Alaska you a question about read receipts.

Sorry, bad and lazy pun for a title.  As loyal readers of the site know, I like to write from time-to-time about formal ethics opinions issued by state regulatory bodies.  A recent one caught my attention at first for its — “I cannot believe someone even had to ask feel.”  But, ultimately after I read it all the way through, it intrigued me as a gateway to raise another, related and I happen to think a bit more interesting question.

With that as prologue, on October 26, 2016, the Alaska Bar Association Board of Governors approved Ethics Opinion 2016-1 for release.  The opinion tackles the following question:

Is it ethically permissible for a lawyer to use a “web bug” or other tracking device to track the location and use of emails and documents sent to opposing counsel?

The opinion gets the answer to that question undoubtedly correct by saying that, no, it isn’t and that doing something like that violates Alaska’s RPC 8.4 on generally deceptive conduct and is also problematic because it can undercut the receiving lawyer’s ability to comply with her own obligations under RPC 1.6 to attempt to protect information related to her representation of her client as confidential.

To give a better sense of the kind of technology being discussed, the Opinion explains:

One commercial provider of this web bug service advertises that users may track emails “invisibly” (i.e., without the recipient’s knowledge) and may also track, among other details:

  • when the email was opened;
  • how long the email was reviewed (including whether it was in the foreground or background while the user worked on other activities);
  • how many times the email was opened;
  • whether the recipient opened attachments to the email;
  • how long the attachment (or a page of the attachment) was reviewed;
  • whether and when the subject email or attachment was forwarded; and
  • the rough geographical location of the recipient.

Yikes, right.  That’s a pretty dogged little bug and one that would provide a significant, surreptitious window into the work of the lawyer on the other side.  When I saw the headlines at places like the ABA Journal online about the issuance of this opinion, I jumped to the incorrect conclusion that the lawyer requesting the opinion was a lawyer looking to use this kind of software feature.  At that point, I was surprised anyone would need to ask to know that you couldn’t do this, but the Opinion explains that the request actually came from someone who received an email with one of these “web bugs.”  Thus, the request for a definitive opinion of the wrongful nature of the conduct makes more sense.  (And, for those immediately wondering, apparently some email providers do have countermeasures in place that notify you about some of these “webbugs” and that has to be how the receiving lawyer knew what had transpired.)

I think the opinion is pretty well done and reaches the obvious and correct solution.  It offers some interesting discussion about how, even if the webbug were not surreptitious but actually announced itself, the use of it by the sending lawyer could still be problematic as invasive on the attorney-client relationship through, among other things, potentially revealing otherwise work-product protected information and even endangering the whereabouts of clients who are trying to stay hidden.

What intrigued me enough to write this piece though was a tangential topic that is raised a bit in a footnote to the Opinion, the ethical issues surrounding generic “read receipts” on emails.  Specifically, in footnote 6, the Opinion says:

The use of “delivery receipts” and “read receipts” through Outlook and similar email services does not intrude upon the attorney’s work product or track the use of a document, and therefore is not at issue here.  Those types of receipts are functionally comparable to the receipt one may receive from the use of certified mail.

That last part may well be true — that these are digitally the functional equivalents of a return receipts on certified mail — but I have a slightly different view on this topic.  I certainly do not contend it is unethical for attorneys to send emails to other attorneys that include a request for a “read receipt,” but I uniformly refuse to comply when I get such “read receipt” requests, and I do so because of my obligations under the ethics rules.

If I’m getting an email only because I am an attorney representing a client, then information about when I read that email – how close to when you sent it to me or how far away from when you sent it to me – is “information related to the representation of my client,” and I see no need to do anything other than act to reasonably safeguard that information and decline the read receipt request.

I doubt anyone would ever get disciplined for doing otherwise as a violation of RPC 1.6, but I’m curious as to whether there are others reading this who conduct themselves the same way and have the same view of the “read receipt” issue.

 

Yet another lawyer marketing network joins the fray.

It is often jokingly said that “you learn something new every day.”  I kind of like to think that I learn more than one new thing every day, but results fluctuate.  Last week, in connection with reading about the launch of a new legal marketing network that combines Martindale-Hubbell (which is also behind www.lawyers.com) and Nolo, I learned that Martindale and Nolo are owned by the same company, Internet Brands.  This same company also owns something with which I was entirely unfamiliar, Ngage Live Chat –  a live chat service for lawyers.

Nolo Press is well-known as one of the pioneers for consumers in the “do-it-yourself” approach to law.  The purchase of a pretty well-known commodity in the lawyer rating community by a company called Internet Brands and the fact of common ownership with Nolo seems like something I should have been aware of sooner, but c’est la vie, I guess.

This new marketing network, which will be called the Martindale-Nolo Legal Marketing Network, offers yet another indication of just how significant a push is being made by extremely well-funded companies further into the legal marketing and lead generation space.  Now, of course, like other networks when they have launched, this one claims that it is now that world’s largest legal marketing network.  I don’t have a good sense of whether that is true or not.

A deeper dive into the press release put out about this leaves me learning even more new things (which hopefully drives my per day average up for a while).  The same company that owns Martindale-Hubbell also owns TotalAttorneys.com and a few other services including something called DisabilitySecrets.com, something called DivorceNet.com and another something called DrivingLaws.org.  Total Attorneys is well known among legal ethics nerds such as myself, but if you haven’t paid a visit to its website in a while you might be surprised to see how much more expansive its offerings seem to be, in fact, it really seems like something that looks much more like a direct competitor with something like Martindale-Nolo but for the common ownership.  Interestingly, while the press release references it, I have a good bit of trouble finding it anywhere on the actual Martindale-Nolo website.

The same Martindale-Nolo press release also explains what is contemplated by this particular marketing network in terms of the three “core services” it will deliver, and these clearly include things that are quite likely to be scrutinized under ethics rules referencing payments for referrals versus advertising expenses and lead generation services… which likely means that participating lawyers, at least under current ethics rules like Model Rule 7.2, will need to make sure to pay close attention to terms and conditions.  (And in Tennessee it will be interesting to see if this arrangement finds its way into the basket covered by our special RPC 7.6.)

  • Highlytargeted lead generation, delivered through Martindale-Nolo’s business unit in Pleasanton, Calif., connecting more than 100,000 consumers to attorneys each month from its network of websites. These sites include the high-trafficked domains of Nolo.com, Attorneys.com, AllLaw.com, TotalAttorneys.com, DisabilitySecrets.com, DivorceNet.com, DrivingLaws.org, and a variety of other practice-specific sites. Nolo.com is also highly recognized by consumers for its extensive library of legal resources.
  • Professional websites and online profiles, delivered through Martindale-Hubbell’s flagship websites Martindale.com and Lawyers.com. These established websites display more than 1 million Martindale-Hubbell Peer Review Ratings and Client Review Ratings, as well as educational content to inform visitors about legal issues and processes. The New Providence, N.J.-based business unit has also built and hosted professional websites for more than 40,000 attorneys.
  • Ngage Live Chat, providing 24/7 live chat service for law firm websites. Based in Austin, Texas, Ngage Live Chat uses advanced conversion techniques to deliver twice as many leads to lawyers versus standard website forms or competing chat providers.

You can go take a look yourself at this new offering here, or if you really just want to marvel at how far and fast things have changed in terms of what you think about when you think about Martindale-Hubbell, just read the lead generation portion of the site – here.

Proposal to adopt Ethics 20/20 Revisions in Tennessee Put Out For Public Comment

Back in August 2012, the ABA House of Delegates approved revisions to the ABA Model Rules proposed by the ABA Ethics 20/20 Commission.  Very few of the proposed revisions included in the ABA Ethics 20/20 package are earth-shaking revisions, as many of them only involve change to language in the Comment accompanying certain rules.

The overall bent of the revisions, however, are to address aspects of the impact that technology has on modern law practice, highlight for lawyers their duty to, at the very least, keep abreast of and be competent regarding the types of technologies they use in their practice, and address a few other issues with good guidance regarding how aspects of globalization and the increased use of outsourcing interact with our ethical obligations.

More than twenty-five states have now adopted all or significant parts of the Ethics 20/20 package of changes.  Most recently Washington state has done this, with its revisions to become effective September 1, 2016.  Here in Tennessee, the TBA has filed a petition proposing adoption of almost all of those rule changes, and our Court has now put the TBA petition out for public comment with a November 17, 2016 comment deadline.  (There is also an Errata that the TBA put out to fix a redlining error made by the stupid Chair of the TBA Standing Committee on Ethics and Professional Responsibility when it was pointed out that we’d forgotten to pick up some changes to our RPC 5.5 that went into effect back in January 1, 2016.)

In my opinion, the most important, and most helpful, part of the Ethics 20/20 revisions takes place in RPC 1.6 by explicitly acknowledging the need to reconcile the duty of confidentiality with the duty to avoid conflicts of interest and the fact that, in reality, this means that lawyers need to be able to disclose some otherwise confidential information when looking at moving law firms or when firms are looking at proposed mergers in order to make sure to identify and address potential conflicts of interest under RPC 1.7.

The Tennessee proposed revisions would pick that change up.  Thus, if adopted, like the ABA Model, our RPC 1.6(b)(6) would now provide an exception to RPC 1.6(a) confidentilaity:

(6) to detect and resolve conflicts of interest arising from the lawyer’s change of employment or from changes in the composition or ownership of a firm, but only if the revealed information would not compromise the attorney-client privilege or otherwise prejudice the client.

If adopted, the TBA’s proposed revisions would also move the language about duties of safeguarding confidential information from the Comment to RPC 1.6 up into the black-letter of the rule itself.  Although our version of that rule would be place into a new RPC 1.6(d), instead of Rule 1.6(c) as in the ABA Model Rules because we already have a RPC 1.6(c) that deviates from the ABA Model Rules approach by imposing certain duties of mandatory disclosure of confidential information.

What we do not propose to pick up, however, are certain aspects of the Ethics 20/20 changes that were made to ABA Model Rule 4.4.  This is because, in Tennessee, we have a more robustly detailed version of  the rule that specifically addresses the duties of lawyers when they receive confidential information that they know or should reasonably know was inadvertently transmitted to them or that they know or should reasonably know was provided to them by someone not authorized to have the information in the first place.

Based on the November 2016 comment deadline, there is reason to be hopeful that these proposed revisions might become effective in Tennessee as early as January 1, 2017.  But, stay tuned.

Two developments from the ABA Annual Meeting – which one will have the bigger impact?

The 2016 ABA Annual Meeting continues today and tomorrow but the two actions for which it likely will be most remembered have already transpired.  One happened Monday when, after much public discussion and multiple revisions to the proposal along the way, a final set of proposed revisions to ABA Model Rule 8.4 was approved in a voice vote by the ABA House of Delegates.   As this short article at The ABA Journal makes clear, after all of the criticism over many months, no one requested time to speak against the final version of the proposal.  You can see the full, final version of Revised Resolution 109 that passed here.

I’ve written twice before about earlier versions of the proposal here and here.  The action adds a new RPC 8.4(g) designed to make harassment and discriminatory conduct by lawyers connected to their law practice unethical.  A last set of revisions were made to the proposal in just the last month to change the triggering conduct from potential strict liability of “harass or discriminate on the basis of,” to a more favorable mens rea standard of “engage in conduct that the lawyer knows or reasonably should know is harassment or discrimination on the basis of” and to clarify that “legitimate advice or advocacy consistent with these Rules” would not be prohibited by moving the language protecting such conduct from the comment up into the black-letter rule itself.

It is certainly a significant and historic event for the ABA to have passed this rule revision, and I don’t mean to downplay the significance from the standpoint of the ABA as the largest lawyer organization in the United States.  But, what will be the impact exactly of this action?  The ABA Model Rules do not, of course, actually govern anyone anywhere.  They are, however, a standard setter and often result over time in adoption and implementation in other U.S. jurisdictions.

Will this change to RPC 8.4 work its way through the states?  Well, it is kind of hard to say because one of the big advocacy points of the ABA change was the assertion that 20 states already had a form of the anti-discrimination provision in their version of the rule, so as a starting point this is a change that only targets 30 states.  As a lawyer who practices in the deep South, I will simply state my skepticism about how quickly my own state and the various bright red states around me will move to revise a version of RPC 8.4 not already prohibiting harassment and discrimination.  I’d love to be proven wrong about that though.

The second potentially historic development was the final work product from the ABA Commission on the Future of Legal Services – The Report on the Future of Legal Services in The United States, and the establishment of the Center on Innovation.  In the words of the Commission, the Center on Innovation will be something like an R&D division for the legal industry.  The creation of the Center has already been approved by the Board of Governors, but what will it do — and what will be off-limits to it?  According to the piece at The ABA Journal, the Center’s “primary tasks will include assisting law firms interested in introducing new approaches to their practices, studying innovations in legal services delivery in other countries, and developing training programs for law students interested in innovative law practice.”

But, given the ABA’s problematic history over the years with efforts at exploring nonlawyer ownership of law firms, it is hard to figure out how “studying innovations in legal services delivery in other countries,”  truly leads to anything other than yet another obvious conclusion that the innovations in the delivery of legal services occurring in other countries pretty much involve nonlawyer ownership of law firms.  It doesn’t require much additional study to grasp that point.

Lest I end up sounding completely like Eeyore today, the creation of the Center does not have to be the sole lasting legacy of the ABA Commission on the Future of Legal Services, one of the other recommendations the final report encourages should be implemented — involving making courts more accessible by doing things such as embracing online dispute resolution and self-service kiosk centers — might actually have the most significant potential to assist with perceived, and real, access to justice gaps in the United States, even though it might not be of any benefit to the legal profession.

Here, for those who don’t necessarily have a moment right now to read the full 100+ page report are the 12 recommendations made by the Commission:

RECOMMENDATION 1. The legal profession should support the goal of providing some form of effective assistance for essential civil legal needs to all persons otherwise unable to afford a lawyer.

RECOMMENDATION 2. Courts should consider regulatory innovations in the area of legal services delivery. 2.1. Courts should consider adopting the ABA Model Regulatory Objectives for the Provision of Legal Services. 2.2. Courts should examine, and if they deem appropriate and beneficial to providing greater access to competent legal services, adopt rules and procedures for judicially-authorized-and-regulated legal services providers. 2.3. States should explore how legal services are delivered by entities that employ new technologies and internet-based platforms and then assess the benefits and risks to the public associated with those services. 2.4. Continued exploration of alternative business structures (ABS) will be useful, and where ABS is allowed, evidence and data regarding the risks and benefits associated with these entities should be developed and assessed.

RECOMMENDATION 3. All members of the legal profession should keep abreast of relevant technologies.

RECOMMENDATION 4. Individuals should have regular legal checkups, and the ABA should create guidelines for lawyers, bar associations, and others who develop and administer such checkups.

RECOMMENDATION 5. Courts should be accessible, user-centric, and welcoming to all litigants, while ensuring fairness, impartiality, and due process. 5.1. Physical and virtual access to courts should be expanded. 5.2. Courts should consider streamlining litigation processes through uniform, plainlanguage forms and, where appropriate, expedited litigation procedures. 5.3 Multilingual written materials should be adopted by courts, and the availability of qualified translators and interpreters should be expanded. 5.4. Court-annexed online dispute resolution systems should be piloted and, as appropriate, expanded.

RECOMMENDATION 6. The ABA should establish a Center for Innovation.

RECOMMENDATION 7. The legal profession should partner with other disciplines and the public for insights about innovating the delivery of legal services. 7.1. Increased collaboration with other disciplines can help to improve access to legal services. 7.2. Law schools and bar associations, including the ABA, should offer more continuing legal education and other opportunities for lawyers to study entrepreneurship, innovation, the business and economics of law practice, and other relevant disciplines.

RECOMMENDATION 8. The legal profession should adopt methods, policies, standards, and practices to best advance diversity and inclusion.

RECOMMENDATION 9. The criminal justice system should be reformed. 9.1. The Commission endorses reforms proposed by the ABA Justice Kennedy Commission and others. 9.2. Administrative fines and fees should be adjusted to avoid a disproportionate impact on the poor and to avoid incarceration due to nonpayment of fines and fees. 9.3. Courts should encourage the creation of programs to provide training and mentoring for those who are incarcerated with a goal of easing re-entry into society as productive and law-abiding citizens.9.4. Minor offenses should be decriminalized to help alleviate racial discrepancies and over-incarceration. 9.5. Public defender offices must be funded at levels that ensure appropriate caseloads.

RECOMMENDATION 10. Resources should be vastly expanded to support long-standing efforts that have proven successful in addressing the public’s unmet needs for legal services. 10.1. Legal aid and pro bono efforts must be expanded, fully-funded, and better-promoted. 10.2. Public education about how to access legal services should be widely offered by the ABA, bar associations, courts, lawyers, legal services providers, and law schools.

RECOMMENDATION 11. Outcomes derived from any established or new models for the delivery of legal services must be measured to evaluate effectiveness in fulfilling regulatory objectives.

RECOMMENDATION 12. The ABA and other bar associations should make the examination of the future of legal services part of their ongoing strategic long-range planning.

 

Astonished and admonished.

So, on days like today, it is very difficult to have a forum (even one as small as this one) and not talk about truly important problems plaguing society, but no one comes here for my thoughts on those things so I’ll refrain.

Staying in my lane, here is another example of a problem lawyers are still having trouble grasping.  The exceptions to client confidentiality under RPC 1.6 (which can also be looked to as a way of justifying disclosure of information about representation of a former client under RPC 1.9) are not likely to give you permission to debate a dissatisfied client publicly, online.  This latest example of the problems arising for a lawyer who does so comes via the fine folks at the Legal Profession Blog who first wrote about it yesterday.

A D.C. lawyer has been informally admonished for trying to refute allegations published on the web by a former client.  The former client was complaining about overbilling, and the lawyer’s allegedly negligent/improper handling of a mediation for her.  Even though the DC Office of Disciplinary Counsel ultimately cleared the lawyer of the alleged violations as to fees and actual handling of the matter, the informal admonishment was in order because of what the lawyer disclosed online in responding to the former client’s complaints.

As the informal admonishment letter to the lawyer explains:

We do find, however, that in including detailed information about your client and the client’s case in your responses to her website postings, you violated your obligations under Rule 1.6 to protect her confidences and secrets — obligations that continued after your attorney-client relationship ended.  See Rule 1.6(g).  The information that you included in your responses to the client’s posts included information about the client and the client’s case that were protected under Rule 1.6.  Although you did not refer to the client by name, you included the name of the client’s employer, the dates on which certain events occurred, and other detailed information that could lead back to your former client.  You did not have the client’s consent to publish or disclose this information.  Nor did your disclosures fall within any of the exceptions to Rule 1.6, including the exception under 1.6(e)(3) that permits a lawyer to use or reveal client confidences or secrets “to the extent reasonably necessary to establish a defense to a criminal charge, disciplinary charge, or civil claim, formally instituted against the lawyer . . .” (emphasis supplied).

Now, D.C.’s version of the Rule 1.6 “self-defense” exception makes the inability to do what this lawyer did more clear cut than in many other jurisdictions.  (It also didn’t help this lawyer’s cause, as the letter goes on to explain, that during the disciplinary investigation process, he went back to the online site to post information claiming he’d been exonerated — conduct the letter indicates was a violation of Rule 8.4(c) and that violation is wrapped into the admonishment as well.)  But even in jurisdictions that do not have the “formally instituted” language of D.C., lawyers face an uphill climb trying to respond to online complaints of former clients as I’ve mentioned before a time or two.

It is also worth remembering that, in most jurisdictions, unlike the “confidences and secrets” language still used in D.C., RPC 1.6 extends to any information regarding the representation of a client.  Remembering that, and the fact that a paragraph of the Comment to the rule most places alerts lawyers that the prohibition on revealing information “also applies to disclosures by a lawyer that do not in themselves reveal protected information but could reasonably lead to the discovery of such information by a third person.”

Although the Legal Profession Blog has a bad link, you can get the full letter to the D.C. lawyer here.  And, candidly, I’m a bit astonished by that.  Here, in Tennessee, this kind of informal discipline is private.  Not so in D.C.  Learn something new every day.

(Updated – it was brought to my attention that I also had provided a bad link to the letter.  I’ve corrected the link.  Apologies.)

Two updates – one persuasive, one not so much

An important development for labor lawyers that I delved into a bit recently here has now been put on hold.  I managed to point out that there would be significant efforts aimed through litigation at stopping the rule from ever going into effect.  Yesterday, a Texas federal district court has stayed the Department of Labor’s new “Persuader” rule from going into effect on July 1, 2016.  You can read the full 90-page order here or, if you’d prefer the cliffnotes, this ABA Journal online piece does a fine job as always.  Beyond the substantial concerns that exist about how the rule would impact the giving of legal advice and the seeking of legal counsel by employers in connection with union organizing efforts, the crux of things boils down to whether the Department of Labor exceeded its rule-making authority.

Speaking of people who are union members, some of you will recall that I’ve managed to write twice before, using Johnny Manziel as an example, about how much better off professional athletes can be if they would retain the services of an actual lawyer to represent them because of the benefits they would obtain from the obligations lawyers have to treat all information related to the representation of their clients as confidential.  Well, that didn’t work out so well.  We learned this week that Manziel’s lawyer handling his criminal matter managed to send a rather lengthy text to the Associated Press rather than to the prosecutor with whom he was intending to communicate.  On the upside, this time the lawyer quit rather than firing Manziel as his past agents did, but I’m starting to think that Manziel is just cursed at this point.

Unfortunately, this act of preventable negligence on the part of Manziel’s lawyer will, of course, spur some folks to argue that this is further proof that lawyers should never use text messaging to talk to a client or someone else involved in a matter about a client’s matter.  Do not count me among those folks as I think such advice is entirely unrealistic in 2016.  The only lesson to be learned is the old-fashioned, but harder to swallow, advice about being careful, cautious, and deliberate in all of your communications.

 

Bad blogger – please accept this potpourri like sprinkling of items

The week feels like it is getting away from me, some travel, some work, some personal life, but may be able to write about something more substantive I’ve been meaning to tackle for later this week.  For today, here is a scattershot of stories all of which involve something previously found to be worthwhile enough to have written about.

First, just a very short period of time after the Baker Hostetler announcement of its use of Ross in its bankruptcy practice, we get the announcement that DLA Piper will be using a competing AI software program known as Kira for document review in its mergers and acquisitions practice.  You can read the short ABA Journal story online here.  More indications that this is a fast-moving area and that there will likely be more such announcements coming with regularity.

Second, the availability to consumers of an array of other choices for the delivery of legal services has been a frequent topic here.  The FTC has long been willing to speak out when state bars go too far down regulatory paths that have the potential to really impact consumers — lawyer advertising being an area that they have, in the past, been not at all shy about weighing in on — and the FTC (in conjunction this time with the Antitrust Division of the US Justice Department) has done so again earlier this month with respect to companies operating in the legal service provider sphere and how the services they offer online are beneficial to consumers.  The context involves a North Carolina state senator who requested their input on potential legislation in that state that would address the scope of the definition of the practice of law to carve out certain interactive websites.  Specifically, there is apparently pending in North Carolina a bill that, as the FTC/DOJ describes it would:

amend North Carolina General Statutes Section 84-2.1 to exclude from the statutory definition of the practice of law the operation of interactive websites that generate legal documents based on a consumer’s answers to questions presented by the software.27 A website would have to satisfy several conditions in order to be excluded from the definition of the practice of law, and thus for its provider not to be subject to prosecution for the unauthorized practice of law. These conditions include providing a disclosure that the forms are not a substitute for attorney advice or services, and disclosing the provider’s legal name and physical location and address.

The comment of the combined agencies appears to view the bill, as it stands, as being pro-competitive but also provided some further guidance:

The Agencies recommend that the North Carolina General Assembly not adopt restrictions on such software products unless there is credible evidence that they harm consumers, any restriction is narrowly tailored to address that harm, and the benefits of the restriction will outweigh the harm that will likely result to competition. Should the General Assembly receive any claims of consumer harm from interactive websites or similar products, the Agencies urge the legislature to consider whether the evidence substantiates any such actual or predicted harm.

The full comment of the FTC/DOJ is worth a read and you can get it here.

Last, Karen Rubin and the folks at her firm’s fine blog bring you an update on the latest travails of the lawyer I wrote about here in my Drunk and Disorderly is No Way to Attend a CLE piece.  You can read there latest well done post here.

Three short technology stories for a Tuesday

Throwback Thursday is definitely a thing all over the World Wide Web it seems, but maybe Tech Tuesday ought to be a thing?  Though, I guess, for lawyers focusing on technology has to be an every day affair.

Like multitudes of others, I wrote a little bit recently about the Panama Papers and the Mossack Fonseca data breach fiasco.  Fortune now has an article online about a Wired U.K. story that casts a harsh light on the electronic security measures that the Panamanian firm had in place.  Blurbs like these

Mosseck Fonseca’s client portal, according to Wired, runs on a version of Drupal last updated in 2013, and vulnerable to an array of attacks, including one that would allow attackers to execute commands on the site. Another weakness allows access to the site’s back end just by guessing the right web address.

Just as bad is the firm’s webmail portal, which runs Microsoft Outlook Web Access, and hasn’t been updated since 2009. The firm also did not encrypt its emails. As one expert speaking to Wired put it, “They seem to have been caught in a time warp.”

sound very bad when you are talking about a firm that trafficked almost exclusively in “highly sensitive financial information.”  I suspect though that there are lots of other lawyers out there that are hopeful that their technology arrangements will never be subjected to even half as much scrutiny.

One lawyer who is in the middle of a highly public examination of their choices in technology is the lawyer at the heart of this story yesterday.  The lawyer has been sued by her former clients over a theft from them of $1.9 million resulting from hacking of the lawyer’s email account.  The couple had hired the attorney to represent them in the purchase of a nearly $20 million co-op apartment.  Luckily, it appears that the clients figured out what was going on even before the lawyer did and were able to recover almost all of the $1.9 million that was to be the down payment but was wired to the fraudsters.  The lawyer — and you ought to brace yourself here (though I admittedly know lawyers who still use this service) — was using an AOL email account for her real estate law practice.

The lawsuit contends that AOL accounts are particularly vulnerable to hacking and that the hacking was what let the cybercriminals know when certain transactions were going to take place, but as the article makes clear there were other opportunities for the lawyer to realize something was amiss:

It accuses Doran of forwarding bogus emails from the hackers — who were impersonating the seller of the apartment’s attorney — about payments from the Millards without confirming their authenticity last December. The name of the seller’s attorney was misspelled in the email which should have been a tip off that something was amiss.

Finally, the usually on-point Karen Rubin has a well-done post over at The Law For Lawyers Today about a relatively fortunate Oklahoma lawyer who managed to avoid full reciprocal discipline over his inability to figure out how to e-file in bankruptcy court.

The Oklahoma lawyer was permanently suspended by the Western District of Oklahoma bankruptcy court from ever practicing before it again, but the Oklahoma Supreme Court hit him only with a public censure.  Given the current rhetoric surrounding the practice of law and the demands everyone appears to assume lawyers absolutely must satisfy when it comes to using technology, it is pretty startling to read a state supreme court, in that case Oklahoma’s, issue an opinion in a lawyer discipline case that can be read to seem to minimize the obligation to be technologically competent.  But, in fairness, unless the Oklahoma Supreme Court was going to be willing to disbar the lawyer in question — which would seem supremely harsh — then any discipline imposed through reciprocal channels was going to be less than that meted out by the federal bankruptcy court and a public censure sounds about right to me.

 

Panama Papers – a worst case scenario for the development of cyber liability law for law firms?

It’s an old adage that bad facts make bad law.

In the last few weeks, a good number of pieces were written focusing heightened attention on an issue that many lawyers were already stewing about . . . technological vulnerabilities arising from how lawyers and law firms use (and don’t use) technology.  Most of these stories, like this one and this one, used the news of hackers targeting particular large law firms as the jumping off point for the discussion.

I happen to think that the question of how law firms should address the topic of cyber security is actually a fairly complex one.  Given the vast amount of sensitive information that law firms handle and store, there are obvious strong arguments to make that law firms should have to have the highest level of cyber security in measures in place in all respects.  Yet, I think there are also legitimate arguments that certain aspects of data privacy and data breach laws should not apply in the same fashion to law firms as they do to other businesses.  In the event of a breach of a law firm’s electronic records, the mere act of publicly communicating about it to more than those whose information was known to be compromised, for example, could actually result in certain circumstances in additional harm to clients in the form of breaches of attorney-client confidentiality or privilege.

The last thing lawyers and law firms needed as something that might drive the needle in one direction or another was for the absolute wrong kind of high-profile situation involving a law firm hack to be the focus of attention and in the forefront of any discussion about what the standard of care ought to require of lawyers and law firms in terms of cyber security.  Yet, the last thing lawyers needed arrived: the Mossack Fonseca data breach in Panama, now known as the Panama Papers.

This obscure but remarkably large and incredibly well-connected (or shady depending on your perspective) law firm founded in Panama has been victimized by a hack of some sort resulting in  some 2.6 terabytes of documents to have been improperly accessed and then leaked to the International Consortium of Investigative Journalists.  The vast amount of otherwise confidential information (if you want to visualize how much 2.6 terabytes, imagine you had 1 terabyte sitting on your desk … now think what that would look like if you had another one and then like 60% of another one.  😉 ) that has come out has led to a deluge of news stories about the maneuverings of the global rich to hide their money offshore to avoid taxes or scrutiny or both.

The latest story I’ve seen is this one in The Guardian that focuses a good bit on the firm itself.  It also offers a nice snapshot of the nature of the documents and information leaked after the breach:

The company’s leaked internal database gives some idea of the massive scale of these international operations, many of them perfectly legal. The 11.5m documents include shareholder registers, bank statements, emails from lawyers and accountants, passport scans and contracts. Much of it legal, if hidden.

Most of the media attention to this story has focused on the clients and the policy questions regarding the legality/illegality of what the clients were doing.  Most of the legal media attention paid to the story has, so far, focused on the questionable nature of the lawyering involved — in a way it seems a bit like the 60 Minutes story we covered here a while back but if all of the examples were real in a fashion and one firm was undertaking to represent all of the endeavors.  As Bill Freivogel elegantly put it in an online piece I saw “A U.S. lawyer skating on the edge of what Mossack Fonseca has been doing could easily slip into a federal wire fraud or other criminal prosecution.”

Inevitably, this story will ramp up the rhetoric and discussion about what lawyers and law firms “absolutely” must be doing on the technological side of their business.  For example, we now have this piece from the assistant director of the Center of Practice Management of the North Carolina Bar Association essentially insisting that lawyers must encrypt all of their data, when in use, when in transit, and when it’s in storage and insisting on restrictions on access and downloads, etc.

In an utopia where price and practicality were no option for all lawyers, the North Carolina advice would be commonsense, but many lawyers do not practice in such utopian settings.  And, importantly, the ethics rules nowhere in the United States presently insist that all lawyers adhere to such requirements.  Not in North Carolina, and not even under the post Ethics 20/20 ABA Model Rules, which North Carolina has adopted.  What they require is in Rule 1.6(c):  ” A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

And jurisdictions like North Carolina that have adopted the Ethics 20/20 version elaborate on what this means in two paragraphs of the Comment accompanying Rule 1.6:

[18] Paragraph (c) requires a lawyer to act competently to safeguard information acquired during the representation of a client against unauthorized access by third parties and against inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision. See Rules 1.1, 5.1, and 5.3. The unauthorized access to, or the inadvertent or unauthorized disclosure of, information acquired during the professional relationship with a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule, or may give informed consent to forgo security measures that would otherwise be required by this Rule. Whether a lawyer may be required to take additional steps to safeguard a client’s information to comply with other law—such as state and federal laws that govern data privacy, or that impose notification requirements upon the loss of, or unauthorized access to, electronic information—is beyond the scope of these Rules. For a lawyer’s duties when sharing information with nonlawyers outside the lawyer’s own firm, see Rule 5.3, Comments [3]-[4].

[19] When transmitting a communication that includes information acquired during the representation of a client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of unintended recipients. This duty, however, does not require that the lawyer use special security measures if the method of communication affords a reasonable expectation of privacy. Special circumstances, however, may warrant special precautions. Factors to be considered in determining the reasonableness of the client’s expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to the use of a means of communication that would otherwise be prohibited by this Rule. Whether a lawyer may be required to take additional steps to comply with other law, such as state and federal laws that govern data privacy, is beyond the scope of these Rules.

(all emphasis has been added by me)

But bad facts make bad law.  All of the ramifications of the loss of confidentiality of the data possessed by this particular law firm are going to continue to play out in the most public of ways.  There is no question that this particular firm — given its size, including the number and location of offices, and the fact that it’s core business turned completely on the promise of secrecy — over and above even the level of secrecy people normally think of when they think of hiring a lawyer — needed to have incredibly stringent measures in place to secure its electronic data.  We’re talking about clients, as The Guardian article explains, who were paying thousands of dollars extra just to be able to correspond only through fake email accounts the firm helped create under names like Harry Potter and Isaac Asimov for goodness sake.

If the end result of this story is going to be a call for mandatory encryption, that is not going to be great for the profession at all.  And, frankly, could create a stratification between haves and have nots that could ironically look a lot like the one that already exists between the truly, extraordinarily rich who were hiring a firm like Mossack Fonseca and the rest of the world.  Such a result will only further drive up the cost of legal services and make it even harder for those engaged in the traditional delivery of legal services to compete in a marketplace increasingly under pressure from alternative providers of legal services.

(Edited to fix a few errors caught by a loyal reader.)

Who are these people that ask these questions?

I like a well written, helpful ethics opinion as much as the next guy.  Probably more so, given the statistically low likelihood that anyone standing near me at a given time is also a male lawyer who commits a significant part of their practice to legal ethics and professional responsibility matters.  I think I’ve also managed to establish over the first 11 1/2 months of this blog that I really, really, dislike bad ethics opinions significantly more than the next guy.  (And, by now writing this post in mid-February 2016 about a December 8, 2015 ethics opinion as if it were a “new” opinion, I think I’ve also now demonstrated that I’m behind on my reading.)

Some ethics opinions are a bit maddening mostly because it is hard to believe they ever came to exist in the first place.  NYSBA Ethics Opinion 1076 is one of these where there are so many people involved in it doing things that don’t seem necessary.

From the outset the opinion just appears to exist in some sort of bizarro world where lawyers don’t seem to know how to act.  The “Facts” paragraph of the opinion reads:

Opposing counsel has sent the inquiring attorney an email stating that opposing counsel does not consent to inquiring attorney blind copying inquiring attorney’s client on inquiring attorney’s emails to opposing counsel.

How does he know?  Why does he care?  Does he just assume everyone is doing that and preemptively communicate to them he doesn’t consent?  Who attempts to instruct another lawyer to cease including that lawyer’s own client in email correspondence?  All of those are among the many questions that spring to mind when I read that.

So, the lawyer, wanting to continue the practice of blind copying the client on the email traffic, requests an ethics opinion from the NYSBA about whether he can keep doing it over opposing counsel’s objection.  Wait.  What?  On so many levels, just… what?  Why bother?  You have to know that opposing counsel’s consent doesn’t matter as to how you communicate with your own client, right?  But also, why wouldn’t you just stop doing it and just forward your email to your client after  you send it to opposing counsel?  I can think of lots of things a lawyer might do in the situation, but seeking out an ethics opinion from the state bar wouldn’t make the list.  Because this lawyer did, there now exists an ethics opinion that earnestly resolves whether or not blind-copying a client on an email could somehow be treated as “deceptive” conduct in violation of RPC 8.4.

The end result is, on the bright side, the existence of an ethics opinion that serves a decent purpose — highlighting for lawyers that the practice of cc’ing or even bcc’ing your client on email traffic with opposing counsel is likely not the best idea.  As the opinion explains, cc’ing exposes the client’s email address (which is otherwise information the lawyer is obligated to treat as confidential under RPC 1.6) and makes it easier for opposing counsel to try to communicate directly with your client.  Bcc’ing shields the RPC 1.6 information, but makes it easier for your own client to accidentally communicate information meant only for you to adverse counsel.  Given that simply forwarding an email you want your client to know was sent after sending it is a foolproof way to protect your client not only from unwanted communications from adversary counsel but also from unnecessary risk to the status of the privileged nature of your communications with him/her/it, there can be no argument but that it is the safer, wiser way to do things.

I do wish, if the NYSBA was going to the trouble of issuing an opinion on this topic anyway, it would have gone ahead and spent a few paragraphs talking about actual ways to come as close as you can to disabling the “reply to all” feature on certain emails if you are using some of the more common email platforms.  Of course, the kinds of solutions you can obtain through the link won’t work if the person on the other end decides to respond from their smart phone, but luckily no one does that these days.   (By the way, everything beginning with “but” in that last sentence should be pictured in comic sans.)

Instead, in addition to the above-mentioned explanation for why cc’ing or bcc’ing your client isn’t the best approach, the NYSBA issued an opinion with the following ethics guidance:

Two opposing lawyers do not have a relationship of confidentiality.  Consequently, a lawyer who receives correspondence from opposing counsel is not obligated under the Rules of Professional Conduct (the “Rules”) to maintain the confidentiality of those communications.  A lawyer does not need the “consent” of opposing counsel to send the client copies of correspondence between the inquirer and opposing counsel.  Since a lawyer is an agent of the lawyer’s client, opposing counsel should expect that the lawyer may share correspondence relating to the representation with the client.

Absolutely correct analysis.  Of course.  I just cannot help but be surprised it had to be written down at all.