Category Archives: Attorney Ethics- Hot Topics

Why lawyers might need two cell phones

Mixer cell phonesThe next ethical landmine for lawyers is located in our cell phones. Specifically, I think we are very close to the point where lawyers need to have two devices— one for work, and one for our personal use.  Here’s why.

The Wall Street Journal recently reported that cell phone sales growth have stagnated.  After years of incredible growth in sales, the pace of that growth has subsided significantly. The new frontier, the article claims, is in mobile device software. Specifically, the future lies in “frictionless computing.”

Amazon’s Echo speaker, which uses Alexa, and Snap Inc.’s new Spectacles, camera-bearing sunglasses, are examples of what Benedict Evans, partner at venture-capital firm Andreessen Horowitz, calls “frictionless computing”—easy-to-use devices that unite applications with hardware beyond smartphones. Ben Schachter, senior analyst at Macquarie Capital, says: “Our view is the next big innovation will be from outside the device—from the software.” He expects increasing use of such software to meet entertainment, health-care, home innovation and automotive needs.

The words that scare me in that quote are “outside the device.” That’s because the increased use of cell phones to connect with external hardware by way of an installed app increases the likelihood that hackers can get access to our devices.  Just this week we saw a similar concern from the medical community.  The Minneapolis Star Tribune reported about the vulnerability of hacking heart devices:

On Monday, the U.S. Food and Drug Administration published a public safety notice confirming it is possible for a hacker to remotely compromise security in St. Jude’s wireless communication network and then secretly change commands in a pacemaker or implantable defibrillator while it’s still wired to a patient’s heart….
…“As medical devices become increasingly interconnected via the internet, hospital networks, other medical devices and smartphones, there is an increased risk of exploitation of cybersecurity vulnerabilities, some of which could affect how a medical device operates,” the FDA’s Monday safety alert says.

While that isn’t frictionless computing when using a cell phone, it is an external device controlled by computers via wireless communication. In that regard, it is an analogous problem.  And that problem is clear: once we start to increase the use of that type of wireless communication between devices, we increase the chance that hackers can wreak havoc.  Yes, many of these opportunities to exploit our devices have existed for a while, but the concern I have is the increased chance of compromising our data.  As the use of this technology grows, there are more and more opportunities for phishing, wireless hacking, etc.  Thus, as frictionless computing becomes more prevalent it greatly increases the opportunity for the hackers to get at our information.

Personally, I’m willing to take the risk. I like using these devices, I understand the potential hacking problem, and I am willing to accept the downside in order to make use of this new technology. I am willing to put my personal information at risk.  I am not, however, willing to put my client’s information at risk.

Many of us use our personal devices to access work information.  We like to have remote access to notes apps like Evernote and cloud storage sites like DropBox.  We text our clients and receive work emails, and that’s all sent to/from our personal device.  It’s that same device that will be used to engage further in frictionless computing— many of us are probably Alexa addicts already, for instance.  To date, we feel comfortable mixing business and personal use because we put password protections on the device and take other reasonable measures to protect client information.  But at some point, vulnerabilities will increase to such an extent that the definition of what constitutes “reasonable measures” will change. I am concerned that the increased use of frictionless computing is hastening that change.

Today it might be reasonable to put a password to restrict access to the phones.  But if frictionless computing is going to increase the opportunities for bad guys to hack into our devices, then  it might not suffice to simply have a password or thumbprint barrier to access our phone.  The prudent move might be to get another device all together for work matters. Maybe that work device won’t be used for frictionless computing at all.  Maybe the security measures we take with that work-only device will be more stringent than our personal device.  Then, we can make use of the wonders of frictionless computing, etc., without taking unreasonable risks that compromise client information.

Bear in mind that this isn’t about eliminating risk. Risk can never be completely eliminated. The question we need to ask is, “when does the risk expand to a point where it’s necessary to take some different action?”  As usual, there is no way to discern exactly when we have crossed that line.  But it’s my job to tell you when the warning signs appear.  Well…boom, they’ve appeared.  Keep your eyes open and make the move when you think it’s warranted. Just don’t get blindsided.

Share

You, personally, gotta know your stuff

4F8K4ADXK8

I recently spoke at a law firm about the ethical implications when lawyers use technology.  I was talking about lawyers who choose to store client information in the cloud and  I explained how the lawyer needs to understand the technology associated with the cloud storage site that the lawyer may use.  I explained that Rule 1.1 (Competence) demands that we, personally, understand those details.  It was exactly then that a very irate lawyer shot up his hand and barked at me, “I’ll just bring my IT guy with me and point to him.  I’ll tell that committee to talk to HIM about it, then I’ll leave.”  While I was itching to answer in an obnoxiously New Jersey manner, I noticed that the angry lawyer was the only man in the room who happened to be older, white haired, male, and wearing a suit.  He had “managing partner” written all over him.  It was at that point that I figured I’d soften the edge on my reply, lest I not be invited back to the firm.  I (ever so gently) explained that it was the lawyer’s individual responsibility to understand the technology and that we would not be permitted to simply bring our support staff to a grievance and wash our hands of the situation.

 

I thought of this today because I was reading the Alaska Bar Association Ethics Opinion No. 2014-3.  That opinion addressed the ethics of using cloud services, and there is one sentence in particular that stood out.  The opinion reminds us that, “Because the lawyer’s duties of confidentiality and competence are ongoing and not delegable, a lawyer must take reasonable steps to protect client information when storing data in the cloud.” Op. 2014-3 at 1-2. The key words, of course, are “ongoing and not delegable.”

 

Our duty of competence is a personal requirement.  Sure, we can employ support staff to assist us with our practice, but the ultimate responsibility to maintain our competence lies with us.  That lawyers would not have been able to simply bring his IT guy to the grievance and throw him to the disciplinary wolves.  In fact, if he tried to do that I think he might get bit himself.
Share

There really IS a new tech duty

Ethics tiles

For ages, lawyers have been able to stick their head in the sand about technology. At the very least, we’ve been able to push the problems to the another part of the sandbox. If the copier jammed, we’d shout for our secretary and leave it to her to fix (and in was usually a “her” in those days). If our computer locked up, we’d shout for the IT guy and we’d expect it to be up and running when we were back from lunch (and it was usually a “him” in those days). But technologies today are different and they are causing new duties to be created for lawyers.

For instance, the disciplinary authorities know that technology like cloud storage is prevalent these days. They also understand that the dangers inherent in using those new technologies are severe. As a result, a new duty applies to lawyers who use the cloud.

For some time I’ve been shouting that there exists a duty to understand technology. I’m not talking about understanding the law regarding technology. I mean a duty to understand the underlying technology itself. Granted, one might argue that there isn’t a separate duty in that regard and that it’s really just a subset of the duty of competence (Rule 1.1). To that I reply, “toe-may-to, toe-mah-to.” I don’t care how it fits into the rules, the bottom line is that it’s there and a recent ethics opinion in Alaska proves it’s existence. See Alaska Bar Association Ethics Opinion No. 2014-3.

On page 3, the authors state, “A lawyer engaged in cloud computing must have a basic understanding of the technology used and must keep abreast of changes in technology…Technological changes, the regulatory framework, and privacy laws are all matters requiring the lawyer’s attention.”

Thus, if you want to use technology, you must understand that technology. YOU must understand it. Not just your secretary or the IT guy/gal. You, individually, must understand the underlying technology.

For the ethics geeks like me, you aren’t surprised that this text is in the Alaska opinion. Heck, we’ve seen this in several opinions recently. But there are a bunch of you out there who didn’t believe me when I told you this at some of my CLE seminars. So, I guess what I’m really saying in this post is….“Told you so.”

Share

Confidentiality: The ABA’s Changes

Last week the ABA made an important change to Rule 1.6, “Confidentiality.”  On its face, the change doesn’t seem like much—the drafters added a new section 1.6(c) which states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

That doesn’t seem like such a big deal, especially since the sentiment already existed in the commentary to the rules.  The need to safeguard our clients’ information was already stated in a slightly different form in Comment [16] to Rule 1.6.  And why shouldn’t it be—isn’t it an obvious point?  So why would the drafters simply take language that already existed in the commentary, tweak it, and move it to the rule itself?  It’s about addressing technology head on.

Lawyers are increasingly using new technologies like cloud storage sites and software as a service (SaaS) to store client data.  While helpful, the obvious risk of using these sites is that there is a potential for disclosing information.  Plus, this isn’t just about could-computing or websites, it’s about using any new technology, whether it be mobile storage devices, unencrypted wireless routers, iPads, etc.  The more we use these technologies, there more opportunities we have to reveal client information.  The drafters must have believed that the more frequent use of these types of technologies demands an increased emphasis on the need to protect client information.  Thus, by expanding the language and moving it to the actual text of the rule, the drafters are telling the bar that this issue is no longer just commentary, or “secondary guidance.” Now it’s a primary duty.

So now we know that before we use new technologies we have a duty to make reasonable efforts to prevent the release of information relating to the client.  But what does that mean? How do you know if the efforts you used were actually “reasonable?”  More on that in the next post…

Share

ABA Adopts New Ethics Rules!

A few days ago the ABA adopted amendments to the Model Rules of Professional Conduct. Many of these amendments were a response to issues regarding social media, but not entirely.  Over the next week I’ll be reviewing the rules and blogging about what the changes mean.

You can find all of the new rules here:

http://www.americanbar.org/content/dam/aba/administrative/ethics_2020/20120808_house_action_compilation_redline_105a-f.authcheckdam.pdf

 

IMPORTANT NOTE:  Remember, these rule changes only amend the ABA’s Model Code.  Each individual state must now determine which, if any, amendments they want to include in their own codes. That process will obviously take some time, given the requirement for debate, public comment, etc.

 

 

 

 

 

Share

Dear Law Students: Clean it Up

I’ve been speaking with a bunch of law students lately and I thought I’d share the unsolicited advice that I’ve been dispensing. It’s never too early to clean up your Facebook page.

We all know the types of photos being posted on social media.  Sure, as we get older we get a little tamer, but our lives are littered with bad decisions that were memorialized on social media.  While we can’t erase our past entirely, we can make an effort to clean things up a bit.  The reasons are clear.

First, I hope we all know that checking social media pages prior to making employment decisions is a way of life for employers of all kinds.  And we should all realize that we can’t hide behind fake names– our prospective employers know that many students open Facebook pages using alternate names and they’re starting to ask questions.

Also, keep in mind that searching our Facebook pages is being institutionalized.  In 2009 the Florida Board of Bar Examiners adopted a policy of searching applicants’ personal social networking websites in select situations, such as cases where there are significant candor concerns. Don’t be surprised if other states adopt this policy as well.

Be careful– there may be times where cleaning up our Facebook pages is improper.  For instance, I don’t think it would ethically proper to change your website in response to an inquiry about your social media page.  On the other hand, I don’t think there would be anything wrong with proactively cleaning up your page, in the absence of any inquiry.

Given the times we live in, it appears that it would be wise for law students to give consideration to cleaning things up, like, yesterday.

Share

Groupon use…what a mess.

Did you know that Alabama lawyers can’t advertise with Groupon?  It’s true– there’s even an ethics opinion on it.South Carolina lawyers may be able to use it, but they have to use a truckload of caution– so says this opinion.

One thing that’s apparent is that when we’re facing ethical issues surrounding new technology there’s an increased need for us to do our own interpreting of the ethics rules.  Rarely do jurisdictions have an opinion on point, so we have to review other states’ opinions and draw our own conclusions about how to behave.  Unfortunately, those opinions often vary (like with the Groupon issue) so we’re forced to be our own individual ethics boards.

Share

Any Hope for a Uniform Ethics Code? Nope.

Dear naive people who dream of one day living in a world where every lawyer lives under a single ethics code.  Here’s yet another sign that you’re never going to experience the nirvana you desire. 

A bit much?  Of course, but that’s how I roll.

Last week the ABA’s Commission on Ethics 20/20 sent a report to the group’s House of Delegates in which they recommended various changes to the Model Rules of Professional Conduct (I’ll be blogging about those details plenty, so check back).  In the Introduction and Overview, they made it clear that this arm of the ABA did not intend to advocate a uniform, country-wide ethics code. They said,


“Some commentators have
suggested that state-based judicial regulation of the profession is unworkable in the modern environment. The Commission concluded, as did the [Multi-Jurisdictional Practice] Commission before it, that those advocating for a departure from state-based judicial regulation of the legal profession in the U.S. had not made their case and, indeed, that there remain strong reasons to maintain our state-based system of judicial regulation”
(footnotes omitted).

Get used to it, campers…state-to-state nuances are here to stay.  Oh, be honest…you knew it would be that way!

Share

Wireless Networks? um…NO. Future Technologies? Maybe.

Sometimes finding free Wi-Fi feels like finding buried treasure.  A laptop user who finds free Wi-Fi in a coffee shop is comparable to a deep sea diver who finds a tank of oxygen.  However there is a downside– many of those networks are unsecured and vulnerable to being compromised.  That poses a problem for attorneys because our client’s confidential information may be exposed if we use an unsecured wireless network to perform work on their behalf.  The question then becomes, are lawyers permitted to use unsecured wireless networks to do client work?

The issue of course, is confidentiality because an unsecured wireless network is easily accessed by hackers.  The concept of competence is also in question because comments [16] and [17] of Rule 1.1 (“Competence”) remind lawyers that we must, “act competently to safeguard information…against …unauthorized disclosure” and that when transmitting a communication we must, “take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”  California tackled the question directly in Formal Opinion No. 2010-179.

The Committee said that lawyers should not use unsecured wireless connections when working on client matters.  The opinion states,

“With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client’s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. [FN omitted]  Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so. [FN omitted]

Finally, if Attorney’s personal wireless system has been configured with appropriate security features[FN omitted] the Committee does not believe that Attorney would violate his duties of confidentiality and competence by working on Client’s matter at home. Otherwise, Attorney may need to notify Client of the risks and seek her informed consent, as with the public wireless connection.”

The Takeaway: If your jurisdiction agrees with California, you can’t use wireless networks for client matters (unless you take the recommended precautions, none of which are practical/realistic).  Even if your state hasn’t stated that they agree with California it’s probably a good idea to abide by their direction anyway.  After all, the only way you’ll know your state’s position for sure is when the Bar finally acts, either because they were asked to opine on the subject or they are disciplining someone.   The question I ask myself is…do I want to be that person who “makes the law” by being the first person to be disciplined?

I love this opinion for another reason—the opinion listed 6 factors that an attorney should consider when evaluating new technologies.  Those factors could be helpful to attorneys everywhere when evaluating whether they could use new systems in the future.  Here are the factors (but I encourage you to read the opinion because they’re explained more fully and it makes better sense after you read that text).

1- An attorney’s ability to assess the level of security afforded by the technology, including (i) how the technology differs from other media use (ii) whether reasonable restrictions may be taken when using the technology to increase the level of security and (iii) Limitations on who is permitted to monitor the use of the technology to what extend and on what grounds.

2- Legal ramifications to third parties of intercepting the information

3- The degree of sensitivity of the information

4- The possible impact on the client of an inadvertent disclosure

5- The urgency of the situation

6- Client instructions and circumstances

The Takeaway: As time goes by, lawyers will find themselves wondering whether they can ethically use new technologies and California’s Opinion will help provide that answer.  The opinion provides these “technology permissibility factors” (my term) that a lawyer could use to evaluate the permissibility of those new technologies.

Granted, the California Opinion may not be binding in your jurisdiction, but it wouldn’t be such a bad idea to consider the factors when you find yourself in a pickle in the absence of a direct ruling from your home jurisdiction.  Consider how a disciplinary board would react if you were faced with a new technology, but before using it you evaluated the California “technology permissibility factors” and wrote a memo to the file detailing your analysis.  I would expect that a disciplinary board would look favorably upon you in a hearing situation.

Share