The Interwebs

Good morning!

So, later today, I’m presenting a CLE to the Washington County Bar Association.  The august group’s leaders asked that I talk about some of the ethical issues that arise from lawyers’ failure to understand use of social media.

Prepping for the seminar, I was struck by two things.

Some of you are quietly hoping they were both lightning bolts.   Nope.

Rather, I realized that for all I write about tech competence, (1) in college, I bought a Betamax, siding with Sony in the Format War against VHS; and (2) more recently, I thought Blockbuster would squash that little upstart called Netflix.

img_2031

Anyhow, for those of you interested in the topic, the folks over at Internet for Lawyer maintain this great list of the various advisory ethics opinions on social media.  As for me, I’ve blogged often on the subject  This post – Friends, Followers, and Legal Ethics – sums up my thoughts.

Finally, at the CLE, I’m going to mention this opinion from the titanic clash of Oracle v. Google.  As I reviewed it yesterday afternoon, I wondered whether the judge considered ending the opening sentence after the words “trial lawyers.”

  • “Trial judges have such respect for juries — reverential respect would not be too strongto say — that it must pain them to contemplate that, in addition to the sacrifice jurors make for our country, they must suffer trial lawyers and jury consultants scouring over their Facebook and other profiles to dissect their politics, religion, relationships, preferences, friends, photographs, and other personal information.”

Social Media

 

Advertisements

Bouchons, Cybersecurity & Ransomware

Yesterday, I met with lawyers from the Lamoille County Bar Association.  Leslie Black, president-emeritus (by my proclamation) of the LCBA, had me up to talk legal ethics.

As an aside, Leslie stole the show by showing up with a fresh batch of bouchons.  You might have heard of Thomas Keller and the Bouchon Bakery.   Fine stuff, I’m sure.

Well, Leslie’s lemon bouchons, with a hint of cinnamon, are better.  And that, my friends, is not mere puffery.   The trick, je pense, is her brown butter recipe.

Leslie – les bouchons etait magnifique!

Now, back to business.

First off, I hope I’ve dispelled those who are less tech competent than others of the notion that “bouchon” has something to do with cybersecurity & ransomware.

Next, yesterday, we had an interesting discussion on cybersecurity & ransomware.  I’ve blogged previously on the issue here.  I’m blogging again for a few reasons.  Mainly, to stress a key point that David Polow made at the CLE:  back-up.  Storing info only in the cloud isn’t enough.

My prior blog post includes links to several helpful articles.  I failed to link to this one from the ABA Journal: Ransomware is a growing threat, but there are things you can do to protect your firm.  A critical point in the article echoes David:

  • ” The panelists say that the core of ransomware protection is a robust backup system. However, Simek said that backups need to be tested on a periodic basis.If a firm’s backup is in the cloud, then redundancies of that backup system should be made as well—in other words, one backup is insufficient. For the truly business-critical data, McNew said a backup should be stored offsite and ‘air gapped,’ meaning it is not able to connect to the internet.”

Or, as Jim Knapp says, when it comes to backup “onsite, online, air-gap.”

Are you likely to be targeted? I don’t know.  It happened to one of the nation’s largest firms.  And, a Vermont firm was targeted in April.  The firm did not have sufficient back-up and data was at risk.

If it’s an issue that concerns you, talk to someone with a tech background.  Here are a few links from my original post that might be helpful:

As always, let’s be careful out there.

Ransomware & Cybersecurity Insurance

As I’ve often blogged, Rules 1.1 and 1.6 require lawyers to act competently to safeguard client data.

Last month, I became aware of a law firm that was the subject of a ransomware attack. The cyber attacker blocked the firm’s access to client files and demanded a ransom.

Reminder: if a lawyer’s electronic files are compromised in a cyber attack, the question of whether the lawyer violated the Rules of Professional Conduct will likely turn on whether the lawyer took reasonable precautions to safeguard against the unauthorized access of client data.  In other words, being the victim of an attack is not, in & of itself, an ethics violation.

For example, consider two scenarios.

Scenario 1:  Lawyer operates a solo practice.  Lawyer employs a state-of-the art security system.  Nevertheless, a determined criminal uses C-4 to detonate into the office, into the safe, and then steals Lawyer’s files.

Scenario 2:  Attorney operates a solo practice.  Attorney keeps client files in an unlocked cabinet that’s on the front porch.  A lazy criminal walks up the steps, opens a drawer, and takes some of Attorney’s files.

Between the two, my guess is that a hearing panel is more likely to conclude that Lawyer is the one who took reasonable precautions against the inadvertent or unauthorized disclosure of confidential information.

In any event, on the subject of ransomware, here are few thoughts:

As always, let’s be careful out there.

Hill Street Blues

 

 

 

ESI: there’s risk in failing to preserve.

Say it with me: competence includes tech competence.

In most of my posts on the topic, the unstated message is that a lawyer who fails to satisfy the duty of competence violates Rule 1.1 and risks having a sanction imposed against his or her license.

Here’s my post on Competence, ESI, and E-Discovery.  In it, I wrote that the duty of (tech) competence includes:

  • knowing that “it” exists,
  • knowing that clients, their adversaries, and witnesses have “it;” and,
  • knowing how to protect, preserve, produce, request, review, and use “it.”

What is “it?” It is Electronically Stored Information (“ESI”).

In addition, I cited to an advisory opinion from the State Bar of California that includes the following quote:

  • “Attorney competence related to litigation generally requires, among other things, and at a minimum, a basic understanding of, and facility with, issues relating to e-discovery, including the discovery of electronically stored information (“ESI”).”

Today, I blog to call your attention to other risks. Namely, the risk of having a court impose severe sanctions against you and your clients if you fail to preserve ESI.

Melinda Levitt and Peter Vogel are partners at Foley & Lardner.  Yesterday, The National Law Review posted their article Bad Preservation in eDiscovery is Still Very Costly! 

Give it read.

The article begins by reporting that there is both “good news” and “bad news” when it comes to discovery sanctions for failures to preserve ESI.

The good news is that relative recent amendments to the civil rules reserve the most severe sanctions for situations in which the failure to preserve resulted from an “intent to deprive.” As the authors note, “the ‘bad news’ is that bad preservation behavior continues.”

Next, the authors point out that:

  • “[i]t has been twelve years now since the federal rules were first amended and explicitly came to recognize ‘ESI’ – that is emails, electronic documents, excel spreadsheets, PowerPoints, and a myriad of other electronic materials – as documents” within the meaning of the discovery rules.”

They also point out that, over those 12 years, all of us have become increasingly reliant on technology, without necessarily developing any clue how it works.

Nevertheless,

  • ” . . . there are some basic things that people at least in the business community should have come to understand over the last 12 years. Among them are if litigation is occurring or is about to occur, a company is obligated to take reasonable steps to ensure that its relevant (or potentially relevant) ESI is preserved. That means getting out the word quickly – whether by way of a formal written litigation hold or otherwise – that employees and electronic systems managers/overseers need to take steps to stop either conscious or system-wide deletions or purges of potentially relevant ESI. By now, business owners, their IT employees, and their in-house and outside counsel really should have no doubt about this obligation and how to accomplish it. Granted, meeting this obligation can get dicey and difficult when it comes to things such as employee text messages, social media postings, telephone messages, and structured data. However, in terms of emails and basic electronic documents – the mainstays of business life – there should be no question or hesitation about what needs to be done.  

Then, the meat of their message:

  • “And yet . . . and yet, very recent decisions demonstrate that executives, managers and yes, even lawyers, either remain willfully ignorant of how these business systems work or are determined to pass the buck, having assumed that some mysterious “someone else” in the company was handling things. Well, while courts no longer can impose the most draconian of sanctions, no one should kid him or herself – judges continue to have very potent sanctions options available and are very willing to use them when confronted with preservation misconduct borne of ignorance, indifference or good old-fashioned boneheadness. The following are a few telling examples – and were issued in just the last few weeks – and each leaves us with the question – what were they thinking?”

From there, the article goes on to recount several cases in which significant discovery sanctions were imposed against lawyers and their clients as a result of failures to preserve ESI.  Some might strike a nerve.  If so, there’s still time to sign up for tomorrow’s first-ever VBA Tech Show.

Tech competence.  The lack thereof impacts much more than a lawyer’s license.

E Discovery

 

 

 

 

 

Reruns

Remember reruns?  In the age of streaming content, I don’t know if reruns are even a thing anymore.  If not, good riddance!!

Seriously, was there anything as disappointing as waiting all week for the next episode of your favorite show only to have it be a rerun?

Aside: yes, we used to have wait all week for the next episode of our favorite shows.

As much as I despised reruns as a viewer, I love them as a blogger.  They’re the perfect antidote to writer’s block. So, here goes.

The VBA’s Tech Day is next month.  The agenda is fantastic.  It includes seminars on several topics upon which I’ve blogged in my nauseating ongoing effort to remind lawyers that the duty of competence includes tech competence.

Missed my posts?  Thank goodness for reruns.

Last October, I posted Competence, ESI, and E-DiscoveryIt referenced several topics, including:

  • admitting social media posts into evidence;
  • an attorney’s duties related to a client “taking down” or “scrubbing” social media posts;
  • practical tips on preservation letters regarding ESI.

VBA Tech Day includes seminars on each.

Last September, I posted Protecting Data: Cybersecurity TipsI followed up in February with  ABA Journal Provides Cybersecurity TipsEach post refers back to my post on the electronic transmission & storage of client information: The Cloud: What are Reasonable Precautions? Indeed, I’ve often blogged on Encryption & The Evolving Duty to Safeguard Client Information.

VBA Tech day includes seminars on encryption, cybersecurity, & data security.

Finally, I’ve blogged on using technology to become more efficient.  My post Fees. Is there an App for that? refers to an ABA Journal post that discusses how technology can help lawyers bill more than 2.24 hours per day that, on average, they currently bill.  And, in Tech Competence: It includes more than you might think, I cautioned that a lawyer who isn’t competent in basic tech runs the risk of violating Rule 1.5 by over-billing clients.

VBA Tech Day includes seminars on using technology to become more efficient at billing.

I think the networks might have used reruns to build anticipation for the final few episodes of a show’s season.  Most of those episodes ran in May.

Well, I’ve posted some reruns here today. Hopefully they build anticipation for VBA Tech Day.  A terrific conference on tech-related issues that will take place in, you guessed it, May.

See the source image

 

Got Tech Competence? The VBA Does.

Last week, the Professional Responsibility Board voted to recommend that the Vermont Supreme Court follow the lead of ABA and 31 other states and adopt a duty of tech competence.  Specifically, the Board voted to recommend that the Court amend Comment 6 to Rule 1.1 to read as follows:

  • “[6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes to the law and its practice, including the benefits and risks associated with the technology relevant to the lawyer’s practice, engage in continuing study and education and comply with all legal education requirements to which the lawyer is subject.”

I’ve blogged a zillion times on tech competence.  Yes, a zillion.  Remember, puffery isn’t unethical.

I’ve also blogged that lawyers shouldn’t fear tech, but embrace it.  And here’s a chance to do exactly that!

Next month, the Vermont Bar Association is presenting its first ever Tech Day.  It looks like a fantastic event.  For more, go here.  Or, read the VBA announcement below.

Remember: amendment or not, Competence includes Tech Competence!

************************

REGISTER HERE

VIEW FLYER HERE

If one of your goals this year is to learn all there is to know about using technology in your law practice, then this is the place to be! Whether it’s cloud computing, automating your law practice, emerging tech trends, security, office IT, e-discovery, encryption, social media evidence, billing or digital forensics and more, we’ve got you covered.

Our Tech Show CLE Seminars cover the topics you need to know to get your law firm up to speed with current legal technology tools. Technology can streamline your law practice and save you time and money on top of ensuring you are competent in your practice. As Bar Counsel Mike Kennedy often says, legal competence includes tech competence.

Of course, there’s much more to our Tech Show than the educational sessions. We have built in plenty of time to view demos, get personalized recommendations and network with our Sponsors and Exhibitors as well as to mingle with your colleagues at our luncheon and reception.

And last, by not least, you’ll find all the inspiration you need to streamline and prosper from our Keynote Speakers, Brian Kuhn of IBM Watson Legal and Edward Hartman, Co-Founder of Legal Zoom.

************************

tech-ethics

 

Tech Competence: Don’t Let the Web Bugs Bite

Last week, the Illinois State Bar Association (ISBA) became the 4th to opine that a lawyer violates the ethics rules by using secret email tracking software.  The opinion is here.  The opinion was reported by 2Civility .

Secret email tracking software?? What is this? 007, Archer, and Get Smart?

I wish.

Alas, it’s tech competence.  As in, Rule 1.1‘s duty of competence includes tech competence.

The Illinois opinion does a nice job framing the question that was presented.

  • “The present inquiry involves the use of email ‘tracking’ software, applications that
    permit the sender of an email message to secretly monitor the receipt and subsequent handling of the message, including any attachments.  The specific technology, operation, and other features of such software appear to vary among vendors. Typically, however, tracking software inserts an invisible image or code into an email message that is automatically activated when the email is opened. Once activated, the software reports to the sender, without the knowledge of the recipient, detailed information regarding the recipient’s use of the message. Depending on the vendor, the information reported back to the sender may include: when the email was opened; who opened the email; the type of device used to open the email; how long the email was open; whether and how long any attachments, or individual pages of an attachment, were opened; when and how often the email or any attachments, or individual pages of an attachment, were reopened; whether and what attachments were downloaded; whether and when the email or any attachments were forwarded; the email address of any subsequent recipient; and the general geographic location of the device that received the forwarded message or attachment. At the sender’s option, tracking software can be used with or without notice to the recipient.”

The ISBA concluded that an attorney who uses email tracking software engages in dishonest & deceitful conduct, and also impermissibly intrudes on opposing counsel’s attorney-client relationship.  As such, the use web bugs violates Rules 8.4(c) and 4.4(a). The ISBA’s conclusions track (pun intended) conclusions reached by New York, Alaska, and Pennsylvania.

The opinion isn’t surprising.  However, it includes a section that I find interesting.

Here’s the sentence that immediately follows the section of the opinion that I quoted above:

  • “There do not appear to be any generally available or consistently reliable devices or programs capable of detecting or blocking email tracking software.”

That’s an important statement.  Why?  I’m glad you asked.

Lawyers have a duty to take reasonable precautions against both the inadvertent disclosure of and unauthorized access to client information.  For example, while it might be wrong for a passerby to open your file cabinet and look inside, it’s probably not a good idea for you to leave the file cabinet unlocked on the sidewalk in front of your office.  That’s not a reasonable precaution.  Similarly, and ( i hope) more likely to arise, hacking is wrong and illegal. But, the general trend is towards a conclusion that a lawyer violates the rules by failing to encrypt client data that is electronically transmitted and stored.

So, is the failure to check for – protect against – web bugs a violation of the duty to take reasonable precautions to safeguard client data?

According to the Illinois State Bar, no.  Specifically, the ISBA noted that while the ethics rules:

  • “express a general duty that a lawyer should keep abreast of the benefits and risks associated with relevant technology as well as make ‘reasonable efforts’ to prevent unauthorized access to client information, requiring the receiving lawyer to first discover and then defeat every undisclosed use of tracking software would be unfair, unworkable, and unreasonable.”

I apologize for yet another block quote.  But, I think this is an important issue.  So, here’s why the ISBA thought it would be “unfair, unworkable, and unreasonable” to expect a receiving lawyer to defend against web bugs:

  • “It would be unfair for at least two reasons. First, it is unfair to require lawyers to use email and other electronic documents in communications regarding their practice and then interpret the professional conduct rules to enable the undisclosed use of tracking software to gain covert, unauthorized access to protected client information of opposing parties. Second, it is unfair to require lawyers receiving email, i.e., all lawyers, to assume that all email messages contain undisclosed tracking software because that approach places the burden of preventing
    unauthorized access to protected client information on the wrong party. The sending lawyer is the actor in these situations and controls whether, when, and what type of tracking software to employ. Tracking software is not, for example, a common functional aspect of electronic documents like metadata. As noted in ABA Formal Opinion 06-442 (August 5, 2006), metadata is embedded information that enables word-processing software to manage documents and facilitates collaborative drafting among colleagues. Unlike tracking software, which must be purposely, and usually surreptitiously, inserted into an email, metadata is a universal feature of every word-processed document. It is appropriate and reasonable to expect lawyers to understand metadata and other ubiquitous aspects of common information technology. But it would be neither appropriate nor reasonable to charge all lawyers with an understanding of the latest version of tracking software that might be chosen, and then employed without notice, at the option of opposing counsel.”

The ISBA opinion continues:

  • “Even assuming that ‘defensive’ software or devices capable of discovering and/or
    defeating tracking software were to become available, it would be unworkable to, in effect, force every Illinois lawyer to become and remain familiar with the various tracking programs on the market and then immediately purchase and install whatever new anti-tracking software or device that may, or may not, protect against the latest version. Given the typical rapid changes in technology, few, if any, solo or small firm lawyers could reasonably do so. Aside from creating sustained employment for IT consultants and software vendors, that approach would only precipitate an ‘arms race’ in which the developers and users of tracking software would always be a step ahead.”

I am not condoning a lawyer’s use of web bugs or surreptitious tracking software.  No more than I’d condone wiretapping opposing counsel’s phone. However, I am not sympathetic to the suggestion that tech evolves so rapidly that we shouldn’t expect lawyers to stay abreast of developments in technology.

Also, as I’ve blogged, the rationale for the conclusion that receiving lawyers have no duty to protect against tracking software that is designed to pierce the attorney-client relationship sounds an awful lot like what we used to say about whether lawyers had a duty to encrypt email, scrub metadata, or have a basic knowledge of common trust account (phishing) scams.

I’m fairly confident that someday, it will no longer be difficult or burdensome to detect and protect against email tracking software.  In other words, go back to the statement that’s bolded above.  Soon, I think it might be changed to:

  • “There appear to be many generally available and consistently reliable devices or programs capable of detecting or blocking email tracking software.”

When that day arrives, I doubt that “but they shouldn’t have used tracking software on me” will be a defense to a charge that a lawyer failed to take reasonable precautions to safeguard client data.  In any event, regardless of whether there’s an affirmative duty to protect against web bugs, I’d think a prudent lawyer would want to do so anyway.

In conclusion, don’t let the web bugs bite.  Not only that, remember that we’re likely soon to live in a world in which web bugs bite all involved with a particular communication.

Bugs

 

CC, BCC, and a lawyer’s duty of competence.

I can hear you now.

  • “Mike, what the heck do CC & BCC have to do with my duty of competence?”

Thank you!! The fact that you know you have a duty of competence is music to my ears!

Now, back to your question.

In my view, the duty of competence includes a duty to have a basic understanding of the benefits and risks of using technology while representing a client.  For example, understanding the risks of “CC-ing” or “BCC-ing” a client on an e-mail to opposing counsel.

So, to bcc or not to bcc?  That is the question.  It’s a question worth considering, if only not to suffer the slings and arrows of angry clients & frustrated opposing counsel.

I’ve blogged on this issue before:

The posts reference advisory opinions from North Carolina and New York.  The opinions list the reasons not to “cc” clients, “bcc” clients, or “reply-all” to an email in which opposing counsel “cc’d” a client.   Any or all can lead a lawyer right into the danger zone.

Seriously Lana, call Kenny Loggins.

Last month, the Alaska Bar Association issued Ethics Opinion 2018-01: E-Mail Correspondence with Opposing Counsel While Sending a Copy to the Client.  The opinion is consistent with those issued by the North Carolina and New York bars.

Here’s a summary of the Alaska Bar’s opinion:

  • A lawyer has a duty to act competently to protect a client’s confidences.
  • A lawyer has a duty not to communicate with a represented party on the subject of the representation.
  • Lawyers are encouraged not to “cc” or “bcc” their clients on electronic communications to opposing counsel.
  • A more prudent practice is to forward the client a copy of a sent e-mail.
  • At the outset of any matter, lawyers should agree on a “cc” and “reply-all” protocol.
  • Absent a protocol, s lawyer has a duty to inquire whether opposing counsel’s “cc” to opposing counsel’s client is permission to “reply-all.”

Good recommendations.

Stay safe out there.  And, remember: competence includes tech competence.

Image result for hamlet to be or not to be

 

 

 

 

 

Competent Advice & Privacy Settings

Rule 1.1 requires lawyers to provide clients with competent representation.  As nearly everyone who has read my blog twice knows, my position is that competence includes tech competence.

It’s also my position that a lawyer has a duty to provide a client with competent advice as to the impact, if any, that the client’s social media will have on a matter.

Let me be clear.

I often hear “but, Mike, I don’t want to have a Facebook account.”  I am not saying that you are required to.  Rather, I’m saying that you should know that your clients most likely do and, further, that information posted to a client’s Facebook account might impact the matter in which you are representing the client.

Here’s the latest.

Per the ABA Journal, a New York court ruled that the defense may discover photos that a personal injury plaintiff posted to Facebook and set as “private.”  The opinion is here.

The upshot:  it’s likely not competent to advise clients “don’t worry, as long as you keep it private, the other side won’t be able to access it.”

The case is one in which the plaintiff fell from a horse.  She sued, alleging that the defendant’s defective mounting of the stirrups caused the fall.  Among other things, plaintiff contends that her injuries prohibit her from many activities that she used to enjoy.

During her deposition, plaintiff testified that, prior to her fall, she had regularly posted photos to Facebook.  The defense requested access to the photos, which plaintiff had set to “private.”  Plaintiff declined to provide access.

The defense moved to compel production of the photos.  The defense argued that the photos bore on the credibility of plaintiff’s assertion that she had previously engaged in the activities that, now, she claimed she could not.

Plaintiff’s attorney countered that the single public photo on plaintiff’s Facebook account did not contradict her deposition testimony.  As such, the argument went, the defense had not established that access to the private portion of the account was likely to lead to the discovery of relevant information.

The trial court compelled production.  An appellate court modified the order to compel, limiting it only to photos that plaintiff intended to introduce at trial.  In the end, the New York Court of Appeals reinstated the trial court’s order. In so doing, the Court set out the various factors that a trial court should consider in response to a motion to compel production of information stored electronically on a social media platform.

I won’t go into the court’s decision in length.  Here are two key takeaways:

  1. As I’ve often said, electronically stored information is no different from any other information.  Or, in this case, photographs posted to Facebook are no different than photos that grandma slid behind plastic in that old, musty, album.
  2. A quote from the NY Court’s opinion (citations deleted):
    • “Plaintiff suggests that disclosure of social media materials necessarily constitutes an unjustified invasion of privacy. We assume for purposes of resolving the narrow issue before us that some materials on a Facebook account may fairly be characterized as private.But even private materials may be subject to discovery if they are relevant. For example, medical records enjoy protection in many contexts under the physician-patient
      privilege  But when a party commences an action, affirmatively placing
      a mental or physical condition in issue, certain privacy interests relating to relevant medical records – including the physician-patient privilege – are waived. For purposes of disclosure, the threshold inquiry is not whether the materials sought are private but whether they are reasonably calculated to contain relevant information.”

Remember: competence includes tech competence.

Social Media