn’t exactly the definition of _________   _________.  Per the rules, it’s an agreement to a proposed course of conduct after you’ve adequately communicated & explained the material risks, and reasonably available alternatives to, the proposed course of conduct.”

Informed Consent, Rule 1.0(e).

Question 4

Attorney called me with an inquiry.  Attorney was concerned that her she and her firm had been “pwned.”  What did we discuss?

Whether Attorney & Firm had:

  • A.   suffered a breach of electronically stored client data.
  • B.   fallen for a trust account scam.
  • C.   violated the rules while responding to a negative online review.
  • D.  been duped by an adversary who intentionally posted “fake evidence” on a social media platform.

Hello gamers! I wasn’t familiar with the term “pwned” until I read the ABA Journal’s cybersecurity tips.

Question 5

Hint: in honor of my grandfather’s Chicago roots, and in anticipation of a blog I intend to post next week . . .

Lawrence Mattingly practiced law in Illinois.  Once, he arranged a meeting between a client and federal agents/prosecutors who were trying to build a tax evasion case against the client.  During the meeting, the client claimed “I’ve never had much of an income.”

Later, Attorney Mattingly provided Treasury agents with a letter in which he conceded that his client had, in fact, earned a substantial income over the previous 4 years. The “Mattingly Letter” was admitted at trial and used as evidence against the client.  The client was convicted and sent to prison.

Who was the client?

Al Capone

ABA Journal Provides Cybersecurity Tips

Rules 1.1 and 1.6 operate to impose a duty to act competently to safeguard information relating to the representation of a client.  The duty includes taking reasonable steps to protect against the unauthorized or inadvertent disclosure of (or access to) electronically stored client data.

In 2018, the ABA Journal will publish a year-long series on cybersecurity.  Last month, and as part of the series, the ABA Journal posted 5 cybersecurity steps you should already be taking.  I recommend it.  A quick summary:

  1. Check to see if you’ve been pwned.
  2. Consider a password manager.
  3. Improve the strength of your passwords.
  4. Use 2-factor (or multi-factor) authentication.
  5. Encrypt your devices.

Again, read the post.  It’s not long, and the tips are as simple as they are valuable.

Finally, don’t forget that the Vermont Bar Association is offering its first ever Tech Day on May 16.  It’s shaping up to be a fantastic CLE.

cyber-security

Service via Instagram

It has been over two years since I first blogged on tech competence.  As regular readers know, my opinion is that competence includes tech competence.

Here’s the latest:  Above The Law and Canadian Lawyer have the story of a Toronto lawyer who received permission to serve an adversary via direct message on Instagram. The lawyer made the request after unsuccessful attempts to serve the defendant in person and by e-mail.

Remember: as I’ve often said, the rules don’t require lawyers to have or to use social media platforms.  However, my position is that Rule 1.1’s duty of competence includes providing clients with competent advice as to the impact (or not) that their social media platforms will have on any particular matter.  This includes the impact of information that clients make available on social media, and, as today’s story illustrates, the impact of merely having a social media account through which messages can be delivered.  For instance, imagine a client’s claim never being brought for no other reason than you didn’t think to check whether the defendant could be “found” on social media.

@vtbarcounsel

See the source image