History’s best “worst” song, and tips on acting reasonably to safeguard client data.

Yesterday was this blog’s 7th birthday.  We entered the world with Competence Includes Tech Competence.  The theme dominated back then.  Indeed, one could reasonably argue that tech competence is to this blog, as rock & roll is to Starship’s city.[1]

The rules related to tech competence have evolved since then.  In 2018, we adopted language that makes clear that maintaining competence includes keeping “abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.”[2] More recently, we amended V.R.Pr.C. 1.6, the confidentiality rule, to include this paragraph:

  • (d) A lawyer shall make reasonable efforts to prevent the inadvertent disclosure of, or unauthorized access to, information relating to the representation of a client.

The amendment, which takes effect next week, addresses the duty to act competently to safeguard client information, no matter the format in which the information is stored.  Here’s the Reporter’s Note:

  • “Subdivision (d) is added to reflect that the modern practice of law includes possession of information related to the representation of client in many forms, including information that is stored electronically or digitally. A lawyer is under a duty to act competently to safeguard client information, no matter its format. See V.R.Pr.C. 1.1. Paragraph (d) tracks the ABA Model Rule, clarifies that V.R.Pr.C. 1.6 applies to the electronic transmission and storage of information relating to a representation, and makes explicit that the duty under Rule 1.6 is broader than avoiding affirmative disclosures of information relating to the representation of a client.”

With the new rule, a question that arises is “what are reasonable efforts?”  As I indicated here, it’s not my role to issue a formal opinion as to what’s reasonable and what isn’t.  My stance finds support in ABA Formal Opinion 477.  Among other things, the opinion concludes that “[w]hat constitutes reasonable efforts is not susceptible to a hard and fast rule, but rather is contingent upon a set of factors.”  It goes on to state that “the reasonable efforts standard:

  • “. . . rejects requirements for specific security measures (such as firewalls, passwords, and the like) and instead adopts a fact-specific approach to business security obligations that requires a ‘process’ to assess risks, identify and implement
    appropriate security measures responsive to those risks, verify that they are effectively implemented, and ensure that they are continually updated in response to new developments.

That said, it’s undisputed that my role includes providing guidance.  To that end, here are two resources.

In September, Jim Knapp and I presented “Tech Competence & Cybersecurity” at the VBA’s Annual Meeting.  I began with a short overview of the new rule, then Jim provided a boatload of cyber and tech tips.  You can access the material here.

In addition, Catherine Reach is the Director of the North Carolina Bar Association’s Center for Practice Management.  Two days ago, Catherine posted “Protecting Portable Devices.”  Like Jim’s material, Catherine’s post is chock full o’ helpful tips on securing data.

As always, let’s be careful out there.

[1] Those of you who remember the 80s music scene might question including We Built This City in a post on competence. Your skepticism is warranted. After all, a few years ago, GQ named it “the Worst Song of All Time.” However, I’ll say this: on the rare occasion that I listen to the song, I turn the volume to 11, sing along enthusiastically, and find myself particularly thrilled to belt out (with proper intonation that doesn’t come through in a blog post) “knee deep in the hoopla” and “Marconi plays the Mamba.”  So, for giggles, a trip down memory lane is here.

[2] V.R.Pr.C. 1.1, Cmt. [8].

Cybersecurity, data protection, and a lawyer’s duty of competence.

Given some of the looks and comments that I receive when broaching this topic at CLEs, I’m not certain that it’s an appropriate subject for a day typically reserved for “wellness” posts.  However, as I emerge from a summer blogging hiatus fueled by a disinterest in blogging, I’m less worried about sticking to the traditional schedule than I am in finding something – anything – to write about.  And today, “cybersecurity” not only presents itself as a topic, it does so in a manner that reinforces a notion that lies near and dear to this blog’s heart: competence includes tech competence.

Cybersecurity White Images – Browse 16,974 Stock Photos, Vectors, and Video  | Adobe Stock

To recap, V.R.Pr.C. 1.1 requires a lawyer to provide clients with competent representation. Under the heading “Maintaining Competence,” Comment [8] states:

  • “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education, and comply with all continuing legal education requirements to which the lawyer is subject.” (emphasis added).

The bolded language refers to “tech competence” and was added in 2018.  At the time, and as reported by LawSites, its addition made Vermont the 32nd state to adopt a duty of technology competence. The italicized language has existed since the rule was first promulgated in 1999.  I emphasized it to make clear that continuing legal education is a critical component of maintaining competence.

Which brings me to today’s point.

As reported by LawSites and the ABA Journal, New York recently became the first state to mandate CLE in cybersecurity and data privacy & protection.  From the LawSites post:

  • “Under the new requirement, all attorneys must complete one hour of training every two years in either the ethical obligations surrounding cybersecurity, privacy and data protection, or in the technological and practice-related aspects of protecting data and client communications. Only two other U.S. states mandate technology training as part of a lawyer’s continuing education requirement, Florida and North Carolina. While those states’ CLE requirements allow for training in a range of technology topics, which can include cybersecurity, New York’s is the first to focus its requirement on these topics.”

New York’s new rule is here. The ABA Journal notes that the rule allows lawyers to count up to 3 hours of cybersecurity CLE towards their required 4 hours of ethics CLE.  The ABA post goes on to state:

  • “The New York State Supreme Court’s Appellate Division adopted the cybersecurity CLE requirement based on a recommendation from the New York State Bar Association’s Committee on Technology and the Legal Profession. The NYSBA approved the committee reportin June 2020, according to the bar’s news center.”

This is important. The impetus for the new CLE requirement was not my counterpart in New York.  It was the bar association.  In other words, this isn’t bar counsel crying wolf over competence, tech competence, and the duty to take reasonable precautions to safeguard client data.

Am I saying that a breach is an ethics violation?



Again, a lawyer’s duty is to take reasonable precautions to safeguard client data. As I’ve always recognized, the fact that a lawyer or firm is breached or hacked does not necessarily mean that the precautions in place weren’t reasonable. Indeed, in yesteryear, the fact that a client’s paper documents ended up in unauthorized hands didn’t necessarily mean that the lawyer or firm charged with safeguarding those documents failed to take reasonable precautions.  For instance, it likely wouldn’t have been an ethics violation for a firm to fall victim to enterprising criminals who employed thermite to breach a secure cabinet within a secure room within a secure office within a secure building [i]

What I’m saying is this.

A lawyer’s professional obligations include providing clients with competent representation.  CLE is a way to maintain competence.  There’s now a jurisdiction that requires 1 hour of CLE in cybersecurity, privacy, and data protection.  That same jurisdiction allows lawyers to count up to 3 hours of cybersecurity CLE toward their required 4 hours of ethics CLE. In sum, no more eye-rolling at CLEs when I discuss cybersecurity and data protection.  The topic clearly goes to the duty of competence.

As always, let’s be careful out there.


[i] I’m obsessed with Better Call Saul.  This week’s series finale has left me thinking of ways to pay homage to the show.  My thermite analogy reminded me not of Better Call Saul, but of its predecessor, Breaking Bad. Specifically, the scenes in the Season 1 finale when Walt uses the innards of an old Etch-A-Sketch to make thermite that he and Jesse use to break into a warehouse to steal methylamine. In fact, the scenes themselves probably subconsciously caused me to use “thermite” in the analogy.

Ontario Court Addresses Tech Competence as a Tool to Increase Court Access.

Before we start, here’s an old-fashioned challenge.  “Old-fashioned” in the sense that you are not allowed to do any research or to ask for assistance.

What is a Gestetner?

Anyone who  emails me the correct answer will receive a spot on the next #fiveforfriday Honor Roll in Legal Ethics.


Last week on his LawSites blog, Robert Ambrogi posted Ontario Court Lays Down the Law on Technology Competence and Video ProceedingsThe post recounts a discovery dispute that resulted in this order.

In short, Plaintiff’s counsel wanted to conduct in-person witness “examinations.”  Ambrogi reports that an “examination” is the equivalent of a deposition.  Defense counsel objected to appearing in-person, asking instead to proceed remotely.

The order summarizes the competing arguments.

Plaintiff’s counsel, who is in Toronto, argued that “that he has gone to a Toronto Blue Jays game with thousands of fans. Society is opening and he should be able to examine for discovery in person. He adds that in his view it is the ‘best’ method to conduct an examination well and properly.”

Meanwhile, the Ottawa-based defense countered that “we are in the fourth wave of the pandemic. While some parts of society are re-opening with appropriate precautions, the defendants prefer not to get together in an examiners’ office with the parties opposite, staff, and the crowd of other counsel, parties, and witnesses often there for other cases.”

In the end, the court sided with the defense, ordering that, absent an agreement to appear in-person, the examinations would be done remotely.  In reaching its conclusion, the court made several observations on how tech competence can increase access.  For example,

  • “Arrangements so that litigants do not have to take a full day off work; drive downtown and pay $40 or more for parking; or take the bus for 90 minutes each way; are real savings that promote participation and access to justice.  If a lawyer can avoid travel and waiting time because she is working at her desk until she signs-on to a virtual examination or hearing, transaction costs are decreased for clients. Avoiding paying a lawyer to come to Toronto or to go to another place is also\significant cost savings for a client through virtual proceedings. Lawyers can participate in proceedings in multiple locations on the same day virtually. The increase in efficiency in their practices is substantial.”

Next, the court conceded that there are risks associated with virtual proceedings. Specifically, participants’ unfamiliarity with technology, off-screen coaching, and an informal setting that is not as likely to result in a “solemnity for the process.”

Nevertheless, noting that technology continues to evolve in helpful ways, the court concluded that, even when the pandemic ends, we shouldn’t necessarily “just go back to the way it was.” Doing so “assumes that the ‘good old days’ were actually good.”

Finally, and as Ambrogi reported, here’s where the court laid down the law on tech competence and court access:

  • “As to the balance of convenience and any other relevant matters, [Plaintiff’s counsel] submitted that just because virtual procedures are ‘easier and more convenient’ does not overcome the presumption that examination in person is the best way to examine a witness. Au contraire I say. Efficiency, affordability, and enhanced access to justice trump counsels’ comfort and presumptions every time. With the current pace of change, everyone has to keep learning technology. Counsel and the court alike have a duty of technological competency in my respectful view.”

Then, after noting that more experienced attorneys might not be as familiar with technology as newer lawyers, the court stated:

  • “Technological change affects everyone. Once upon a time, I had to learn how to use a Gestetner (Google it) and then a fax machine. I do not accept that in person is just ‘better’. It can be in some cases. But if counsel just prefers it because he or she is more comfortable with it, ought we to reject the printer because I liked my Gestetner (and Word Perfect for that matter)? The balance of convenience favours easier and more convenient processes with accompanying cost savings.”

There you have it. Competence includes tech competence, and tech competence can increase access.

Who’d have thunk it?

Tech competence: do lawyers have a duty to follow the news?

The early days of this blog featured me harping on the duty of tech competence.  Long-time readers might remember the refrain: competence includes tech competence.

While they might not know it, two of my ethics gurus are Lucian Pera and Catherine Reach.   I consider each a friend of this blog and am particularly thankful for their thoughts and work on a lawyer’s duty to understand the risks and benefits that technology brings to the practice of law.

In the current issue of Law Practice Magazine, Lucian explores the idea that the duty of tech competence includes following the news.  After setting the groundwork by referencing the applicable Rules of Professional Conduct, Lucian writes:

  • “My pitch: As lawyers, we need to be alert to the news of hacks and cybersecurity incidents, whether specifically about lawyers or not, and we should have regular conversations with our tech gurus about them. They are teachable moments.  We need to train ourselves to be in regular learning mode. Because we can learn from others’ experiences and mistakes.”

From there, Lucian uses two cyber incidents – one widely reported, the other less so – to make the argument.  Lucian concludes:

  • “Our ethical obligations amid the dangerous tech environment in which we find ourselves demand that we stay informed about new threats and how we are positioned to protect ourselves.”

I’m no fan of the news and, but for sports news, avoid it on purpose.[1]  It’s part of my personal wellness campaign. Still, I agree with Lucian’s point.  And, as I blogged here, I agree that lawyers can learn cybersecurity lessons from other professions.

I know what you’re thinking: “Mike, that’s all well & good, but how do I stay up on tech news?”

Here’s one way: check out Catherine’s work for the North Carolina Bar Association’s Center for Practice Management.

Following up on Lucian’s article, Catherine posted Staying Up to Speed on Security. Catherine’s post includes helpful “resources to subscribe to or follow to keep up to date with the constantly shifting sands of cybersecurity.” It’s worth the read and might lead to the one tip that saves you from learning this stuff after it’s too late.

As always, let’s be careful out there.


[1] Due to my news blockade, I only learned today – from a lawyer who called with an inquiry – that Taylor Swift did not win this year’s AMA Artist of the Year.  The Rules of Professional Conduct frown upon impugning judges’ integrity.  Alas, there can be no other explanation!

Tech competence: don’t take the wrong message from this NJ decision declining to sanction a lawyer.

When I created this blog, many early posts focused on technology.  Long-time readers probably remember the mantra “competence includes tech competence.”  Key points included:

  1. At some point, a basic understanding of technology that impacts client matters is required.
  2. Technology is always evolving.
  3. Even if you don’t know everything about a new technology, sometimes it helps to analogize to a “paper” or “real life” situation.

Weaved into the messaging was a reminder that “but I don’t even know how that stuff works!” likely won’t excuse a violation of the Rules of Professional Conduct.  Which is why today’s story so interests me.

As reported by the ABA Journal, the New Jersey Supreme Court recently dismissed disciplinary charges against a lawyer whose paralegal had obtained information directly from a represented adverse party via Facebook.  Law360 and Law.com also reported the opinion.

First, I’m going to summarize what happened. Then, I’m going to share several of the New Jersey Supreme Court’s statements with which I agree, and one that gives me pause.

What happened?

Flashback to 2007.  Yes, 2007.  Plaintiff, a police officer, was struck by a police car while exercising in the police station’s parking lot.  Plaintiff sued the police department.  Plaintiff claimed significant injuries.

Attorney represented the Department. In 2008, Attorney instructed Paralegal to “conduct internet research” into Plaintiff.  Paralegal found Plaintiff’s Facebook page.

With respect to what happened next, here’s what’s not in dispute:

At a time when Attorney knew that Plaintiff was represented, Paralegal became Facebook friends with Plaintiff.  Paralegal found a video showing Plaintiff wrestling.  Paralegal downloaded the video and gave it to Attorney.  Attorney believed that the video was made after Plaintiff was struck by the police car.  So, another lawyer in Plaintiff’s firm asked questions about the video during Plaintiff’s deposition.  Afterwards, Attorney forwarded the video and other postings to Plaintiff’s Counsel.  Never having consented to direct communication with Plaintiff, Counsel filed an ethics complaint against Attorney.

Not all was undisputed.  At a disciplinary hearing that, for reasons not important here, did not happen until April 2018, different versions of what else happened next emerged.

Paralegal’s version:  for a while, Plaintiff’s Facebook account was public, Paralegal monitored the account, and reported publicly available information to Attorney.  The account became private. Paralegal told Attorney that the only way to continue to monitor the account was to become Facebook friends with Plaintiff.  Attorney did not seem to understand Facebook privacy settings or friend requests and instructed Paralegal to send a message that would grant access to Plaintiff’s postings.  Paralegal sent a Facebook message to Plaintiff stating that Plaintiff looked like Paralegal’s favorite hockey player.  Plaintiff responded with “flirtatious messages” and a friend request.  Paralegal accepted the request and resumed monitoring the account.

Plaintiff’s version:  the account was always private.  Paralegal sent a friend request that Plaintiff accepted.  Plaintiff messaged Paralegal, asking who Plaintiff was.  Paralegal replied that Plaintiff looked like Paralegal’s favorite hockey player.  Nothing in Paralegal’s profile or reply indicated that Paralegal worked with Attorney.

Attorney: I told Paralegal to conduct internet research.  Back then, I didn’t know what it meant to be Facebook friends or that Facebook offered various privacy settings.  I did not tell Paralegal to friend Plaintiff.   I told Plaintiff to monitor any information about the lawsuit that Plaintiff posted to the internet. I believed that information posted to Facebook was available to all and that the duties of competence and diligence that I owed to my client required me to review such information.

Over many years, the case worked its way through New Jersey’s disciplinary system.  Eventually, at the trial level, a Special Master concluded that Attorney did not violate the Rules of Professional Conduct.

On review, the Disciplinary Review Board (DRB) concluded otherwise, determining that Attorney violated (1) the rule that prohibits communication with represented persons; (2) the rule that prohibits dishonesty (Paralegal’s failure to identify Paralegal’s role was a misrepresentation by omission); and (3) the rule that required Attorney to ensure that Paralegal’s conduct conformed with Attorney’s professional obligations.

In the end, the New Jersey Supreme Court dismissed the charges, concluding that they had not been proven by clear and convincing evidence. To a large degree, the court’s opinion recognizes that the ultimate decision turns on witness credibility and that the Special Master – not the DRB or the court – was in the best position to assess credibility having presided over the evidentiary hearing.

Still, several of the court’s statements bear noting.  Because while the court declined to sanction Attorney, it also made clear our duties with respect to tech competence.

For instance,

  • “[Attorney] may have had a good faith misunderstanding about the nature of Facebook in 2008, as the special master found; but there should be no lack of clarity today about the professional strictures guiding attorneys in the use of Facebook and other similar social media platforms.”

The court went on:

  • “When the communication is ethically proscribed, it makes no difference in what medium the message is communicated. The same rule applies to communications in person or by letter, email, or telephone, or through social media, such as Facebook.”


  • “Lawyers must educate themselves about the commonly used forms of social media to avoid the scenario that arose in this case. The defense of ignorance will not be a safe haven.”

I don’t disagree with any of the quoted statements.  I’m especially a fan of refusing to find port in the storm for the “the defense of ignorance.”  Yet, it’s another statement that gives me pause.

Essentially, a single statement underpins the court’s opinion:

  • “What attorneys know or reasonably should know about Facebook and other social media today is not a standard that we can impute to [Attorney] in 2008 when Facebook was in its infancy.”

I get it.  Really, I do.  But, for practicing lawyers and their nonlawyer assistants, I urge caution.

On tech competence, people in my practice area have been clear: we are long past the day when we will provide “hard and fast” pronouncements on each new technological development.  Rather, lawyers are reminded that technology will continue to develop and, as it does, lawyers remain under a duty to ensure that their use of technology complies with the Rules of Professional Conduct.[i]

Whether 2030, 2025, or sooner, there will be a new way to communicate that none of us has ever imagined.  In my view, the New Jersey opinion should not be viewed as suggesting that, with brand new technology, lawyers can use first, ask questions later.  That is, with respect to the conclusion that a technology’s “infancy” may excuse a violation, I’d be very careful in how I define “infancy.” Indeed, as I read the NJ opinion, both Paralegal and Plaintiff were well-versed in how Facebook worked. It was only Attorney who was not.

Also, for two reasons, don’t forget my point about analogizing to “paper” or “real life.”

First, when the day comes that an assistant asks you if you want to communicate with a represented person via the assistant’s Ansible, I hope your reaction isn’t “I wonder what Ansible is.”  Instead, I hope warning bells go off as you respond, “we can’t communicate with a represented person!!”[ii]

Second, I suppose an assistant might resort to Ansible without asking you first.  So, remember: if someone brings you information that seems too good to be true, it just might be.

Competence includes tech competence.  As always, be careful out there.

Social Media

[i] See, ABA Formal Opinion 477R

[ii] It’s okay if you clicked on the Wiki entry for Ansible before realizing that that you’d been asked to communicate with a represented person.  As an old coach, it’s best to make mistakes in practice, learn from them, and not repeat them in games.

Tech Competence and . . . flipping the bird?

It’s been a while since I’ve posted.  I love easing my way back into blogging with quick hitters.  So, without further ado:

Tip #1.   During a remote hearing, whether angry at yourself, opposing counsel, the court, or a screen that’s blank, frozen, or otherwise not working properly, don’t “flip the bird” at your camera.

Tip #2.  If you forget Tip #1, be honest when the court asks you what it just saw.

Today’s post comes thanks to a tip from Catamount Law’s Samantha Lednicky.  Last week, Sam sent me this order issued by the Michigan Court of Appeals.  The ABA Journal and Detroit Free Press have coverage.

I leave further reading to curious minds.

Flip the Bird

Related Posts:

Preparing for a remote hearing? Maybe check your client’s screen name

Tech Competence & Cats

Tech Competence Posts:

Go here for all my posts categorized or tagged as “tech competence.”

Wisconsin Advisory Opinion Offers Cybersecurity Tips on Working Remotely

In late January, the Wisconsin Bar issued Formal Ethics Opinion EF-21-02: Working Remotely.  The opinion makes three important points and shares helpful and practical guidance on cybersecurity practices, training & supervision, and preparing clients.


First, the important points.

I’m a fan of the opening line of the synopsis:

  • “The basic responsibilities that a lawyer owes the client – competence, diligence, communication, and confidentiality – lie at the core of lawyer’s professional obligations and remain unchanged irrespective of the lawyer’s physical location.”

That’s critical: the pandemic hasn’t lessened or diminished our professional obligations.  Our responsibilities remain the same as in 2019 when we were working in our offices.  Further, our basic obligations to clients will not change once the pandemic ends. As the opinion points out, “it is expected that lawyers, like other professionals, will continue to work remotely in some form after the pandemic.” So, the guidance, while issued in response to the pandemic, will prove valuable in an increasingly remote post-pandemic workplace.

Next, the opinion reiterates what I’ve been blogging for years: competence includes tech competence.  Pages 2 and 3 include language that I’m certain will worry lawyers.  The language, however, is important to take to heart.

  • “Basic technological competence includes, at a minimum, knowledge of the types of devices available for communication, software options for communication, preparation, transmission and storage of documents and other information, and the means to keep the devices and the information they transmit and store secure and private.”

As the opinion notes, large firms likely will employ IT professionals for these issues.  Small firms and solos are reminded that they “may need to retain the services of an expert if they lack the knowledge to personally manage the technological aspects of practice.”

Finally, the conclusion ties together the first two points in an important reminder:

  • “The COVID-19 pandemic has dramatically changed how lawyers work and represent their clients. Some of these changes may be temporary but others are likely part of a movement towards increased reliance on technology in the practice of law. As working remotely has become the new normal, lawyers must develop new skills and knowledge to comply with their core responsibilities.”


I’ll finish by cutting and pasting the guidance and practical tips that begin on page 10 of the Wisconsin opinion.  I’ve reformatted & renumbered the footnotes to endnotes.


General Guidance

 It is impossible to provide specific requirements for working remotely because lawyers’ ethical duties are continually evolving as technology changes. It is possible, however, to provide some guidance. Cybersecurity Practices Because working remotely relies on technology, competence in technology and cybersecurity practices are essential. The following cybersecurity practices have been recommended by a number of ethics opinions[i] and other resources. None of these practices are new: they are reasonable precautions that have helped lawyers fulfill their ethical obligations, especially the duty of confidentiality, when working in the office and when working remotely, whether at home during evenings and weekends, or during travel for work or vacation.

  • Require strong passwords to protect data and to access devices. The more complex the password, the less likely that an unauthorized user will be able to access data or devices by using password cracking techniques or software.
  • Use two-factor or multi-factor authentication to access firm information and firm networks. Although requiring an additional authentication step, such as a six-digit code sent to the lawyer’s phone or email, may seem inconvenient or burdensome, it is a reasonable precaution that increases protection and reduces the likelihood of unauthorized access by providing an additional layer of security beyond a strong password.
  • Avoid using unsecured or public WiFi when accessing or transmitting client information. Hackers can access unencrypted information on unsecured WiFi and can use unsecured WiFi to distribute malware.
  • Use a virtual private network (VPN) when accessing or transmitting client information. A VPN encrypts information and allows users to create a secure connection to another network.
  • Use firewalls and secure router settings. A firewall monitors and controls incoming and outgoing network traffic based on predetermined security rules: it establishes a barrier between a trusted network and an untrusted network. A router connects multiple devices to the Internet, and connects the devices to each other.
  • Use and keep current anti-virus and anti-malware software. Anti-virus and anti-malware both refer to software designed to detect, protect against, and remove malicious software.
  • Keep all software current: install updates immediately. Updates help patch security flaws or software vulnerabilities, which are security holes or weaknesses found in a software program or operating system.
  • Supply or require employees to use secure and encrypted laptops. All lawyers and staff should use only firm issued devices with security protections and backup systems and prohibit storage of firm or client information on unauthorized devices. All devices used by the lawyer, such as desktop computers, laptops, tablets, portable drives, phones, and scanning and copy machines, should be protected.
  • Do not use USB drives or other external devices unless they are owned by the firm or they are provided by a trusted source.
  • Specify how and where data created remotely will be stored and how it will be backed up.
  • Save data permanently only on the office network, not personal devices. If saved on personal devices, taking reasonable precautions to protect such information.
  • Use reputable vendors for cloud services. Transmission and storage of firm and client information through a cloud service is appropriate provided the lawyer has made sufficient inquiry that the service is competent and reputable.[ii]
  • Encrypt emails or use other security to protect sensitive information from unauthorized disclosure. A lawyer should balance the interests in determining when encryption is appropriate.
  • Encrypt electronic records, including backups containing sensitive information such a personally identifiable information.
  • Do not open suspicious attachments or click unusual links in messages, email, tweets, posts, online ads.
  • Use websites have enhanced security whenever possible. Such websites begin with “HTTPS” in their address rather than “HTTP,” and encrypt the communication.
  • Provide adequate security for video meetings or conferences. The FBI has recommended the following steps: use the up-to-date version of the application; do not make the meetings public; require a meeting password; do not share the link to the video meeting on an unrestricted publicly available social media post; provide the meeting link directly to the invited guests; and manage the screen-sharing options.[iii] In selecting a videoconferencing platform, the lawyer should make sure it is sufficiently secure both in its structure and its contractual terms of use, especially any terms on access to user information.[iv]
  • Do not have work-related conversations in the presence of smart devices such as voice assistants. These devices may listen to and record conversations.[v]

Training and Supervision

To comply with the duties required by SCR 20:5.1 and 5.3, partners, managers and supervisory lawyers should consider whether the firm’s policies and procedures are adequate to address the specific challenges that may arise when lawyers and nonlawyer assistants are working remotely.

  • Establish and implement policies and procedures for cybersecurity practices. These policies and procedures should be in writing and provided to all lawyers and nonlawyer assistants, and stress compliance.
  • Establish and implement policies and procedures for the training and supervision of lawyers and nonlawyer assistants in the firm’s cybersecurity practices. Training is the most basic step in avoiding a cyberattack at a law firm. In other words, it is extremely important to develop a culture of awareness. The most serious vulnerabilities of a cybersecurity system are not the hardware or software, but rather the people who use it. It is estimated that 90% of cybersecurity breaches are due to human error.[vi]
  • Establish and implement policies and procedures regarding remote workspaces to mitigate the risk of inadvertent or unauthorized disclosures of information relating to the representation of clients. Remote workspaces should be private to ensure that others do not have access to phone conversations, video conferences, or case-related materials.
  • Hold sufficiently frequent remote meetings between supervising attorneys and supervised attorneys, and between supervising attorneys and supervised nonlawyer assistants to achieve effective supervision.

Preparing Clients

Representing a client remotely may present challenges to competent representation.[vii] Consequently, a lawyer should carefully consider whether the lawyer can adequately prepare the client to testify or for interviews while working remotely.

  • The lawyer and the client should have sufficient ability with the technology.
  • The lawyer and the client should have access to relevant documents.
  • The lawyer and the client have adequate time and attention to ensure the client’s comfort with the communicating by the medium that will be used.

[i] See, e.g., Wisconsin Formal Ethics Opinion EF-15-01: Ethical Obligations of Attorneys Using Cloud Computing (Amended September 8, 2017).

[ii] Wisconsin Formal Ethics Opinion EF-15-01.

[iii] https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-ofteleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic

[iv] Lawyers must understand that if video conferences are recorded the vendor may retain a copy under the terms of service. See INSIGHT: Zooming and Attorney Client Privilege, https://www.bloomberglaw.com/exp/eyJjdHh0IjoiQ1ZOVyIsImlkIjoiMDAwMDAxNzEtZWExYy1kMDAwLWE5N2YtZ WE3ZTkwYWMwMDAxIiwic2lnIjoidVliaWhQR3J3ZmpWcDBKeE5KY1JYV1c0RlcwPSIsInRpbWUiOiIxNTkwMjQwMzM 1IiwidXVpZCI6IndNWHUzdVFGajBEWGxkZFBKcTNSVVE9PU1ZZmVtSkhLU0hBMWtPNG8rTE50eGc9PSIsInYiOiIxIn0= ?usertype=External&bwid=00000171-ea1c-d000-a97fea7e90ac0001&qid=6912181&cti=LSCH&uc=1320042032&et=SINGLE_ARTICLE&emc=bcvnw_cn%3A7&bna_news_ filter=true

[v] For example, Google and Amazon maintain those recordings on servers and hire people to review the recordings. Although the identities of the speakers are not disclosed to these reviewers, they might hear sufficient details to be able to connect a voice to a specific person. https://www.vox.com/recode/2020/2/21/21032140/alexa-amazongoogle-home-siri-applemicrosoft-cortana-recording .

[vi] https://www.techradar.com/news/90-percent-of-data-breaches-are-caused-by-humanerror#:~:text=A%20new%20report%20from%20Kaspersky,carried%20out%20by%20cloud%20providers .

[vii] The New York County Lawyers Association Formal Opinion 754-2020 at 3.

Tech Competence & Cats

Back when I blogged more often than I do now, I’d post about tech on Tuesdays.

Today, I didn’t intend to blog. Alas, in the past hour, numerous readers have emailed or texted me the same story.  Initially, it came from lawyers. Then, my friend Waskow texted me and my brother, with my brother replying, “I hope this makes the blog.”

When the non-lawyers chime in, who am I not to share a cautionary tale involving tech competence?

Lawyers: may your careers in law never require you to tell a judge “I’m not a cat.” 

If the Florida Bar’s tweet doesn’t work for you, it’s on YouTube here.

Social Media & Legal Ethics: Keep It Real.

As I usually do every year, I presented a CLE for the Vermont Paralegal Organization on Wednesday.  I present for many groups.  I assure you that there is no group more dedicated to providing competent services than Vermont’s paralegals.  They are a valuable resource that we should not overlook or undervalue.

The topic was social media & legal ethics.  My theme was “Keep it Real.”  I tried to convey that social media isn’t so much the cause of misconduct as it is a relatively new forum for misconduct that has always existed. That is, if it’s wrong in real life, it’s wrong on social media.

Here’s how I tried to make my point.

Social Media

Consider the following 8 headlines.  You’re only allowed to click on 4.  Which do you choose?

  1. Judge reprimanded for sexting women in his robes.
  2. Judge sanctioned for harassment.
  3. Instagram posts land Lawyer in hot water.
  4. Lawyer sanctioned for misrepresentation to a tribunal.
  5. Lawyer suspended over rude Facebook message to client.
  6. Lawyer suspended for failing to properly communicate with client.
  7. Facebook spoliation results in $700K in sanctions and 5-year license suspension.
  8. Lawyer suspended for discovery violations and lack of candor to a tribunal.

I’m guessing that many of you have already figured it out.  While the list includes 8 headlines, there are only 4 stories.  Clicking on 1 or 2 would return the same story.  The same goes for 3 & 4, 5 & 6, 7 & 8.

It seems to me that “social media sells.”  Its click-bait nature, I think, does a disservice in the sense that in each of the 4 matters, the conduct would have resulted in disciplinary sanctions even if it had not involved social media.

For instance, the Tennessee judge’s ‘overtly sexual’ messages would’ve have been just as wrong if sent via U.S. mail with accompanying Polaroids.  (h/t ABA Journal).

The Instagram posts that revealed this lawyer’s dishonesty did not make the lawyer’s misconduct any worse than it already was.

A lawyer who is rude and/or non-responsive to a client’s Facebook Messages is no different than a lawyer who is rude and/or non-responsive to a client’s phone calls and letters.

Finally, counseling a client to destroy evidence, lie about it in discovery, and then attempt to cover-up the entire scheme is a violation regardless of whether the evidence is electronic. (h/t Above The Law).

Imagine the following ethics inquiry:

  • Lawyer: “Mike, can I send a Facebook message directly to my client’s represented adversary?”
  • Me: “Would that be okay to do by letter in real life?”
  • Lawyer: “No.”
  • Me:  “There you have it. Keep it real.

Below, I’ve pasted in links to resources.  It’s a sampling, not an exhaustive list. If you only have time for one, I recommend the Social Media & Legal Ethics Guidelines published by the Commercial & Federal Litigation Section of the New York State Bar Association.

In closing, does social media raise new questions?


But, often, the answer is the same as it was in the old days.

What’s wrong is wrong.




Redacting Confidential Info

In January, Paul Manafort’s lawyers made headlines for failing to take proper steps to redact a document.  Myriad outlets covered the story, including The Atlantic, BBC, and Legal Tech News.

In response, the ABA Journal posted How to redact a PDF and protect your clients.  A few days later, I recommended the ABA post in my blog Competence, Confidences and PDFs

Today, the ABA Journal published more helpful information: Redacting confidential client information: The devil is in the detailsThe post points out the risks in failing to understand how property to redact a document.  I recommend it.

One risk? Disciplinary action.  Lawyers have a duty not to disclose information relating to the representation of a client.  There’s also a duty to use reasonable safeguards to protect against unauthorized access to or inadvertent disclosure of confidential information.  In my view, employing a redaction method that fails to keep information confidential is not a reasonable safeguard.

Rather, it’s tech incompetence.

Image result for images of redacting confidential info