Encryption & The Evolving Duty to Safeguard Client Information

In December 2015, I posted To Encrypt or not to Encrypt?   

The post began with an analysis of how Rules 1.1 and 1.6 work together to impose a duty to act competently to safeguard client information, including information that is stored and transmitted by electronic means.

From there, I walked readers through a series of advisory ethics opinions.  Over time, the opinions moved from concluding that the duty to act competently to safeguard client information did not include a duty to encrypt to concluding that it might.

I stated that, at the very least, lawyers had a duty to warn clients about the risks associated with unencrypted electronic communications.  Then, I wrote:

  • “My sense is that we will soon reach, if we haven’t already reached, a day upon which it will not be considered reasonable to transmit client information via unencrypted email.  Encryption is not as difficult or expensive as it used to be and more secure alternatives are readily available.”

Last week, that day drew closer.

On May 11, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 477: Securing Communication of Protected Client Information. The opinion analyzes the duties imposed by Rules 1.1 and 1.6.  It reviews a series of advisory ethics opinions and discusses the trend towards requiring lawyers to encrypt electronic client communications.

Opinion 477 concludes that lawyers must make reasonable efforts to safeguard client information.  It states that “[w]hat constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors.”  That is, lawyers must employ a “fact-based analysis” when transmitting & storing client information.  Factors in the analysis include:

  • the sensitivity of the information,
  • the likelihood of disclosure if special safeguards are not used,
  • the cost of using special safeguards, and
  • the difficulty of using special safeguards.

With respect to these factors, the opinion concludes that “lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters . . . to determine what effort is reasonable.”

The opinion makes clear that lawyers must remain cognizant that the analysis will change as technology evolves. In other words, what’s reasonable today might not be reasonable in 2020.

More importantly, what was unreasonable in 1997 might be reasonable today.  For example, as the opinion notes, “a fact-based analysis means that particularly strong protective measures, like encryption, are warranted in some circumstances.”

The opinion suggests that the duty to safeguard client communications likely requires lawyers to:

  • Understand the nature of the threat,
  • Understand how information is transmitted & where it is stored,
  • Understand & use reasonable electronic security measures,
  • Determine how electronic communications should be protected,
  • Label communications as “privileged & confidential,”
  • Train partners, associates, and nonlawyer assistants in information security, and
  • Exercise due diligence when choosing a vendor.

For more on each, see pages 5-9 of Formal Opinion 477.

In my view, the opinion sends a strong signal that the failure to use basic and widely available tools violates the duties imposed by Rules 1.1 and 1.6.  Those tools include:

  • Within an office, using adequate login passwords
  • Changing those passwords on a regular basis
  • Password protecting email attachments
  • Using secure WiFi (as in, not the coffee shop’s WiFi)
  • Installing & updating firewalls, anti-malware, anti-spyware, and anti-virus software
  • Using client portals instead of email
  • Using established & secure cloud-based file storage vendors to send, exchange, and view documents
  • Remembering that client information is on, or has been accessed from, multiple devices: cell phones, tablets, remote log-ins

If you take anything away from this, as usual, let it be my refrain that “competence includes tech competence.”  For, if you find yourself in times of trouble, it will not be acceptable to respond “but that tech stuff is too complicated!”

It isn’t.

As technology evolves, so evolves the standard of “reasonable efforts to safeguard client information.”

Have you evolved?

Electronic Communication

Tech Competence: It includes more than you might think.

Last week I stepped off my e-soapbox and blogged that Tech Competence Isn’t Everything: Soft Skills Matter.

Today I’m e-jumping back onto the e-soapbox.  (Sadly, my e-vertical is infinitely higher than my real vertical was in my playing days.)

Tech encompasses things less techy than you think.

The Legal Rebels section of the ABA Journal has a very interesting new post from Ivy Grey.  It’s here:  Not competent in basic tech? You could be overbilling your clients – and be on shaky ground.

I recommend reading the entire post.  But, here are 3 sections that caught my eye.

  • “Data security and e-discovery may get attention in the press, but lawyers should not neglect learning about the mundane tools that they use every day. Document preparation, drafting, and polishing consumes a significant amount of every lawyer’s time regardless of practice area. And MS Word is more sophisticated with greater capabilities for meeting our complex needs than you might otherwise think. It is an area ripe for learning. Ignoring that touches on bigger issues like unearned fees.”
  • “Technology competence is broad. However, its definition must include the tools that lawyers use to practice law, such as case management software, document management software, billing software, email, a PDF system with redacting capabilities, and the MS Office Suite, particularly MS Word. Any lawyer who does not develop basic skills in these six types of programs will risk ethical rebuke”
  • “By remaining technologically incompetent, lawyers are knowingly wasting clients’ time and money due to lack of computer skills. That is unacceptable. It is time to recognize that inefficient use of technology, such as MS Word, could mean overbilling a client. When lawyers choose not to learn technology because the old way of doing things leads to more billable hours, they are not serving their clients fairly.”

Here’s my takeaway.

Rule 1.1 mandates competence.  Rule 1.5 prohibits unreasonable fees.  At some point, an inability to use the most basic tech tools causes an attorney to spend an unreasonable amount of time on a task.  Billing for that time might violate Rule 1.5.

Food for thought.

tech-ethics

So You Want To Store Client Data in the Cloud….

. . . you should! Odds are it’ll make your law practice more efficient, which will help both you and your clients.

With the June 30 deadline to report CLE compliance, I’m asked to present at a lot of CLEs in May and June.  This year, several folks have asked me to talk about the ethics associated with storing client data in the cloud.

I will do as asked. Reluctantly.

Last November, I posted a blog in which I expressed my hope that I’d done my last seminar on the ethics of storing information in the cloud.  I think it’s time we move beyond “can I use the cloud?” to figuring out whether the cloud works for you & your firm and, if so, which vendor to choose.

Since my hope has not yet been realized, I’m re-posting my post. Two words to remember: “Reasonable Precautions.”

****

The Cloud:  What are Reasonable Precautions?

Last Friday, I presented a CLE for the Rutland County Bar Association. My assigned topic: the ethics of storing client information in the cloud.  I started by saying that I hoped it was my final seminar on the topic.  I was serious.

Let’s walk through this.

In general, a lawyer has a duty not to disclose information relating to the representation of a client absent client consent.  See Rule 1.6.  A lawyer also has a duty to keep client property safe.  See Rule 1.15.

I view the cloud as the latest in a long line of different places to store information.  In that sense, the cloud is not different than manila folders, boxes, offices, attics, basements, barns, file cabinets, file cabinets with locks, storage facilities, hard drives, floppy disks, CDs, and thumb drives.

No matter where a lawyer stores client information, a lawyer must act competently to protect the information against inadvertent or unauthorized disclosure. See, Rule 1.6, Comment [16].  When transmitting client information, a lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients.  Rule 1.6, Comment [17].

So, think about cloud storage like this:  client information is electronically transmitted to a place where it will be kept.  Thus, a lawyer must take reasonable precautions to protect client information both while it is in transit and while it is at rest.

In fact, that’s almost exactly what the VBA’s Professional Responsibility Committee said – SIX YEARS AGO when it issued Advisory Ethics Opinion 2010-06.  Here’s the digest of the opinion:

  • “Vermont attorneys can utilize Software as a Service in connection with confidential client information, property, and communications, including for storage, processing, transmission, and calendaring of such materials, as long as they take reasonable precautions to protect the confidentiality of and to ensure access to these materials.”

(Aside: for anyone wondering why I included an advisory opinion about “Software as a Service” in a post on cloud computing, I remind you that Rule 1.0’s duty of competence includes tech competence.)

The question I hear most often is this:  “what are reasonable precautions?”  In Rutland, I suggested to the audience that they already know the answer, if only by treating the cloud as if it were a storage facility out on Old County Road. Some questions you might ask when considering that facility:

  • who do you let into this facility?
  • do you require a passcode or badge for the gate?
  • are there locks on the individual units?
  • who besides me has a key or knows the combination?
  • can I get into my unit whenever I want to?
  • what happens to my files if I don’t pay or if you go out of business?

Indeed, take a look at page 6 of the VBA Opinion.  The Committee suggested some of those exact questions when considering a cloud vendor.

Or, take a look at this post from Robert Ambrogi.  He writes that “[s]ome basic questions to ask of a cloud vendor, distilled from various ethics opinions, include:

  • Is it a solid company with a good reputation and record?
  • Can you get access to your data whenever you want, without restrictions?
  • If your service is terminated – by you or by the company – can you retrieve your data?
  • Does it allow use of advanced password protocols and two-step verification?
  • What are its internal policies regarding employee and third-party access to your data?
  • Is your data encrypted both while in transit and while at rest on the company’s servers?
  • How is your data backed up?
  • What security protections are in place at the data centers the company uses?”

Finally, remember that asking the questions isn’t enough.  You need to understand the answers or find someone who does.  For example, imagine this:

  • You:   Will my data be encrypted in transmission and at rest?
  • Vendor:  Yes.  In transmission, we use a BTTF Flux Capacitor.  At rest, we use the latest cloaking technology from Romii.
  • You:  Sounds awesome. Sign me up.

Umm, no.  You just signed up to star in the next entry in Was That Wrong.

In conclusion, you may store client information in the cloud so long as you take reasonable precautions.  This entry includes links that will help you determine what “reasonable precautions” are.  Don’t fear the cloud, but know what you don’t know.

Speaking of which, info on the BTTF Flux Capacitor is HERE. And, for more on Romii cloaking technology, go HERE.

Cloud for Lawyers

Guest Pass: Peter Zuk on Data Security

I’m rolling out a new column: Guest Pass.  Like Captain Kirk and the bridge, it’s a column in which I hand over control to a guest.

The first recipient of a Guest Pass is old friend Peter Zuk.  Many of you remember Peter from his title insurance days.  In my early years as disciplinary counsel, Peter was instrumental in helping me to learn the importance of a swift and serious response to a violation of the trust accounting rules.  He also served as an invaluable resource and sounding board when I found myself confronted with trust accounting issues that, having come from the AG’s office, I’d never encountered.

These days, Peter works for Kyocera Document Solutions and serves as a member of one of the Professional Responsibility Program’s hearing panels. Peter’s Guest Pass serves up an important reminder on tech competence & maintaining the security and confidentiality of client data.

Mr. Zuk, you’ve got the bridge.

**********

Data Security: Don’t Forget the Copier

by Peter Zuk

Michael:

I’m selling copiers and secure networks to lawyers many of whom were former title insurance customers.  It’s great to be able to serve my old clientele again.

In working through the purchase of a new copier or multi-function printer (MFP, as we like to say), the question frequently arises as to how to dispose of the old machine.  Big and heavy, they’re impossible to lift and few have a car big enough to haul it to a recycling facility.

Fortunately for most business customers the answer is an easy one:  The new company takes the old copier as a condition of the sale.

But what about law offices?  Is there anything else that they should consider?

The answer is “maybe”.

To understand this answer you have to know how the modern MFP works.

While they don’t look like much, copiers come packed with technology these days.  Part of that technology is a large capacity hard drive.  To provide you with a crisp, clear copy or scanned image, the MFP takes a picture of your document, digitizes it and saves it to an internal hard disk located within the machine.  From there, the internal computer then copies that image from the drive to a photo-statically charged drum which transfers the charged image to paper.

What happens to the image on the hard disk you may be asking?  Fortunately most machines now overwrite the image at the completion of each job obscuring its discovery.

Lawyers may be ok with that level of security.  To be sure though, the prudent attorney may wish to request that the copier company remove the hard disk from the old machine on premises and surrender it to a member of the firm for proper and documentable destruction.  On premises removal of hard disks is becoming requested more and more and should be considered as part of an overall data security plan for the firm.

Firms wishing to do this should notify their leasing company prior to removal as they may ask to be reimbursed for the cost of the hard drive.

******************

Thank you, Peter!  For those of you saying to yourselves “self, this isn’t a very big deal,” check out this 2010 story from CBS News: Digital Photocopiers Loaded With Secrets

Guest Pass

Yes! A Comparison of Law Practice Management Software

On Valentine’s Day, the folks at Lawyerist issued a press release that only a bar counsel who preaches “competence includes tech competence” could love.

The press release, which is HERE, starts by asking:

  • “Wish there was a place to perform side-by-side comparisons of the top law practice management software?”

Well, ask and ye shall receive!

Lawyerist published a side-by-side comparison of Law Practice Management Software systems.  The chart compares the features of 12 law practice management programs. Lawyerist intends to update the chart as appropriate.

You can view the chart HERE. (scroll down, you’ll see a chart.  Trust me, the chart has its own scroll bar that will allow you to scroll to the right & view the entire chart).

If you’re considering new law practice management software, the chart appears to be a great resource. As always, remember that a lawyer has a duty to take reasonable precautions when transmitting or storing information relating to a representation.

tech-ethics

Are Robots Nonlawyer Assistants?

Seyfarth Shaw is a law firm with an impressive list of accolades.  And, now, the firm appears poised to be the first major law firm to use robots to handle tasks presently performed by lawyers.

In a joint press release with a company called Blue Prism, Seyfarth Shaw announced:

  • “We’re excited about the opportunity this creates to free our lawyers from some of the more mundane legal tasks so they can focus on helping our clients solve their most complex business issues,” explained Seyfarth’s chair emeritus Stephen Poor. “In testing various use cases, we’ve already seen how Blue Prism’s RPA software can help us create exponential gains in productivity, and we’ve only begun to scratch the surface of possibilities.”

The ABA Journal has the full story here.

A phrase stood out:  “[w]e’re excited about the opportunity this creates to free our lawyers from some of the more mundane legal tasks . . ..”

So, it looks to me as if robots will be performing “mundane legal tasks.”

I’m not the least bit surprised.  But, from a regulatory perspective, what if the robot gets it wrong?

In Vermont, Rules 5.3(a) & (b) impose responsibilities regarding nonlawyer assistants.  Rule 5.3(c) holds a lawyer ethically liable for the conduct of a nonlawyer assistant if the lawyer orders or ratifies it, or if the lawyer has knowledge of a nonlawyer assistant’s conduct and fails to take reasonable remedial action at a time when the consequences can be avoided or mitigated.

As I’ve often said, Rule 1.1’s duty of competence includes tech competence.  Read together, do Rules 1.1 and 5.3 require lawyers who use robots to have some sort of understanding of the coder’s qualifications?  Perhaps we will eventually treat the purchase of robots as we do the selection of a cloud vendor and hold that “a lawyer must take reasonable precautions in choosing a robot that will perform mundane legal tasks.”

Even beyond choosing the robot, is there a duty to “trust but verify” the robot’s work?  I have no idea what “mundane legal tasks” the robots will be doing.  However, absent random quality assurance checks, it’s conceivable that the robots could get a task wrong for quite a period of time before anyone realizes it.  Not only that, I’d assume that a mistake would result from a programing error and, therefore, could be repeated over & over & over again.  Or, will this have been addressed in the testing phase?

The profession’s eventual replacement of humans with machines intrigues me, even if only from an ethics perspective.  Are machines burdened by notions of loyalty?  If not, will the conflict of interest rules apply to robots?

In any event, this is only the beginning.  As the press release goes on to state:

  • “Blue Prism provides an anchor around which we can refine and test the types of robotics that immediately make our lawyers better and faster,” said Byong Kim, director of technology innovations, SeyfarthLean Consulting. “At its core, this is about arming lawyers with the best technology, and software robots are the latest evolution.

tech-ethics

Service by Social Media

I’m at the mid-winter meeting of the National Organization of Bar Counsel. The program starts later today and I expect to learn lots of  blog-worthy info.

In the meantime, here’s something related to tech competence.

Earlier today, the ABA Legal Technology Resource Center shared a link from the ABA’s Law Practice Group. The link, which is here, is to an update on the evolving area of using social media to effect service.

Competence includes tech competence.

Tips for Choosing a Practice Management System

Most of you know that when it comes to legal tech, I highly recommend Robert Ambrogi’s Law Sites Blog.  Ambrogi also writes a This Week In Legal Tech column for Above The Law.

Here’s the most recent column: 6 Questions To Ask Before Selecting A Practice Management Platform.

Read it.

A summary of the 6 questions:

  1. Do you want a cloud platform or a platform installed on site?
  2. How much do you want to pay?
  3. Does the system comply with security requirements and obligations under the Rules of Professional Conduct?
  4. Does it have the basic features that you need?
  5. Does it have the advanced features that you need?
  6. Does it feel right when you try it?

Again, read the article.

For part 2 of question 3, my view is that a lawyer’s obligation under the Rules of Professional Conduct is to take reasonable precautions to protect client data, whether the data is in transmission or at rest.  What are reasonable precautions?  I addressed that question HERE.

Still drinking coffee this morning?  You’ve got time to try this week’s legal ethics quiz before you hit the trails or slopes.

tech-ethics

Web Bugs: An Update.

Update:  So, I received an e-mail stating that I’m “way off base” in “endorsing” the use of web bugs. Please review each of the posts I’ve made on the topic.  One is HERE, the other is HERE.

I have not endorsed the use of web bugs or spy mail.

What I intended to convey is this: the fact that it may be wrong for someone to try to access information relating to the representation of your clients doesn’t relieve you from the duty to take reasonable precautions to prevent unauthorized access to that information. See Rule 1.6, Comments 16 and 17.

Do you have to store your paper files in a subterranean vault that’s equipped to survive an RPG attack?  No.  But you probably shouldn’t leave your file cabinets unlocked in a shared hallway, trusting that passersby will remember not to look at things that aren’t theirs.

Imagine a passerby looks through the files.  Are you willing to roll with the “but he shouldn’t have been looking!” defense to a formal charge that you violated Rule 1.6 by keeping your files unlocked in the hallway? If so, take a look at this decision from a hearing panel of the PRB.

Is there an affirmative duty to use available technology to protect against spy mail? I don’t know.  No matter the type of technology, including a type we can’t even imagine today, it will boil down to this: have you taken reasonable precautions to protect against the unauthorized disclosure of client information?

I will not be surprised if, someday, someone concludes that the duty to take reasonable precautions to protect against the unauthorized disclosure of information relating to the representation of a client includes using reasonably available technology to protect against web bugs & spy mail. In fact, as I mentioned in the first post, that’s almost exactly how the debates over metadata and encrypted e-mail have evolved.

cyber-security