There’s only so much that virus scanning/blocking software can do to protect lawyers against cyber threats. That’s because one of the primary ways the bad guys gain access to our computer systems is by human error- when someone in our office clicks on an attachment or link and lets the bad guys in the door. Toward that end, here’s some advice about avoiding a common trap: If it’s scary, be wary. The bad guys are sending emails that are designed to be scary in order to motivate you to click on their evil link. If you see something super scary, pause and take steps to verify it’s validity.
A recent opinion in Virginia made it clear for all lawyers— if your firm doesn’t have an impaired lawyer policy, you need to create one.
Many lawyers aren’t aware that ethics rules require you to stop representing a client if you, individually, develop some material impairment. Rule 1.16(a) says, “…a lawyer shall not represent a client or, where representation has commenced, shall withdraw from the representation of a client if…(2) the lawyer’s physical or mental condition materially impairs the lawyer’s ability to represent the client…” Essentially, this is a duty to act. Your required action, is if I become materially impaired, I must withdraw. But a recent opinion went further and held that that there may be a duty to act imposed on other lawyers in the firm. Specifically, if you’re in a supervisory role, you may need to take some action with respect to an impaired lawyer in the firm.
First, a reminder about the general rule on supervising: Lawyers in a managerial position have a duty to create policies which ensure that other lawyers in the office are complying with the ethics rules. In addition, lawyers who specifically supervise other lawyers need to ensure that the lawyers in their charge follow the rules. Rules 5.1(a) and 5.1(b). Now, on to the impairment issue…
In LEO 1886 (December 15, 2016) the Supreme Court of Virginia asked, “What are the ethical obligations of a partner or supervisory lawyer who reasonably believes another lawyer in the firm may be suffering from a significant impairment that poses a risk to clients or the general public?” They posited two hypotheticals: one in which a lawyer finds out that there is another lawyer at their firm with a significant substance abuse problem, and the other that portrayed an older lawyer who appears to be suffering the onset of dementia. In both cases, the lawyers’ condition is affecting their work.
Virginia confirmed that, “When a partner or supervising lawyer knows or reasonably believes that a lawyer under their direction and control is impaired, Rule 5.1(b) requires that they take reasonable steps to prevent the impaired lawyer from violating the Rules of Professional Conduct.” LEO 1886 at 3. The opinion didn’t say that you need to dismiss the lawyer. Quite the contrary, they said that, “the firm may be able to work around or accommodate some impairment situations.” LEO 1886 at 4. But the managerial/supervisory lawyer does need to step in and do something to protect the client’s interests.
The opinion gave some direction for how to deal with this, practically. They quoted from the ABA’s Standing Committee on Ethics and Professionalism Formal Op. 03-429 and said,
“The first step may be to confront the impaired lawyer with the facts of his impairment and insist upon steps to assure that clients are represented appropriately notwithstanding the lawyer’s impairment. Other steps may include forcefully urging the impaired lawyer to accept assistance to prevent future violations or limiting the ability of the impaired lawyer to handle legal matters or deal with clients.”
Here’s the dangerous quirk— not only do lawyers need to accept their duty to deal with this situation after the impairment issues have surfaced, but the opinion explicitly states that this issue should be considered ahead of time, in law firm policies. I’m not so sure that many firms have accounted for this in their HR docs. Specifically, the opinion states:
“In order to protect its clients, the firm should have an enforceable policy that would require, and a partner or supervising lawyer should insist, that the impaired lawyer seek appropriate assistance, counseling, therapy, or treatment as a condition of continued employment with the firm. For example, the firm could recommend, encourage or direct that the impaired lawyer contact Lawyers Helping Lawyers for an evaluation and assessment of his or her condition and referral to appropriate medical or mental health care professionals for treatment and therapy. Alternatively, making a confidential report to Lawyers Helping Lawyers may be an appropriate step for the firm. The firm or its managing lawyers might instead find it necessary or appropriate to consult with a professional medical or health care provider for advice on how to deal with and manage an impaired lawyer, including considering options for an “intervention” or other means of encouraging the lawyer to seek treatment or therapy.” LEO 1886 at 5.
And don’t forget, if the impaired lawyer violated the rules by, perhaps, neglecting a client’s matter, the firm/supervisors may be required to report that lawyer under Rule 8.3(a). I’m sure you’re aware of that duty, but I can see a firm trying to help an impaired lawyer get better, but allow the reporting duty to slip through the proverbial cracks.
The moral of this story: if your firm doesn’t have an impaired lawyer policy, you need to create one.
The next ethical landmine for lawyers is located in our cell phones. Specifically, I think we are very close to the point where lawyers need to have two devices— one for work, and one for our personal use. Here’s why.
The Wall Street Journal recently reported that cell phone sales growth have stagnated. After years of incredible growth in sales, the pace of that growth has subsided significantly. The new frontier, the article claims, is in mobile device software. Specifically, the future lies in “frictionless computing.”
Amazon’s Echo speaker, which uses Alexa, and Snap Inc.’s new Spectacles, camera-bearing sunglasses, are examples of what Benedict Evans, partner at venture-capital firm Andreessen Horowitz, calls “frictionless computing”—easy-to-use devices that unite applications with hardware beyond smartphones. Ben Schachter, senior analyst at Macquarie Capital, says: “Our view is the next big innovation will be from outside the device—from the software.” He expects increasing use of such software to meet entertainment, health-care, home innovation and automotive needs.
The words that scare me in that quote are “outside the device.” That’s because the increased use of cell phones to connect with external hardware by way of an installed app increases the likelihood that hackers can get access to our devices. Just this week we saw a similar concern from the medical community. The Minneapolis Star Tribune reported about the vulnerability of hacking heart devices:
On Monday, the U.S. Food and Drug Administration published a public safety notice confirming it is possible for a hacker to remotely compromise security in St. Jude’s wireless communication network and then secretly change commands in a pacemaker or implantable defibrillator while it’s still wired to a patient’s heart….
…“As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates,” the FDA’s Monday safety alert says.
While that isn’t frictionless computing when using a cell phone, it is an external device controlled by computers via wireless communication. In that regard, it is an analogous problem. And that problem is clear: once we start to increase the use of that type of wireless communication between devices, we increase the chance that hackers can wreak havoc. Yes, many of these opportunities to exploit our devices have existed for a while, but the concern I have is the increased chance of compromising our data. As the use of this technology grows, there are more and more opportunities for phishing, wireless hacking, etc. Thus, as frictionless computing becomes more prevalent it greatly increases the opportunity for the hackers to get at our information.
Personally, I’m willing to take the risk. I like using these devices, I understand the potential hacking problem, and I am willing to accept the downside in order to make use of this new technology. I am willing to put my personal information at risk. I am not, however, willing to put my client’s information at risk.
Many of us use our personal devices to access work information. We like to have remote access to notes apps like Evernote and cloud storage sites like DropBox. We text our clients and receive work emails, and that’s all sent to/from our personal device. It’s that same device that will be used to engage further in frictionless computing— many of us are probably Alexa addicts already, for instance. To date, we feel comfortable mixing business and personal use because we put password protections on the device and take other reasonable measures to protect client information. But at some point, vulnerabilities will increase to such an extent that the definition of what constitutes “reasonable measures” will change. I am concerned that the increased use of frictionless computing is hastening that change.
Today it might be reasonable to put a password to restrict access to the phones. But if frictionless computing is going to increase the opportunities for bad guys to hack into our devices, then it might not suffice to simply have a password or thumbprint barrier to access our phone. The prudent move might be to get another device all together for work matters. Maybe that work device won’t be used for frictionless computing at all. Maybe the security measures we take with that work-only device will be more stringent than our personal device. Then, we can make use of the wonders of frictionless computing, etc., without taking unreasonable risks that compromise client information.
Bear in mind that this isn’t about eliminating risk. Risk can never be completely eliminated. The question we need to ask is, “when does the risk expand to a point where it’s necessary to take some different action?” As usual, there is no way to discern exactly when we have crossed that line. But it’s my job to tell you when the warning signs appear. Well…boom, they’ve appeared. Keep your eyes open and make the move when you think it’s warranted. Just don’t get blindsided.
I recently spoke at a law firm about the ethical implications when lawyers use technology. I was talking about lawyers who choose to store client information in the cloud and I explained how the lawyer needs to understand the technology associated with the cloud storage site that the lawyer may use. I explained that Rule 1.1 (Competence) demands that we, personally, understand those details. It was exactly then that a very irate lawyer shot up his hand and barked at me, “I’ll just bring my IT guy with me and point to him. I’ll tell that committee to talk to HIM about it, then I’ll leave.” While I was itching to answer in an obnoxiously New Jersey manner, I noticed that the angry lawyer was the only man in the room who happened to be older, white haired, male, and wearing a suit. He had “managing partner” written all over him. It was at that point that I figured I’d soften the edge on my reply, lest I not be invited back to the firm. I (ever so gently) explained that it was the lawyer’s individual responsibility to understand the technology and that we would not be permitted to simply bring our support staff to a grievance and wash our hands of the situation.
For ages, lawyers have been able to stick their head in the sand about technology. At the very least, we’ve been able to push the problems to the another part of the sandbox. If the copier jammed, we’d shout for our secretary and leave it to her to fix (and in was usually a “her” in those days). If our computer locked up, we’d shout for the IT guy and we’d expect it to be up and running when we were back from lunch (and it was usually a “him” in those days). But technologies today are different and they are causing new duties to be created for lawyers.
For instance, the disciplinary authorities know that technology like cloud storage is prevalent these days. They also understand that the dangers inherent in using those new technologies are severe. As a result, a new duty applies to lawyers who use the cloud.
For some time I’ve been shouting that there exists a duty to understand technology. I’m not talking about understanding the law regarding technology. I mean a duty to understand the underlying technology itself. Granted, one might argue that there isn’t a separate duty in that regard and that it’s really just a subset of the duty of competence (Rule 1.1). To that I reply, “toe-may-to, toe-mah-to.” I don’t care how it fits into the rules, the bottom line is that it’s there and a recent ethics opinion in Alaska proves it’s existence. See Alaska Bar Association Ethics Opinion No. 2014-3.
On page 3, the authors state, “A lawyer engaged in cloud computing must have a basic understanding of the technology used and must keep abreast of changes in technology…Technological changes, the regulatory framework, and privacy laws are all matters requiring the lawyer’s attention.”
Thus, if you want to use technology, you must understand that technology. YOU must understand it. Not just your secretary or the IT guy/gal. You, individually, must understand the underlying technology.
For the ethics geeks like me, you aren’t surprised that this text is in the Alaska opinion. Heck, we’ve seen this in several opinions recently. But there are a bunch of you out there who didn’t believe me when I told you this at some of my CLE seminars. So, I guess what I’m really saying in this post is….“Told you so.”
Last week the ABA made an important change to Rule 1.6, “Confidentiality.” On its face, the change doesn’t seem like much—the drafters added a new section 1.6(c) which states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
That doesn’t seem like such a big deal, especially since the sentiment already existed in the commentary to the rules. The need to safeguard our clients’ information was already stated in a slightly different form in Comment  to Rule 1.6. And why shouldn’t it be—isn’t it an obvious point? So why would the drafters simply take language that already existed in the commentary, tweak it, and move it to the rule itself? It’s about addressing technology head on.
Lawyers are increasingly using new technologies like cloud storage sites and software as a service (SaaS) to store client data. While helpful, the obvious risk of using these sites is that there is a potential for disclosing information. Plus, this isn’t just about could-computing or websites, it’s about using any new technology, whether it be mobile storage devices, unencrypted wireless routers, iPads, etc. The more we use these technologies, there more opportunities we have to reveal client information. The drafters must have believed that the more frequent use of these types of technologies demands an increased emphasis on the need to protect client information. Thus, by expanding the language and moving it to the actual text of the rule, the drafters are telling the bar that this issue is no longer just commentary, or “secondary guidance.” Now it’s a primary duty.
So now we know that before we use new technologies we have a duty to make reasonable efforts to prevent the release of information relating to the client. But what does that mean? How do you know if the efforts you used were actually “reasonable?” More on that in the next post…
A few days ago the ABA adopted amendments to the Model Rules of Professional Conduct. Many of these amendments were a response to issues regarding social media, but not entirely. Over the next week I’ll be reviewing the rules and blogging about what the changes mean.
You can find all of the new rules here:
IMPORTANT NOTE: Remember, these rule changes only amend the ABA’s Model Code. Each individual state must now determine which, if any, amendments they want to include in their own codes. That process will obviously take some time, given the requirement for debate, public comment, etc.
I’ve been speaking with a bunch of law students lately and I thought I’d share the unsolicited advice that I’ve been dispensing. It’s never too early to clean up your Facebook page.
We all know the types of photos being posted on social media. Sure, as we get older we get a little tamer, but our lives are littered with bad decisions that were memorialized on social media. While we can’t erase our past entirely, we can make an effort to clean things up a bit. The reasons are clear.
First, I hope we all know that checking social media pages prior to making employment decisions is a way of life for employers of all kinds. And we should all realize that we can’t hide behind fake names– our prospective employers know that many students open Facebook pages using alternate names and they’re starting to ask questions.
Also, keep in mind that searching our Facebook pages is being institutionalized. In 2009 the Florida Board of Bar Examiners adopted a policy of searching applicants’ personal social networking websites in select situations, such as cases where there are significant candor concerns. Don’t be surprised if other states adopt this policy as well.
Be careful– there may be times where cleaning up our Facebook pages is improper. For instance, I don’t think it would ethically proper to change your website in response to an inquiry about your social media page. On the other hand, I don’t think there would be anything wrong with proactively cleaning up your page, in the absence of any inquiry.
Given the times we live in, it appears that it would be wise for law students to give consideration to cleaning things up, like, yesterday.