Frictionless computing is an emerging technology and it poses some serious ethics risks. There was recently an article about it that raised my eyebrows, so I wanted to let you know about this danger.
Frictionless computing is an emerging technology and it poses some serious ethics risks. There was recently an article about it that raised my eyebrows, so I wanted to let you know about this danger.
I watched an ethics violation unfold right next to me today. So, of course, I had to vlog about it. Scroll below for the transcript if you don’t want to watch the video.
I’m on the road, minding my own business in my usual breakfast joint, enjoying my Spinach Feta Egg White Wrap and Grande Non-Fat Latte. The breakfast of Champions. Three guys sit down next to me and start to talk. Here’s what I know: these guys are lawyers and they are involved in a suit about a particular kitchen accessory. The guy against the wall flew in from Washington DC this morning and he appears to be an expert or specialized legal counsel of some sort.
It appears that the expert (that’s what I’ll call him) is going to give testimony today and these guys are talking about the best approach. They’ve talked about statistics and the design of the product at issue. The expert is laying out the various ways the team could approach the matter and he’s giving examples of testimony that’s been given in previous cases.
The reason I know the case is about a kitchen appliance [[arrow]] is because one of the lawyers brought one into the coffee shop and it’s sitting on the table next to them. The expert keeps putting his hand on it and talking about it. You don’t have to be Sherlock Holes to figure this stuff out. I heard the name of one of the the Judges involved in the case, I heard that they’ve submitted mediation statements, and I heard a whole lot of substance that this expert is going to be addressing.
The reason I know all of this is because I COULD HEAR EVERYTHING THEY WERE SAYING. I wasn’t eavesdropping, I was just sitting about 24 inches away from them at the next table in a public coffee shop.
This, people, is why I continue to have a job.
The very first thing we teach in law school about confidentiality is that you shouldn’t be talking about your clients’ matters in public places. I mean, the hypos we use talk about actually include restaurants in the fact pattern. It’s so basic, that if I were to mention this at the ethics program I’m delivering tomorrow, the lawyers in the firm would roll their eyes at me. “Who would be so stupid to do something like that?” they’d say. “Come on- talk to us about a more sophisticated issue.” But this is real life. And this happens all the time. Most of us who get into trouble don’t do something outlandish like steal from a trust account or forge a document. We make stupid mistakes because we let our guard down in every day situations.
Do you think those lawyers knew that they were sitting next to someone who investigates ethics grievances? Do you think they had any idea at all that I was sitting right next to them tearing them to ethical pieces? NO. Do you know why? Because they suffer from a malady that we all have at one time or another. “Little old me” syndrome. Do you really think that someone is listening to what I have to say? Little old me? Who really cares about listening to little old me?
The answer is everyone is listening to everything you say and everything you write. You have GOT to have a heightened state of awareness about these things. There is no such thing as “little old me.” It’s BIG OLD YOU and you’re a constant target.
Even though I’m going on about this for a while, this entire escapade actually happened very quickly. And I was just going to leave well enough alone because it seemed as if they were going to leave. But then, another guy showed up and he started speaking louder, which prompted one of the first guys to stand up and basically shout.
I couldn’t take it anymore. I packed my bag up, threw on my jacket and as I walked out I tapped the standing guy on the shoulder and said, “Could I steal you for a minute?” We walked a few feet away from the tables and I said, “I teach professional responsibility for a living. Stop talking about your client’s files in a public place like this. Someone’s going to overhear you and you’re gonna get smacked for it. I’m just trying to help you out.” He replied, “Oh, fair point.” And I left.
Every day this month I’m going to post a short message called, “Something Smart & Safe.” They’re short video messages that will give lawyers a drop of good direction. My first installment is begging lawyers to stop tweeting about politics — its got problems written all over it.
Want to see the rest of the Smart & Safe posts? Subscribe to my YouTube Channel here.
What happened in the news today should make all lawyers pause and look at the manufacturers of the hardware and software they’re using in their offices. Listen to this video for the info. Also, the post below has a bit more detail.
For years, the United States has been concerned that the Russians were using technology purchased by average consumers to steal secrets from the NSA. United States officials have been concerned that a popular anti-virus software product commonly sold in the US that’s developed by a a Moscow-based company called “Kapersky” is being used by the Russians to steal NSA technology. These past few months a series of newspaper reports made the concerns far more real. And today additional information was released that makes the matter even more concerning.
“The Wall Street Journal reported on Oct. 5 that hackers working for the Russian government appeared to have targeted an NSA worker by using Kaspersky software to identify classified files. The New York Times reported on Oct. 10 that Israeli officials reported the operation to the United States after they hacked into Kaspersky’s network.”1
The US is concerned that Russians Intelligence deliberately used the Kapersky software in it’s spying activities. These articles revealed that on October 25th Kapersky admitted that it’s software took the source code for an American hacking tool from someone’s personal computer. But they deny that it was part of a larger spying scheme. “Kaspersky said in the statement that it had stumbled on the code in 2014, a year earlier than the newspaper reports had stated…The company said logs showed that the consumer version of Kaspersky’s popular product had been analyzing questionable software from a U.S. computer and found a zip file that was flagged as malicious…While reviewing the file’s contents, an analyst discovered it contained the source code for a hacking tool later attributed to what Kaspersky calls the Equation Group. The analyst reported the matter to Chief Executive Eugene Kaspersky, who ordered that the company’s copy of the code be destroyed, the company said…It said no third parties saw the code, though the media reports said the spy tool had ended up in the hands of the Russian government.”2
In today’s Fortune magazine (November 13, 2017), we learn that UK officials are worried as well. The first line of that article reads, “The British spy agency GCHQ is concerned about Kaspersky Lab’s antivirus software being used to spy on people in the UK…”3 The magazine explains why UK officials are concerned: “Barclays has given millions of its banking customers free Kaspersky subscriptions. If those customers happen to work for the British military or government, the spooks fear, Kaspersky’s software might help the Russian intelligence services gain access to their information.”
Today there was another article that made me concerned for similar reasons. It appears that the U.S. intelligence services are worried that certain security cameras could be used by the Chinese government to spy on U.S. targets. The concern is about cameras made by Hangzhou Hikvision Digital Technology, a company owned in large part by the Chinese government. Their product, called, “Hikvision (pronounced “hike-vision”) was nurtured by Beijing to help keep watch on its 1.4 billion citizens, part of a vast expansion of its domestic-surveillance apparatus. In the process, the little-known company has become the world’s largest maker of surveillance cameras. It has sold equipment used to track French airports, an Irish port and sites in Brazil and Iran.” They were also used by the Memphis police and the U.S. military. Furthermore, “Consumer models hang in homes and businesses across the country. At one point, the cameras kept watch on the U.S. embassy in Kabul…Hikvision’s rapid rise, its ties to the Chinese government and a cybersecurity lapse flagged by the Department of Homeland Security have fanned concerns among officials in the U.S. and Italy about the security of Hikvision’s devices.”4
The report also notes that, “Some security vendors in the U.S. refuse to carry Hikvision cameras or place restrictions on their purchase, concerned they could be used by Beijing to spy on Americans. The General Services Administration, which oversees $66 billion of procurement for the U.S. government, has removed Hikvision from a list of automatically approved suppliers. In May, the Department of Homeland Security issued a cybersecurity warning saying some of Hikvision’s cameras contained a loophole making them easily exploitable by hackers. The department assigned its worst security rating to that vulnerability.”5
Hikvision, of course, denies that they are involved in any sort of inappropriate activity. “Hikvision says its equipment is safe and secure, that it follows the law wherever it does business and that it worked with Homeland Security to patch the flaws the agency cited.”6
The concern is that “Last year, hackers took control of hundreds of thousands of cameras, including many made by a Chinese rival of Hikvision, to launch a huge “denial of service” attack that security experts said made sites run by Amazon.com Inc., PayPal Inc. and Twitter Inc. unavailable for hours.”7
If I’ve said it before, I’l say it again. If they are worrying about it, you need to be worrying about it. If the government is worried that products like Kapersky and Hikvision can cause security risks, then you need to be conecnered as well. Why? The government secrets are targeted by the bad guys and lawyers’ secrets are also targeted nay the bad guys.
The government is worried that the Russians and the Chinese will use these technologies to steal secrets from the US. You need to worry that the Russians and the Chinese will steal secrets about your clients. Lawyers are targets That’s because the bad guys know that you are the gatekeeper for a lot of your client’s valuable information.
I believe that we have a three-part duty when it comes to these cyber concerns like this. We must Understand, Anticipate, and Act.
Modern ethics concepts require that you understand these dangers. My reading of recent opinions reveals that we have an ethical duty to understand obvious, well known cyber traps. What’s obvious and well known? You need to stay up to date on the latest concerns to know that. We have an ethical duty to maintain our competence and opinions have acknowledged that that duty evolves as technology changes.
The issues with these cameras and software products may not be considered to be “obvious” today but what about in a month from now when people have read all of these articles? The concern that these software and hardware developers could be using their products to steal information from valuable targets, including our clients, will soon be common knowledge.
You need to consider how these concerns can manifest in your particular practice. Do you use Kapersky as your anti-virus software? Are the security cameras in your office Hikvision products? Are the security cameras installed by your landlord Hikvision products? Did you even know that your landlord has cameras installed in your office? If they are not Hikvison or Kapersky, then what are you using? Who makes those products? I believe that the concept of Diligence (Rule 1.3) demands that you ask those kinds of questions so you could properly anticipate any potential traps.
Third, and Finally- Act
Here is where it gets dicey. What, if anything must you do? Listen, I don’t know if it’s time to stop using Kapersky or Hikvision. What I do know is that now is the time to start asking questions. Sit down with your IT people and discuss these issues with your cybersecurity consultants. Scrutinize the developers of the software and hardware that you’re using in your office and come to a decision.
But just as important as assessing the risk and determining if there is any action to take— document your decision. Set forth the research you did and memorialize your diligence. Make it clear that you gave this careful consideration and that you actually made an informed decision, rather than ignoring the problem.
Understand, Anticipate, and Act.
Now go look at your systems and talk to your people.
There’s only so much that virus scanning/blocking software can do to protect lawyers against cyber threats. That’s because one of the primary ways the bad guys gain access to our computer systems is by human error- when someone in our office clicks on an attachment or link and lets the bad guys in the door. Toward that end, here’s some advice about avoiding a common trap: If it’s scary, be wary. The bad guys are sending emails that are designed to be scary in order to motivate you to click on their evil link. If you see something super scary, pause and take steps to verify it’s validity.
I’ve been quite happy with an important recent change in the legal profession— we’re finally talking seriously about mental health. More specifically, we’re taking about getting help for our mental health issues.
Of course, while the powers-that-be have been advocating that discussion for a (short) while, the lawyers on the ground have been more reluctant to engage. The reason is clear— stigma and repercussions. Lawyers don’t want their colleagues or clients to know that they are struggling because they’re afraid it will affect how they appear to those people. Lawyers obviously also don’t want to suffer any setback to their career. As a result, there’s been a de facto disincentive for lawyers to come forward and get help. It appears, however, that that’s changing.
The Wall Street Journal reports that firms are “offering on-site psychologists, training staff to spot problems and incorporating mental-health support alongside other wellness initiatives.” That’s the type of action we need. I’ve long said in my CLE programs that we need to create an environment where people feel comfortable about getting help. Hopefully the firms’ actions set forth in that article are the front end of a growing trend.
A recent opinion in Virginia made it clear for all lawyers— if your firm doesn’t have an impaired lawyer policy, you need to create one.
Many lawyers aren’t aware that ethics rules require you to stop representing a client if you, individually, develop some material impairment. Rule 1.16(a) says, “…a lawyer shall not represent a client or, where representation has commenced, shall withdraw from the representation of a client if…(2) the lawyer’s physical or mental condition materially impairs the lawyer’s ability to represent the client…” Essentially, this is a duty to act. Your required action, is if I become materially impaired, I must withdraw. But a recent opinion went further and held that that there may be a duty to act imposed on other lawyers in the firm. Specifically, if you’re in a supervisory role, you may need to take some action with respect to an impaired lawyer in the firm.
First, a reminder about the general rule on supervising: Lawyers in a managerial position have a duty to create policies which ensure that other lawyers in the office are complying with the ethics rules. In addition, lawyers who specifically supervise other lawyers need to ensure that the lawyers in their charge follow the rules. Rules 5.1(a) and 5.1(b). Now, on to the impairment issue…
In LEO 1886 (December 15, 2016) the Supreme Court of Virginia asked, “What are the ethical obligations of a partner or supervisory lawyer who reasonably believes another lawyer in the firm may be suffering from a significant impairment that poses a risk to clients or the general public?” They posited two hypotheticals: one in which a lawyer finds out that there is another lawyer at their firm with a significant substance abuse problem, and the other that portrayed an older lawyer who appears to be suffering the onset of dementia. In both cases, the lawyers’ condition is affecting their work.
Virginia confirmed that, “When a partner or supervising lawyer knows or reasonably believes that a lawyer under their direction and control is impaired, Rule 5.1(b) requires that they take reasonable steps to prevent the impaired lawyer from violating the Rules of Professional Conduct.” LEO 1886 at 3. The opinion didn’t say that you need to dismiss the lawyer. Quite the contrary, they said that, “the firm may be able to work around or accommodate some impairment situations.” LEO 1886 at 4. But the managerial/supervisory lawyer does need to step in and do something to protect the client’s interests.
The opinion gave some direction for how to deal with this, practically. They quoted from the ABA’s Standing Committee on Ethics and Professionalism Formal Op. 03-429 and said,
“The first step may be to confront the impaired lawyer with the facts of his impairment and insist upon steps to assure that clients are represented appropriately notwithstanding the lawyer’s impairment. Other steps may include forcefully urging the impaired lawyer to accept assistance to prevent future violations or limiting the ability of the impaired lawyer to handle legal matters or deal with clients.”
Here’s the dangerous quirk— not only do lawyers need to accept their duty to deal with this situation after the impairment issues have surfaced, but the opinion explicitly states that this issue should be considered ahead of time, in law firm policies. I’m not so sure that many firms have accounted for this in their HR docs. Specifically, the opinion states:
“In order to protect its clients, the firm should have an enforceable policy that would require, and a partner or supervising lawyer should insist, that the impaired lawyer seek appropriate assistance, counseling, therapy, or treatment as a condition of continued employment with the firm. For example, the firm could recommend, encourage or direct that the impaired lawyer contact Lawyers Helping Lawyers for an evaluation and assessment of his or her condition and referral to appropriate medical or mental health care professionals for treatment and therapy. Alternatively, making a confidential report to Lawyers Helping Lawyers may be an appropriate step for the firm. The firm or its managing lawyers might instead find it necessary or appropriate to consult with a professional medical or health care provider for advice on how to deal with and manage an impaired lawyer, including considering options for an “intervention” or other means of encouraging the lawyer to seek treatment or therapy.” LEO 1886 at 5.
And don’t forget, if the impaired lawyer violated the rules by, perhaps, neglecting a client’s matter, the firm/supervisors may be required to report that lawyer under Rule 8.3(a). I’m sure you’re aware of that duty, but I can see a firm trying to help an impaired lawyer get better, but allow the reporting duty to slip through the proverbial cracks.
The moral of this story: if your firm doesn’t have an impaired lawyer policy, you need to create one.
Tech gurus around the country have been tweeting about the new ABA opinion like it’s some sort of revelation that was brought down from a mountain on stone tablets. I don’t know why everyone is going up in arms about this. Here’s what I think. The ABA is (a) on point (as usual), and (b) 7 years too late (as usual). The opinion is 11 pages of stuff that ethics professionals and various states have been shouting for almost a decade. If you’re a lawyer and you didn’t know the contents of Opinion 477 already, you should be embarrassed.
After all 11 pages, it comes down to the last two sentences of the opinion. They basically say that lawyers need to take special security precautions to protect client information if you’re required to do so by agreement (really, you didn’t know that?), by law (someone needed to issue an opinion to tell you that you need to abide by the law?), or when the nature of the information requires a higher degree of security (teachers like me have been preaching that for YEARS). Opinion 477 at 11.
It takes everything in my being not to say, “…duh.”
Of course you need to consider the sensitivity of the information when determining how you communicate that information to your client. The State of California told us that….in 2010 (go look at Formal Opinion 2010-179. And California did it in only 7 pages). The ABA even told us that in their revised rules…in 2012. But now, in 2017, they finally get around to writing this opinion?
All of the information in this opinion is important. But it should have been issued years ago. “But wait,” you might protest, “Opinion 477 gives some factors to consider.” Listen— if the seven precautionary recommendations that they list in this opinion are new to you, then here’s a newsflash: You haven’t been meeting your duty of competence for years. Maybe in their next opinion they’ll give us some more useful tech advice like, “To rename a file, type the following command after the C:\…” Seriously, this is all coming to us a bit late.
Here’s another helpful nugget from Op. 477: It reminds us that the rules “may require a lawyer to discuss security safeguards with clients.” Opinion 477 at 5. People, technology issues like that should be a part of every lawyer’s initial conversation with their client…and it should have been that way already for years. If you haven’t been talking about it, then you’re in borderline malpractice territory. It also means that you haven’t been listening because every respectable ethics teacher has been shouting about that for almost a decade.
Here’s what I would have tweeted about this opinion (if I had more than 140 characters):
To the lawyers: If any of this is new to you, stop what you’re doing and (a) chastise yourself for being 10 years behind the curve and (b) read the opinion. My gut tells me that there will be a total of 3 lawyers who are surprised by the contents of Opinion 477.
To the ABA: Move quicker and talk less. You’ll serve all lawyers better.