Panama Papers Lesson #2: Beware the copycat leakers inside your firm

The massive leak of confidential documents from the Panamanian law firm Mossack Fonseca is still sending shock waves throughout the world.  It’s likely to keep reverberating for some time. We’re not any closer to learning the origin of the leak because the newspaper who disseminated the information won’t reveal their source.  We don’t know if the information was stolen and distributed by an activist hacker, or leaked by a current/former employee of the law firm.¹  What we do know us that a whole lot of confidential information was released and, “the data primarily comprises e-mails, pdf files, photo files, and excerpts of an internal Mossack Fonseca database.”²

In my last threat assessment I discussed the concerns about the possibility that the firm was hacked, but there is another, equally disturbing concern.  The leak could have been the work of an employee of the firm, perhaps acting as a whistleblower of sorts. In that case, what should the firm fear and what are the ethical concerns?

The thing to fear? Copycats.

Sure, the idea of whistleblowers is nothing new, but I’m concerned about people who are inspired by the Snowdens and the WikiLeaks of the world.  I’m worried that high profile leaks could be inspiring others to adopt a pseudo-Robin Hood mentality.  I call them Disclosure Vigilantes— those employees who feel that it’s their societal duty to expose the things they define as “wrongs.”  I’m not talking about people who expose criminal conduct— I’m talking about those copycats who steal and/or reveal our clients’ confidential data and leak it to someone outside the firm in an effort to make public something that they define as an affront to society.  They could be personally disgusted by someone’s “excessive wealth,”  or feel compelled to “uncover the extent to which Corporate America will go to keep the average worker down”….name your cause, name your villain.

The ethical concerns? Hiring and Supervision

If there is a danger that firm employees could be Disclosure Vigilantes, then what are we doing to counteract it? We need to ask whether the firm is properly vetting all of our new hires, including those in IT. Plus, are we asking the right questions during the interview process? Does our interview process in some way consider the issue of purposeful leaks (note that I’m an ethics guy, not a labor law guy, so talk to a labor lawyer to ensure that whatever questions you ask aren’t improper from a privacy/labor law/etc., perspective). From an ethical point of view, that sort of targeted due diligence during hiring could constitute the appropriate “thoroughness” required by Rule 1.1 (Competence), and it might be the “reasonable diligence” that’s required by Rule 1.3 (Diligence).

But it goes beyond just hiring.  After the employees are hired we need to manage our staff, and Rule 5.3 requires that we supervise nonlawyer personnel.  Lawyers in a firm have a responsibility to ensure that our nonlawyer employees behave in a manner that’s “compatible with the professional obligations of the lawyer,” and that has historically included confidentiality, among other things. But given the new reality of Disclosure Vigilanteism, that duty to supervise might be expanding to include the need to watch for morality-based intentional leaks of client information.

A savvy lawyer might see a third angle— (1) we should properly screen our new hires, (2) we should properly supervise our employees to make sure no disclosures are occurring, and…(3) maybe we should also watch for changed circumstances to our employees which could increase the probability of a purposeful disclosure.  Remember, employees could change during their tenure at the firm.  If that’s the case, the wise firm might ask whether we are periodically reviewing the staff to check for changed circumstances in our employees that might lead to Disclosure Vigilanteism (being cognizant, of course, of the limitations that are imposed by privacy restrictions and other labor law).

The potential for copycat Disclosure Vigilantes might be altering our responsibilities in hiring and supervising employees.  I don’t want you to be that firm….the firm that finds itself in front of an ethics tribunal listening to them say, “the signs were there…you didn’t look for them”…and then hearing that dreaded phrase…you “should have known” this was going to be a problem.

 

 

 

¹http://www.bustle.com/articles/151771-who-leaked-the-panama-papers-the-whistleblower-had-just-one-condition, last checked by the author May 3, 2016

²http://panamapapers.sueddeutsche.de/articles/56febff0a1bb8d3c3495adf4/ last checked by the author May, 3, 2016

 

Two law firm hacks should be scaring your firm into action

For years people have been warning that law firms of all sizes are major targets for cyber-criminals.  If your firm didn’t take that seriously before, then there are two major hackings last week that should get your attention.

The Wall Street Journal reported that cyber criminals breached Cravath, Weil Gotshal, and several other unnamed firms (read the article here: http://on.wsj.com/1MzYlN2). The paper states that it’s not clear what (or whether) information was taken, but the focus is on the possibility of confidential information being stolen for purposes of insider trading.

The other major breach is so big that it has its own hashtag— search Twitter for #PanamaPapers or #PanamaLeaks.  According to Reuters, the target was a law firm in Panama who specializes in setting up offshore companies.  Hackers stole data from the firm and provided that data to journalists who promptly revealed it to the public (read the article here: http://reut.rs/25GEy4X). The information allegedly reveals a network of offshore loans.  According to the BBC, the stolen data reveals how the law firm, “has helped clients launder money, dodge sanctions and avoid tax” (read the BBC’s article here: http://www.bbc.com/news/world-35918844).   Political figures and friends of popular politicians are allegedly implicated, according to the report.

My concern is not about the obvious political ramifications. My concern is about the ethical ramifications to lawyers. The danger of hacking is real.

No report has implicated any type of ethical wrongdoing on the part of any firm.  That needs to be restated and made abundantly clear: there has been no report of any evidence of ethical impropriety by any of the law firms mentioned in the news. I am bringing this to your collective attention because it should serve as a warning.  Confidential client information was stolen from that law firm in Panama….which reminds us that we are targets.

All lawyers are targets. Small firms, large firms, in-house counsel, government lawyers, you name it.  The bad guys know that lawyers are the custodians of valuable information and they are coming after us in a big way.  The message for all of us is clear:  you could be subject to an ethics grievance if you don’t take proper steps to secure your clients’ information.

The responsibility to protect our client information is nothing new. However, these recent events require us apply an increased sense of urgency to evaluating our compliance with that duty. Have you, or your firm, taken the necessary steps to adequately protect your clients’ information? Have you considered the fact that bad guys could be targeting you? What steps have you taken to counteract the potential piracy that could be aimed at your clients’ information?

You could be darn sure that someone is going to be asking those questions to the firms that were targeted in the hacks.  Maybe you need to put yourself in their position and ask, “how would we fare if that review was directed toward us?”

Our duty of competence requires that we take appropriate steps to protect our clients’ confidential information. And remember that you, as the lawyer, have the primary ethical duty, not your IT people.  Furthermore, various ethics opinions have held that, in some circumstances, the lawyer needs to understand the underlying technology itself.

If these issues weren’t on the front burner in your office before, these two hacks should be causing you to shift your priorities.

Quickly.

SWEET…a Win for the Good Guys!

Young man giving thumbs upThis is the first case I’ve seen where someone sued another person for making a false claim on the internet…and won.  Here a lawyer represented someone in their divorce.  The client was unhappy with the lawyer and went on an online rant.  The problem was that the rant was full of lies, so the lawyer sued for defamation.  The lawyer won at trial and on appeal…she got $350,000 in damages.  Yikes!  If you want to read the decision, you could find it here.

Your LinkedIn Profile Is Probably Advertising

A recent opinion of out New York says that our LinkedIn profile may be considered an advertisement. Maybe more importantly, the opinion imposes a duty upon lawyers to periodically review their social media profile.  I call it the “I told you so” opinion because I’ve been telling this to lawyers for some time in my ethics CLE programs.

Sure, the opinion is limited- it’s out of one particular state and it’s only advisory. But the rationale is solid and I could envision it being adopted in other jurisdictions.

Furthermore, the practical implications could be significant.  For instance, any misleading statements on your profile would now be governed by the content restrictions contained in Rule 7.1;  if you’re in a jurisdiction where disclaimers are require on ads, you may need to insert a disclaimer into your LinkedIn profile; maybe the concept applies to all social media sites that you use for professional purposes…and the list of concerns could go on. To get all of the details, download the full NYCLA Opinion 748 here.

—————-

I cover this concept in my ethics CLE program, “Tech, Tock, Tech, Tock: Social media and the countdown to your ethical demise.” Email me at stuart.teicher@icloud.com if you want some more information.

 

 

 

Lawyers may be required to supervise the client?

Here’s my latest Threat Assessment- those are my short warnings about key ethics dangers that both lawyers and the PD professionals who care about them, need to know.

Today: Technology scare (what a shocker). Our duty to supervise may have been drastically expanded in a recent opinion out of California. Specifically, the California Bar’s Standing Committee on Professional Responsibility and Conduct, Formal Opinion Np. 2015-193.

The opinion presents a hypo about a lawyer who messed up. He didn’t understand the technicalities of e-discovery, didn’t seek help from a professional with knowledge, and he let his adversary conduct an unsupervised e-discovery review of the client’s files. Result: disaster. There were allegations of withholding/obstructing discovery and a major leak of proprietary/confidential information to a major competitor. The opinion holds that the lawyer should have known better.

POINT 1 of 2: Competence is being expanded

The opinion states:

“An attorney’s obligations under the ethical duty of competence evolve as new technologies develop and become integrated with the practice of law.
* * *
Attorney competence related to litigation generally requires, among other things, and at a minimum, a basic understanding of, and facility with, issues relating to e-discovery, including the discovery of electronically stored information (“ESI”).”

What we need to know: Certain technologies that have so integrated themselves into the practice that our duty of competence demands that we understand them. We can’t just rely on our “people” to know about it. We need to, individually, understand the systems.

What we need to know: We need to understand the underlying technology, not just the “law” about that technology.

POINT 2 of 2: Our duty to supervise is being expanded drastically.

The opinion also stated:

“The duty of competence…includes the duty to supervise the work of subordinate attorneys and non- attorney employees or agents…This duty to supervise can extend to outside vendors or contractors, and even to the client itself.”

What we need to know: Our duty to supervise doesn’t just include the lawyers and non-lawyers in our office. It is also includes vendors and contractors. But the big extension is that it might also include supervising the client itself. That is a change- we are familiar with the need to “advise” and “guide” a client. Now we may also be required to “supervise” the client as well. Does that mean watching their IT people? It depends, but this opinion basically says yes, sometimes.

Find more information like this in my live program: Tech Tock, Tech Tock: Social Media and the Countdown to Your Ethical Demise. See my course list here.

A Violation You Didn’t See Coming

There are a ton of obvious ethics violations that lawyers might commit when using social media, but few people consider whether their posts violate the rule on Trial Publicity.  Did the lawyer’s internet search rise to the level of “participating…in the investigation” of a matter?” Was that errant tweet an “extrajudicial statement” that triggers the rule? You need to know this usual potential violation.

Here’s the rule, with the key phrases I’ll discuss in bold.

Rule 3.6. Trial publicity 

(a) A lawyer who is participating or has participated in the investigation or litigation of a matter shall not make an extrajudicial statement that the lawyer knows or reasonably should know will be disseminated by means of public communication and will have a substantial likelihood of materially prejudicing an adjudicative proceeding in the matter.

You, personally, gotta know your stuff

4F8K4ADXK8

I recently spoke at a law firm about the ethical implications when lawyers use technology.  I was talking about lawyers who choose to store client information in the cloud and  I explained how the lawyer needs to understand the technology associated with the cloud storage site that the lawyer may use.  I explained that Rule 1.1 (Competence) demands that we, personally, understand those details.  It was exactly then that a very irate lawyer shot up his hand and barked at me, “I’ll just bring my IT guy with me and point to him.  I’ll tell that committee to talk to HIM about it, then I’ll leave.”  While I was itching to answer in an obnoxiously New Jersey manner, I noticed that the angry lawyer was the only man in the room who happened to be older, white haired, male, and wearing a suit.  He had “managing partner” written all over him.  It was at that point that I figured I’d soften the edge on my reply, lest I not be invited back to the firm.  I (ever so gently) explained that it was the lawyer’s individual responsibility to understand the technology and that we would not be permitted to simply bring our support staff to a grievance and wash our hands of the situation.

 

I thought of this today because I was reading the Alaska Bar Association Ethics Opinion No. 2014-3.  That opinion addressed the ethics of using cloud services, and there is one sentence in particular that stood out.  The opinion reminds us that, “Because the lawyer’s duties of confidentiality and competence are ongoing and not delegable, a lawyer must take reasonable steps to protect client information when storing data in the cloud.” Op. 2014-3 at 1-2. The key words, of course, are “ongoing and not delegable.”

 

Our duty of competence is a personal requirement.  Sure, we can employ support staff to assist us with our practice, but the ultimate responsibility to maintain our competence lies with us.  That lawyers would not have been able to simply bring his IT guy to the grievance and throw him to the disciplinary wolves.  In fact, if he tried to do that I think he might get bit himself.

There really IS a new tech duty

Ethics tiles

For ages, lawyers have been able to stick their head in the sand about technology. At the very least, we’ve been able to push the problems to the another part of the sandbox. If the copier jammed, we’d shout for our secretary and leave it to her to fix (and in was usually a “her” in those days). If our computer locked up, we’d shout for the IT guy and we’d expect it to be up and running when we were back from lunch (and it was usually a “him” in those days). But technologies today are different and they are causing new duties to be created for lawyers.

For instance, the disciplinary authorities know that technology like cloud storage is prevalent these days. They also understand that the dangers inherent in using those new technologies are severe. As a result, a new duty applies to lawyers who use the cloud.

For some time I’ve been shouting that there exists a duty to understand technology. I’m not talking about understanding the law regarding technology. I mean a duty to understand the underlying technology itself. Granted, one might argue that there isn’t a separate duty in that regard and that it’s really just a subset of the duty of competence (Rule 1.1). To that I reply, “toe-may-to, toe-mah-to.” I don’t care how it fits into the rules, the bottom line is that it’s there and a recent ethics opinion in Alaska proves it’s existence. See Alaska Bar Association Ethics Opinion No. 2014-3.

On page 3, the authors state, “A lawyer engaged in cloud computing must have a basic understanding of the technology used and must keep abreast of changes in technology…Technological changes, the regulatory framework, and privacy laws are all matters requiring the lawyer’s attention.”

Thus, if you want to use technology, you must understand that technology. YOU must understand it. Not just your secretary or the IT guy/gal. You, individually, must understand the underlying technology.

For the ethics geeks like me, you aren’t surprised that this text is in the Alaska opinion. Heck, we’ve seen this in several opinions recently. But there are a bunch of you out there who didn’t believe me when I told you this at some of my CLE seminars. So, I guess what I’m really saying in this post is….“Told you so.”

Links to States’ Attorney Ethics Opinions

USA
Finding a link to the attorney ethics opinions issued by every state in the country is tough.  Some states don’t make the opinions available, others don’t issue opinions, and still others might be behind pay walls. I’ve tried to compile a list of links for each state’s ethics opinions and I’ve listed them below.  Since the states are constantly messing with their websites, some (…heck, many) of these links could be wrong.  All I can say is they were working when I checked them!

If you have a link for one of the states that I haven’t been able to get please feel free to send them to me at stuart.teicher@iCloud.com

Arkansas- no new opinions??   http://www.arkbar.com/pages/ethicsadv.aspx
Colorado- http://www.cobar.org/index.cfm/ID/22347/CETH/Formal-Ethics-Opinions-/
Connecticut- couldn’t find a good link
Indiana- http://www.inbar.org/?page=legal_ethics_opinion
Iowa-http://www.iabar.net/ethics.nsf/Ethics%20Opinions?OpenFrameset
Kansas- ???
Kentucky- Link is no good
Louisiana- Link is no good
Maryland- restricted
Michigan- link NG
Minnesota- ???
Missouri- http://www.mobar.org/ethics/formalopinions/frontpage.htm
Montana link NG
Nebraska link NG
New Hampshire link NG
Pennsylvania- couldn’t find a state site.
     Philadelphia: http://www.philadelphiabar.org/page/EthicsOpinions?appNum=2&wosid=DS4dMhc6qKMk3gyWo9pNt0
South Dakota- Can’t get them.  Only provided to bar members on request, per http://www.sdbar.org/ethics/ethics.shtm
Tennessee       Lawyers- links to formal and informal opinions on this page  http://tbpr.org/attorneys/ethicsopinions/
Wisconsin (behind a pay wall?)
Wyoming: Opinions?

Be very quiet…I’m hunting Jurors!

Ex parte communications with prospective jurors and members of a sitting jury have long been prohibited.[1] (See Rule 3.5(b)). But the advent of social media has created a difficult wrinkle because lawyers are using social media to research both prospective and sitting jurors. That isn’t frowned upon, per se.  In fact, the New York City Bar Association recognized that this type of research is consistent with a lawyer’s fundamental duties. It noted that, “…standards of competence and diligence may require doing everything reasonably possible to learn about the jurors who will sit in judgment on a case.” [2]

The problem is that part of the lawyer’s investigation process through social media could include communicating with the jurors, thereby violating Rule 3.5(b).  There could be friending, exchanges of messages, or a lawyer might just observe a juror’s social media page.  The issue is trying to figure out which of those actions actually constitute a “communication” that violates the Rule. The authorities are concerned because “social media…can blur the line between independent, private research and interactive, interpersonal ‘communication.’”[3]

The City Bar didn’t make many waves when it opined that “friending” a juror constituted a prohibited communication.[4]  That’s pretty much a no-brainer.  It shook things up slightly, however, when it stated that simply researching a juror’s social media page could constitute a communication.

The Bar was concerned about situations where a lawyer researched the jurors page and the website sends a message to the juror letting them know that the lawyer had viewed the juror’s page.  How could this happen? Consider these two specific examples: LinkedIn automatically generates a message that tells a user who has viewed the profile recently.  Also, Twitter lets a user know the identity of a new follower.  The City Bar considered those type of platform-generated messages to be considered “communication” under the rules. [5] They stated that the key factor was the effect that such knowledge would have on the receiver (in this case, the juror).[6]

The Bar held that “it is the ‘transmission of,’ ‘exchange of’ or ‘process of bringing’ information or ideas from one person to another that defines a communication”[7] and that in the world of social media, “this focus on the transmission of information or knowledge is critical.”[8] In a situation where a juror was notified that a lawyer was viewing the juror’s social media page “…the researcher imparted to the person being researched the knowledge that he or she is being investigated.”[9]  The City Bar believed that “The transmission of the information that the attorney viewed the juror’s page is a communication that may be attributable to the lawyer and even such minimal contact raises the specter of the improper influence and/or intimidation that the Rules are intended to prevent.”[10] In addition to being intimidating, the knowledge of that research might “tend to influence the juror’s conduct with respect to the trial.”[11] Thus, the key question is whether the juror would have learned of the lawyer’s research.[12]

Note that the City Bar made a distinction between whether the lawyer knew that the notice would be generated, or whether it was inadvertently sent.  The former was considered to be a clear violation of the rules, but the Bar wouldn’t say if they thought that the rules were broken if the message was sent by the social media page inadvertently.[13] They said it “might constitute a prohibited communication even if inadvertent or unintended.”[14] Either way, they see the communication as a no-no.

But—lest you think that the ethics world is a boring place—there is a bit of controversy on the topic.  The ABA has also opined on the topic and came down with a contradictory (and in my opinion, troubling) result.

In Formal Opinion 466 (April 24, 2014) the ABA’s Standing Committee on Ethics and Professional Responsibility evaluated the same question that NYC considered.  Knowing that Rule 3.5 prohibits communications with jurors, they considered whether a lawyer can investigate a juror/potential juror’s social media page.  The ABA resolved the easy question the same way as the City Bar. That is, overt contact with a juror (like friending) is a prohibited communication that violates Rule 3.5(b).[15]  The ABA came down differently, however, on the tough question—whether a lawyer may passively review a juror’s social media page if that review will become known to the juror. In that scenario, the ABA disagreed with NYC. The ABA thinks it’s okay.

According to the ABA, a lawyer is not communicating with a juror when a website sends an automatically generated notice to the juror telling them that the lawyer was reviewing their website. They stated, “This Committee concludes that a lawyer who uses a shared ESM platform[16] to passively view juror ESM under these circumstances does not communicate with the juror.  The lawyer is not communicating with the juror; the ESM service is communicating with the juror based on a technical feature of the ESM.”[17]

What’s amazing, is…that’s it.  That’s pretty much the crux of the decision.  The opinion is almost devoid of analysis.[18]  The only statement that in any way resembles some deeper thought is an analogy.  The opinion states, “This is akin to a neighbor’s recognizing a lawyer’s car driving down the juror’s street and telling the juror that the lawyer had been seen driving down the street.”[19] Personally, I think the ABA has it all wrong.

When a lawyer passively investigates a juror’s social media page, that lawyer is reading the details to the page.[20] They are inspecting the contents and looking for information.  It’s a lot less like driving down the street near a juror’s house and lot more like standing on the juror’s lawn peering over their bushes through the picture window in their living room, or rifling through the juror’s garbage cans.  I believe it’s more intrusive than the drafters of the opinions make it out to be. And intrusive can be intimidating.

But the ABA never talked about the potential intimidation.  They failed to explore that key underlying issue all together. They simply made a distinction about who is actually initiating the communication.  Since the website sent the message, it’s not a lawyer communication.

The mistake the drafters are making is focusing on the technical manner in which the message is sent.  The issue is not about who (or what) sent the communication, rather, it’s about what triggered that communication.  The impetus for the system sending a communication to the juror was the lawyer’s research.  The website-generated communication was only triggered because the lawyer made an appearance on the juror’s webpage.  The lawyer’s snooping caused the message to be sent.

The concern that prompted the City Bar opinion was the fact that knowledge of the lawyer’s presence on the juror’s social media page could be intimidating.[21] The message, regardless of who sent it, makes the juror aware that they are being watched. The key factor to the City Bar was the effect that such knowledge would have on the receiver (in this case, the juror).[22]  That’s why they stated that “even such minimal contact raises the specter of the improper influence and/or intimidation that the Rules are intended to prevent.”[23]

To date there haven’t been any other states that have chimed in on the matter.

I would expect that when other states opine on the matter that they will review the rationale behind the City Bar opinion in a more meaningful way and it will be interesting to see how they decide. My gut tells me that many jurisdictions will side with the City Bar view and I think that’s a good thing. I agree with them—the knowledge of a lawyer poking around on someone’s social media page could be somewhat intimidating.  But there’s a practical problem with all of this.

The problem is that the courts are also claiming that diligence demands that we research the public internet life of jurors.  In some cases they are even encouraging us to do so.[24] So how do we reconcile those two mandates?  Do we just stay away from sites like LinkedIn and Twitter because we know that they generate these messages?  But what if that changes—maybe we know which sites generate automatic messages today, but the functionality of these platforms change daily. The answer is competence.

This is a perfect illustration of how understanding social media and technology is becoming a core competency. There is a way to fulfill your mandate of researching jurors while also avoiding these type of computer generated messages. It means, however, that you need to have an intimate understanding of the individual platforms.

A well-versed user would know that you could adjust your own LinkedIn settings so that your identity isn’t revealed to other users when you view their profiles.  A person who understands Twitter knows that you can watch what another user says without actually “following” them.  Could that all change? Yes.  And when it does, you need to know about it.  You need to stay abreast of how all these platforms work…and that’s why knowledge of social media is becoming a core competency.

 

[1] New York City Bar Association, Formal Opinion 2012-2 at 1

[2] NYC Opinion 2012-2 at 2

[3] NYC Opinion 2012-2 at 2

[4] NYC Opinion 2012-2 at 3

[5] NYC Opinion 2012-2 at 2

[6] NYC Opinion 2012-2 at 4

[7] NYC Opinion 2012-2 at 4

[8] NYC Opinion 2012-2 at 4

[9] NYC Opinion 2012-2 at 4

[10] NYC Opinion 2012-2 at 5

[11] This quote actually comes from a different opinion out of New York City.  NYCLE Committee on Professional Ethics, Formal Opinion No. 743, Issued May 18, 2011 at 3.

[12] NYC Opinion 2012-2 at 3

[13] NYC Opinion 2012-2 at 5

[14] NYC Opinion 2012-2 at 2

[15] ABA Opinion 466 at 4

[16] “ESM” stands for “electronic social media” in this opinion.

[17] ABA Opinion 466 at 5

[18] This is all a bit surprising.  ABA opinions are normally well thought out writings that delve into the rationale behind their decisions.  In this case, however, the opinion is far too superficial.

[19] ABA Opinion 466 at 5

[20] …to the extent those details are available to be seen- we’re not talking about pages that are behind a privacy wall.

[21] NYC Opinion 2012-2 at 5

[22] NYC Opinion 2012-2 at 4

[23] NYC Opinion 2012-2 at 5

[24] See NYC Opinion 2012-2 at 2 where it references the Missouri case of Johnson v. McCullough, 306 S.W.3d 551, 558-59 (Mo. 2010).