Frictionless computing is an emerging technology and it poses some serious ethics risks. There was recently an article about it that raised my eyebrows, so I wanted to let you know about this danger.
Frictionless computing is an emerging technology and it poses some serious ethics risks. There was recently an article about it that raised my eyebrows, so I wanted to let you know about this danger.
Tech gurus around the country have been tweeting about the new ABA opinion like it’s some sort of revelation that was brought down from a mountain on stone tablets. I don’t know why everyone is going up in arms about this. Here’s what I think. The ABA is (a) on point (as usual), and (b) 7 years too late (as usual). The opinion is 11 pages of stuff that ethics professionals and various states have been shouting for almost a decade. If you’re a lawyer and you didn’t know the contents of Opinion 477 already, you should be embarrassed.
After all 11 pages, it comes down to the last two sentences of the opinion. They basically say that lawyers need to take special security precautions to protect client information if you’re required to do so by agreement (really, you didn’t know that?), by law (someone needed to issue an opinion to tell you that you need to abide by the law?), or when the nature of the information requires a higher degree of security (teachers like me have been preaching that for YEARS). Opinion 477 at 11.
It takes everything in my being not to say, “…duh.”
Of course you need to consider the sensitivity of the information when determining how you communicate that information to your client. The State of California told us that….in 2010 (go look at Formal Opinion 2010-179. And California did it in only 7 pages). The ABA even told us that in their revised rules…in 2012. But now, in 2017, they finally get around to writing this opinion?
All of the information in this opinion is important. But it should have been issued years ago. “But wait,” you might protest, “Opinion 477 gives some factors to consider.” Listen— if the seven precautionary recommendations that they list in this opinion are new to you, then here’s a newsflash: You haven’t been meeting your duty of competence for years. Maybe in their next opinion they’ll give us some more useful tech advice like, “To rename a file, type the following command after the C:\…” Seriously, this is all coming to us a bit late.
Here’s another helpful nugget from Op. 477: It reminds us that the rules “may require a lawyer to discuss security safeguards with clients.” Opinion 477 at 5. People, technology issues like that should be a part of every lawyer’s initial conversation with their client…and it should have been that way already for years. If you haven’t been talking about it, then you’re in borderline malpractice territory. It also means that you haven’t been listening because every respectable ethics teacher has been shouting about that for almost a decade.
Here’s what I would have tweeted about this opinion (if I had more than 140 characters):
To the lawyers: If any of this is new to you, stop what you’re doing and (a) chastise yourself for being 10 years behind the curve and (b) read the opinion. My gut tells me that there will be a total of 3 lawyers who are surprised by the contents of Opinion 477.
To the ABA: Move quicker and talk less. You’ll serve all lawyers better.
I think it’s unethical for lawyers to use open source software for client work.
I want you to read that again. I said that I THINK it’s unethical for lawyers to use open source software. Truth is, I’m not so sure. That, however, is how I’m leaning after doing a bit of research. Permit me to explain how I arrived at that conclusion….and please let me know if you agree. I’d love to hear what the lawyer-universe thinks.
First, my disclaimer. I am not scared of technology, and I don’t want to discourage lawyers from using it. The question I’m grappling with is not, “Should lawyers be making use of cutting edge technology like open source software.” The question is, “Given the actual opinions and standards that exist, are lawyers violating the ethics rules by using open source software.” So don’t attack me for trying to be anti-technology, because I’m not.
What is open source software? A program is considered open source if, “its source code is freely available to its users. Its users – and anyone else – have the ability to take this source code, modify it, and distribute their own versions of the program. The users also have the ability to distribute as many copies of the original program as they want. Anyone can use the program for any purpose; there are no licensing fees or other restrictions on the software.….The opposite of open-source software is closed-source software, which has a license that restricts users and keeps the source code from them.”(http://www.howtogeek.com/129967/htg-explains-what-is-open-source-software-and-why-you-should-care/ last checked by the author on January 25, 2017). In order to understand the ethical issue, you’ll need a brief understanding about a key ethical concern with email. I’m sorry to bore you with the history lesson, but trust me, it’s necessary.
Go back to the 90s when email first became popular. For those of use who are old enough to recall, lawyers couldn’t use email in their practice because it was unencrypted. Our duty to safeguard client confidences per Rules 1.1 and 1.6 prohibited us from using the tool. The ABA and state bars across the country deemed that unencrypted email was too insecure and that lawyers who used it weren’t taking the necessary steps to fulfill their duty of protecting clients’ confidential information. So what changed? Today email is generally still unencrypted, but lawyers use it every day. Here’s the change— congress criminalized the interception of email.
Once Congress made the interception of email a crime the powers that be then agreed that this change, when combined with other factors, meant that now lawyers had a reasonable expectation of privacy in using the medium. The key phrase is “a reasonable expectation of privacy.” The ABA issued a formal opinion in 1999 confirming that idea:
“The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law. The Committee concludes, based upon current technology and law as we are informed of it, that a lawyer sending confidential client information by unencrypted e-mail does not violate Model Rule 1.6(a) in choosing that mode to communicate. This is principally because there is a reasonable expectation of privacy in its use.” ABA Commission on Ethics and Professional Responsibility Formal Opinion 99-413.
States have since followed suit and permitted the use of unencrypted email in the practice of law. What’s key here is that we see the standard clearly— the reasonable expectation of privacy. It’s important to understand that rationale for permitting such email communications, because it continues to be relevant today. As new technologies are developed, the authorities apply the same reasoning. Consider the furor over gmail and other free email services back in 2008.
In it’s Opinion 820, the New York State Bar Association opined about those free email systems. nNew York State Bar Association Committee on Professional Ethics Opinion 820 – 2/8/08. The systems were a concern because of the business model that the systems use to keep the service free. Here’s how they work: in return for providing the email service, “the provider’s computers scan e-mails and send or display targeted advertising to the user of the service. The e-mail provider identifies the presumed interests of the service’s user by scanning for keywords in e-mails opened by the user. The provider’s computers then send advertising that reflects the keywords in the e-mail.” NYSBA Op. 820 at 2. The obvious problem is that if we’re using the email system for client work, then we’re allowing the provider to scan confidential information.
When considering whether these new email systems would be permitted, the NY authorities first considered the rationale for permitting email back in the 90s. Email was allowed because, “there is a reasonable expectation that e-mails will be as private as other forms of telecommunication and…therefore…a lawyer ordinarily may utilize unencrypted e-mail to transmit confidential information. NYSBA Op. 820 at 1. They applied that same reasoning to the question of free emails.
Even though the email messages in the current systems are scanned, the opinion noted that humans don’t actually do the scanning. Rather, it’s computers that take care of that task. Thus, they stated that “Merely scanning the content of e-mails by computer to generate computer advertising…does not pose a threat to client confidentiality, because the practice does not increase the risk of others obtaining knowledge of the e-mails or access to the e-mails’ content.” NYSBA Op. 820 at 2.
What the opinion is basically saying is that there continues to be a reasonable expectation of privacy in these email systems. Maybe the better way to phrase it is a reasonable expectation of “confidentiality,” but the idea is the same. What’s important to note is that the technology developed, but the standard that was applied remained the same.
If we take that standard and apply it to open source software, then…Houston, we have a problem. Earlier I noted that the characteristic that makes open source software “open” is that any programmer could change the source code. That’s the whole point of open source software. But that ability to change the source code is what worries me.
If any programmer could change the code to an open source program, then isn’t it possible that some version of that software could contain a virus or other nefarious element? What if the programmer installed a hidden web bug or other software device that allows the programmer to view or copy your confidential client information? Such a devious act isn’t out of the realm of possibility. In fact, it seems realistic, and such tactics are being debated in the real-life practice today. Take the recent opinion out of Alaska.
In 2016 the state of Alaska issued an opinion that dealt with the ethical propriety of lawyers using web bugs to obtain information from their adversaries/opposing parties. The Alaska authorities reviewed a case where an attorney actually utilized a bug and the Bar opined that using such tools would be an ethical violation because it “impermissibly infringes on the lawyer’s ability to preserve a client’s confidences as required by Rule 1.6.” Alaska Bar Association Ethics Opinion 2016-1. I realize that the opinion isn’t really on point— in the open source question we’re not talking about a lawyer installing a bug. I brought it up, however, because it shows that the use of those software devices is very much a reality in today’s practice.
What if a programmer installs a similar type of software device in a piece of open source software and that device allows the programmer to view, copy, and disseminate your confidential client information? Getting hacked or taken advantage of doesn’t give rise to ethical liability, per se. But there are opinions that have said that you have a duty to avoid the obvious scams. See, New York City Bar Association Formal Opinion 2015-3, April 22, 2015 (“In our view, the duty of competence includes a duty to exercise reasonable diligence in identifying and avoiding common Internet-based scams, particularly where those scams can harm other existing clients.”). Being infested with a virus/web bug certainly seems like an obvious concern, given the realities of the world today. The question is, should we have expected that to happen?
Should a reasonable lawyer have known that there is a realistic probability that some dangerous device could be installed in open source software? Should a reasonable lawyer have considered the open source software platform to be off limits because our client’s information is too vulnerable in that way? Given the open nature of the software and given the real potential of having web bugs inserted into code, do lawyers have a reasonable expectation of privacy in open source software?
My answer is no.
It seems easy for a programmer to secretly install some bug or other information viewing device. There are no controls or procedures that stop them from doing so. It is an open opportunity for any bad actor to wreak havoc and there is little to no protection against it.
A critical counter argument needs to be addressed. It is true that a programmer could still install some bug-like device even in a closed software environment. A programmer in Microsoft or Apple could do it, and we might never be the wiser. But I don’t think the question is whether it could happen — the question is whether it is likely. One would think that the corporate software developer would have quality control measures that would ferret that out. There would be supervisory procedures to avoid that type of thing from happening. Given those measures, I would think that it’s reasonable for lawyers to assume that there would not be a web bug installed in the corporate-purchased software. Even if it did occur, it would have to be some employee/programmer gone rogue. That sort of extraordinary circumstance could be detrimental to the client, but it wouldn’t necessarily mean that the lawyer was derelict in their ethical duties by trusting the software. It could probably still be said that the lawyer had a reasonable expectation of privacy in that corporate/closed source-created software.
One could argue that there are informal quality control measures in the open source environment. There are apparently very strong ethical underpinnings to the open source movement. Behaving unethically is looked down upon in the open source community and there is a decent amount of peer pressure on programmers to uphold those unwritten ethical standards. My concern is that there is no actual mechanism to enforce it. The only thing stopping open source programmers from installing is the communal sense of morality that discourages such behavior. The lack of any formal mechanism is problematic.
It’s the ability of almost any programmer at any time to manipulate the code that makes me believe that lawyers do not have a reasonable expectation of privacy when using open source software. Now, I realize that that is a blanket statement. There are likely to be a variety of factors that could alter the equation. For instance, maybe the main open source software system of some sort could have excellent quality control. That’s fine, but what about the plug-ins you may download to use in connection with that tool? Maybe some open source systems will be inherently more secure than others because the cooperative that developed it adopts some quality control. Okay, so then maybe we con’t have to avoid all open source software, just the sketchy ones. I’m sure that there are issues and I confess to not having an expert understanding of the programming world, so there are surely plenty of other considerations that I haven’t accounted for. But these type of factors would simply make otherwise ethically impermissible systems permitted in some way. It wouldn’t change my overall analysis.
Here, however, is why you should take my opinion seriously…even if you think it comes from a place of relative ignorance. I have a decent understanding of technology. I also have a decent understanding of the ethics rules. Truth is, I probably have as much knowledge in both areas as any ethics investigator who would be evaluating a grievance. And if I’m leaning toward believing that open source software is an ethics violation, then that ethics investigator might be too.
Now….tell me why I’m wrong. But please be polite.
The next ethical landmine for lawyers is located in our cell phones. Specifically, I think we are very close to the point where lawyers need to have two devices— one for work, and one for our personal use. Here’s why.
The Wall Street Journal recently reported that cell phone sales growth have stagnated. After years of incredible growth in sales, the pace of that growth has subsided significantly. The new frontier, the article claims, is in mobile device software. Specifically, the future lies in “frictionless computing.”
Amazon’s Echo speaker, which uses Alexa, and Snap Inc.’s new Spectacles, camera-bearing sunglasses, are examples of what Benedict Evans, partner at venture-capital firm Andreessen Horowitz, calls “frictionless computing”—easy-to-use devices that unite applications with hardware beyond smartphones. Ben Schachter, senior analyst at Macquarie Capital, says: “Our view is the next big innovation will be from outside the device—from the software.” He expects increasing use of such software to meet entertainment, health-care, home innovation and automotive needs.
The words that scare me in that quote are “outside the device.” That’s because the increased use of cell phones to connect with external hardware by way of an installed app increases the likelihood that hackers can get access to our devices. Just this week we saw a similar concern from the medical community. The Minneapolis Star Tribune reported about the vulnerability of hacking heart devices:
On Monday, the U.S. Food and Drug Administration published a public safety notice confirming it is possible for a hacker to remotely compromise security in St. Jude’s wireless communication network and then secretly change commands in a pacemaker or implantable defibrillator while it’s still wired to a patient’s heart….
…“As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates,” the FDA’s Monday safety alert says.
While that isn’t frictionless computing when using a cell phone, it is an external device controlled by computers via wireless communication. In that regard, it is an analogous problem. And that problem is clear: once we start to increase the use of that type of wireless communication between devices, we increase the chance that hackers can wreak havoc. Yes, many of these opportunities to exploit our devices have existed for a while, but the concern I have is the increased chance of compromising our data. As the use of this technology grows, there are more and more opportunities for phishing, wireless hacking, etc. Thus, as frictionless computing becomes more prevalent it greatly increases the opportunity for the hackers to get at our information.
Personally, I’m willing to take the risk. I like using these devices, I understand the potential hacking problem, and I am willing to accept the downside in order to make use of this new technology. I am willing to put my personal information at risk. I am not, however, willing to put my client’s information at risk.
Many of us use our personal devices to access work information. We like to have remote access to notes apps like Evernote and cloud storage sites like DropBox. We text our clients and receive work emails, and that’s all sent to/from our personal device. It’s that same device that will be used to engage further in frictionless computing— many of us are probably Alexa addicts already, for instance. To date, we feel comfortable mixing business and personal use because we put password protections on the device and take other reasonable measures to protect client information. But at some point, vulnerabilities will increase to such an extent that the definition of what constitutes “reasonable measures” will change. I am concerned that the increased use of frictionless computing is hastening that change.
Today it might be reasonable to put a password to restrict access to the phones. But if frictionless computing is going to increase the opportunities for bad guys to hack into our devices, then it might not suffice to simply have a password or thumbprint barrier to access our phone. The prudent move might be to get another device all together for work matters. Maybe that work device won’t be used for frictionless computing at all. Maybe the security measures we take with that work-only device will be more stringent than our personal device. Then, we can make use of the wonders of frictionless computing, etc., without taking unreasonable risks that compromise client information.
Bear in mind that this isn’t about eliminating risk. Risk can never be completely eliminated. The question we need to ask is, “when does the risk expand to a point where it’s necessary to take some different action?” As usual, there is no way to discern exactly when we have crossed that line. But it’s my job to tell you when the warning signs appear. Well…boom, they’ve appeared. Keep your eyes open and make the move when you think it’s warranted. Just don’t get blindsided.
The massive leak of confidential documents from the Panamanian law firm Mossack Fonseca is still sending shock waves throughout the world. It’s likely to keep reverberating for some time. We’re not any closer to learning the origin of the leak because the newspaper who disseminated the information won’t reveal their source. We don’t know if the information was stolen and distributed by an activist hacker, or leaked by a current/former employee of the law firm.¹ What we do know us that a whole lot of confidential information was released and, “the data primarily comprises e-mails, pdf files, photo files, and excerpts of an internal Mossack Fonseca database.”²
In my last threat assessment I discussed the concerns about the possibility that the firm was hacked, but there is another, equally disturbing concern. The leak could have been the work of an employee of the firm, perhaps acting as a whistleblower of sorts. In that case, what should the firm fear and what are the ethical concerns?
The thing to fear? Copycats.
Sure, the idea of whistleblowers is nothing new, but I’m concerned about people who are inspired by the Snowdens and the WikiLeaks of the world. I’m worried that high profile leaks could be inspiring others to adopt a pseudo-Robin Hood mentality. I call them Disclosure Vigilantes— those employees who feel that it’s their societal duty to expose the things they define as “wrongs.” I’m not talking about people who expose criminal conduct— I’m talking about those copycats who steal and/or reveal our clients’ confidential data and leak it to someone outside the firm in an effort to make public something that they define as an affront to society. They could be personally disgusted by someone’s “excessive wealth,” or feel compelled to “uncover the extent to which Corporate America will go to keep the average worker down”….name your cause, name your villain.
The ethical concerns? Hiring and Supervision
If there is a danger that firm employees could be Disclosure Vigilantes, then what are we doing to counteract it? We need to ask whether the firm is properly vetting all of our new hires, including those in IT. Plus, are we asking the right questions during the interview process? Does our interview process in some way consider the issue of purposeful leaks (note that I’m an ethics guy, not a labor law guy, so talk to a labor lawyer to ensure that whatever questions you ask aren’t improper from a privacy/labor law/etc., perspective). From an ethical point of view, that sort of targeted due diligence during hiring could constitute the appropriate “thoroughness” required by Rule 1.1 (Competence), and it might be the “reasonable diligence” that’s required by Rule 1.3 (Diligence).
But it goes beyond just hiring. After the employees are hired we need to manage our staff, and Rule 5.3 requires that we supervise nonlawyer personnel. Lawyers in a firm have a responsibility to ensure that our nonlawyer employees behave in a manner that’s “compatible with the professional obligations of the lawyer,” and that has historically included confidentiality, among other things. But given the new reality of Disclosure Vigilanteism, that duty to supervise might be expanding to include the need to watch for morality-based intentional leaks of client information.
A savvy lawyer might see a third angle— (1) we should properly screen our new hires, (2) we should properly supervise our employees to make sure no disclosures are occurring, and…(3) maybe we should also watch for changed circumstances to our employees which could increase the probability of a purposeful disclosure. Remember, employees could change during their tenure at the firm. If that’s the case, the wise firm might ask whether we are periodically reviewing the staff to check for changed circumstances in our employees that might lead to Disclosure Vigilanteism (being cognizant, of course, of the limitations that are imposed by privacy restrictions and other labor law).
The potential for copycat Disclosure Vigilantes might be altering our responsibilities in hiring and supervising employees. I don’t want you to be that firm….the firm that finds itself in front of an ethics tribunal listening to them say, “the signs were there…you didn’t look for them”…and then hearing that dreaded phrase…you “should have known” this was going to be a problem.
¹http://www.bustle.com/articles/151771-who-leaked-the-panama-papers-the-whistleblower-had-just-one-condition, last checked by the author May 3, 2016
²http://panamapapers.sueddeutsche.de/articles/56febff0a1bb8d3c3495adf4/ last checked by the author May, 3, 2016
For years people have been warning that law firms of all sizes are major targets for cyber-criminals. If your firm didn’t take that seriously before, then there are two major hackings last week that should get your attention.
The Wall Street Journal reported that cyber criminals breached Cravath, Weil Gotshal, and several other unnamed firms (read the article here: http://on.wsj.com/1MzYlN2). The paper states that it’s not clear what (or whether) information was taken, but the focus is on the possibility of confidential information being stolen for purposes of insider trading.
The other major breach is so big that it has its own hashtag— search Twitter for #PanamaPapers or #PanamaLeaks. According to Reuters, the target was a law firm in Panama who specializes in setting up offshore companies. Hackers stole data from the firm and provided that data to journalists who promptly revealed it to the public (read the article here: http://reut.rs/25GEy4X). The information allegedly reveals a network of offshore loans. According to the BBC, the stolen data reveals how the law firm, “has helped clients launder money, dodge sanctions and avoid tax” (read the BBC’s article here: http://www.bbc.com/news/world-35918844). Political figures and friends of popular politicians are allegedly implicated, according to the report.
My concern is not about the obvious political ramifications. My concern is about the ethical ramifications to lawyers. The danger of hacking is real.
No report has implicated any type of ethical wrongdoing on the part of any firm. That needs to be restated and made abundantly clear: there has been no report of any evidence of ethical impropriety by any of the law firms mentioned in the news. I am bringing this to your collective attention because it should serve as a warning. Confidential client information was stolen from that law firm in Panama….which reminds us that we are targets.
All lawyers are targets. Small firms, large firms, in-house counsel, government lawyers, you name it. The bad guys know that lawyers are the custodians of valuable information and they are coming after us in a big way. The message for all of us is clear: you could be subject to an ethics grievance if you don’t take proper steps to secure your clients’ information.
The responsibility to protect our client information is nothing new. However, these recent events require us apply an increased sense of urgency to evaluating our compliance with that duty. Have you, or your firm, taken the necessary steps to adequately protect your clients’ information? Have you considered the fact that bad guys could be targeting you? What steps have you taken to counteract the potential piracy that could be aimed at your clients’ information?
You could be darn sure that someone is going to be asking those questions to the firms that were targeted in the hacks. Maybe you need to put yourself in their position and ask, “how would we fare if that review was directed toward us?”
Our duty of competence requires that we take appropriate steps to protect our clients’ confidential information. And remember that you, as the lawyer, have the primary ethical duty, not your IT people. Furthermore, various ethics opinions have held that, in some circumstances, the lawyer needs to understand the underlying technology itself.
If these issues weren’t on the front burner in your office before, these two hacks should be causing you to shift your priorities.
Here’s my latest Threat Assessment- those are my short warnings about key ethics dangers that both lawyers and the PD professionals who care about them, need to know.
Today: Technology scare (what a shocker). Our duty to supervise may have been drastically expanded in a recent opinion out of California. Specifically, the California Bar’s Standing Committee on Professional Responsibility and Conduct, Formal Opinion Np. 2015-193.
The opinion presents a hypo about a lawyer who messed up. He didn’t understand the technicalities of e-discovery, didn’t seek help from a professional with knowledge, and he let his adversary conduct an unsupervised e-discovery review of the client’s files. Result: disaster. There were allegations of withholding/obstructing discovery and a major leak of proprietary/confidential information to a major competitor. The opinion holds that the lawyer should have known better.
POINT 1 of 2: Competence is being expanded
The opinion states:
“An attorney’s obligations under the ethical duty of competence evolve as new technologies develop and become integrated with the practice of law.
* * *
Attorney competence related to litigation generally requires, among other things, and at a minimum, a basic understanding of, and facility with, issues relating to e-discovery, including the discovery of electronically stored information (“ESI”).”
What we need to know: Certain technologies that have so integrated themselves into the practice that our duty of competence demands that we understand them. We can’t just rely on our “people” to know about it. We need to, individually, understand the systems.
What we need to know: We need to understand the underlying technology, not just the “law” about that technology.
POINT 2 of 2: Our duty to supervise is being expanded drastically.
The opinion also stated:
“The duty of competence…includes the duty to supervise the work of subordinate attorneys and non- attorney employees or agents…This duty to supervise can extend to outside vendors or contractors, and even to the client itself.”
What we need to know: Our duty to supervise doesn’t just include the lawyers and non-lawyers in our office. It is also includes vendors and contractors. But the big extension is that it might also include supervising the client itself. That is a change- we are familiar with the need to “advise” and “guide” a client. Now we may also be required to “supervise” the client as well. Does that mean watching their IT people? It depends, but this opinion basically says yes, sometimes.
Find more information like this in my live program: Tech Tock, Tech Tock: Social Media and the Countdown to Your Ethical Demise. See my course list here.
Last week the ABA made an important change to Rule 1.6, “Confidentiality.” On its face, the change doesn’t seem like much—the drafters added a new section 1.6(c) which states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
That doesn’t seem like such a big deal, especially since the sentiment already existed in the commentary to the rules. The need to safeguard our clients’ information was already stated in a slightly different form in Comment  to Rule 1.6. And why shouldn’t it be—isn’t it an obvious point? So why would the drafters simply take language that already existed in the commentary, tweak it, and move it to the rule itself? It’s about addressing technology head on.
Lawyers are increasingly using new technologies like cloud storage sites and software as a service (SaaS) to store client data. While helpful, the obvious risk of using these sites is that there is a potential for disclosing information. Plus, this isn’t just about could-computing or websites, it’s about using any new technology, whether it be mobile storage devices, unencrypted wireless routers, iPads, etc. The more we use these technologies, there more opportunities we have to reveal client information. The drafters must have believed that the more frequent use of these types of technologies demands an increased emphasis on the need to protect client information. Thus, by expanding the language and moving it to the actual text of the rule, the drafters are telling the bar that this issue is no longer just commentary, or “secondary guidance.” Now it’s a primary duty.
So now we know that before we use new technologies we have a duty to make reasonable efforts to prevent the release of information relating to the client. But what does that mean? How do you know if the efforts you used were actually “reasonable?” More on that in the next post…
Sometimes finding free Wi-Fi feels like finding buried treasure. A laptop user who finds free Wi-Fi in a coffee shop is comparable to a deep sea diver who finds a tank of oxygen. However there is a downside– many of those networks are unsecured and vulnerable to being compromised. That poses a problem for attorneys because our client’s confidential information may be exposed if we use an unsecured wireless network to perform work on their behalf. The question then becomes, are lawyers permitted to use unsecured wireless networks to do client work?
The issue of course, is confidentiality because an unsecured wireless network is easily accessed by hackers. The concept of competence is also in question because comments  and  of Rule 1.1 (“Competence”) remind lawyers that we must, “act competently to safeguard information…against …unauthorized disclosure” and that when transmitting a communication we must, “take reasonable precautions to prevent the information from coming into the hands of unintended recipients.” California tackled the question directly in Formal Opinion No. 2010-179.
The Committee said that lawyers should not use unsecured wireless connections when working on client matters. The opinion states,
“With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client’s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. [FN omitted] Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so. [FN omitted]
Finally, if Attorney’s personal wireless system has been configured with appropriate security features[FN omitted] the Committee does not believe that Attorney would violate his duties of confidentiality and competence by working on Client’s matter at home. Otherwise, Attorney may need to notify Client of the risks and seek her informed consent, as with the public wireless connection.”
The Takeaway: If your jurisdiction agrees with California, you can’t use wireless networks for client matters (unless you take the recommended precautions, none of which are practical/realistic). Even if your state hasn’t stated that they agree with California it’s probably a good idea to abide by their direction anyway. After all, the only way you’ll know your state’s position for sure is when the Bar finally acts, either because they were asked to opine on the subject or they are disciplining someone. The question I ask myself is…do I want to be that person who “makes the law” by being the first person to be disciplined?
I love this opinion for another reason—the opinion listed 6 factors that an attorney should consider when evaluating new technologies. Those factors could be helpful to attorneys everywhere when evaluating whether they could use new systems in the future. Here are the factors (but I encourage you to read the opinion because they’re explained more fully and it makes better sense after you read that text).
1- An attorney’s ability to assess the level of security afforded by the technology, including (i) how the technology differs from other media use (ii) whether reasonable restrictions may be taken when using the technology to increase the level of security and (iii) Limitations on who is permitted to monitor the use of the technology to what extend and on what grounds.
2- Legal ramifications to third parties of intercepting the information
3- The degree of sensitivity of the information
4- The possible impact on the client of an inadvertent disclosure
5- The urgency of the situation
6- Client instructions and circumstances
The Takeaway: As time goes by, lawyers will find themselves wondering whether they can ethically use new technologies and California’s Opinion will help provide that answer. The opinion provides these “technology permissibility factors” (my term) that a lawyer could use to evaluate the permissibility of those new technologies.
Granted, the California Opinion may not be binding in your jurisdiction, but it wouldn’t be such a bad idea to consider the factors when you find yourself in a pickle in the absence of a direct ruling from your home jurisdiction. Consider how a disciplinary board would react if you were faced with a new technology, but before using it you evaluated the California “technology permissibility factors” and wrote a memo to the file detailing your analysis. I would expect that a disciplinary board would look favorably upon you in a hearing situation.