Tag Archives: Technology

Two law firm hacks should be scaring your firm into action

For years people have been warning that law firms of all sizes are major targets for cyber-criminals. If your firm didn’t take that seriously before, two major hacks last week should get your attention.

The Wall Street Journal reported that cyber criminals breached Cravath, Weil Gotshal, and several other unnamed firms (read the article here: http://on.wsj.com/1MzYlN2). The paper states that it’s not clear what (or whether) information was taken, but the focus is on the possibility of confidential information being stolen for purposes of insider trading.

The other major breach is so big that it has its own hashtag: search Twitter for #PanamaPapers or #PanamaLeaks. According to Reuters, the target was a law firm in Panama that specializes in setting up offshore companies. Hackers stole data from the firm and provided that data to journalists, who promptly revealed it to the public (read the article here: http://reut.rs/25GEy4X). The information allegedly reveals a network of offshore loans. According to the BBC, the stolen data reveals how the law firm “has helped clients launder money, dodge sanctions and avoid tax” (read the BBC’s article here: http://www.bbc.com/news/world-35918844). Political figures and friends of popular politicians are allegedly implicated, according to the report.

My concern is not about the obvious political ramifications. My concern is about the ethical ramifications to lawyers. The danger of hacking is real.

No report has implicated any type of ethical wrongdoing on the part of any firm. That needs to be restated and made abundantly clear: there has been no report of any evidence of ethical impropriety by any of the law firms mentioned in the news. I am bringing this to your collective attention because it should serve as a warning. Confidential client information was stolen from that law firm in Panama, which reminds us that we are targets.

All lawyers are targets. Small firms, large firms, in-house counsel, government lawyers, you name it.  The bad guys know that lawyers are the custodians of valuable information and they are coming after us in a big way.  The message for all of us is clear:  you could be subject to an ethics grievance if you don’t take proper steps to secure your clients’ information.

The responsibility to protect our client information is nothing new. However, these recent events require us to apply an increased sense of urgency to evaluating our compliance with that duty. Have you, or your firm, taken the necessary steps to adequately protect your clients’ information? Have you considered the fact that bad guys could be targeting you? What steps have you taken to counteract the potential piracy that could be aimed at your clients’ information?

You can be darn sure that someone is going to be asking those questions of the firms that were targeted in the hacks. Maybe you need to put yourself in their position and ask, “How would we fare if that review was directed toward us?”

Our duty of competence requires that we take appropriate steps to protect our clients’ confidential information. And remember that you, as the lawyer, have the primary ethical duty, not your IT people.  Furthermore, various ethics opinions have held that, in some circumstances, the lawyer needs to understand the underlying technology itself.

If these issues weren’t on the front burner in your office before, these two hacks should be causing you to shift your priorities.

Quickly.


Lawyers may be required to supervise the client?

Here’s my latest Threat Assessment. Those are my short warnings about key ethics dangers that both lawyers, and the PD professionals who care about them, need to know.

Today: Technology scare (what a shocker). Our duty to supervise may have been drastically expanded in a recent opinion out of California: the California Bar’s Standing Committee on Professional Responsibility and Conduct, Formal Opinion No. 2015-193.

The opinion presents a hypo about a lawyer who messed up. He didn’t understand the technicalities of e-discovery, didn’t seek help from a professional with knowledge, and he let his adversary conduct an unsupervised e-discovery review of the client’s files. Result: disaster. There were allegations of withholding/obstructing discovery and a major leak of proprietary/confidential information to a major competitor. The opinion holds that the lawyer should have known better.

POINT 1 of 2: Competence is being expanded

The opinion states:

“An attorney’s obligations under the ethical duty of competence evolve as new technologies develop and become integrated with the practice of law.
* * *
Attorney competence related to litigation generally requires, among other things, and at a minimum, a basic understanding of, and facility with, issues relating to e-discovery, including the discovery of electronically stored information (“ESI”).”

What we need to know: Certain technologies have so integrated themselves into the practice that our duty of competence demands that we understand them. We can’t just rely on our “people” to know about it. We need to, individually, understand the systems.

What we need to know: We need to understand the underlying technology, not just the “law” about that technology.

POINT 2 of 2: Our duty to supervise is being expanded drastically.

The opinion also stated:

“The duty of competence…includes the duty to supervise the work of subordinate attorneys and non-attorney employees or agents…This duty to supervise can extend to outside vendors or contractors, and even to the client itself.”

What we need to know: Our duty to supervise doesn’t just include the lawyers and non-lawyers in our office. It also includes vendors and contractors. But the big extension is that it might also include supervising the client itself. That is a change: we are familiar with the need to “advise” and “guide” a client. Now we may also be required to “supervise” the client as well. Does that mean watching their IT people? It depends, but this opinion basically says yes, sometimes.

Find more information like this in my live program: Tech Tock, Tech Tock: Social Media and the Countdown to Your Ethical Demise. See my course list here.


Confidentiality: The ABA’s Changes

Last week the ABA made an important change to Rule 1.6, “Confidentiality.”  On its face, the change doesn’t seem like much—the drafters added a new section 1.6(c) which states, “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

That doesn’t seem like such a big deal, especially since the sentiment already existed in the commentary to the rules.  The need to safeguard our clients’ information was already stated in a slightly different form in Comment [16] to Rule 1.6.  And why shouldn’t it be—isn’t it an obvious point?  So why would the drafters simply take language that already existed in the commentary, tweak it, and move it to the rule itself?  It’s about addressing technology head on.

Lawyers are increasingly using new technologies like cloud storage sites and software as a service (SaaS) to store client data. While helpful, the obvious risk of using these sites is that there is a potential for disclosing information. Plus, this isn’t just about cloud computing or websites, it’s about using any new technology, whether it be mobile storage devices, unencrypted wireless routers, iPads, etc. The more we use these technologies, the more opportunities we have to reveal client information. The drafters must have believed that the more frequent use of these types of technologies demands an increased emphasis on the need to protect client information. Thus, by expanding the language and moving it to the actual text of the rule, the drafters are telling the bar that this issue is no longer just commentary, or “secondary guidance.” Now it’s a primary duty.

So now we know that before we use new technologies we have a duty to make reasonable efforts to prevent the release of information relating to the client.  But what does that mean? How do you know if the efforts you used were actually “reasonable?”  More on that in the next post…


Wireless Networks? um…NO. Future Technologies? Maybe.

Sometimes finding free Wi-Fi feels like finding buried treasure. A laptop user who finds free Wi-Fi in a coffee shop is comparable to a deep sea diver who finds a tank of oxygen. However, there is a downside: many of those networks are unsecured and vulnerable to being compromised. That poses a problem for attorneys because our clients’ confidential information may be exposed if we use an unsecured wireless network to perform work on their behalf. The question then becomes, are lawyers permitted to use unsecured wireless networks to do client work?

The issue of course, is confidentiality because an unsecured wireless network is easily accessed by hackers.  The concept of competence is also in question because comments [16] and [17] of Rule 1.1 (“Competence”) remind lawyers that we must, “act competently to safeguard information…against …unauthorized disclosure” and that when transmitting a communication we must, “take reasonable precautions to prevent the information from coming into the hands of unintended recipients.”  California tackled the question directly in Formal Opinion No. 2010-179.

The Committee said that lawyers should not use unsecured wireless connections when working on client matters.  The opinion states,

“With regard to the use of a public wireless connection, the Committee believes that, due to the lack of security features provided in most public wireless access locations, Attorney risks violating his duties of confidentiality and competence in using the wireless connection at the coffee shop to work on Client’s matter unless he takes appropriate precautions, such as using a combination of file encryption, encryption of wireless transmissions and a personal firewall. [FN omitted]  Depending on the sensitivity of the matter, Attorney may need to avoid using the public wireless connection entirely or notify Client of possible risks attendant to his use of the public wireless connection, including potential disclosure of confidential information and possible waiver of attorney-client privilege or work product protections, and seek her informed consent to do so. [FN omitted]

Finally, if Attorney’s personal wireless system has been configured with appropriate security features[FN omitted] the Committee does not believe that Attorney would violate his duties of confidentiality and competence by working on Client’s matter at home. Otherwise, Attorney may need to notify Client of the risks and seek her informed consent, as with the public wireless connection.”

The Takeaway: If your jurisdiction agrees with California, you can’t use wireless networks for client matters (unless you take the recommended precautions, none of which are practical/realistic).  Even if your state hasn’t stated that they agree with California it’s probably a good idea to abide by their direction anyway.  After all, the only way you’ll know your state’s position for sure is when the Bar finally acts, either because they were asked to opine on the subject or they are disciplining someone.   The question I ask myself is…do I want to be that person who “makes the law” by being the first person to be disciplined?

I love this opinion for another reason—the opinion listed 6 factors that an attorney should consider when evaluating new technologies.  Those factors could be helpful to attorneys everywhere when evaluating whether they could use new systems in the future.  Here are the factors (but I encourage you to read the opinion because they’re explained more fully and it makes better sense after you read that text).

1- An attorney’s ability to assess the level of security afforded by the technology, including (i) how the technology differs from other media use; (ii) whether reasonable restrictions may be taken when using the technology to increase the level of security; and (iii) limitations on who is permitted to monitor the use of the technology, to what extent, and on what grounds.

2- Legal ramifications to third parties of intercepting the information

3- The degree of sensitivity of the information

4- The possible impact on the client of an inadvertent disclosure

5- The urgency of the situation

6- Client instructions and circumstances

The Takeaway: As time goes by, lawyers will find themselves wondering whether they can ethically use new technologies and California’s Opinion will help provide that answer.  The opinion provides these “technology permissibility factors” (my term) that a lawyer could use to evaluate the permissibility of those new technologies.

Granted, the California Opinion may not be binding in your jurisdiction, but it wouldn’t be such a bad idea to consider the factors when you find yourself in a pickle in the absence of a direct ruling from your home jurisdiction.  Consider how a disciplinary board would react if you were faced with a new technology, but before using it you evaluated the California “technology permissibility factors” and wrote a memo to the file detailing your analysis.  I would expect that a disciplinary board would look favorably upon you in a hearing situation.
