Social Clients

Earlier this month, the ABA Journal posted a blog in its “ethics” section: Celebrity attorneys face challenges, ethical pitfalls.   I enjoyed it as much from the pop culture slant as I did from the “it’s my job” slant.

However, speaking of the “it’s my job” slant, I want to mention three things.

First, over the past year, the news has been filled with lawyers making public statements about their clients and former clients.  So much so that several times I’ve been asked what I think about it.

Regular readers know what I think it.  I’m a big believer in two concepts:

  1. Hey Lawyers! STFU!!!
  2. Can’t Keep Quiet? Try Harder.  

As Thomas Edison said:

“You will have many opportunities
to keep your mouth shut.
You should take advantage
of everyone of them.”

(aside: choosing not to blog is probably one of the opportunities of which I should take advantage.)

Second, despite my big belief that silence is a virtue, I was intrigued by two arguments in the ABA Journal’s post.  Specifically, the arguments that (1) at times, the duties of competence & diligence require a lawyer to speak out in a client’s defense;  and (2) the rules prohibiting such conduct run afoul of the First Amendment.  Alas, I can count on 2 fingers the number of Rule 3.6 complaints we’ve received in the past 15 years.  So, I am not so intrigued to do more than mention my intrigue.

Finally, there’s a little nugget in the article that, in my view, is great advice not just for lawyers who represent celebrities, but for lawyers who represent, well, clients.

Referring to lawyers who represent famous people, the article says:

  • “Client and entourage use of social media can compromise a defense. Ethically, attorneys have to make sure their clients and their team understand ground rules and place limitations on social media use related to the case.”

Trust me, I understand that very few of my readers represent the Vinny Chases of the world.  Nonetheless, I think the second sentence is critically important even for lawyers whose clients don’t have their own versions of E, Turtle, and Johnny Drama.

Why?

Because these days, entourage or not, what client isn’t on social media???  And that’s where the very next paragraph in the ABA Journal post comes in.  Quoting Ann Murphy, a professor at Gonzaga University School of Law, the post notes:

  • ” ‘Attorneys, as part of their ethical duties, must now counsel their clients on the use of social media,’ Murphy says. ‘Once it is out there, it is out there. Even if someone deletes a Facebook post—it likely has been saved as a screenshot and is of course subject to discovery,’ she adds. ‘Personally, I think the best advice is tell the client that any posts about his or her case must be viewed in advance by the attorney.’ “

That’s a fantastic tip.  Professor Murphy – if perchance you find this blog, In Few I Trust. Go Zags! 2019 national champs!

See the source image

Now, I can hear some of you now – “mike, am I supposed to know what my client puts on social media?”

Well, opposing counsel will.  So unless you’re comfortable finding out about that damning tweet or post at deposition or in mediation, then my response is:

See the source image

At the very least – and by “very least” I mean “barest of bare minimums” – I think lawyers have a duty to communicate to their clients the risks associated with posting info to a public forum.

Hmm…I guess this is where I can finally reference Hall & Oates.  When it comes to advising clients on the risks of posting too much to social media, it might be this:

  • Private eyes, they’re watching you.  They see your every move.  And they definitely see what you put out there to be seen.

Anyhow, while the ABA Journal article focuses on the risks associated with representing famous clients, it includes a tidbit that applies to any lawyer who has a client on social media: what happens on social media rarely stays on social media.

Tech competence.  It’s a thing.

By the way, among my friends, I’m definitely E.  My brother is almost definitely Drama.  Alas, while we have several candidates for Turtle, not many for Vinny.   And at risk of offending my friends, the “many” in that previous sentence?  It’s pronounced with a silent “m.”

Hint: this post doesn’t mention Ari Gold.  Which means his name might be of utmost importance later in the week.

Image result for entourage

 

 

Advertisements

Cybersecurity for Lawyers: learn from other professions

I’ve blogged often on tech competence and the duty to safeguard client data.  In short, lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to confidential client information.

So, people often ask “what are reasonable precautions?”

It depends.

Nobody likes that answer.  But it’s correct.

For instance, do you mean “what are reasonable precautions when it comes to cloud storage?”  Or, are you asking whether a lawyer has a duty to encrypt e-mail? Wait, maybe you’re talking about your duties when crossing the border? No, no, I get it now:  you’re asking if a lawyer has a duty to disable auto-complete. Oh my gosh, no – you’re referring to the hallmarks of trust account scams.

No matter the mode of communication, no matter the place that information is stored, a lawyer must safeguard client information. And, as I explained here, it makes perfect sense not to get into the habit of re-evaulating a lawyer’s duty with every new technology.  Whatever the next new thing is, a lawyer’s duty will remain the same: to take reasonable precautions against the inadvertent disclosure of or unauthorized access to client information.

But, as this post in the ABA Journal points out, lawyers and law firms aren’t sailing into uncharted waters.  There are lessons to be drawn from other professions.  Per the post, those lessons include:

  • Encryption is important.  I’d even venture to opine that if it isn’t already, we aren’t long for the day when the failure to encrypt is tantamount to a failure to take reasonable precautions.
  • Partners and more senior lawyers have to follow the same rules as everyone else. “I don’t do tech” isn’t reasonable. It’s no different from saying “I don’t do ‘protecting client information.’ “
  • Employees and 3rd party vendors need to be trained on the importance of data security.

There’s a great quote in the article. It’s from Michael Mason, chief of security for Verizon Communications: law firms should foster, grow, and ” ‘develop a culture of security.’ ”

A culture premised on “we hope it doesn’t happen to us” is not a culture of security.

With “it” being a breach, the dreaded “it” has happened not just to lawyers and law firms, but to many other professions.  As the ABA Journal suggests, lawyers would be wise to take heed of the lessons learned by those other professions.

Image result for data security

The Interwebs

Good morning!

So, later today, I’m presenting a CLE to the Washington County Bar Association.  The august group’s leaders asked that I talk about some of the ethical issues that arise from lawyers’ failure to understand use of social media.

Prepping for the seminar, I was struck by two things.

Some of you are quietly hoping they were both lightning bolts.   Nope.

Rather, I realized that for all I write about tech competence, (1) in college, I bought a Betamax, siding with Sony in the Format War against VHS; and (2) more recently, I thought Blockbuster would squash that little upstart called Netflix.

img_2031

Anyhow, for those of you interested in the topic, the folks over at Internet for Lawyer maintain this great list of the various advisory ethics opinions on social media.  As for me, I’ve blogged often on the subject  This post – Friends, Followers, and Legal Ethics – sums up my thoughts.

Finally, at the CLE, I’m going to mention this opinion from the titanic clash of Oracle v. Google.  As I reviewed it yesterday afternoon, I wondered whether the judge considered ending the opening sentence after the words “trial lawyers.”

  • “Trial judges have such respect for juries — reverential respect would not be too strongto say — that it must pain them to contemplate that, in addition to the sacrifice jurors make for our country, they must suffer trial lawyers and jury consultants scouring over their Facebook and other profiles to dissect their politics, religion, relationships, preferences, friends, photographs, and other personal information.”

Social Media

 

Bouchons, Cybersecurity & Ransomware

Yesterday, I met with lawyers from the Lamoille County Bar Association.  Leslie Black, president-emeritus (by my proclamation) of the LCBA, had me up to talk legal ethics.

As an aside, Leslie stole the show by showing up with a fresh batch of bouchons.  You might have heard of Thomas Keller and the Bouchon Bakery.   Fine stuff, I’m sure.

Well, Leslie’s lemon bouchons, with a hint of cinnamon, are better.  And that, my friends, is not mere puffery.   The trick, je pense, is her brown butter recipe.

Leslie – les bouchons etait magnifique!

Now, back to business.

First off, I hope I’ve dispelled those who are less tech competent than others of the notion that “bouchon” has something to do with cybersecurity & ransomware.

Next, yesterday, we had an interesting discussion on cybersecurity & ransomware.  I’ve blogged previously on the issue here.  I’m blogging again for a few reasons.  Mainly, to stress a key point that David Polow made at the CLE:  back-up.  Storing info only in the cloud isn’t enough.

My prior blog post includes links to several helpful articles.  I failed to link to this one from the ABA Journal: Ransomware is a growing threat, but there are things you can do to protect your firm.  A critical point in the article echoes David:

  • ” The panelists say that the core of ransomware protection is a robust backup system. However, Simek said that backups need to be tested on a periodic basis.If a firm’s backup is in the cloud, then redundancies of that backup system should be made as well—in other words, one backup is insufficient. For the truly business-critical data, McNew said a backup should be stored offsite and ‘air gapped,’ meaning it is not able to connect to the internet.”

Or, as Jim Knapp says, when it comes to backup “onsite, online, air-gap.”

Are you likely to be targeted? I don’t know.  It happened to one of the nation’s largest firms.  And, a Vermont firm was targeted in April.  The firm did not have sufficient back-up and data was at risk.

If it’s an issue that concerns you, talk to someone with a tech background.  Here are a few links from my original post that might be helpful:

As always, let’s be careful out there.

Ransomware & Cybersecurity Insurance

As I’ve often blogged, Rules 1.1 and 1.6 require lawyers to act competently to safeguard client data.

Last month, I became aware of a law firm that was the subject of a ransomware attack. The cyber attacker blocked the firm’s access to client files and demanded a ransom.

Reminder: if a lawyer’s electronic files are compromised in a cyber attack, the question of whether the lawyer violated the Rules of Professional Conduct will likely turn on whether the lawyer took reasonable precautions to safeguard against the unauthorized access of client data.  In other words, being the victim of an attack is not, in & of itself, an ethics violation.

For example, consider two scenarios.

Scenario 1:  Lawyer operates a solo practice.  Lawyer employs a state-of-the art security system.  Nevertheless, a determined criminal uses C-4 to detonate into the office, into the safe, and then steals Lawyer’s files.

Scenario 2:  Attorney operates a solo practice.  Attorney keeps client files in an unlocked cabinet that’s on the front porch.  A lazy criminal walks up the steps, opens a drawer, and takes some of Attorney’s files.

Between the two, my guess is that a hearing panel is more likely to conclude that Lawyer is the one who took reasonable precautions against the inadvertent or unauthorized disclosure of confidential information.

In any event, on the subject of ransomware, here are few thoughts:

As always, let’s be careful out there.

Hill Street Blues

 

 

 

ESI: there’s risk in failing to preserve.

Say it with me: competence includes tech competence.

In most of my posts on the topic, the unstated message is that a lawyer who fails to satisfy the duty of competence violates Rule 1.1 and risks having a sanction imposed against his or her license.

Here’s my post on Competence, ESI, and E-Discovery.  In it, I wrote that the duty of (tech) competence includes:

  • knowing that “it” exists,
  • knowing that clients, their adversaries, and witnesses have “it;” and,
  • knowing how to protect, preserve, produce, request, review, and use “it.”

What is “it?” It is Electronically Stored Information (“ESI”).

In addition, I cited to an advisory opinion from the State Bar of California that includes the following quote:

  • “Attorney competence related to litigation generally requires, among other things, and at a minimum, a basic understanding of, and facility with, issues relating to e-discovery, including the discovery of electronically stored information (“ESI”).”

Today, I blog to call your attention to other risks. Namely, the risk of having a court impose severe sanctions against you and your clients if you fail to preserve ESI.

Melinda Levitt and Peter Vogel are partners at Foley & Lardner.  Yesterday, The National Law Review posted their article Bad Preservation in eDiscovery is Still Very Costly! 

Give it read.

The article begins by reporting that there is both “good news” and “bad news” when it comes to discovery sanctions for failures to preserve ESI.

The good news is that relative recent amendments to the civil rules reserve the most severe sanctions for situations in which the failure to preserve resulted from an “intent to deprive.” As the authors note, “the ‘bad news’ is that bad preservation behavior continues.”

Next, the authors point out that:

  • “[i]t has been twelve years now since the federal rules were first amended and explicitly came to recognize ‘ESI’ – that is emails, electronic documents, excel spreadsheets, PowerPoints, and a myriad of other electronic materials – as documents” within the meaning of the discovery rules.”

They also point out that, over those 12 years, all of us have become increasingly reliant on technology, without necessarily developing any clue how it works.

Nevertheless,

  • ” . . . there are some basic things that people at least in the business community should have come to understand over the last 12 years. Among them are if litigation is occurring or is about to occur, a company is obligated to take reasonable steps to ensure that its relevant (or potentially relevant) ESI is preserved. That means getting out the word quickly – whether by way of a formal written litigation hold or otherwise – that employees and electronic systems managers/overseers need to take steps to stop either conscious or system-wide deletions or purges of potentially relevant ESI. By now, business owners, their IT employees, and their in-house and outside counsel really should have no doubt about this obligation and how to accomplish it. Granted, meeting this obligation can get dicey and difficult when it comes to things such as employee text messages, social media postings, telephone messages, and structured data. However, in terms of emails and basic electronic documents – the mainstays of business life – there should be no question or hesitation about what needs to be done.  

Then, the meat of their message:

  • “And yet . . . and yet, very recent decisions demonstrate that executives, managers and yes, even lawyers, either remain willfully ignorant of how these business systems work or are determined to pass the buck, having assumed that some mysterious “someone else” in the company was handling things. Well, while courts no longer can impose the most draconian of sanctions, no one should kid him or herself – judges continue to have very potent sanctions options available and are very willing to use them when confronted with preservation misconduct borne of ignorance, indifference or good old-fashioned boneheadness. The following are a few telling examples – and were issued in just the last few weeks – and each leaves us with the question – what were they thinking?”

From there, the article goes on to recount several cases in which significant discovery sanctions were imposed against lawyers and their clients as a result of failures to preserve ESI.  Some might strike a nerve.  If so, there’s still time to sign up for tomorrow’s first-ever VBA Tech Show.

Tech competence.  The lack thereof impacts much more than a lawyer’s license.

E Discovery

 

 

 

 

 

Reruns

Remember reruns?  In the age of streaming content, I don’t know if reruns are even a thing anymore.  If not, good riddance!!

Seriously, was there anything as disappointing as waiting all week for the next episode of your favorite show only to have it be a rerun?

Aside: yes, we used to have wait all week for the next episode of our favorite shows.

As much as I despised reruns as a viewer, I love them as a blogger.  They’re the perfect antidote to writer’s block. So, here goes.

The VBA’s Tech Day is next month.  The agenda is fantastic.  It includes seminars on several topics upon which I’ve blogged in my nauseating ongoing effort to remind lawyers that the duty of competence includes tech competence.

Missed my posts?  Thank goodness for reruns.

Last October, I posted Competence, ESI, and E-DiscoveryIt referenced several topics, including:

  • admitting social media posts into evidence;
  • an attorney’s duties related to a client “taking down” or “scrubbing” social media posts;
  • practical tips on preservation letters regarding ESI.

VBA Tech Day includes seminars on each.

Last September, I posted Protecting Data: Cybersecurity TipsI followed up in February with  ABA Journal Provides Cybersecurity TipsEach post refers back to my post on the electronic transmission & storage of client information: The Cloud: What are Reasonable Precautions? Indeed, I’ve often blogged on Encryption & The Evolving Duty to Safeguard Client Information.

VBA Tech day includes seminars on encryption, cybersecurity, & data security.

Finally, I’ve blogged on using technology to become more efficient.  My post Fees. Is there an App for that? refers to an ABA Journal post that discusses how technology can help lawyers bill more than 2.24 hours per day that, on average, they currently bill.  And, in Tech Competence: It includes more than you might think, I cautioned that a lawyer who isn’t competent in basic tech runs the risk of violating Rule 1.5 by over-billing clients.

VBA Tech Day includes seminars on using technology to become more efficient at billing.

I think the networks might have used reruns to build anticipation for the final few episodes of a show’s season.  Most of those episodes ran in May.

Well, I’ve posted some reruns here today. Hopefully they build anticipation for VBA Tech Day.  A terrific conference on tech-related issues that will take place in, you guessed it, May.

See the source image

 

Got Tech Competence? The VBA Does.

Last week, the Professional Responsibility Board voted to recommend that the Vermont Supreme Court follow the lead of ABA and 31 other states and adopt a duty of tech competence.  Specifically, the Board voted to recommend that the Court amend Comment 6 to Rule 1.1 to read as follows:

  • “[6] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes to the law and its practice, including the benefits and risks associated with the technology relevant to the lawyer’s practice, engage in continuing study and education and comply with all legal education requirements to which the lawyer is subject.”

I’ve blogged a zillion times on tech competence.  Yes, a zillion.  Remember, puffery isn’t unethical.

I’ve also blogged that lawyers shouldn’t fear tech, but embrace it.  And here’s a chance to do exactly that!

Next month, the Vermont Bar Association is presenting its first ever Tech Day.  It looks like a fantastic event.  For more, go here.  Or, read the VBA announcement below.

Remember: amendment or not, Competence includes Tech Competence!

************************

REGISTER HERE

VIEW FLYER HERE

If one of your goals this year is to learn all there is to know about using technology in your law practice, then this is the place to be! Whether it’s cloud computing, automating your law practice, emerging tech trends, security, office IT, e-discovery, encryption, social media evidence, billing or digital forensics and more, we’ve got you covered.

Our Tech Show CLE Seminars cover the topics you need to know to get your law firm up to speed with current legal technology tools. Technology can streamline your law practice and save you time and money on top of ensuring you are competent in your practice. As Bar Counsel Mike Kennedy often says, legal competence includes tech competence.

Of course, there’s much more to our Tech Show than the educational sessions. We have built in plenty of time to view demos, get personalized recommendations and network with our Sponsors and Exhibitors as well as to mingle with your colleagues at our luncheon and reception.

And last, by not least, you’ll find all the inspiration you need to streamline and prosper from our Keynote Speakers, Brian Kuhn of IBM Watson Legal and Edward Hartman, Co-Founder of Legal Zoom.

************************

tech-ethics

 

Tech Competence: Don’t Let the Web Bugs Bite

Last week, the Illinois State Bar Association (ISBA) became the 4th to opine that a lawyer violates the ethics rules by using secret email tracking software.  The opinion is here.  The opinion was reported by 2Civility .

Secret email tracking software?? What is this? 007, Archer, and Get Smart?

I wish.

Alas, it’s tech competence.  As in, Rule 1.1‘s duty of competence includes tech competence.

The Illinois opinion does a nice job framing the question that was presented.

  • “The present inquiry involves the use of email ‘tracking’ software, applications that
    permit the sender of an email message to secretly monitor the receipt and subsequent handling of the message, including any attachments.  The specific technology, operation, and other features of such software appear to vary among vendors. Typically, however, tracking software inserts an invisible image or code into an email message that is automatically activated when the email is opened. Once activated, the software reports to the sender, without the knowledge of the recipient, detailed information regarding the recipient’s use of the message. Depending on the vendor, the information reported back to the sender may include: when the email was opened; who opened the email; the type of device used to open the email; how long the email was open; whether and how long any attachments, or individual pages of an attachment, were opened; when and how often the email or any attachments, or individual pages of an attachment, were reopened; whether and what attachments were downloaded; whether and when the email or any attachments were forwarded; the email address of any subsequent recipient; and the general geographic location of the device that received the forwarded message or attachment. At the sender’s option, tracking software can be used with or without notice to the recipient.”

The ISBA concluded that an attorney who uses email tracking software engages in dishonest & deceitful conduct, and also impermissibly intrudes on opposing counsel’s attorney-client relationship.  As such, the use web bugs violates Rules 8.4(c) and 4.4(a). The ISBA’s conclusions track (pun intended) conclusions reached by New York, Alaska, and Pennsylvania.

The opinion isn’t surprising.  However, it includes a section that I find interesting.

Here’s the sentence that immediately follows the section of the opinion that I quoted above:

  • “There do not appear to be any generally available or consistently reliable devices or programs capable of detecting or blocking email tracking software.”

That’s an important statement.  Why?  I’m glad you asked.

Lawyers have a duty to take reasonable precautions against both the inadvertent disclosure of and unauthorized access to client information.  For example, while it might be wrong for a passerby to open your file cabinet and look inside, it’s probably not a good idea for you to leave the file cabinet unlocked on the sidewalk in front of your office.  That’s not a reasonable precaution.  Similarly, and ( i hope) more likely to arise, hacking is wrong and illegal. But, the general trend is towards a conclusion that a lawyer violates the rules by failing to encrypt client data that is electronically transmitted and stored.

So, is the failure to check for – protect against – web bugs a violation of the duty to take reasonable precautions to safeguard client data?

According to the Illinois State Bar, no.  Specifically, the ISBA noted that while the ethics rules:

  • “express a general duty that a lawyer should keep abreast of the benefits and risks associated with relevant technology as well as make ‘reasonable efforts’ to prevent unauthorized access to client information, requiring the receiving lawyer to first discover and then defeat every undisclosed use of tracking software would be unfair, unworkable, and unreasonable.”

I apologize for yet another block quote.  But, I think this is an important issue.  So, here’s why the ISBA thought it would be “unfair, unworkable, and unreasonable” to expect a receiving lawyer to defend against web bugs:

  • “It would be unfair for at least two reasons. First, it is unfair to require lawyers to use email and other electronic documents in communications regarding their practice and then interpret the professional conduct rules to enable the undisclosed use of tracking software to gain covert, unauthorized access to protected client information of opposing parties. Second, it is unfair to require lawyers receiving email, i.e., all lawyers, to assume that all email messages contain undisclosed tracking software because that approach places the burden of preventing
    unauthorized access to protected client information on the wrong party. The sending lawyer is the actor in these situations and controls whether, when, and what type of tracking software to employ. Tracking software is not, for example, a common functional aspect of electronic documents like metadata. As noted in ABA Formal Opinion 06-442 (August 5, 2006), metadata is embedded information that enables word-processing software to manage documents and facilitates collaborative drafting among colleagues. Unlike tracking software, which must be purposely, and usually surreptitiously, inserted into an email, metadata is a universal feature of every word-processed document. It is appropriate and reasonable to expect lawyers to understand metadata and other ubiquitous aspects of common information technology. But it would be neither appropriate nor reasonable to charge all lawyers with an understanding of the latest version of tracking software that might be chosen, and then employed without notice, at the option of opposing counsel.”

The ISBA opinion continues:

  • “Even assuming that ‘defensive’ software or devices capable of discovering and/or
    defeating tracking software were to become available, it would be unworkable to, in effect, force every Illinois lawyer to become and remain familiar with the various tracking programs on the market and then immediately purchase and install whatever new anti-tracking software or device that may, or may not, protect against the latest version. Given the typical rapid changes in technology, few, if any, solo or small firm lawyers could reasonably do so. Aside from creating sustained employment for IT consultants and software vendors, that approach would only precipitate an ‘arms race’ in which the developers and users of tracking software would always be a step ahead.”

I am not condoning a lawyer’s use of web bugs or surreptitious tracking software.  No more than I’d condone wiretapping opposing counsel’s phone. However, I am not sympathetic to the suggestion that tech evolves so rapidly that we shouldn’t expect lawyers to stay abreast of developments in technology.

Also, as I’ve blogged, the rationale for the conclusion that receiving lawyers have no duty to protect against tracking software that is designed to pierce the attorney-client relationship sounds an awful lot like what we used to say about whether lawyers had a duty to encrypt email, scrub metadata, or have a basic knowledge of common trust account (phishing) scams.

I’m fairly confident that someday, it will no longer be difficult or burdensome to detect and protect against email tracking software.  In other words, go back to the statement that’s bolded above.  Soon, I think it might be changed to:

  • “There appear to be many generally available and consistently reliable devices or programs capable of detecting or blocking email tracking software.”

When that day arrives, I doubt that “but they shouldn’t have used tracking software on me” will be a defense to a charge that a lawyer failed to take reasonable precautions to safeguard client data.  In any event, regardless of whether there’s an affirmative duty to protect against web bugs, I’d think a prudent lawyer would want to do so anyway.

In conclusion, don’t let the web bugs bite.  Not only that, remember that we’re likely soon to live in a world in which web bugs bite all involved with a particular communication.

Bugs