Redacting Confidential Info

In January, Paul Manafort’s lawyers made headlines for failing to take proper steps to redact a document.  Myriad outlets covered the story, including The Atlantic, BBC, and Legal Tech News.

In response, the ABA Journal posted How to redact a PDF and protect your clients.  A few days later, I recommended the ABA post in my blog Competence, Confidences and PDFs

Today, the ABA Journal published more helpful information: Redacting confidential client information: The devil is in the detailsThe post points out the risks in failing to understand how property to redact a document.  I recommend it.

One risk? Disciplinary action.  Lawyers have a duty not to disclose information relating to the representation of a client.  There’s also a duty to use reasonable safeguards to protect against unauthorized access to or inadvertent disclosure of confidential information.  In my view, employing a redaction method that fails to keep information confidential is not a reasonable safeguard.

Rather, it’s tech incompetence.

Image result for images of redacting confidential info

 

 

 

Advising Clients on Social Media Use

At CLEs over the past few months, lawyers have seemed surprised to hear me suggest that the duty of competence includes advising clients to refrain from social media posts that could be detrimental to their cases.

The surprise surprises me.

Indeed, I’ve often followed up by asking whether anyone has had a client’s social media post used by the other side.  The raised hands and nodding heads tell me that it happens.

A lot.

So if we know that it’s happening a lot, shouldn’t we advise our clients not to do it?

Last summer, the ABA Journal posted Celebrity attorneys face challenges, ethical pitfalls.  One of the challenges mentioned is clients’ use of social media.  Here are two paragraphs:

“ ‘Likely you have a whole team of people doing damage control,’ says Ann Murphy, a professor at the Gonzaga University School of Law who published ‘Spin Control and the High-Profile Client’ in the Syracuse Law Review. ‘The attorney needs to be very, very careful to keep the client’s legal advice separate.’

‘Attorneys, as part of their ethical duties, must now counsel their clients on the use of social media,’ Murphy says. ‘Once it is out there, it is out there. Even if someone deletes a Facebook post—it likely has been saved as a screenshot and is of course subject to discovery,” she adds. ‘Personally, I think the best advice is tell the client that any posts about his or her case must be viewed in advance by the attorney.'”

I get it. Both the ABA Journal and Professor Murphy are focusing on lawyers who represent celebrities.  Still, look again at one of Professor Murphy’s statements:

” ‘Once it is out there, it is out there. Even if someone deletes a Facebook post—it likely has been saved as a screenshot and is of course subject to discovery. ‘ ”

That could be any client, celebrity or not.

The ABA Journal poses a “question of the week.” Each new question is followed by the  “featured to response” to the prior week’s question.

Last week’s question was What advice do you give your clients about social media? 

This week’s – How do you stay alert during long meetings or trials? – includes the featured response to last week’s social media question.  The featured response:

  • “In some ways, I take a more laissez-faire approach than many attorneys: Yes, I would love it if my clients would avoid social media, but at the end of the day, they’re going to do what they want to do. If they were great at heeding sensible advice, they probably wouldn’t have ended up in my office in the first place. I ask them to think before they post. I ask them to review their privacy settings. I ask that they avoid posting things directly related to the case at hand. And then, I just cross my fingers that the guy on trial for trying to strangle his girlfriend doesn’t post a meme about strangling one’s girlfriend.” (emphasis added)

The advice in bold?  Seems pretty simple.

Not only that, when we know that the other side is looking, it’s advice that competent lawyers provide.

Social Media

 

 

 

 

Competence, Confidences and PDFs

In my view, Rules 1.1 and 1.6 impose a duty to act competently to prevent the unauthorized access to or disclosure of information relating to the representation of a client.  I’ve blogged on this issue many times:

Next week, I’m presenting two seminars at the YLD Mid-Winter Thaw in Montreal.  In the first, I’m on a panel with Judge Hayes and the Judiciary’s Andy Stone.  Judge Hayes and Andy will introduce lawyers to the Judiciary’s new case management system.  My job will be to chime in on ethics issues that might arise with electronic filing.   My thoughts will focus on tech competence.

expos

Imagine this scenario: whether in a filing or a communication to opposing counsel, a lawyer includes a PDF.  Prior to transmission, the lawyer redacted the PDF to keep certain information confidential.  Alas, the lawyer did not properly redact the PDF.  By highlighting the redacted the portions and pasting them into a new document, opposing counsel, or anyone else with access to the PDF, can discover what the lawyer intended to obscure.  The filing is here.

Did the lawyer take reasonable precautions to protect the information?  Was it a one-time mistake that doesn’t rise to the level of an ethics violation?  What if it was information that the court had ordered remain confidential and now is public?

Earlier this week, lawyers for Paul Manafort, President Trump’s former campaign chair, filed a response to special counsel Robert Mueller’s allegation that Manafort lied to Mueller’s investigators.  Due to what the ABA Journal described as a “technical oversight,” the filing was not properly redacted.  As such, the media was able to discover that Manafort is accused of sharing polling data with a Russian business person.  The story has been covered by the ABA Journal, BuzzFeed, Fox News, and the Washington Post.

(Update at 1:16 PM on January 10:  Above The Law’s Joe Patrice has a great recap here.)

Go back to the scenario I posited above: what if that’s you in a Vermont case?  What if you meant to redact a client’s proprietary information, or a witness’s mental health records, or a confidential informant’s identity? What if you didn’t do it right?

Jason Tashea writes for the ABA Journal. Today, he posted How to redact a PDF and protect your clients.  If this is an area of tech competence that interests or concerns you, I’d suggest giving Jason’s post a read.

 

ABA Addresses an Attorney’s Obligations in Response to a Data Breach

I’ve blogged often on a lawyer’s duty to act competently to safeguard client data.  Generally, an attorney must take reasonable precautions to protect against inadvertent or unauthorized disclosure of client information.  Some of my posts:

Last month, the ABA’s Standing Committee on Ethics & Professional Responsibility issued Formal Opinion 483.  It sets out a lawyer’s obligations following an electronic data breach or cyber attack.

The opinion is detailed and technical.  It’s worth reading, or, at the very least, sharing with your IT support staff.  Also, various outlets have reported on the opinion, including The National Law Review, Louisiana Legal Ethics, and The ABA Journal.  I suggest each.

I’m going to try to stick to a summary.

  •  Prior to a breach, a lawyer has a duty to act competently to safeguard client property and information.  This likely includes adopting an “incident response plan” that will kick in once a breach occurs.
  • The duty includes an obligation “to monitor the security of electronically stored client property and information.”  In other words, there’s a duty to take reasonable efforts to monitor for and detect unauthorized access. This includes reasonable steps to ensure that vendors act in accordance with the lawyer’s professional obligations.
  • A breach is not necessarily evidence that the lawyer failed to act competently to safeguard client information.
  • If a breach occurs, a lawyer must take reasonable steps to stop it and mitigate the damage that results.
  • If a breach occurs, a lawyer must assess its scope.  This includes determining what information, if any, was lost or accessed.
  • A lawyer must notify current clients if the breach:
    • involves material, confidential client information; or,
    • impairs or prevents the lawyer from representing the client. For example, as would be the case in a ransomware attack.
  • Lawyers must be aware that their ethical obligations are independent of any post-breach obligations imposed by law.  Compliance with professional obligations is not necessarily compliance with other law, and vice versa.

Again, the full opinion is here.

As usual, I like to analogize to non-tech issues.  For instance, when it comes to paper files, most lawyers probably know that there’s a duty to take reasonable safeguards to protect them.  Locked file cabinets.  Locked rooms.  Secure office space.

If a lawyer arrives at work and realizes that the office has been broken into, I imagine the lawyer would intuitively understand the need to determine what, if anything, was viewed or taken.  Then, as appropriate, will notify clients. I also imagine that the lawyer would replace the broken locks, doors, and windows.

Thus, in my view, the ABA opinion clarifies that very standards that most of us already apply to clients’ paper files also applies to their electronic files.

Image result for images of a data breach

 

 

 

 

Court Adopts Comment on Tech Competence

The first rule in the Vermont Rules of Professional Conduct requires lawyers to provide clients with competent representation.  I’ve long argued that Rule 1.1’s duty of competence includes tech competence.

Last week, the Vermont supreme Court promulgated amendments to Rule 1.1.  The amendments add three new comments, including one that makes it clear that, in fact, the duty of competence includes tech competence.  As amended, Comment [8] now reads:

Maintaining Competence

[8] To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technologygy, engage in continuing study and education and comply with all continuing legal education requirements to which a lawyer is subject.

As reported by Robert Ambrogi’s LawSitesBlog, Vermont becomes the 32nd state to adopt the duty of tech competence.

Take a look at the picture that Bob uses on his blog:

Image result for lawyer technology competence

No more.

Don’t confuse the meaning of the new comment. It does not require lawyers to know how to use every new gizmo, gadget, or app.  It’s far more practical than that.

For instance, do you understand the risks and benefits of using certain technologies to transmit confidential communications? Or the risks and benefits of mobile payment services? Have you thought about disabling autocomplete? Do you advise clients against being too social?

Also, don’t sleep on the other new comments. As legal outsourcing becomes more prevalent, the new comments provide helpful guidance.

The new comments take effect on December 10.

Related Posts

 

 

Cybersecurity for Lawyers: learn from other professions

I’ve blogged often on tech competence and the duty to safeguard client data.  In short, lawyers have a duty to take reasonable precautions against the inadvertent disclosure of or unauthorized access to confidential client information.

So, people often ask “what are reasonable precautions?”

It depends.

Nobody likes that answer.  But it’s correct.

For instance, do you mean “what are reasonable precautions when it comes to cloud storage?”  Or, are you asking whether a lawyer has a duty to encrypt e-mail? Wait, maybe you’re talking about your duties when crossing the border? No, no, I get it now:  you’re asking if a lawyer has a duty to disable auto-complete. Oh my gosh, no – you’re referring to the hallmarks of trust account scams.

No matter the mode of communication, no matter the place that information is stored, a lawyer must safeguard client information. And, as I explained here, it makes perfect sense not to get into the habit of re-evaulating a lawyer’s duty with every new technology.  Whatever the next new thing is, a lawyer’s duty will remain the same: to take reasonable precautions against the inadvertent disclosure of or unauthorized access to client information.

But, as this post in the ABA Journal points out, lawyers and law firms aren’t sailing into uncharted waters.  There are lessons to be drawn from other professions.  Per the post, those lessons include:

  • Encryption is important.  I’d even venture to opine that if it isn’t already, we aren’t long for the day when the failure to encrypt is tantamount to a failure to take reasonable precautions.
  • Partners and more senior lawyers have to follow the same rules as everyone else. “I don’t do tech” isn’t reasonable. It’s no different from saying “I don’t do ‘protecting client information.’ “
  • Employees and 3rd party vendors need to be trained on the importance of data security.

There’s a great quote in the article. It’s from Michael Mason, chief of security for Verizon Communications: law firms should foster, grow, and ” ‘develop a culture of security.’ ”

A culture premised on “we hope it doesn’t happen to us” is not a culture of security.

With “it” being a breach, the dreaded “it” has happened not just to lawyers and law firms, but to many other professions.  As the ABA Journal suggests, lawyers would be wise to take heed of the lessons learned by those other professions.

Image result for data security

ESI: there’s risk in failing to preserve.

Say it with me: competence includes tech competence.

In most of my posts on the topic, the unstated message is that a lawyer who fails to satisfy the duty of competence violates Rule 1.1 and risks having a sanction imposed against his or her license.

Here’s my post on Competence, ESI, and E-Discovery.  In it, I wrote that the duty of (tech) competence includes:

  • knowing that “it” exists,
  • knowing that clients, their adversaries, and witnesses have “it;” and,
  • knowing how to protect, preserve, produce, request, review, and use “it.”

What is “it?” It is Electronically Stored Information (“ESI”).

In addition, I cited to an advisory opinion from the State Bar of California that includes the following quote:

  • “Attorney competence related to litigation generally requires, among other things, and at a minimum, a basic understanding of, and facility with, issues relating to e-discovery, including the discovery of electronically stored information (“ESI”).”

Today, I blog to call your attention to other risks. Namely, the risk of having a court impose severe sanctions against you and your clients if you fail to preserve ESI.

Melinda Levitt and Peter Vogel are partners at Foley & Lardner.  Yesterday, The National Law Review posted their article Bad Preservation in eDiscovery is Still Very Costly! 

Give it read.

The article begins by reporting that there is both “good news” and “bad news” when it comes to discovery sanctions for failures to preserve ESI.

The good news is that relative recent amendments to the civil rules reserve the most severe sanctions for situations in which the failure to preserve resulted from an “intent to deprive.” As the authors note, “the ‘bad news’ is that bad preservation behavior continues.”

Next, the authors point out that:

  • “[i]t has been twelve years now since the federal rules were first amended and explicitly came to recognize ‘ESI’ – that is emails, electronic documents, excel spreadsheets, PowerPoints, and a myriad of other electronic materials – as documents” within the meaning of the discovery rules.”

They also point out that, over those 12 years, all of us have become increasingly reliant on technology, without necessarily developing any clue how it works.

Nevertheless,

  • ” . . . there are some basic things that people at least in the business community should have come to understand over the last 12 years. Among them are if litigation is occurring or is about to occur, a company is obligated to take reasonable steps to ensure that its relevant (or potentially relevant) ESI is preserved. That means getting out the word quickly – whether by way of a formal written litigation hold or otherwise – that employees and electronic systems managers/overseers need to take steps to stop either conscious or system-wide deletions or purges of potentially relevant ESI. By now, business owners, their IT employees, and their in-house and outside counsel really should have no doubt about this obligation and how to accomplish it. Granted, meeting this obligation can get dicey and difficult when it comes to things such as employee text messages, social media postings, telephone messages, and structured data. However, in terms of emails and basic electronic documents – the mainstays of business life – there should be no question or hesitation about what needs to be done.  

Then, the meat of their message:

  • “And yet . . . and yet, very recent decisions demonstrate that executives, managers and yes, even lawyers, either remain willfully ignorant of how these business systems work or are determined to pass the buck, having assumed that some mysterious “someone else” in the company was handling things. Well, while courts no longer can impose the most draconian of sanctions, no one should kid him or herself – judges continue to have very potent sanctions options available and are very willing to use them when confronted with preservation misconduct borne of ignorance, indifference or good old-fashioned boneheadness. The following are a few telling examples – and were issued in just the last few weeks – and each leaves us with the question – what were they thinking?”

From there, the article goes on to recount several cases in which significant discovery sanctions were imposed against lawyers and their clients as a result of failures to preserve ESI.  Some might strike a nerve.  If so, there’s still time to sign up for tomorrow’s first-ever VBA Tech Show.

Tech competence.  The lack thereof impacts much more than a lawyer’s license.

E Discovery

 

 

 

 

 

Reruns

Remember reruns?  In the age of streaming content, I don’t know if reruns are even a thing anymore.  If not, good riddance!!

Seriously, was there anything as disappointing as waiting all week for the next episode of your favorite show only to have it be a rerun?

Aside: yes, we used to have wait all week for the next episode of our favorite shows.

As much as I despised reruns as a viewer, I love them as a blogger.  They’re the perfect antidote to writer’s block. So, here goes.

The VBA’s Tech Day is next month.  The agenda is fantastic.  It includes seminars on several topics upon which I’ve blogged in my nauseating ongoing effort to remind lawyers that the duty of competence includes tech competence.

Missed my posts?  Thank goodness for reruns.

Last October, I posted Competence, ESI, and E-DiscoveryIt referenced several topics, including:

  • admitting social media posts into evidence;
  • an attorney’s duties related to a client “taking down” or “scrubbing” social media posts;
  • practical tips on preservation letters regarding ESI.

VBA Tech Day includes seminars on each.

Last September, I posted Protecting Data: Cybersecurity TipsI followed up in February with  ABA Journal Provides Cybersecurity TipsEach post refers back to my post on the electronic transmission & storage of client information: The Cloud: What are Reasonable Precautions? Indeed, I’ve often blogged on Encryption & The Evolving Duty to Safeguard Client Information.

VBA Tech day includes seminars on encryption, cybersecurity, & data security.

Finally, I’ve blogged on using technology to become more efficient.  My post Fees. Is there an App for that? refers to an ABA Journal post that discusses how technology can help lawyers bill more than 2.24 hours per day that, on average, they currently bill.  And, in Tech Competence: It includes more than you might think, I cautioned that a lawyer who isn’t competent in basic tech runs the risk of violating Rule 1.5 by over-billing clients.

VBA Tech Day includes seminars on using technology to become more efficient at billing.

I think the networks might have used reruns to build anticipation for the final few episodes of a show’s season.  Most of those episodes ran in May.

Well, I’ve posted some reruns here today. Hopefully they build anticipation for VBA Tech Day.  A terrific conference on tech-related issues that will take place in, you guessed it, May.

See the source image

 

ABA Journal Provides Cybersecurity Tips

Rules 1.1 and 1.6 operate to impose a duty to act competently to safeguard information relating to the representation of a client.  The duty includes taking reasonable steps to protect against the unauthorized or inadvertent disclosure of (or access to) electronically stored client data.

In 2018, the ABA Journal will publish a year-long series on cybersecurity.  Last month, and as part of the series, the ABA Journal posted 5 cybersecurity steps you should already be taking.  I recommend it.  A quick summary:

  1. Check to see if you’ve been pwned.
  2. Consider a password manager.
  3. Improve the strength of your passwords.
  4. Use 2-factor (or multi-factor) authentication.
  5. Encrypt your devices.

Again, read the post.  It’s not long, and the tips are as simple as they are valuable.

Finally, don’t forget that the Vermont Bar Association is offering its first ever Tech Day on May 16.  It’s shaping up to be a fantastic CLE.

cyber-security

Service via Instagram

It has been over two years since I first blogged on tech competence.  As regular readers know, my opinion is that competence includes tech competence.

Here’s the latest:  Above The Law and Canadian Lawyer have the story of a Toronto lawyer who received permission to serve an adversary via direct message on Instagram. The lawyer made the request after unsuccessful attempts to serve the defendant in person and by e-mail.

Remember: as I’ve often said, the rules don’t require lawyers to have or to use social media platforms.  However, my position is that Rule 1.1’s duty of competence includes providing clients with competent advice as to the impact (or not) that their social media platforms will have on any particular matter.  This includes the impact of information that clients make available on social media, and, as today’s story illustrates, the impact of merely having a social media account through which messages can be delivered.  For instance, imagine a client’s claim never being brought for no other reason than you didn’t think to check whether the defendant could be “found” on social media.

@vtbarcounsel

See the source image