Tech Competence and . . . flipping the bird?

It’s been a while since I’ve posted.  I love easing my way back into blogging with quick hitters.  So, without further ado:

Tip #1.   During a remote hearing, whether angry at yourself, opposing counsel, the court, or a screen that’s blank, frozen, or otherwise not working properly, don’t “flip the bird” at your camera.

Tip #2.  If you forget Tip #1, be honest when the court asks you what it just saw.

Today’s post comes thanks to a tip from Catamount Law’s Samantha Lednicky.  Last week, Sam sent me this order issued by the Michigan Court of Appeals.  The ABA Journal and Detroit Free Press have coverage.

I leave further reading to curious minds.

Flip the Bird

Related Posts:

Preparing for a remote hearing? Maybe check your client’s screen name

Tech Competence & Cats

Tech Competence Posts:

Go here for all my posts categorized or tagged as “tech competence.”

Wisconsin Advisory Opinion Offers Cybersecurity Tips on Working Remotely

In late January, the Wisconsin Bar issued Formal Ethics Opinion EF-21-02: Working Remotely.  The opinion makes three important points and shares helpful and practical guidance on cybersecurity practices, training & supervision, and preparing clients.

astronaut-sitting-moon-laptop

First, the important points.

I’m a fan of the opening line of the synopsis:

  • “The basic responsibilities that a lawyer owes the client – competence, diligence, communication, and confidentiality – lie at the core of lawyer’s professional obligations and remain unchanged irrespective of the lawyer’s physical location.”

That’s critical: the pandemic hasn’t lessened or diminished our professional obligations.  Our responsibilities remain the same as in 2019 when we were working in our offices.  Further, our basic obligations to clients will not change once the pandemic ends. As the opinion points out, “it is expected that lawyers, like other professionals, will continue to work remotely in some form after the pandemic.” So, the guidance, while issued in response to the pandemic, will prove valuable in an increasingly remote post-pandemic workplace.

Next, the opinion reiterates what I’ve been blogging for years: competence includes tech competence.  Pages 2 and 3 include language that I’m certain will worry lawyers.  The language, however, is important to take to heart.

  • “Basic technological competence includes, at a minimum, knowledge of the types of devices available for communication, software options for communication, preparation, transmission and storage of documents and other information, and the means to keep the devices and the information they transmit and store secure and private.”

As the opinion notes, large firms likely will employ IT professionals for these issues.  Small firms and solos are reminded that they “may need to retain the services of an expert if they lack the knowledge to personally manage the technological aspects of practice.”

Finally, the conclusion ties together the first two points in an important reminder:

  • “The COVID-19 pandemic has dramatically changed how lawyers work and represent their clients. Some of these changes may be temporary but others are likely part of a movement towards increased reliance on technology in the practice of law. As working remotely has become the new normal, lawyers must develop new skills and knowledge to comply with their core responsibilities.”

Indeed.

I’ll finish by cutting and pasting the guidance and practical tips that begin on page 10 of the Wisconsin opinion.  I’ve reformatted & renumbered the footnotes to endnotes.

***

General Guidance

 It is impossible to provide specific requirements for working remotely because lawyers’ ethical duties are continually evolving as technology changes. It is possible, however, to provide some guidance. Cybersecurity Practices Because working remotely relies on technology, competence in technology and cybersecurity practices are essential. The following cybersecurity practices have been recommended by a number of ethics opinions[i] and other resources. None of these practices are new: they are reasonable precautions that have helped lawyers fulfill their ethical obligations, especially the duty of confidentiality, when working in the office and when working remotely, whether at home during evenings and weekends, or during travel for work or vacation.

  • Require strong passwords to protect data and to access devices. The more complex the password, the less likely that an unauthorized user will be able to access data or devices by using password cracking techniques or software.
  • Use two-factor or multi-factor authentication to access firm information and firm networks. Although requiring an additional authentication step, such as a six-digit code sent to the lawyer’s phone or email, may seem inconvenient or burdensome, it is a reasonable precaution that increases protection and reduces the likelihood of unauthorized access by providing an additional layer of security beyond a strong password.
  • Avoid using unsecured or public WiFi when accessing or transmitting client information. Hackers can access unencrypted information on unsecured WiFi and can use unsecured WiFi to distribute malware.
  • Use a virtual private network (VPN) when accessing or transmitting client information. A VPN encrypts information and allows users to create a secure connection to another network.
  • Use firewalls and secure router settings. A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules: it establishes a barrier between a trusted network and an untrusted network. A router connects multiple devices to the Internet, and connects the devices to each other.
  • Use and keep current anti-virus and anti-malware software. Anti-virus and anti-malware both refer to software designed to detect, protect against, and remove malicious software.
  • Keep all software current: install updates immediately. Updates help patch security flaws or software vulnerabilities, which are security holes or weaknesses found in a software program or operating system.
  • Supply or require employees to use secure and encrypted laptops. All lawyers and staff should use only firm issued devices with security protections and backup systems and prohibit storage of firm or client information on unauthorized devices. All devices used by the lawyer, such as desktop computers, laptops, tablets, portable drives, phones, and scanning and copy machines, should be protected.
  • Do not use USB drives or other external devices unless they are owned by the firm or they are provided by a trusted source.
  • Specify how and where data created remotely will be stored and how it will be backed up.
  • Save data permanently only on the office network, not personal devices. If saved on personal devices, taking reasonable precautions to protect such information.
  • Use reputable vendors for cloud services. Transmission and storage of firm and client information through a cloud service is appropriate provided the lawyer has made sufficient inquiry that the service is competent and reputable.[ii]
  • Encrypt emails or use other security to protect sensitive information from unauthorized disclosure. A lawyer should balance the interests in determining when encryption is appropriate.
  • Encrypt electronic records, including backups containing sensitive information such a personally identifiable information.
  • Do not open suspicious attachments or click unusual links in messages, email, tweets, posts, online ads.
  • Use websites have enhanced security whenever possible. Such websites begin with “HTTPS” in their address rather than “HTTP,” and encrypt the communication.
  • Provide adequate security for video meetings or conferences. The FBI has recommended the following steps: use the up-to-date version of the application; do not make the meetings public; require a meeting password; do not share the link to the video meeting on an unrestricted publicly available social media post; provide the meeting link directly to the invited guests; and manage the screen-sharing options.[iii] In selecting a videoconferencing platform, the lawyer should make sure it is sufficiently secure both in its structure and its contractual terms of use, especially any terms on access to user information.[iv]
  • Do not have work-related conversations in the presence of smart devices such as voice assistants. These devices may listen to and record conversations.[v]

Training and Supervision

To comply with the duties required by SCR 20:5.1 and 5.3, partners, managers and supervisory lawyers should consider whether the firm’s policies and procedures are adequate to address the specific challenges that may arise when lawyers and nonlawyer assistants are working remotely.

  • Establish and implement policies and procedures for cybersecurity practices. These policies and procedures should be in writing and provided to all lawyers and nonlawyer assistants, and stress compliance.
  • Establish and implement policies and procedures for the training and supervision of lawyers and nonlawyer assistants in the firm’s cybersecurity practices. Training is the most basic step in avoiding a cyberattack at a law firm. In other words, it is extremely important to develop a culture of awareness. The most serious vulnerabilities of a cybersecurity system are not the hardware or software, but rather the people who use it. It is estimated that 90% of cybersecurity breaches are due to human error.[vi]
  • Establish and implement policies and procedures regarding remote workspaces to mitigate the risk of inadvertent or unauthorized disclosures of information relating to the representation of clients. Remote workspaces should be private to ensure that others do not have access to phone conversations, video conferences, or case-related materials.
  • Hold sufficiently frequent remote meetings between supervising attorneys and supervised attorneys, and between supervising attorneys and supervised nonlawyer assistants to achieve effective supervision.

Preparing Clients

Representing a client remotely may present challenges to competent representation.[vii] Consequently, a lawyer should carefully consider whether the lawyer can adequately prepare the client to testify or for interviews while working remotely.

  • The lawyer and the client should have sufficient ability with the technology.
  • The lawyer and the client should have access to relevant documents.
  • The lawyer and the client have adequate time and attention to ensure the client’s comfort with the communicating by the medium that will be used.

[i] See, e.g., Wisconsin Formal Ethics Opinion EF-15-01: Ethical Obligations of Attorneys Using Cloud Computing (Amended September 8, 2017).

[ii] Wisconsin Formal Ethics Opinion EF-15-01.

[iii] https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-ofteleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic

[iv] Lawyers must understand that if video conferences are recorded the vendor may retain a copy under the terms of service. See INSIGHT: Zooming and Attorney Client Privilege, https://www.bloomberglaw.com/exp/eyJjdHh0IjoiQ1ZOVyIsImlkIjoiMDAwMDAxNzEtZWExYy1kMDAwLWE5N2YtZ WE3ZTkwYWMwMDAxIiwic2lnIjoidVliaWhQR3J3ZmpWcDBKeE5KY1JYV1c0RlcwPSIsInRpbWUiOiIxNTkwMjQwMzM 1IiwidXVpZCI6IndNWHUzdVFGajBEWGxkZFBKcTNSVVE9PU1ZZmVtSkhLU0hBMWtPNG8rTE50eGc9PSIsInYiOiIxIn0= ?usertype=External&bwid=00000171-ea1c-d000-a97fea7e90ac0001&qid=6912181&cti=LSCH&uc=1320042032&et=SINGLE_ARTICLE&emc=bcvnw_cn%3A7&bna_news_ filter=true

[v] For example, Google and Amazon maintain those recordings on servers and hire people to review the recordings. Although the identities of the speakers are not disclosed to these reviewers, they might hear sufficient details to be able to connect a voice to a specific person. https://www.vox.com/recode/2020/2/21/21032140/alexa-amazongoogle-home-siri-applemicrosoft-cortana-recording .

[vi] https://www.techradar.com/news/90-percent-of-data-breaches-are-caused-by-humanerror#:~:text=A%20new%20report%20from%20Kaspersky,carried%20out%20by%20cloud%20providers .

[vii] The New York County Lawyers Association Formal Opinion 754-2020 at 3.

Tech Competence & Cats

Back when I blogged more often than I do now, I’d post about tech on Tuesdays.

Today, I didn’t intend to blog. Alas, in the past hour, numerous readers have emailed or texted me the same story.  Initially, it came from lawyers. Then, my friend Waskow texted me and my brother, with my brother replying, “I hope this makes the blog.”

When the non-lawyers chime in, who am I not to share a cautionary tale involving tech competence?

Lawyers: may your careers in law never require you to tell a judge “I’m not a cat.” 

If the Florida Bar’s tweet doesn’t work for you, it’s on YouTube here.

Social Media & Legal Ethics: Keep It Real.

As I usually do every year, I presented a CLE for the Vermont Paralegal Organization on Wednesday.  I present for many groups.  I assure you that there is no group more dedicated to providing competent services than Vermont’s paralegals.  They are a valuable resource that we should not overlook or undervalue.

The topic was social media & legal ethics.  My theme was “Keep it Real.”  I tried to convey that social media isn’t so much the cause of misconduct as it is a relatively new forum for misconduct that has always existed. That is, if it’s wrong in real life, it’s wrong on social media.

Here’s how I tried to make my point.

Social Media

Consider the following 8 headlines.  You’re only allowed to click on 4.  Which do you choose?

  1. Judge reprimanded for sexting women in his robes.
  2. Judge sanctioned for harassment.
  3. Instagram posts land Lawyer in hot water.
  4. Lawyer sanctioned for misrepresentation to a tribunal.
  5. Lawyer suspended over rude Facebook message to client.
  6. Lawyer suspended for failing to properly communicate with client.
  7. Facebook spoliation results in $700K in sanctions and 5-year license suspension.
  8. Lawyer suspended for discovery violations and lack of candor to a tribunal.

I’m guessing that many of you have already figured it out.  While the list includes 8 headlines, there are only 4 stories.  Clicking on 1 or 2 would return the same story.  The same goes for 3 & 4, 5 & 6, 7 & 8.

It seems to me that “social media sells.”  Its click-bait nature, I think, does a disservice in the sense that in each of the 4 matters, the conduct would have resulted in disciplinary sanctions even if it had not involved social media.

For instance, the Tennessee judge’s ‘overtly sexual’ messages would’ve have been just as wrong if sent via U.S. mail with accompanying Polaroids.  (h/t ABA Journal).

The Instagram posts that revealed this lawyer’s dishonesty did not make the lawyer’s misconduct any worse than it already was.

A lawyer who is rude and/or non-responsive to a client’s Facebook Messages is no different than a lawyer who is rude and/or non-responsive to a client’s phone calls and letters.

Finally, counseling a client to destroy evidence, lie about it in discovery, and then attempt to cover-up the entire scheme is a violation regardless of whether the evidence is electronic. (h/t Above The Law).

Imagine the following ethics inquiry:

  • Lawyer: “Mike, can I send a Facebook message directly to my client’s represented adversary?”
  • Me: “Would that be okay to do by letter in real life?”
  • Lawyer: “No.”
  • Me:  “There you have it. Keep it real.

Below, I’ve pasted in links to resources.  It’s a sampling, not an exhaustive list. If you only have time for one, I recommend the Social Media & Legal Ethics Guidelines published by the Commercial & Federal Litigation Section of the New York State Bar Association.

In closing, does social media raise new questions?

Yes.

But, often, the answer is the same as it was in the old days.

What’s wrong is wrong.

Resources

 

 

Redacting Confidential Info

In January, Paul Manafort’s lawyers made headlines for failing to take proper steps to redact a document.  Myriad outlets covered the story, including The Atlantic, BBC, and Legal Tech News.

In response, the ABA Journal posted How to redact a PDF and protect your clients.  A few days later, I recommended the ABA post in my blog Competence, Confidences and PDFs

Today, the ABA Journal published more helpful information: Redacting confidential client information: The devil is in the detailsThe post points out the risks in failing to understand how property to redact a document.  I recommend it.

One risk? Disciplinary action.  Lawyers have a duty not to disclose information relating to the representation of a client.  There’s also a duty to use reasonable safeguards to protect against unauthorized access to or inadvertent disclosure of confidential information.  In my view, employing a redaction method that fails to keep information confidential is not a reasonable safeguard.

Rather, it’s tech incompetence.

Image result for images of redacting confidential info

 

 

 

Advising Clients on Social Media Use

At CLEs over the past few months, lawyers have seemed surprised to hear me suggest that the duty of competence includes advising clients to refrain from social media posts that could be detrimental to their cases.

The surprise surprises me.

Indeed, I’ve often followed up by asking whether anyone has had a client’s social media post used by the other side.  The raised hands and nodding heads tell me that it happens.

A lot.

So if we know that it’s happening a lot, shouldn’t we advise our clients not to do it?

Last summer, the ABA Journal posted Celebrity attorneys face challenges, ethical pitfalls.  One of the challenges mentioned is clients’ use of social media.  Here are two paragraphs:

“ ‘Likely you have a whole team of people doing damage control,’ says Ann Murphy, a professor at the Gonzaga University School of Law who published ‘Spin Control and the High-Profile Client’ in the Syracuse Law Review. ‘The attorney needs to be very, very careful to keep the client’s legal advice separate.’

‘Attorneys, as part of their ethical duties, must now counsel their clients on the use of social media,’ Murphy says. ‘Once it is out there, it is out there. Even if someone deletes a Facebook post—it likely has been saved as a screenshot and is of course subject to discovery,” she adds. ‘Personally, I think the best advice is tell the client that any posts about his or her case must be viewed in advance by the attorney.'”

I get it. Both the ABA Journal and Professor Murphy are focusing on lawyers who represent celebrities.  Still, look again at one of Professor Murphy’s statements:

” ‘Once it is out there, it is out there. Even if someone deletes a Facebook post—it likely has been saved as a screenshot and is of course subject to discovery. ‘ ”

That could be any client, celebrity or not.

The ABA Journal poses a “question of the week.” Each new question is followed by the  “featured to response” to the prior week’s question.

Last week’s question was What advice do you give your clients about social media? 

This week’s – How do you stay alert during long meetings or trials? – includes the featured response to last week’s social media question.  The featured response:

  • “In some ways, I take a more laissez-faire approach than many attorneys: Yes, I would love it if my clients would avoid social media, but at the end of the day, they’re going to do what they want to do. If they were great at heeding sensible advice, they probably wouldn’t have ended up in my office in the first place. I ask them to think before they post. I ask them to review their privacy settings. I ask that they avoid posting things directly related to the case at hand. And then, I just cross my fingers that the guy on trial for trying to strangle his girlfriend doesn’t post a meme about strangling one’s girlfriend.” (emphasis added)

The advice in bold?  Seems pretty simple.

Not only that, when we know that the other side is looking, it’s advice that competent lawyers provide.

Social Media

 

 

 

 

Competence, Confidences and PDFs

In my view, Rules 1.1 and 1.6 impose a duty to act competently to prevent the unauthorized access to or disclosure of information relating to the representation of a client.  I’ve blogged on this issue many times:

Next week, I’m presenting two seminars at the YLD Mid-Winter Thaw in Montreal.  In the first, I’m on a panel with Judge Hayes and the Judiciary’s Andy Stone.  Judge Hayes and Andy will introduce lawyers to the Judiciary’s new case management system.  My job will be to chime in on ethics issues that might arise with electronic filing.   My thoughts will focus on tech competence.

expos

Imagine this scenario: whether in a filing or a communication to opposing counsel, a lawyer includes a PDF.  Prior to transmission, the lawyer redacted the PDF to keep certain information confidential.  Alas, the lawyer did not properly redact the PDF.  By highlighting the redacted the portions and pasting them into a new document, opposing counsel, or anyone else with access to the PDF, can discover what the lawyer intended to obscure.  The filing is here.

Did the lawyer take reasonable precautions to protect the information?  Was it a one-time mistake that doesn’t rise to the level of an ethics violation?  What if it was information that the court had ordered remain confidential and now is public?

Earlier this week, lawyers for Paul Manafort, President Trump’s former campaign chair, filed a response to special counsel Robert Mueller’s allegation that Manafort lied to Mueller’s investigators.  Due to what the ABA Journal described as a “technical oversight,” the filing was not properly redacted.  As such, the media was able to discover that Manafort is accused of sharing polling data with a Russian business person.  The story has been covered by the ABA Journal, BuzzFeed, Fox News, and the Washington Post.

(Update at 1:16 PM on January 10:  Above The Law’s Joe Patrice has a great recap here.)

Go back to the scenario I posited above: what if that’s you in a Vermont case?  What if you meant to redact a client’s proprietary information, or a witness’s mental health records, or a confidential informant’s identity? What if you didn’t do it right?

Jason Tashea writes for the ABA Journal. Today, he posted How to redact a PDF and protect your clients.  If this is an area of tech competence that interests or concerns you, I’d suggest giving Jason’s post a read.

 

ABA Addresses an Attorney’s Obligations in Response to a Data Breach

I’ve blogged often on a lawyer’s duty to act competently to safeguard client data.  Generally, an attorney must take reasonable precautions to protect against inadvertent or unauthorized disclosure of client information.  Some of my posts:

Last month, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 483.  It sets out a lawyer’s obligations following an electronic data breach or cyber attack.

The opinion is detailed and technical.  It’s worth reading, or, at the very least, sharing with your IT support staff.  Also, various outlets have reported on the opinion, including The National Law Review, Louisiana Legal Ethics, and The ABA Journal.  I suggest each.

I’m going to try to stick to a summary.

  •  Prior to a breach, a lawyer has a duty to act competently to safeguard client property and information.  This likely includes adopting an “incident response plan” that will kick in once a breach occurs.
  • The duty includes an obligation “to monitor the security of electronically stored client property and information.”  In other words, there’s a duty to take reasonable efforts to monitor for and detect unauthorized access. This includes reasonable steps to ensure that vendors act in accordance with the lawyer’s professional obligations.
  • A breach is not necessarily evidence that the lawyer failed to act competently to safeguard client information.
  • If a breach occurs, a lawyer must take reasonable steps to stop it and mitigate the damage that results.
  • If a breach occurs, a lawyer must assess its scope.  This includes determining what information, if any, was lost or accessed.
  • A lawyer must notify current clients if the breach:
    • involves material, confidential client information; or,
    • impairs or prevents the lawyer from representing the client. For example, as would be the case in a ransomware attack.
  • Lawyers must be aware that their ethical obligations are independent of any post-breach obligations imposed by law.  Compliance with professional obligations is not necessarily compliance with other law, and vice versa.

Again, the full opinion is here.

As usual, I like to analogize to non-tech issues.  For instance, when it comes to paper files, most lawyers probably know that there’s a duty to take reasonable safeguards to protect them.  Locked file cabinets.  Locked rooms.  Secure office space.

If a lawyer arrives at work and realizes that the office has been broken into, I imagine the lawyer would intuitively understand the need to determine what, if anything, was viewed or taken.  Then, as appropriate, will notify clients. I also imagine that the lawyer would replace the broken locks, doors, and windows.

Thus, in my view, the ABA opinion clarifies that very standards that most of us already apply to clients’ paper files also applies to their electronic files.

Image result for images of a data breach

 

 

 

 

Court Adopts Comment on Tech Competence

The first rule in the Vermont Rules of Professional Conduct requires lawyers to provide clients with competent representation.  I’ve long argued that Rule 1.1’s duty of competence includes tech competence.

Last week, the Vermont supreme Court promulgated amendments to Rule 1.1.  The amendments add three new comments, including one that makes it clear that, in fact, the duty of competence includes tech competence.  As amended, Comment [8] now reads:

Maintaining Competence

[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technologygy, engage in continuing study and education and comply with all continuing legal education requirements to which a lawyer is subject.

As reported by Robert Ambrogi’s LawSitesBlog, Vermont becomes the 32nd state to adopt the duty of tech competence.

Take a look at the picture that Bob uses on his blog:

Image result for lawyer technology competence

No more.

Don’t confuse the meaning of the new comment. It does not require lawyers to know how to use every new gizmo, gadget, or app.  It’s far more practical than that.

For instance, do you understand the risks and benefits of using certain technologies to transmit confidential communications? Or the risks and benefits of mobile payment services? Have you thought about disabling autocomplete? Do you advise clients against being too social?

Also, don’t sleep on the other new comments. As legal outsourcing becomes more prevalent, the new comments provide helpful guidance.

The new comments take effect on December 10.

Related Posts

 

 

Cybersecurity for Lawyers: learn from other professions

I’ve blogged often on tech competence and the duty to safeguard client data.  In short, lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to confidential client information.

So, people often ask “what are reasonable precautions?”

It depends.

Nobody likes that answer.  But it’s correct.

For instance, do you mean “what are reasonable precautions when it comes to cloud storage?”  Or, are you asking whether a lawyer has a duty to encrypt e-mail? Wait, maybe you’re talking about your duties when crossing the border? No, no, I get it now:  you’re asking if a lawyer has a duty to disable auto-complete. Oh my gosh, no – you’re referring to the hallmarks of trust account scams.

No matter the mode of communication, no matter the place that information is stored, a lawyer must safeguard client information. And, as I explained here, it makes perfect sense not to get into the habit of re-evaulating a lawyer’s duty with every new technology.  Whatever the next new thing is, a lawyer’s duty will remain the same: to take reasonable precautions against the inadvertent disclosure of or unauthorized access to client information.

But, as this post in the ABA Journal points out, lawyers and law firms aren’t sailing into uncharted waters.  There are lessons to be drawn from other professions.  Per the post, those lessons include:

  • Encryption is important.  I’d even venture to opine that if it isn’t already, we aren’t long for the day when the failure to encrypt is tantamount to a failure to take reasonable precautions.
  • Partners and more senior lawyers have to follow the same rules as everyone else. “I don’t do tech” isn’t reasonable. It’s no different from saying “I don’t do ‘protecting client information.’ “
  • Employees and 3rd party vendors need to be trained on the importance of data security.

There’s a great quote in the article. It’s from Michael Mason, chief of security for Verizon Communications: law firms should foster, grow, and ” ‘develop a culture of security.’ ”

A culture premised on “we hope it doesn’t happen to us” is not a culture of security.

With “it” being a breach, the dreaded “it” has happened not just to lawyers and law firms, but to many other professions.  As the ABA Journal suggests, lawyers would be wise to take heed of the lessons learned by those other professions.

Image result for data security