Tag Archives: Ethics

The Hidden, but Fixable Danger with PDFs

Imagine this hypo: You’re working on a transaction for a client, and the lending institution needs to send money to your trust account on your client’s behalf.  

— Stay with me — this is not going where you think —  

The lender sends you a fillable PDF form where you’re supposed to provide your wiring information (routing number, account number, etc). You open the document, type all of the information in the fields as required, and email it to the lender.  Obviously there’s the danger of someone intercepting these types of messages so a host of precautionary measures have been put into place and you comply with each.  Let’s say that such precautions even include that the lending representatives call you after receiving the document and read back the wiring instructions to ensure that everything’s kosher.  Despite all of these efforts, you were still scammed — the money never made it to your trust account and no one knows why.  Here’s how it happened: 

Remember that I said the document was a “fillable” PDF? You opened the PDF on your computer, typed in the required information in the fields, then sent the file as a “document” to the lender.  Well, when you sent the document that way, you left all of those “fillable” sections as, well…”fillable.”  Those fields could still be changed by someone because you didn’t lock the document.  

So here’s what happened in the hypo above: after making the call to you and confirming the account information, someone in the bank opened the file, changed that account number/routing number and diverted the money into some other account.  They were able to do that because the document you filled out was a “fillable” PDF and you simply emailed it as a document to the other party.  By emailing it as a “document” the information in the fields could still be changed.  So even after all of the protocols at the lending institution were adhered to, there was still an opportunity for someone with access to the document to change the numbers on the PDF.

The good news? There is a way to avoid this.   

Instead of sending the form as a “document” you should have “flattened” the document. Flattening a document basically locks all of those fillable sections. There are a few ways you could do that.  First, if you get a drop down menu when you try to send the file you might have the option to mail the attachment as a “flattened” document. Another alternative is to save the document as flattened before you email it (you may have to “Print” the document to a PDF then save a “flattened” version of the form). Disclaimer: I’m no tech expert— my job is to point out the dangers, but I don’t claim to be an expert on how to fix them.  I think the procedures I outlined above are correct, but talk to your IT people to ensure that I’m right in that regard.  

Obviously this goes beyond just bank account information.  People can modify any fields in a fillable PDF if the document isn’t locked before transmitting.  That’s why every time you send a fillable PDF you need to flatten it or otherwise lock it to ensure that no one else can change it’s contents after emailing.  

This sort of knowledge is the type of thing that our ethics rules demand. Specifically, it’s about competence.  Rule 1.1 requires that lawyers have the, “legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” The commentary to that rule explains that, “Competent handling of a particular matter includes…[the] use of methods and procedures meeting the standards of competent practitioners. Rule 1.1, Comment [5]. In addition, the new California Rule on Competence requires that lawyers apply the learning and skill that is reasonably necessary for the performance of the legal service. CA RPC 1.1(b) 

Is understanding the dangers of fillable PDFs considered to be part of the “methods and procedures,” or part of the skill that is “reasonably necessary for performance” of the legal services?  It is now. Maybe it wasn’t last year, but it is today. That’s because our duty of competence evolves. We are required to understand the ethical implications of technology as these new technologies become integrated with the practice. See, State Bar of California, Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2015-193. I don’t think there’s any question that PDFs are integrated with the practice of law. Of course, if my opinion doesn’t convince you, also consider that the issue of fillable PDFs was recently part of a best practices update that was sent to attorneys who work for the federal government.  And you know what I always say about the government…if they’re thinking about it, you need to be thinking about it.  

Share

Lawyers Need to Stop Using Gmail Immediately

Lawyers need to stop using gmail for their practice right now.  An article in the Wall Street Journal made it very clear that lawyers who use the system are doing so at their ethical peril.

(Watch the video, or continue reading below)

To understand why I feel this way you need a slight history lesson. Go back to the 90s when email first became popular.  For those of use who are old enough to recall, lawyers couldn’t use email in their practice because it was unencrypted. Our duty to safeguard client confidences per Rules 1.1 and 1.6 prohibited us from using the tool.  The ABA and state bars across the country deemed that unencrypted email was too insecure and that lawyers who used it weren’t taking the necessary steps to fulfill their duty of protecting clients’ confidential information.  So what changed? Today email is generally still unencrypted, but lawyers use it every day (yes, there have been recent opinions which question whether we should continue to use unencrypted email, but it is permitted in a variety of instances). Here’s the change— Congress criminalized the interception of email.  

Once Congress made the interception of email a crime, the powers that be agreed that lawyers had a reasonable expectation of privacy in using the medium. The key phrase is a “reasonable expectation of privacy.”  The ABA issued a formal opinion in 1999 confirming that idea:

“The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law. The Committee concludes, based upon current technology and law as we are informed of it, that a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a) in choosing that mode to communicate. This is principally because there is a reasonable expectation of privacy in its use.”

So what about the Gmail connection? Well, that standard — the reasonable expectation of privacy — was a key consideration for the New York State Bar Association when it opined about the permissibility of free email services like Gmail.  In its Opinion 820, the New York State Bar Association voiced concern about systems like Gmail because Google used advertising to keep the service free. In return for providing the email service, “the provider’s computers scan e-mails and send or display targeted advertising to the user of the service. The e-mail provider identifies the presumed interests of the service’s user by scanning for keywords in e-mails opened by the user. The provider’s computers then send advertising that reflects the keywords in the e-mail.”  The obvious problem is that if we’re using the email system for client work, then we’re allowing the provider to scan confidential information. 

The NY authorities, however, said that all of this was okay.  Even though the email messages are scanned humans don’t actually do the scanning.  Rather, only computers engage in that task.  Thus, they stated that “merely scanning the content of e-mails by computer to generate computer advertising…does not pose a threat to client confidentiality, because the practice does not increase the risk of others obtaining knowledge of the e-mails or access to the e-mails’ content.”  In other words, lawyers had a reasonable expectation of privacy when using the service.

Today there’s been a big change. 

Big.

On September 21, 2018 the Wall Street Journal reported that Google shares Gmail information with its app developers. But what’s important is the type of information that’s being shared and who view it (remember something— here we’re not worried about privacy issues related to data sharing…this is different…this is about the lawyer’s duty to protect confidential information).  The WSJ article revealed that:

Google Inc. told lawmakers it continues to allow other companies to scan and share data from Gmail accounts…the company allows app developers to scan Gmail accounts…outside app developers can access information about what products people buy, where they travel and which friends and colleagues they interact with the most. In some cases, employees at these app companies have read people’s actual emails in order to improve their software algorithms. [emphases added]

Did you get that last part? There are real human beings who are reading the contents of Gmail messages.  What we know from NY Opinion 780 is that if human beings are reading the lawyer emails, then lawyers no longer have a reasonable expectation of privacy in Gmail.  

Sure, we lack some specific data about which emails are read, but that doesn’t change the conclusion.  We might not know if lawyers’ messages in particular were included in the messages that were scanned.  But that’s sort of exactly the problem — we don’t know.  And we don’t have any way to control or restrict the app developers from reading anyone’s emails, including our practice-related emails.  Because of that reality I don’t think that lawyers have a reasonable expectation of privacy in using Gmail any more.  Our duty to protect client confidences set forth in Rule 1.6 precludes us from using the service.  I’ll tell you the truth, it actually looks like no one — lawyer or otherwise — has a reasonable expectation of privacy with the platform.  That’s why I think lawyers need to stop using Gmail for practice related matters immediately.

Share

Shut Your Mouth on Twitter. It’s only going to cause problems for you and the firm

Every day this month I’m going to post a short message called, “Something Smart & Safe.” They’re short video messages that will give lawyers a drop of good direction. My first installment is begging lawyers to stop tweeting about politics — its got problems written all over it.

Want to see the rest of the Smart & Safe posts? Subscribe to my YouTube Channel here.

 

Share

The practice is finally getting with the mental health program!

I’ve been quite happy with an important recent change in the legal profession— we’re finally talking seriously about mental health.  More specifically, we’re taking about getting help for our mental health issues.

Of course, while the powers-that-be have been advocating that discussion for a (short) while, the lawyers on the ground have been more reluctant to engage.  The reason is clear— stigma and repercussions.  Lawyers don’t want their colleagues or clients to know that they are struggling because they’re afraid it will affect how they appear to those people. Lawyers obviously also don’t want to suffer any setback to their career. As a result, there’s been a de facto disincentive for lawyers to come forward and get help.  It appears, however, that that’s changing.

The Wall Street Journal reports that firms are “offering on-site psychologists, training staff to spot problems and incorporating mental-health support alongside other wellness initiatives.” That’s the type of action we need. I’ve long said in my CLE programs that we need to create an environment where people feel comfortable about getting help.  Hopefully the firms’ actions set forth in that article are the front end of a growing trend.

Share

Open Source Software Could be Off Limits to Lawyers

I think it’s unethical for lawyers to use open source software for client work.

I want you to read that again.  I said that I THINK it’s unethical for lawyers to use open source software.  Truth is, I’m not so sure. That, however, is how I’m leaning after doing a bit of research.  Permit me to explain how I arrived at that conclusion….and please let me know if you agree.  I’d love to hear what the lawyer-universe thinks.

First, my disclaimer.  I am not scared of technology, and I don’t want to discourage lawyers from using it.  The question I’m grappling with is not, “Should lawyers be making use of cutting edge technology like open source software.”  The question is, “Given the actual opinions and standards that exist, are lawyers violating the ethics rules by using open source software.” So don’t attack me for trying to be anti-technology, because I’m not.

What is open source software?  A program is considered open source if, “its source code is freely available to its users. Its users – and anyone else – have the ability to take this source code, modify it, and distribute their own versions of the program. The users also have the ability to distribute as many copies of the original program as they want. Anyone can use the program for any purpose; there are no licensing fees or other restrictions on the software.….The opposite of open-source software is closed-source software, which has a license that restricts users and keeps the source code from them.”(http://www.howtogeek.com/129967/htg-explains-what-is-open-source-software-and-why-you-should-care/ last checked by the author on January 25, 2017). In order to understand the ethical issue, you’ll need a brief understanding about a key ethical concern with email.  I’m sorry to bore you with the history lesson, but trust me, it’s necessary.

Go back to the 90s when email first became popular.  For those of use who are old enough to recall, lawyers couldn’t use email in their practice because it was unencrypted. Our duty to safeguard client confidences per Rules 1.1 and 1.6 prohibited us from using the tool.  The ABA and state bars across the country deemed that unencrypted email was too insecure and that lawyers who used it weren’t taking the necessary steps to fulfill their duty of protecting clients’ confidential information.  So what changed? Today email is generally still unencrypted, but lawyers use it every day. Here’s the change— congress criminalized the interception of email.

Once Congress made the interception of email a crime the powers that be then agreed that this change, when combined with other factors, meant that now lawyers had a reasonable expectation of privacy in using the medium. The key phrase is “a reasonable expectation of privacy.”  The ABA issued a formal opinion in 1999 confirming that idea:

“The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law. The Committee concludes, based upon current technology and law as we are informed of it, that a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a) in choosing that mode to communicate. This is principally because there is a reasonable expectation of privacy in its use.” ABA Commission on Ethics and Professional Responsibility Formal Opinion 99-413.

States have since followed suit and permitted the use of unencrypted email in the practice of law. What’s key here is that we see the standard clearly— the reasonable expectation of privacy.  It’s important to understand that rationale for permitting such email communications, because it continues to be relevant today.  As new technologies are developed, the authorities apply the same reasoning.  Consider the furor over gmail and other free email services back in 2008.

In it’s Opinion 820, the New York State Bar Association opined about those free email systems. nNew York State Bar Association Committee on Professional Ethics Opinion 820 – 2/8/08.  The systems were a concern because of the business model that the systems use to keep the service free.  Here’s how they work: in return for providing the email service, “the provider’s computers scan e-mails and send or display targeted advertising to the user of the service. The e-mail provider identifies the presumed interests of the service’s user by scanning for keywords in e-mails opened by the user. The provider’s computers then send advertising that reflects the keywords in the e-mail.”  NYSBA Op. 820 at 2. The obvious problem is that if we’re using the email system for client work, then we’re allowing the provider to scan confidential information.

When considering whether these new email systems would be permitted, the NY authorities first considered the rationale for permitting email back in the 90s. Email was allowed because, “there is a reasonable expectation that e-mails will be as private as other forms of telecommunication and…therefore…a lawyer ordinarily may utilize unencrypted e-mail to transmit confidential information. NYSBA Op. 820 at 1.  They applied that same reasoning to the question of free emails.

Even though the email messages in the current systems are scanned, the opinion noted that humans don’t actually do the scanning.  Rather, it’s computers that take care of that task.  Thus, they stated that “Merely scanning the content of e-mails by computer to generate computer advertising…does not pose a threat to client confidentiality, because the practice does not increase the risk of others obtaining knowledge of the e-mails or access to the e-mails’ content.”  NYSBA Op. 820 at 2.

What the opinion is basically saying is that there continues to be a reasonable expectation of privacy in these email systems.  Maybe the better way to phrase it is a reasonable expectation of “confidentiality,” but the idea is the same. What’s important to note is that the technology developed, but the standard that was applied remained the same.

If we take that standard and apply it to open source software, then…Houston, we have a problem.  Earlier I noted that the characteristic that makes open source software “open” is that any programmer could change the source code.  That’s the whole point of open source software.  But that ability to change the source code is what worries me.

If any programmer could change the code to an open source program, then isn’t it possible that some version of that software could contain a virus or other nefarious element?  What if the programmer installed a hidden web bug or other software device that allows the programmer to view or copy your confidential client information?  Such a devious act isn’t out of the realm of possibility.  In fact, it seems realistic, and such tactics are being debated in the real-life practice today. Take the recent opinion out of Alaska.

In 2016 the state of Alaska issued an opinion that dealt with the ethical propriety of lawyers using web bugs to obtain information from their adversaries/opposing parties.  The Alaska authorities reviewed a case where an attorney actually utilized a bug and the Bar opined that using such tools would be an ethical violation because it “impermissibly infringes on the lawyer’s ability to preserve a client’s confidences as required by Rule 1.6.” Alaska Bar Association Ethics Opinion 2016-1.  I realize that the opinion isn’t really on point— in the open source question we’re not talking about a lawyer installing a bug.  I brought it up, however, because it shows that the use of those software devices is very much a reality in today’s practice.

What if a programmer installs a similar type of software device in a piece of open source software and that device allows the programmer to view, copy, and disseminate your confidential client information? Getting hacked or taken advantage of doesn’t give rise to ethical liability, per se.  But there are opinions that have said that you have a duty to avoid the obvious scams. See, New York City Bar Association Formal Opinion 2015-3, April 22, 2015 (“In our view, the duty of competence includes a duty to exercise reasonable diligence in identifying and avoiding common Internet-based scams, particularly where those scams can harm other existing clients.”).  Being infested with a virus/web bug certainly seems like an obvious concern, given the realities of the world today.  The question is, should we have expected that to happen?

Should a reasonable lawyer have known that there is a realistic probability that some dangerous device could be installed in open source software?  Should a reasonable lawyer have considered the open source software platform to be off limits because our client’s information is too vulnerable in that way?  Given the open nature of the software and given the real potential of having web bugs inserted into code, do lawyers have a reasonable expectation of privacy in open source software?

My answer is no.

It seems easy for a programmer to secretly install some bug or other information viewing device.  There are no controls or procedures that stop them from doing so. It is an open opportunity for any bad actor to wreak havoc and there is little to no protection against it.

A critical counter argument needs to be addressed. It is true that a programmer could still install some bug-like device even in a closed software environment.  A programmer in Microsoft or Apple could do it, and we might never be the wiser.  But I don’t think the question is whether it could happen — the question is whether it is likely.  One would think that the corporate software developer would have quality control measures that would ferret that out. There would be supervisory procedures to avoid that type of thing from happening.  Given those measures, I would think that it’s reasonable for lawyers to assume that there would not be a web bug installed in the corporate-purchased software.  Even if it did occur, it would have to be some employee/programmer gone rogue. That sort of extraordinary circumstance could be detrimental to the client, but it wouldn’t necessarily mean that the lawyer was derelict in their ethical duties by trusting the software.  It could probably still be said that the lawyer had a reasonable expectation of privacy in that corporate/closed source-created software.

One could argue that there are informal quality control measures in the open source environment. There are apparently very strong ethical underpinnings to the open source movement.  Behaving unethically is looked down upon in the open source community and there is a decent amount of peer pressure on programmers to uphold those unwritten ethical standards.  My concern is that there is no actual mechanism to enforce it.  The only thing stopping open source programmers from installing is the communal sense of morality that  discourages such behavior.  The lack of any formal mechanism is problematic.

It’s the ability of almost any programmer at any time to manipulate the code that makes me believe that lawyers do not have a reasonable expectation of privacy when using open source software.  Now, I realize that that is a blanket statement.  There are likely to be a variety of factors that could alter the equation.  For instance, maybe the main open source software system of some sort could have excellent quality control.  That’s fine, but what about the plug-ins you may download to use in connection with that tool?  Maybe some open source systems will be inherently more secure than others because the cooperative that developed it adopts some quality control.  Okay, so then maybe we con’t have to avoid all open source software, just the sketchy ones.  I’m sure that there are issues and I confess to not having an expert understanding of the programming world, so there are surely plenty of other considerations that I haven’t accounted for.  But these type of factors would simply make otherwise ethically impermissible systems permitted in some way.  It wouldn’t change my overall analysis.

Here, however, is why you should take my opinion seriously…even if you think it comes from a place of relative ignorance.  I have a decent understanding of technology. I also have a decent understanding of the ethics rules.  Truth is, I probably have as much knowledge in both areas as any ethics investigator who would be evaluating a grievance.  And if I’m leaning toward believing that open source software is an ethics violation, then that ethics investigator might be too.

Now….tell me why I’m wrong. But please be polite.

Share

The Ethical Danger of the Microsoft/LinkedIn Merger

This week it was announced that Microsoft is buying LinkedIn.  There are some hidden attorney ethics implications about which we all need to be aware.

A review of the recent news articles announcing the acquisition reveals that a key motivating factor in Microsoft’s purchase of LinkedIn was access to LinkedIn’s data.  Of course, sharing data is nothing new.  But when companies improve their ability to share our data across various platforms, my ears perk up. Not just because it’s creepy or because of obvious privacy implications. The type of data sharing they’re contemplating in the Microsoft/LinkedIn combination makes me worry about confidentiality (and other) issues.

Why they are merging:

According to the Wall Street Journal, Microsoft sees a critical synergy with LinkedIn:

“LinkedIn’s users are, arguably, Microsoft’s core demographic. They also offer Microsoft something it has long sought but never had—a network with which users identify. Microsoft needs to persuade LinkedIn users to adopt that identity, and use it across as many Microsoft products as possible.

Access to those users, as well as the enormous amounts of data they throw off, could yield insights and products within Microsoft that allow it to monetize its investment in LinkedIn in ways that the professional networking site might not be able to. [Microsoft CEO] Mr. Nadella already has mentioned a few of these, including going into a sales meeting armed with the bios of participants, and getting a feed of potential experts from LinkedIn whenever Office notices you’re working on a relevant task.“

In other words, Microsoft wants to have your Outlook and other Microsoft software products speak to your LinkedIn profile.  The intersection of that data is valuable — various sellers of products and services would be willing to pay for it.

It appears that Microsoft wants to be able to read through the work we do on their products like Word, review our upcoming appointments in our Outlook calendar, search for keywords in our emails, and then find connections with people with our LinkedIn connections.  That’s what they are searching for — connections they could monetize.

For instance, let’s say accountant X has an Outlook Calendar appointment which sets a meeting with “Charles McKenna of Account-Soft Corp.” Microsoft could then search LinkedIn and it would learn that McKenna works for a company that sells workflow management software.  Well, now Microsoft knows the accountant is in the market for workflow management software….and they could sell that knowledge to other software companies who would then direct solicitations in the accountant’s direction.  That’s an annoyance for an accountant, but a potential ethics disaster if he/she were a lawyer.

Basic issue, Confidentiality:

If Microsoft scours our Word documents and emails, then there could be Rule 1.6 confidentiality issues.  That’s so obvious that we don’t need to spend time talking about it now.  I think the more unusual issues come from the Calendar function…

If they leverage the data in our Calendar, it could reveal our client relationships:

The substance of what we learn from the client is confidential, but so is the very existence of the lawyer-client relationship.  Will the integration of these platforms make it easier for people to figure out who we represent?

Think about how much information Microsoft could piece together from our Calendar.  They might see a potential client introduction (which lists Pete Smith as present), a court appearance (which lists Pete Smith as present), and a meeting for settlement purposes (which lists Pete Smith as present). It’s not going to be too tough for the Microsoft bots to figure out that Pete Smith is your client.

If they leverage data in our Calendar, it could reveal key substantive information that could harm the client:

If Microsoft looks at our Calendar they can see that we’re heading to a particular locale.  They might then cross reference our LinkedIn connections and send a message to one of them that says something like, “Your connection Bruce Kramer is going to Chicago next week.  Why don’t you look him up?”

That heads-up might give someone the incentive to look into our movements a bit more…and who knows what they could find.  What if that info was given to a real estate agent that we know in Chicago…and maybe we are representing a successful land owner…and we’re clandestinely scouting a real estate purchase because we don’t want people to figure out that we’re there on behalf of our deep-pocketed client…because if they know, the purchaser will run up the price.  That LinkedIn message tipped off the real estate agent and it could cost the client a lot of money.

If they leverage data in our Calendar, it could end up revealing a misrepresentation:

Imagine that Client A asks you to accompany them to a meeting in Los Angeles. You tell her that you can’t go because you’ll be on vacation on the East Coast. That’s not true, however. The truth is that you’ve already scheduled a meeting with a potentially new client in Los Angeles. You didn’t want Client A to know that you’d be in town because you didn’t want to have to shuffle between clients- it would just be too much work.  You could have told Client A that you’d be in town but you didn’t have time to meet her, but you thought she’d be insulted.  It was just easier to say you’re far away and be done with it.

Later, Client A gets a LinkedIn message that says, “Your Connection Mary Smith is going to be in Los Angeles next weekend…send her a message and try to link up!”  Do you know what you are now? Busted. And not only do you have egg on your face, but you may also have committed an ethical violation.

Is the white lie that you told your client going to be considered a misrepresentation or deception per Rule 8.4(c)? That rule states: “It is professional misconduct for a lawyer to (c) engage in conduct involving dishonesty, fraud, deceit or misrepresentation…”

I know what you’re thinking…it was a half-truth.  No harm no foul. Well, I searched the ethics code, and I didn’t find the term “white lie” or “half-truth” anywhere in the code.  You should also note that Rule 8.4(c) does not require that the misrepresentation be “material.”  It doesn’t allow you to lie about inconsequential things and there’s no modifying language- it just says that you can’t lie or deceive.

These are just a few issues.  Some of these are clear ethics concerns, others are more akin to PR nightmares.  Are they so terrible that we all need to get off LinkedIn right away?  That might be a bit premature.  After all, they only just announced the merging of the platforms- they haven’t actually done anything yet.  I don’t know what dangers will actually be realized, or whether any dangers will be realized at all.  What I do know is that part of being a responsible attorney in this technological age is to be diligent in thinking about these issues.  As lawyers practicing in an ever-changing technological environment, we need to be aware of the potential problems.  Keep your eye on the news and stay abreast about the details regarding the integration of these two platforms.  Then, if you determine that you need to act, do so.  That way we are “keep[ing] abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” Comment [8], Rule 1.1

Share

Panama Papers Lesson #2: Beware the copycat leakers inside your firm

The massive leak of confidential documents from the Panamanian law firm Mossack Fonseca is still sending shock waves throughout the world.  It’s likely to keep reverberating for some time. We’re not any closer to learning the origin of the leak because the newspaper who disseminated the information won’t reveal their source.  We don’t know if the information was stolen and distributed by an activist hacker, or leaked by a current/former employee of the law firm.¹  What we do know us that a whole lot of confidential information was released and, “the data primarily comprises e-mails, pdf files, photo files, and excerpts of an internal Mossack Fonseca database.”²

In my last threat assessment I discussed the concerns about the possibility that the firm was hacked, but there is another, equally disturbing concern.  The leak could have been the work of an employee of the firm, perhaps acting as a whistleblower of sorts. In that case, what should the firm fear and what are the ethical concerns?

The thing to fear? Copycats.

Sure, the idea of whistleblowers is nothing new, but I’m concerned about people who are inspired by the Snowdens and the WikiLeaks of the world.  I’m worried that high profile leaks could be inspiring others to adopt a pseudo-Robin Hood mentality.  I call them Disclosure Vigilantes— those employees who feel that it’s their societal duty to expose the things they define as “wrongs.”  I’m not talking about people who expose criminal conduct— I’m talking about those copycats who steal and/or reveal our clients’ confidential data and leak it to someone outside the firm in an effort to make public something that they define as an affront to society.  They could be personally disgusted by someone’s “excessive wealth,”  or feel compelled to “uncover the extent to which Corporate America will go to keep the average worker down”….name your cause, name your villain.

The ethical concerns? Hiring and Supervision

If there is a danger that firm employees could be Disclosure Vigilantes, then what are we doing to counteract it? We need to ask whether the firm is properly vetting all of our new hires, including those in IT. Plus, are we asking the right questions during the interview process? Does our interview process in some way consider the issue of purposeful leaks (note that I’m an ethics guy, not a labor law guy, so talk to a labor lawyer to ensure that whatever questions you ask aren’t improper from a privacy/labor law/etc., perspective). From an ethical point of view, that sort of targeted due diligence during hiring could constitute the appropriate “thoroughness” required by Rule 1.1 (Competence), and it might be the “reasonable diligence” that’s required by Rule 1.3 (Diligence).

But it goes beyond just hiring.  After the employees are hired we need to manage our staff, and Rule 5.3 requires that we supervise nonlawyer personnel.  Lawyers in a firm have a responsibility to ensure that our nonlawyer employees behave in a manner that’s “compatible with the professional obligations of the lawyer,” and that has historically included confidentiality, among other things. But given the new reality of Disclosure Vigilanteism, that duty to supervise might be expanding to include the need to watch for morality-based intentional leaks of client information.

A savvy lawyer might see a third angle— (1) we should properly screen our new hires, (2) we should properly supervise our employees to make sure no disclosures are occurring, and…(3) maybe we should also watch for changed circumstances to our employees which could increase the probability of a purposeful disclosure.  Remember, employees could change during their tenure at the firm.  If that’s the case, the wise firm might ask whether we are periodically reviewing the staff to check for changed circumstances in our employees that might lead to Disclosure Vigilanteism (being cognizant, of course, of the limitations that are imposed by privacy restrictions and other labor law).

The potential for copycat Disclosure Vigilantes might be altering our responsibilities in hiring and supervising employees.  I don’t want you to be that firm….the firm that finds itself in front of an ethics tribunal listening to them say, “the signs were there…you didn’t look for them”…and then hearing that dreaded phrase…you “should have known” this was going to be a problem.

 

 

 

¹http://www.bustle.com/articles/151771-who-leaked-the-panama-papers-the-whistleblower-had-just-one-condition, last checked by the author May 3, 2016

²http://panamapapers.sueddeutsche.de/articles/56febff0a1bb8d3c3495adf4/ last checked by the author May, 3, 2016

 

Share