Cybersecurity for Lawyers: learn from other professions

I’ve blogged often on tech competence and the duty to safeguard client data.  In short, lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to confidential client information.

So, people often ask “what are reasonable precautions?”

It depends.

Nobody likes that answer.  But it’s correct.

For instance, do you mean “what are reasonable precautions when it comes to cloud storage?”  Or, are you asking whether a lawyer has a duty to encrypt e-mail? Wait, maybe you’re talking about your duties when crossing the border? No, no, I get it now:  you’re asking if a lawyer has a duty to disable auto-complete. Oh my gosh, no – you’re referring to the hallmarks of trust account scams.

No matter the mode of communication, no matter the place that information is stored, a lawyer must safeguard client information. And, as I explained here, it makes perfect sense not to get into the habit of re-evaulating a lawyer’s duty with every new technology.  Whatever the next new thing is, a lawyer’s duty will remain the same: to take reasonable precautions against the inadvertent disclosure of or unauthorized access to client information.

But, as this post in the ABA Journal points out, lawyers and law firms aren’t sailing into uncharted waters.  There are lessons to be drawn from other professions.  Per the post, those lessons include:

  • Encryption is important.  I’d even venture to opine that if it isn’t already, we aren’t long for the day when the failure to encrypt is tantamount to a failure to take reasonable precautions.
  • Partners and more senior lawyers have to follow the same rules as everyone else. “I don’t do tech” isn’t reasonable. It’s no different from saying “I don’t do ‘protecting client information.’ “
  • Employees and 3rd party vendors need to be trained on the importance of data security.

There’s a great quote in the article. It’s from Michael Mason, chief of security for Verizon Communications: law firms should foster, grow, and ” ‘develop a culture of security.’ ”

A culture premised on “we hope it doesn’t happen to us” is not a culture of security.

With “it” being a breach, the dreaded “it” has happened not just to lawyers and law firms, but to many other professions.  As the ABA Journal suggests, lawyers would be wise to take heed of the lessons learned by those other professions.

Image result for data security

Advertisements

Montreal?

There’s a lot going on in Montreal this summer.  Go! Be a #WellLawyer!

But, if you go, make sure you take reasonable precautions to protect client data at the border.

Today, I’m going to share a few old posts, as well as an updated advisory ethics opinion from the New York City Bar Association.

My old posts:

Last summer, the New York City Bar Association issued Formal Opinion 2017-5.  In short, and as reported by the ABA Journal, lawyers should take reasonable precautions to avoid the disclosure of client information during a border crossing.

Here are some highlights from the NYC Opinion:

  • Rules 1.1 (competence) and 1.6 (confidences) impose a duty to act competently to safeguard client information.
  • The duty includes taking reasonable precautions against disclosing information that should not be disclosed.
  • The duty requires “attorneys to make reasonable efforts prior to crossing the U.S. border to avoid or minimize the risk that government agents will review or seize client confidences that are carried on, or accessible on, electronic devices that attorneys carry across the border.”

Last month, the NYCBA reissued the opinion.  Some other takeaways:

  • Odds that a device will be searched might be low.  But, don’t discount the possibility.
  • The safest way to protect client data is not to bring any.  This might not be feasible given the increasingly blurred lines between “work” and “personal” devices, but it remains an option.
  • If asked to produce a device, an attorney should inform the border agent that it contains confidential & privileged information.  This triggers additional duties by the border agent before the search is conducted.
  • Finally, if a device is searched, an attorney likely has a duty to notify clients.

For more, see the opinion.

Adieu et bon voyage!

See the source image

 

 

 

Avoid the Oopsies: Reply to Some, not All

Last September, I posted on the perils of autocomplete.   The post was prompted by the story of a lawyer who accidentally disclosed confidential client information to a reporter for the Wall Street Journal. How?  By failing to realize that the reporter’s email address had been added to a distribution list.  The ABA Journal has the story here.

Has that happened to you?

Today, I came across a post on Robert Ambrogi’s LawSites blog.  I love the title:

Created By A Lawyer, ReplyToSome Helps Prevent Email Oopsies

Give it read.  It discusses “ReplyToSome,” an add-in to Microsoft Outlook that was created by a lawyer to help lawyers avoid email mistakes.

Image result for oops

 

Monday Morning Answers #115

Friday’s column about a kid from Barre is here.  The answers to the #fiveforfriday legal ethics quiz follow today’s honor roll.

Honor Roll

(hyperlinks when available.  lack of a link doesn’t reflect a lesser score or lower honors)

Answers

Question 1

Paralegal works for Firm.  Client asks Firm to represent Client in the matter Client v. Other.  

Paralegal has a relationship with Other that would preclude Paralegal from representing Client if Paralegal was a lawyer.

True or False? Under Vermont’s rules, Paralegal’s conflict is imputed to Firm and Firm cannot represent Client.

FALSE.  See, V.R.Pr.C. 1.10, Comment [4]Although, Paralegal “ordinarily must be screened from any personal participation in the matter” of Client v. Other.

Question 2

Lawyer called me with an inquiry. I listened, then said:

  • don’t state or imply that you’re disinterested;
  • do correct any misunderstanding about your role; and,
  • if the person’s interests conflict with your client’s, don’t give any legal advice other than the advice to seek counsel.

Given my response, Lawyer called to discuss the rule on:

  • A.  Candor to a Tribunal
  • B.  Communicating ex parte with a judge.
  • C.  Trial Publicity
  • D.  Dealing with an unrepresented person.  V.R.Pr.C. 4.3

Question 3

Attorney called with an inquiry. I listened, then said: “well, it’ll likely depend on whether you received information from Person that could be significantly harmful to Person.”

In this context, it’s most likely that Person is:

  • A.  A former client of Attorney’s
  • B.  A current client of Attorney’s
  • C.  A juror
  • D.  Someone who met with Attorney to discuss forming an attorney-client relationship, but who never formed such a relationship with Attorney See, V.R.Pr.C. 1.18. My comment comes straight from Rule 1.18(c).

Question 4

A lawyer who represents two or more clients shall not participate in making an aggregate settlement of the claims of or against the clients.

  • A.   True.
  • B.   True, unless each client gives informed consent in a writing signed by the client.  V.R.Pr.C. 1.8(g).
  • C.   True, but only in civil cases.  The rules prohibit joint representation of criminal defendants.
  • D.   The rules are silent on this issue.

Question 5

The unauthorized practice of law is contempt of court and, if done by a lawyer, is a violation of Rule 5.5.  And, as long time readers know, I’m a big fan of Rule 1.1 and the duty to provide clients with competent representation.

So, speaking of Italy, UPL, and competent representation . . .

. . . Portia was not a lawyer.  However, dressed as a man, she pretended to be one and successfully kept Antonio from having to give a pound of flesh to Shylock.

Name the literary work.

The Merchant of Venice, William Shakespeare

Can a lawyer be sanctioned for revealing information that’s a matter of public record?

Today’s question: does the 1st Amendment prohibit the Supreme Court from sanctioning a lawyer who reveals client information that is public record?

Here’s how the issue would arise.

Rule 1.6 prohibits lawyers from revealing information relating to the representation of a client.  There are some exceptions.  They are:

  • disclosure is impliedly authorized to carry out the representation;
  • the client consents to disclosure;
  • disclosure is required by Rule 1.6(b); or,
  • disclosure is permitted by Rule 1.6(c).

As you see, “it’s public record” is not one of the exceptions.

Rule 1.6 applies to current clients.

With respect to former clients, Rule 1.9(c)(2) prohibits a lawyer from “revealing information relating to the representation as these rules would permit or require with respect to a client.”  Basically, the rule refers back to Rule 1.6 and does not include an exception for information that is “public record.”

Similarly, Rule 1.9(c)(1) prohibits a lawyer from using “information relating to the representation to the disadvantage of the former client except as these rules would permit or require, or when the information has become generally known.” (emphasis added).  As I’ve blogged several times recently, the ABA’s Standing Committee on Ethics and Professional Responsibility has opined that information that is in the public record is not necessarily “generally known.”  Here are the blog posts:

The October post includes cites to several cases that stand for the notion that the prohibition against disclosing information relating to a representation is not lessened by the fact that the information is public record.  Or, for a more detailed explanation how broad the confidentialy rules are, the ABA’s Litigation News ran this article by Edward Feldman.

But there’s an important case that holds otherwise.  The case is Hunter v. Virginia State Bar.

Attorney Hunter blogged.  His posts caught the attention of the Virginia State Bar and resulted in a disciplinary prosecution.  The  VSB charged Attorney Hunter with violating the advertising rules.  Those charges aren’t relevant here.

What is relevant is that the VSB also charged Attorney Hunger with violating Rule 1.6 “by revealing information that could embarrass or likely be detrimental to his former clients by discussing their cases on his blog without their consent.”

At a disciplinary hearing, the VSB put on evidence that Hunter’s former clients “believe that the information posted was embarrassing or detrimental to [them], despite the fact that all such information had been previously revealed in court.”

Hunter was publicly admonished following a conclusion that he had violated both the advertising rules and Rule 1.6.

In an intermediate-level appeal, a circuit court upheld the advertising violations, but dismissed the 1.6 charge on the grounds that the rule, as applied, violated the 1st Amendment. An appeal to the Virginia Supreme Court followed.

On appeal, the VSB conceded that the blog posts were about former clients, contained information that was public, and would have been protected speech if disseminated by the news media or anyone other than Hunter.

The Supreme Court noted that it had been “called upon to answer whether the state may prohibit an attorney from discussing information about a client or former client that is not protected by attorney-client privilege without express consent from that client.”

The Court’s answer:  no.  Specifically,

  • “To the extent that the information is aired in a public forum, privacy considerations must yield to First Amendment protections. In that respect, a lawyer is no more prohibited than any other citizen from reporting what transpired in the courtroom.”

The issue has gained some traction lately, largely in response to the ABA’s most recent formal advisory opinion.  Here’s an excerpt from a blog I posted last week.  It refers to criticism of the ABA’s opinion that “public record” is not necessarily “generally known.”

************************************************************************************

“On that point, the opinion is not without criticism.  Check out the post from Above The Law.   Among other things, the author, Robert Ambrogi, writes:

  • “So a lawyer may not ‘reveal’ information that is contained in a public record. But how can someone reveal something that is already public? To reveal is to make something public that was secret.”

Interesting point.  I don’t necessarily disagree. However, on the flip side, what if you went through a messy divorce 10 years ago?

Imagine that it went to trial.  At trial, details emerged that remain embarrassing today.  Yes, the trial was public, but, really, in label only. Nobody went, certainly not the press.  The details are not, by any stretch of the imagination, generally known. The only way anyone could access the details would be by going to the great length of ordering a transcript.  Public? Yes.  Generally known? No.

How would you feel if your lawyer blogged the details tomorrow?”

************************************************************************************

Josh King is Chief Legal Officer at Avvo.  He commented on my post:

“Having hired lots of lawyers over the last 20+ years, of course I wouldn’t want them blabbing about my matters without my consent.

But there’s a difference between a best practice and what the law can prohibit. I’m quite sure that Rule 1.6 can’t constitutionally be applied to discipline a lawyer for stating something that is in the public record.”

Josh runs a blog called Socially Awkward.  He posted a much more detailed response there. You can read it here.

Keith Lee has a blog at Associate’s Mind.  In response to Josh’s post, Keith tweeted a quote from the Hunter decision:

 

Lee Tweet

Michael Cicchini is a lawyer in Wisconsin.  In 2015, the Vermont Law Review published his article On The Absurdity Of Rule 1.9.  Here’s an excerpt:

“Rule 1.9 is an absurdly broad rule that perpetually bans attorney speech  for all purposes and with regard to all information, including information in the public domain. The rule has no rational, underlying policy, and is not even rooted in clients’ actual expectations regarding confidentiality . . . Instead, Rule 1.9 should be interpreted to permit an attorney to discuss, write about, or otherwise disclose publicly-available information relating to a former client’s case, provided the attorney does not contradict the former client’s position in that case.”

I don’t know that I have a position, mainly because I’ve never had to think about it.  I know that most bar counsel types believe in the idea that “public record” is not “generally known” and, therefore, is not an exception to the general prohibition against disclosure stated in Rules 1.6 & 1.9.  More practically, I simply believe that it’s a good idea not to talk about a former client’s matter, even if the matter received widespread media coverage.  Also, for lack of a better word, it makes me squeamish to think of a lawyer disclosing information about a former client that, while public, almost nobody else knows.

Still, I’m sensitive to the First Amendment argument. And, despite my personal opinion that one should take advantage of every single opportunity to keep one’s mouth shut, I feel like the pendulum has started to swing swung back towards the debate’s equilibrium.

So, what say you? I’m a piece of clay.  Mold me.  Again, here’s the scenario:

  • You went through a messy divorce 10 years ago.  Mike represented you. The divorce went to trial.  At trial, details emerged that remain embarrassing today.  Yes, the trial was public, but, really, in label only. Nobody went, certainly not the press.  The details are not, by any stretch of the imagination, generally known. The only way anyone could access the details would be by going to the great length of ordering a transcript.  Public? Yes.  Generally known? No.  Yesterday, Mike blogged about them.

Should Mike be sanctioned? Discuss in the comment section, but keep it civil.  Or, take this poll.

Be Quiet

 

 

 

 

To: the prosecution. With love, the Defendant’s lawyer.

89 years ago today, almost to the minute, seven men were murdered in Chicago’s Lincoln Park neighborhood.  The incident became known as the Saint Valentine’s Day Massacre. Al Capone is widely regarded as the criminal mastermind behind the killings.

As bar counsel, I’m intrigued by one aspect of the events that led to Capone’s conviction and incarceration.  My intrigue lies in the so-called Mattingly Letter.  It’s a letter that Capone’s tax lawyer provided to treasury agents and that was eventually used against Capone at trial.

Douglas Linder is a professor at the University of Missouri-Kansas City School of Law. He has a website dedicated to Famous Trials.  Among others, Professor Linder has written on the trial of Al Capone.

Per Professor Linder, as of 1929, Capone had never filed a federal income tax return.  So, the Department of Treasury launched an investigation into whether Capone had committed income tax evasion.

Lawrence Mattingly was Capone’s tax lawyer. In April 1930, Mattingly agreed to let “revenue agents” interview Capone.  The transcript of the interview is here.  Here’s an excerpt of what would become a key segment:

  • Revenue Agent RALPH HERRICK: I think it is only fair to say that any statements which are made here, which could be used against you, probably would be used.
  • LAWRENCE MATTINGLY, Capone’s tax lawyer: Insofar as Mr. Capone can answer any questions without admitting his liability to criminal action, he is here to cooperate with you and work with you.
  • HERRICK: What records have you of your income, Mr. Capone-do you keep any records?
  • CAPONE: No, I never did,
  • HERRICK: Any checking accounts?
  • CAPONE: No, sir.
  • HERRICK: How long, Mr. Capone, have you enjoyed a large income?
  • CAPONE: I never had much of an income.
  • HERRICK: I will state it a little differently-an income that might be taxable?
  • CAPONE: I would rather let my lawyer answer that question.
  • MATTINGLY: Well, I’ll tell you. Prior to 1926, John Torrio, who happens to be a client of mine, was the employer of Mr. Capone, and up to that point it is my impression that Mr. Capone’s income wasn’t there. He was in the position of an employee, pure and simple. That is the information I get from Mr. Torrio and Mr. Capone.

A few months later, Mattingly met again with federal agents.  As the meeting ended, he provided the agents with this letter.  Mattingly opened the letter by stating:

  • “The following statement is made without prejudice to the rights of the above-mentioned taxpayer in any proceedings that may be instituted against him. The facts stated are upon information and belief only.”

He closed by conceding:

  • “I am of the opinion that his taxable income for the years 1925 and 1926 might fairly be fixed at not to exceed $26,000 and $40,000 respectively and for the years 1928 and 1929 not to exceed $100,000 per year.”

Several months later, a grand jury indicted Capone.

Eventually, Capone and the government reached a plea agreement under which Capone would’ve served 2.5 years.  A judge rejected the plea, stating:

  • “The parties to a criminal case may not stipulate as to the judgment to be entered. It is time for somebody to impress upon the defendant that it is utterly impossible to bargain with a Federal Court.”

As trial neared, the government obtained information establishing that Capone had likely bribed a significant portion of the jury pool.  The prosecution team notified the judge. Per Professor Linder, here’s what happened next:

  • “Judge Wilkerson took his seat at the bench and looked out over the packed courtroom. He called the bailiff to the bench. ‘Judge Edwards has another trial commencing today,’ he told the bailiff. ‘Go to his courtroom and bring me his entire panel of jurors; take my entire panel to Judge Edwards.'”

At trial, the government sought to introduce the Mattingly Letter through the agent to whom Attorney Mattingly had delivered it.  The defense objected.  The court admitted the letter as proof that Capone had made certain statements, albeit not as proof of those statements.  (yeah, right.)  A transcript of the testimony surrounding the letter’s admission is here.

The prosecution referred to the letter during its closing argument.  That portion of the summation, which I found enthralling, is here.  Here’s my favorite part:

Referring to Attorney Mattingly, the prosecutor argued:

  • “He had tried to get the revenue agents to say that the admission would not be used against his client; now, in the letter, Mattingly is saying it himself. The letter says, “‘his statement is made without prejudice to the taxpayer in any criminal action that may be instituted against him.'”

The prosecutor continued:

  •  “Suppose a speeder, when stopped by an officer, should say; ‘I am telling you this without prejudice, officer; I don’t want it used against me; but I was going 50 miles an hour.’ Suppose a gambler could tack a little sign on a roulette, ‘This device is not to be used as evidence against me.’ Suppose a murderer could put a sign on his gun, “This weapon is not to be used as evidence against me.’ What a refuge for criminals that would be! And yet, that is what we have here, ‘I am telling you this, but it is not to be used against me.’ “

In the end, Capone was convicted and sentenced to 11 years in prison.  Admissions from his own tax attorney appear to have played a significant role in the conviction.

Competence.  Client confidences.  You be the judge.

Valentine

An intriguing aside: one of the government’s key informants in the Capone investigation was Eddie O’Hare.  O’Hare held the patent for the mechanical rabbit that lures greyhounds around a race track. He also ran dog tracks for Capone.  Eddie was murdered shortly before Capone was released from prison.

The intriguing aside?  Eddie’s son, Edward, was a naval pilot. He was the Navy’s first “flying ace” and the first member of the Navy to receive the Medal of Honor in World War II. He was shot down in combat in 1943 and never found.  Chicago’s O’Hare Airport is named for him.

 

Monday Morning Answers #105

I’m not positive, but methinks this week’s is the largest Honor Roll ever!

Friday’s questions are HERE.  Thanks to all who sent in responses.   I especially enjoyed hearing & reading so many wonderful stories of grandmothers & grandfathers who sound so similar to mine.  Today’s answers follow the honor roll.

67FCDEE4-4A0B-4B58-9AB7-151422E4069A

Honor Roll

Answers

Question 1

Each of the following words is in the name of its own rule. Three of the rules involve the same type of ethics issue.   Which is associated with a different ethics issue than the other three?

  • A.  Prospective
  • B.  Meritorious
  • C.  Current
  • D.  Former

Rule 3.1 governs meritorious claims.  Prospective, Current, and Former are types of clients for the purposes of the conflicts rules.

Question 2

Attorney called me with an inquiry.  She said “Mike, I have some questions about mental impressions, as well as internal notes and memoranda.”  Most likely, what issue did Attorney call to discuss?

  • A.  The duty to report a client’s fraud
  • B.  The duty to act competently to safeguard client data stored in the cloud
  • C.   Duties to a client who suffers from a diminished capacity
  • D   File delivery & the question of “what is the file?”

I might have phrased this one poorly.  Option “A” certainly could happen, as a lawyer’s mental impressions and notes might include information that must be revealed pursuant to Rule 1.6(b).   However, here, I was getting at whether an attorney’s notes and mental impressions are part of “the file.”  For more on this topic, including a link to an ABA Formal Advisory Opinion, see this post.

Question 3

Fill in the blank. (two words)

Lawyer called with an inquiry.  Lawyer said “client said she’s fine with it, so do you think that I have ________  ___________?”

I replied “Well, ‘she’s fine with it’ isn’t exactly the definition of _________   _________.  Per the rules, it’s an agreement to a proposed course of conduct after you’ve adequately communicated & explained the material risks, and reasonably available alternatives to, the proposed course of conduct.”

Informed Consent, Rule 1.0(e).

Question 4

Attorney called me with an inquiry.  Attorney was concerned that her she and her firm had been “pwned.”  What did we discuss?

Whether Attorney & Firm had:

  • A.   suffered a breach of electronically stored client data.
  • B.   fallen for a trust account scam.
  • C.   violated the rules while responding to a negative online review.
  • D.  been duped by an adversary who intentionally posted “fake evidence” on a social media platform.

Hello gamers! I wasn’t familiar with the term “pwned” until I read the ABA Journal’s cybersecurity tips.

Question 5

Hint: in honor of my grandfather’s Chicago roots, and in anticipation of a blog I intend to post next week . . .

Lawrence Mattingly practiced law in Illinois.  Once, he arranged a meeting between a client and federal agents/prosecutors who were trying to build a tax evasion case against the client.  During the meeting, the client claimed “I’ve never had much of an income.”

Later, Attorney Mattingly provided Treasury agents with a letter in which he conceded that his client had, in fact, earned a substantial income over the previous 4 years. The “Mattingly Letter” was admitted at trial and used as evidence against the client.  The client was convicted and sent to prison.

Who was the client?

Al Capone

Thaw Bound? Protect client data at the border.

The VBA’s Young Lawyers Division Thaw is this weekend.  It’s shaping up to be as terrific as usual, and there’s still time to register.

Undoubtedly, many of you rely on mobile devices to practice law.  Reminder: as a lawyer, you have a duty to take reasonable precautions to protect against the disclosure of client information during a border crossing.

I’ve posted three blogs on this topic.  The most recent was Crossing the Border? Consider Bringing Only What You Need.  The post includes a link to (and summary of) the NYC Bar Association’s advisory opinion 2017-5.  The opinion, which is here, addresses an attorney’s duties with respect to protecting client information before, during, and after a border search.  The ABA Journal also reported the advisory opinion.

The post and links might be worth reviewing.

For more, and thanks to a tip from Attorney Caryn Waxman, check out Jeff Richardson’s latest post on his iPhoneJD blog: New Customs and Border Protection policy on searching attorney iPhones.  The post focuses on the “new procedures that a border patrol agent must use when confronted with data protected by the attorney-client privilege or work product.”  Note: the duty to protect client data at the border is NOT limited to data on Apple devices.

If you’re going to Montreal, have a great time!  But, before leaving, consider how important it really is to have client data with you for the weekend.

Border.jpg