Who else is in the room when you give your client legal advice over a remote communication platform? It’s a question you need to ask.
The ethics rules make it clear that lawyers have a continuing duty to understand the dangers associated with technology and that we need to take reasonable steps to avoid disclosing our client’s information. Comment  to Rule 1.1 reminds us that, “To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology…”; Rule 1.6(c) states that lawyers are required to “make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to” our client information, and; Rule 1.3 requires that we act with reasonable diligence in representing a client. Together those rules make it clear that lawyers need to constantly stay on top of changes in technology and take reasonable steps to protect client data. And that principle has ushered in a new responsibility —the duty to update our software.
The company that sells Norton anti-virus software explained recently that software updates are critical because they patch security flaws:
“Hackers love security flaws, also known as software vulnerabilities. A software vulnerability is a security hole or weakness found in a software program or operating system. Hackers can take advantage of the weakness by writing code to target the vulnerability. The code is packaged into malware — short for malicious software.
An exploit sometimes can infect your computer with no action on your part other than viewing a rogue website, opening a compromised message, or playing infected media.
What happens next? The malware can steal data saved on your device or allow the attacker to gain control over your computer and encrypt your files. Software updates often include software patches. They cover the security holes to keep hackers out.”
It should be pretty clear how this ties into a lawyer’s ethical duty. If we have a continuing duty to understand the dangers in technology and we need to take reasonable steps to avoid disclosing client information, then we must take steps that ensure that the computer systems and software programs we use remain secure. Our duties of competence, confidentiality, and diligence require us to promptly install updates that are designed to repair vulnerabilities in the software we use in the practice.
It’s this type of proactive effort that is so important to avoiding grievances in today’s dangerous technological age. Listen, chances are good that you’re going to get hacked. Chances are good that we are all going to get hacked. The bad guys and gals are simply trying too hard — the odds are against us. Many lawyers therefore wonder, If I’m going to get hacked, doesn’t that mean that I will get into ethical trouble? Not necessarily. You can save your ethical hide if you are proactive in taking steps to avoid the hack.
The disciplinary authorities aren’t likely to make a decision about someone’s ethical liability based solely on the consequences. They are likely to make a decision based on your actions. Remember that when it comes to attorney ethics, it’s all about your behavior. It’s all about whether you behaved reasonably. It’s all about whether you took reasonable steps to avoid the calamity. You will likely be judged not on whether you were hacked, rather whether you took reasonable steps to avoid that hack. If you took every reasonable step possible to protect your client data and avoid the disclosure, then it’s likely that you won’t be disciplined even if something terrible happens.
If you know the bad guys are trying to exploit vulnerabilities in our systems, and you know that software updates are specifically designed to fix those vulnerabilities, then it’s not reasonable to ignore those updates. It’s not reasonable to wait months before you install them. The reasonable effort is to diligently install those updates when they are released. Your duty to protect your client data means that you need to maintain the integrity of your computer systems, and that includes installing security updates promptly.
On the other hand, you might need to do the exact opposite when it comes to massive program upgrades
The duty to update that I discussed above applies to periodic updates that software manufacturers release to existing systems. But every once in a while those same programmers completely overhaul a system and release a major update that ushers in a new generation of their software. In those instances it’s probably reasonable for a lawyer to wait and delay installing that update. Though that seems to contradict everything I discussed above, the rationale is actually quite consistent.
New generations of software very often contain vulnerabilities that were not anticipated by the original programmers. Often hackers exploit those bugs right after the new software is released, thus exposing the problems. The manufacturers then rush to develop and issue updates that close the holes in their code. In those situations, then, prudent approach is probably for lawyers to delay installing updates that constitute massive overhauls or new generations of a software system. Wait until the bugs appear to be worked out, then update to the new generation of software.
Norton article can be found at: https://us.norton.com/internetsecurity-how-to-the-importance-of-general-software-updates-and-patches.html, last checked by the author on March 26, 2019.
— Stay with me — this is not going where you think —
The lender sends you a fillable PDF form where you’re supposed to provide your wiring information (routing number, account number, etc). You open the document, type all of the information in the fields as required, and email it to the lender. Obviously there’s the danger of someone intercepting these types of messages so a host of precautionary measures have been put into place and you comply with each. Let’s say that such precautions even include that the lending representatives call you after receiving the document and read back the wiring instructions to ensure that everything’s kosher. Despite all of these efforts, you were still scammed — the money never made it to your trust account and no one knows why. Here’s how it happened:
Remember that I said the document was a “fillable” PDF? You opened the PDF on your computer, typed in the required information in the fields, then sent the file as a “document” to the lender. Well, when you sent the document that way, you left all of those “fillable” sections as, well…”fillable.” Those fields could still be changed by someone because you didn’t lock the document.
So here’s what happened in the hypo above: after making the call to you and confirming the account information, someone in the bank opened the file, changed that account number/routing number and diverted the money into some other account. They were able to do that because the document you filled out was a “fillable” PDF and you simply emailed it as a document to the other party. By emailing it as a “document” the information in the fields could still be changed. So even after all of the protocols at the lending institution were adhered to, there was still an opportunity for someone with access to the document to change the numbers on the PDF.
The good news? There is a way to avoid this.
Instead of sending the form as a “document” you should have “flattened” the document. Flattening a document basically locks all of those fillable sections. There are a few ways you could do that. First, if you get a drop down menu when you try to send the file you might have the option to mail the attachment as a “flattened” document. Another alternative is to save the document as flattened before you email it (you may have to “Print” the document to a PDF then save a “flattened” version of the form). Disclaimer: I’m no tech expert— my job is to point out the dangers, but I don’t claim to be an expert on how to fix them. I think the procedures I outlined above are correct, but talk to your IT people to ensure that I’m right in that regard.
Obviously this goes beyond just bank account information. People can modify any fields in a fillable PDF if the document isn’t locked before transmitting. That’s why every time you send a fillable PDF you need to flatten it or otherwise lock it to ensure that no one else can change it’s contents after emailing.
This sort of knowledge is the type of thing that our ethics rules demand. Specifically, it’s about competence. Rule 1.1 requires that lawyers have the, “legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” The commentary to that rule explains that, “Competent handling of a particular matter includes…[the] use of methods and procedures meeting the standards of competent practitioners. Rule 1.1, Comment . In addition, the new California Rule on Competence requires that lawyers apply the learning and skill that is reasonably necessary for the performance of the legal service. CA RPC 1.1(b)
Is understanding the dangers of fillable PDFs considered to be part of the “methods and procedures,” or part of the skill that is “reasonably necessary for performance” of the legal services? It is now. Maybe it wasn’t last year, but it is today. That’s because our duty of competence evolves. We are required to understand the ethical implications of technology as these new technologies become integrated with the practice. See, State Bar of California, Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2015-193. I don’t think there’s any question that PDFs are integrated with the practice of law. Of course, if my opinion doesn’t convince you, also consider that the issue of fillable PDFs was recently part of a best practices update that was sent to attorneys who work for the federal government. And you know what I always say about the government…if they’re thinking about it, you need to be thinking about it.
Believe it or not, but there are critics of our ethics rules. I know what you’re thinking, “How could that be? They are PERFECT.” I’m sorry to burst your bubble, but there really are scholars who have taken shots at the code.
One of the biggest complaints is that the current code amounts to nothing more than a how-to manual. How-to stay away from a grievance. Surely you’re wondering how that can be a bad thing! Well, staying away from grievances is good, but is that all our ethics code is really supposed to be about? The critics contend that the current code is harsh and devoid of the aspirational goals and the statements of morality that could be found in the predecessor codes. It’s a valid point, but I understand why the code is written that way. To get a real picture for what I mean, you need consider Watergate. Yup, the actual Watergate fiasco.
After the fallout from that disaster, the powers that be realized that many of the people implicated in the scandal were lawyers. Plus, many of the lawyers implicated— and many of their colleagues across the country — really didn’t take the ethics rules seriously. As a result, the authorities had to reform the code and I believe that’s why they created such a harsh set of rules. I believe that they took out the aspirational elements from the disciplinary rules because they had to reinforce the idea that there really would be disciplinary action if you acted inappropriately. The problem? In doing so, they removed all of the morality from the code.
The current code tells us how we “could” act. It tell us when our actions are subject us to discipline. it does not, however, tells us how we “should” behave.
That’s an important distinction. In other words, just because we “could” do something, does it mean we “should” be doing it? Just because some action taken in the course of our practice won’t subject us to discipline, is it still “right” to take that action? That disconnect is something the drafters have been considering since the publication of the modern code in 1983. And over the years you’ve started to see a flurry of new “professionalism documents” being adopted across the country. Basically, these professionalism codes are trying to reinforce the need to behave in a morally acceptable way. Though they are the product of individual states, the all seem to share the same sentiment— they are talking about how we “should” be behaving.
One word that you don’t see in many of these new professionalism documents is “zealous.” The reason is clear. The word zealous has been used by many lawyers to cover up all manner of sins (yes, that was a Watergate shout-out) I shudder to think about how many ethical violations have been committed in the name of zealous advocacy. I believe that the drafters have the same concern. I believe they know that lawyers push the edge too far, and try to cover it up by claiming to be “zealous.” Well, I believe that lawyers need to start thinking about behaving in a morally acceptable manner. We need to voluntarily aspire to behave better. And that might not be compatible with the old school definition of zealous (just for the record— I am old school age. But I’d like to think that I’m learning some new tricks).
I explore the relationship between what we “could” do and what we “should” do a little more in a CLE program I recorded called “The Dirtiest Word in Ethics, Zealous.” In that program I also provide my version of the optimal lawyer attitude (sorry, no spoilers!) You can find that program by clicking here.