Ethics, Law and Technology

Jeff Jacobs, Jacobs Esq. PLLC, Houston, Texas

TexasBarCLE, Nailing It: The Tools You Need for Today’s Practice, May 15-16, 2008



Jeff Jacobs received a bachelor’s degree in electrical engineering and a master’s degree in

electrical engineering, and spent four years as an engineer for the Missile Systems Division of

Raytheon Company, a large defense-industry electronics contractor.

He received his J.D. from Tulane in 1994 and became registered with the United States Patent

and Trademark Office, and has drafted and prosecuted hundreds of patent applications for clients in

the electronics industry over the past fourteen years.

He is chair of both the Cyberlaw Section (formerly the Computer and Online Law Section) and

the Law Practice Management Section of the Houston Bar Association.

ETHICS, LAW AND TECHNOLOGY

I. INTRODUCTION

Throughout this paper, I switch between legal and technical perspectives. When discussing technical

perspectives, I mention tactics, such as looking at the metadata embedded in documents received from

opposing counsel, or checking a potential employee’s MySpace page before hiring. Some states, such as

Florida, do not allow attorneys to look at metadata in such documents. Please keep in mind that some of

these tactics might not be permissible in your jurisdiction. Therefore, when I say “you can look at metadata” I

am describing a technical feasibility, not a legal authority. It is up to you to do whatever research you need to

do to make sure that these tactics are permissible in your jurisdiction.

Also, of course, the law can change. Since this audience is composed entirely of attorneys, I really don’t

need to mention that. But before relying on anything here, you can and should double-check the accuracy of

what I have written here.

Since the topic I was assigned is very broad (“Ethics, Law and Technology”), I have selected a few issues

that have interested me recently. If any of you has any thoughts on any of these issues, or would like to

suggest a few additional topics, I hope you will email me and let me know.

Also, I should mention that I have not participated in any disciplinary process or malpractice proceeding,

so all my opinions on ethical issues are purely theoretical. I hope that anyone who has personal knowledge

of these issues will contact me, even if anonymously, and let me know about their experiences.

Also, when quoting source materials, I have taken the liberty of bolding and italicizing phrases that I find

interesting or relevant, even where such emphasis is not present in the source materials. Instead of littering

this paper with “emphasis added,” I leave it to the interested reader to look at the original material. Excerpts

from sources are not always complete.

II. THEFT OF NOTEBOOK COMPUTERS

A. HYPO:

A client has instructed you to investigate a third party. Your client explicitly instructs you to maintain the

investigation in confidence. Let’s assume that you have only one legal specialty or area of practice.

#1: Wife asks you to investigate a woman she thinks is having an affair with Husband; she thinks her

husband is stealing community assets and stashing money in accounts owned by his mistress, his business

associates, and his family members.

#2: CEO asks you to investigate whether mid-level manager is stealing customer lists or company assets.

#3: Insurer has asked you to investigate insured’s post-accident lifestyle. You accumulate some personal

information regarding the non-client, and this personal information is on your computer.

#1-3: In each case, you have already hired an investigator, who has used “skip trace” investigating

software and asset locating services to provide you with a financial dossier of the person you have been

asked to investigate. The investigator has emailed you the dossier, and it is now on your computer.

Then: your computer is stolen.

#4: Same as any of #s 1-3, but the computer was in the sole possession of one of your employees. As I

discuss below, many employees take work home; some borrow computers from their offices; some forward

copies of their work-related emails to their personal email addresses so that they can more easily work from

home, or so that they can keep copies of their work product.

B. QUESTIONS:

1) Do you notify the third party, whose personal information was on your computer, that there might be a

heightened risk of identity theft? Does your ethical duty conflict with your statutory obligations? If statutory

obligations trump ethical obligations, can a constitutional right to counsel trump the statutory obligations? The

question is not whether you notify the client; the question is whether you notify the third party whose

information was on the stolen computer.

2) If you notify the third party whose information was on the stolen computer, do you then have to notify

your client that you have notified the third party?

3) If the thief turns out to be an identity thief or a stalker, do you have any liability?

C. TEXAS BUSINESS & COMMERCE CODE

Sec. 48.103(c): “A person that conducts business in this state and owns or licenses computerized data

that includes sensitive personal information shall disclose any breach of system security, after discovering or

receiving notification of the breach, to any resident of this state whose sensitive personal information was, or

is reasonably believed to have been, acquired by an unauthorized person.” [(b) is similar, for businesses.]

Sec. 50.003: “A person that owns or licenses data…that includes identifying information of a resident of

this state must promptly notify the resident of any alleged breach of the security of the person’s data system,

regardless of whether the resident’s identifying information has been accessed by an unauthorized person.”

Notice must be written, electronic (per 15 USC 7001), or per business’s own notification policy, or (if

notice itself costs more than $250,000) by broadcast media, email, or web site posting. If more than 10,000

persons, then all consumer reporting agencies (15 USC 1681a) must also be notified. –48.102 (f)(g) & (h)

Attorney general may bring suit even if the offense has not yet resulted in any harm to anyone. Fines:

between $2000 and $50,000 per violation. –TBC&C 48.201(a) and (b).

Sec. 48.102(a): “A business shall implement and maintain reasonable procedures, including taking any

appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal

information collected or maintained by the business in the regular course of business.”

Sec. 48.102(b): “A business shall destroy or arrange for the destruction of customer records containing

sensitive personal information within the business’s custody or control that are not to be retained by the

business.” Exceptions: financial institutions 15 USC 6809.

D. TDRPC: PREAMBLE, PARAGRAPH 4:

“A lawyer’s conduct should conform to the requirements of the law…”

E. TDRPC: PREAMBLE, PARAGRAPH 16:

“…The fact that in exceptional situations the lawyer under the Rules has a limited discretion to disclose a

client confidence does not vitiate the proposition that, as a general matter, the client has a reasonable

expectation that information relating to the client will not be voluntarily disclosed …”

F. TDRPC: RULE 1.03 COMMUNICATION

“•(a) A lawyer shall keep a client reasonably informed about the status of a matter and promptly comply

with reasonable requests for information.

•(b) A lawyer shall explain a matter to the extent reasonably necessary to permit the client to make

informed decisions regarding the representation.”

G. TDRPC: RULE 1.05 CONFIDENTIALITY OF INFORMATION

(a) Confidential information refers to both privileged and unprivileged client information. Privileged

information refers to the information of a client protected by the lawyer-client privilege of Rule 5.03 of the

Texas Rules of Evidence or of Rule 5.03 of the Texas Rules of Criminal Evidence or by principles of attorney-

client privilege governed by Rule 5.01 of the Federal Rules of Evidence of the United States Courts and

Magistrates. Unprivileged client information means all information relating to a client or furnished by a client,

other than privileged information, acquired by the lawyer during the course of or by reason of the

representation of the client.

(b) Except as permitted by paragraphs (c) and (d), or as required by paragraphs (e) and (f), a lawyer shall

not knowingly:

- 1) reveal confidential information of a client or a former client to:

- - (a) a person that the client has instructed is not to receive the information; or

- - (b) anyone else, other than the client, the client’s representatives, or the members, associates, or

employees of the lawyer’s law firm.

- 2) Use confidential information of a client to the disadvantage of the client unless the client consents

after consultations.

(c) A lawyer may reveal confidential information:

- 4) When the lawyer has reason to believe it is necessary to do so in order to comply with a court order, a

Texas Disciplinary Rule of Professional Conduct, or other law.

H. TDRPC RULE 1.14: SAFEKEEPING PROPERTY

(b) …Except as stated in this Rule or otherwise permitted by law or by agreement with the client, a lawyer

shall promptly deliver to the client or third person any funds or other property …

I. TDRPC RULE 1.14: SAFEKEEPING PROPERTY, COMMENTS

Paragraph 1: A lawyer should hold property of others with the care required of a professional fiduciary. …

J. TDRPC 1.15 DECLINING OR TERMINATING REPRESENTATION

(d) Upon termination of representation, a lawyer shall take steps to the extent reasonably practicable to

protect a client’s interests, such as … surrendering papers and property to which the client is entitled…

K. ABA MODEL RULES 1.6: DUTY OF CONFIDENTIALITY

•“(a) A lawyer shall not reveal information relating to the representation of a client unless the client gives

informed consent, the disclosure is impliedly authorized in order to carry out the representation or the

disclosure is permitted … by [certain limited and specific situations].”

•ABA Model Rule 1.6 official comment:

“A lawyer must act competently to safeguard information relating to the representation of a client against

inadvertent unauthorized disclosure by the lawyer ….”

•“Factors to be considered in determining the reasonableness of the lawyer’s expectation of confidentiality

include the sensitivity of the information…A client…may give informed consent to the use of a means of

communication that would otherwise be prohibited by this rule.”

•“The duty of confidentiality continues after the client-lawyer relationship has terminated.”

L. TDRPC: RULE 5.03 RESPONSIBILITIES REGARDING NONLAWYER ASSISTANTS

With respect to a non-lawyer employed or retained by or associated with a lawyer:

(a) a lawyer having direct supervisory authority over the non-lawyer shall make reasonable efforts to

ensure that the person’s conduct is compatible with the professional obligations of the lawyer; and

(b) a lawyer shall be subject to discipline for the conduct of such person that would be a violation of these

rules if engaged in by the lawyer if:

- (1) the lawyer orders, encourages, or permits the conduct involved; or

- (2) the lawyer:

- - (i) is a partner in the law firm in which the person is employed, retained by, or associated with; or is the

general counsel of a government agency legal department in which the person is employed, retained, or

associated with; or has direct supervisory authority over such person; and

- - (ii) with knowledge of such misconduct by the non-lawyer knowingly fails to take reasonable remedial

action to avoid or mitigate the consequences of that persons [person’s] misconduct.

M. TDRPC: RULE 5.03 RESPONSIBILITIES REGARDING NONLAWYER ASSISTANTS, COMMENTS

Paragraph 1: … A lawyer should give such assistants appropriate instruction and supervision concerning

the ethical aspects of their employment, particularly regarding the obligation not to disclose information

relating to representation of the client, and should be responsible for their work product. …

Paragraph 2: Each lawyer in a position of authority in a law firm or in a government agency should make

reasonable efforts to ensure that the organization has in effect measures giving reasonable assurance that

the conduct of non-lawyers employed or retained by or associated with the firm or legal department is

compatible with the professional obligations of the lawyer. This ethical obligation includes lawyers having

supervisory authority or intermediate managerial responsibilities in the law department of any enterprise or

government agency.

N. SOME THOUGHTS ON CONFLICTING OBLIGATIONS

TDRPC Rule 1.14 requires safeguarding of a client’s property, and TDRPC Rule 5.03 makes you liable

for the ethical breaches of your employee. (Curiously, TDRPC Rule 1.05 does not seem to contain any

ethical culpability for negligent violations of the duty of confidentiality, since paragraph (b) only mentions

disclosures that occur “knowingly.”) You will also be hampered with respect to your obligation to keep the

client informed in the future, if the computer contained your only copies of relevant information. The ethical

considerations seem clear; there is no quandary as to what to do with respect to these ethical obligations.

Note that proper file storage and proper supervision of non-lawyer assistants are distinct ethical duties.

It should be mentioned that the reasonableness of relying on a subordinate to protect information can

depend on: the lawyer’s subjective expectations of the particular subordinate; the lawyer’s subjective

expectations of the workforce generally; local/regional/national custom, which can vary from one field of law to

another, and whether the assistant belongs to an organization that has ethical responsibilities (paralegals,

etc.); ease of using technology; costs/risks of safeguards and expectations whether safeguards would be

effective.

The ethical quandary, therefore, is whether to tell; the conflict arises only with respect to the disclosure

requirement of the statutory security breach provisions of the business code, not with respect to the

computer theft itself.

If your computer (or a file) containing personal information is stolen or lost, the Texas Business &

Commerce Code, as well as paragraph 4 of the TDRPC’s Preamble, would seem to require notification to the

nonclient whose personal information was compromised. On the other hand, TDRPC Rule 1.05 seems to

prohibit notification to the nonclient whose personal information was compromised. TDRPC Rule 1.03 seems

to require that, if the lawyer notifies the nonclient whose personal information was compromised, the lawyer

must inform the client that the nonclient was notified.

O. SOURCES OF TORT LAW:

If the computer thief were a stalker instead of an identity thief, you could have additional tort liability:

Prosser & Keeton, Law of Torts (302B can create liability for creating an unreasonable risk of a

foreseeable harm to another; 201 states that an actor may have a duty to protect the plaintiff if he “greatly

increased the risk of harm to the plaintiff from the criminal acts of others.”) Similar tort liability is set forth in

the Restatement (Second) of Torts, Section 314.

Case law also indicates potential tort liability to a victim of stalking:

Remsberg v. Docusearch, 149 NH 148, 816 A.2d 1001 (2002); Bell v. Michigan Council 25, 2005 WL

356306 (Mich. Ct. of App. 2005); Poli v. Mountain Valleys Health Centers, Inc., 2006 WL 83378 (E.D.Cal.

2006); Cobell v. Norton, 391 F.3d 251 (D.C. Cir. 2004). You are the only one who can prevent the

foreseeable harm: Palsgraf, Kline

But: Dupont v. Aavid Thermal Techs., Inc., 798 A.2d 587, 592 (NH 2002) (“the general duty to protect

citizens from criminal attacks is a government function” and is not defendant’s job.)

Is the theft of a notebook computer containing client files really unforeseeable?

P. POSSIBLE SUGGESTIONS:

The Business & Commerce Code statutes contain an exception where the contents whose confidentiality

has been breached were encrypted. There is no statutorily established standard for encryption, but simply

requiring a password might be enough. Even though password-protecting a file is not exactly the same thing

as encryption, there are similarities. Therefore, you might want to buy a screen-saver that requires a

password. Put it on all computers in your office. Require all persons in your office to change their

passwords whenever any employee is terminated, since employees often know one another’s passwords.

Know what info is on each computer. That way, if the computer is lost or stolen, you might be able to limit

your mitigation.

Have a plan. If a computer is lost or stolen, identify which persons might be affected.

If you have to notify, offer to help. Any offer to help, e.g. simply buying one year’s worth of a credit

monitoring company’s services (which can be cheap), can mitigate.

Auto-audit software can crawl through your entire network and back up all of the versions of all of your

computer files, and can log which employee/hard drive has which version of which computer files.

III. METADATA, UNINTENDED DISCLOSURES AND E-DISCOVERY

There are a lot of reported incidents of people and entities being hurt by the inadvertent release of

metadata. I have included a few below. Of course, as with any hearsay, there is always a possibility that

some of the facts stated below may be in error, or may even have been “planted” by rivals. Before relying on

any of these specifics, you should double-check to make sure the information is accurate and current.

A. HYPO:

You, your colleagues at your firm and your client have been collaborating on a document, which you are

now planning to send to someone outside the attorney/client circle of privilege (e.g., opposing counsel, a

court, a governmental agency, a witness, etc.) The document has been heavily edited, but you have removed

all of the privileged/work-product information.

Unfortunately, unbeknownst to you, the document does contain metadata. The recipient of your

document can find out a lot more than you want to reveal.

B. METADATA EXPLAINED:

“Metadata” refers to invisible information about a document, including all changes, deletions, and

additions, and who made them, and any electronic notes that have ever been attached to the document. Such

information is not visible on the screen, and you might have trouble finding it in your own documents.

Nevertheless, this information usually accompanies the document when it is electronically transmitted.

Metadata can include the names of the document’s author and all collaborators who have edited or

commented on the document, the organizational relationship among the author and collaborators (such as

which department they work in), any computer information such as which version of Microsoft Word or which

operating system was used on the computer where the document was created, the computer hard drive ID

(and in some cases microprocessor ID, and even the default printer name and its model number) of all

computers (including email and other servers) on which the document has ever resided and through which

the document has ever been transmitted, as well as full email headers of all emails to which the document

has been attached, all previous versions of the document including text that has been deleted, and even text

from other documents that happen to be stored on the same hard drive or that were open at the same time.

Also, software vendors can create other kinds of metadata; no list can ever be complete.

Metadata can be important. For example, if you bill a client for two hours’ work drafting a document but

the document metadata shows that it was created only 20 minutes before it was emailed to the client, you

might have some explaining to do to the client. If you are seeking an “emergency” TRO but your document

shows it has been created weeks ago, your adverse counsel might want you to explain why you didn’t file

earlier.

Think of all of the times you’ve used a template or form to create similar documents in two different cases;

did you create the document for one client, send that document out, and then cut and paste to insert the

name of the second client? Would you be embarrassed if the second client undid the changes and saw the

original document pertaining to the first client?

Note also that many courts, e.g. the Florida Supreme Court, require all filings by attorneys to be

electronic. You are going to have to submit electronic documents (which can contain metadata), but you are

going to have an opportunity to examine the metadata of the documents proffered by the other side in the

case. December 1, 2006 amendments to the Federal Rules of Civil Procedure, Fed.R.Civ.P. 30(b)(6) and

analogous state-court rules, Pa. R. Civ. P. 205.4(g)(2). These documents might be rich in metadata.
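A pre-send audit of the metadata described above, as an added example that is not part of the original paper. It assumes the document is in Word's .docx (Office Open XML) format; the sample file, names, dates and function names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
W = "{%s}" % NS["w"]

# (label in the report, package part, element holding the value)
PROPERTIES = [
    ("author", "docProps/core.xml", "dc:creator"),
    ("last_modified_by", "docProps/core.xml", "cp:lastModifiedBy"),
    ("created", "docProps/core.xml", "dcterms:created"),
    ("modified", "docProps/core.xml", "dcterms:modified"),
    ("company", "docProps/app.xml", "ep:Company"),
    ("application", "docProps/app.xml", "ep:Application"),
    ("editing_minutes", "docProps/app.xml", "ep:TotalTime"),
]


def _xml(zf, name):
    """Parse one part of the package, or return None if the part is absent."""
    # For files from untrusted senders, use a hardened XML parser instead.
    try:
        return ET.fromstring(zf.read(name))
    except KeyError:
        return None


def audit_docx(data):
    """Return what a recipient could read beyond the visible text of a .docx."""
    report = {"properties": {}, "deleted_text": [], "inserted_by": [], "comments": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        roots = {}
        for label, part, path in PROPERTIES:
            if part not in roots:
                roots[part] = _xml(zf, part)
            node = roots[part].find(path, NS) if roots[part] is not None else None
            if node is not None and node.text:
                report["properties"][label] = node.text
        body = _xml(zf, "word/document.xml")
        if body is not None:
            # Tracked deletions keep the removed words inside the file.
            for d in body.iter(W + "del"):
                text = "".join(t.text or "" for t in d.iter(W + "delText"))
                report["deleted_text"].append((d.get(W + "author"), d.get(W + "date"), text))
            authors = {i.get(W + "author") for i in body.iter(W + "ins")}
            report["inserted_by"] = sorted(a for a in authors if a)
        notes = _xml(zf, "word/comments.xml")
        if notes is not None:
            for c in notes.iter(W + "comment"):
                text = "".join(t.text or "" for t in c.iter(W + "t"))
                report["comments"].append((c.get(W + "author"), text))
    return report


def build_sample_docx():
    """Constructed sample: a reused letter with a tracked change and a comment."""
    w = 'xmlns:w="%s"' % NS["w"]
    stamp = 'w:author="A. Associate" w:date="2008-05-01T09:05:00Z"'
    parts = {
        "docProps/core.xml":
            '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
            '<dc:creator>A. Associate</dc:creator>'
            '<cp:lastModifiedBy>P. Partner</cp:lastModifiedBy>'
            '<dcterms:created>2008-05-01T09:00:00Z</dcterms:created>'
            '<dcterms:modified>2008-05-01T09:20:00Z</dcterms:modified>'
            '</cp:coreProperties>' % NS,
        "docProps/app.xml":
            '<Properties xmlns="%(ep)s"><Application>Microsoft Office Word</Application>'
            '<Company>Example Firm LLP</Company><TotalTime>20</TotalTime></Properties>' % NS,
        "word/document.xml":
            '<w:document %s><w:body><w:p><w:r><w:t>Engagement letter for </w:t></w:r>'
            '<w:del %s><w:r><w:delText>First Client Inc.</w:delText></w:r></w:del>'
            '<w:ins %s><w:r><w:t>Second Client Inc.</w:t></w:r></w:ins>'
            '</w:p></w:body></w:document>' % (w, stamp, stamp),
        "word/comments.xml":
            '<w:comments %s><w:comment w:author="P. Partner"><w:p><w:r>'
            '<w:t>Reuse the fee terms from the first matter.</w:t>'
            '</w:r></w:p></w:comment></w:comments>' % w,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in audit_docx(build_sample_docx()).items():
        print(key, value)
```
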

C. QUESTIONS:

1) Are you being unethical if you send a document with confidential information in the metadata? Many

ethical standards forbid a lawyer to "knowingly" reveal a client's confidences or secrets. If you are aware of

the existence of metadata, even if only in theory, then if you transmit a document containing confidential

information in the metadata, is your revelation done “knowingly?”

2) Is the recipient being unethical in using software to mine the metadata? Mining metadata is hardly an

“inadvertent glance.”

3) Can you get a protective order prohibiting adverse counsel from mining metadata? Does doing so

merely increase the likelihood that the recipient will think of mining the metadata?

4) Should documents created by a non-lawyer be treated the same way as documents created by

adverse counsel? In other words, should mining internal corporate memos that were not created in

contemplation of litigation be treated the same as documents that have been eFiled with a court or that have

been propounded as discovery?

5) Does a failure to examine metadata, either in documents being sent out or in documents being

received, constitute incompetence?

6) Can software that automatically washes metadata ever constitute spoliation? Can it ever violate a

discovery order?

7) Which version of the document is stored “in the ordinary course of business,” the version with the

metadata intact, or the version with the metadata scrubbed?

8) Should leaving metadata in a document be as culpable and as punishable as violating HIPAA’s or

GLBA’s privacy/confidentiality rules?

9) What do attorney-malpractice insurers think?

10) Given the fact that some metadata is stored externally to the document, and some is actually stored

in the NTFS files, email server caches, etc., then can you really ever provide an “entire” document without

providing your entire computer network?

11) Should metadata be analogized to notes inadvertently provided to opposing counsel and redacted

material (the recipient isn’t supposed to use)? Or is metadata the whole point of the FRE’s shift from paper to

electronic discovery? When a lawyer starts to use a technology (e.g., Word), is the lawyer required to

understand all of the consequences?

12) Metadata can be inadvertently destroyed, possibly in violation of a preservation order or document

retention policy. Some systems will only store three dates in metadata: modified, accessed, or created; when

you back up or copy a document, or even if you just open it and look at it or use “insert file” to insert it into

another document, one of the dates can be replaced with the backup/copy date. In other words, you might

violate the court order while you are trying to comply with the court order! Should this be punishable by

sanctions?
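The date problem raised in question 12, as an added example that is not part of the original paper: an ordinary copy stamps the new file with the copy date, while a preservation copy carries the original dates across and proves the content is unchanged. The file names, the function names and the 2006 timestamp are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

OLD = 1136073600  # constructed "last modified" time: 2006-01-01T00:00:00Z


def sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def preservation_copy(src, dst):
    """Copy src to dst, keep the original dates, and verify the content."""
    before = os.stat(src)      # record the dates before anything reads the file
    digest = sha256(src)
    shutil.copy2(src, dst)     # copies the data, then the timestamps
    if sha256(dst) != digest:
        raise RuntimeError("copy does not match the original")
    # Reading a file can update its "accessed" date, so put the recorded
    # dates back on both the original and the copy.
    times = (before.st_atime_ns, before.st_mtime_ns)
    os.utime(src, ns=times)
    os.utime(dst, ns=times)
    return {"sha256": digest, "modified": int(before.st_mtime)}


def demo():
    """Compare an ordinary copy with a preservation copy of the same file."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "memo.txt")
        with open(src, "w") as fh:
            fh.write("constructed sample memo\n")
        os.utime(src, (OLD, OLD))  # give the original an old date
        naive = shutil.copy(src, os.path.join(d, "naive.txt"))  # data only
        kept = os.path.join(d, "kept.txt")
        record = preservation_copy(src, kept)
        return {
            "source_modified": int(os.stat(src).st_mtime),
            "naive_modified": int(os.stat(naive).st_mtime),
            "kept_modified": int(os.stat(kept).st_mtime),
            "same_content": sha256(naive) == sha256(kept) == record["sha256"],
        }


if __name__ == "__main__":
    print(demo())
```
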

D. SPOLIATION

After the loss of the computer, any client, former employee, etc. who becomes involved in litigation against

your firm might be entitled to sanctions under spoliation and eDiscovery rules.

E. TDRPC: RULE 1.05 CONFIDENTIALITY OF INFORMATION

(a) Confidential information refers to both privileged and unprivileged client information. Privileged

information refers to the information of a client protected by the lawyer-client privilege of Rule 5.03 of the

Texas Rules of Evidence or of Rule 5.03 of the Texas Rules of Criminal Evidence or by principles of attorney-

client privilege governed by Rule 5.01 of the Federal Rules of Evidence of the United States Courts and

Magistrates. Unprivileged client information means all information relating to a client or furnished by a client,

other than privileged information, acquired by the lawyer during the course of or by reason of the

representation of the client.

(b) Except as permitted by paragraphs (c) and (d), or as required by paragraphs (e) and (f), a lawyer shall

not knowingly:

- 1) reveal confidential information of a client or a former client to:

- - (a) a person that the client has instructed is not to receive the information; or

- - (b) anyone else, other than the client, the client’s representatives, or the members, associates, or

employees of the lawyer’s law firm.

- 2) Use confidential information of a client to the disadvantage of the client unless the client consents

after consultations.

(c) A lawyer may reveal confidential information:

- 4) When the lawyer has reason to believe it is necessary to do so in order to comply with a court order, a

Texas Disciplinary Rule of Professional Conduct, or other law.

F. TDRPC: RULE 1.01 COMPETENT AND DILIGENT REPRESENTATION

(a) A lawyer shall not accept or continue employment in a legal matter which the lawyer knows or should

know is beyond the lawyer’s competence, unless:

- (1) another lawyer who is competent to handle the matter is, with the prior informed consent of the

client, associated in the matter; …

G. TDRPC: RULE 5.03 RESPONSIBILITIES REGARDING NONLAWYER ASSISTANTS

[see text of the Rule and its Comments above, in the discussion of the theft of a notebook computer.]

H. OTHER JURISDICTIONS: ETHICAL RULES RELATING TO METADATA

Some states have answered these questions specifically. Some impose an ethical duty on the sender to

wash away the metadata before sending the document; others impose an ethical duty on the recipient not to

look at the metadata. I include New York (which now imposes a duty on both), Florida and California because

they are most specific to metadata. I also include the ABA because, well, it’s the ABA.

(1) New York (State)

(a) New York State Bar Opinion 749 (2001) (punishing only the recipient for mining)

The circumstances of the present inquiry present an even more compelling case against surreptitious

acquisition and use of confidential or privileged information than that presented by the "inadvertent" or

"unauthorized" disclosure decisions. First, to the extent that the other lawyer has "disclosed," it is an

unknowing and unwilling, rather than inadvertent or careless, disclosure. In the "inadvertent" and

"unauthorized" disclosure decisions, the public policy interest in encouraging more careful conduct had to be

balanced against the public policy in favor of confidentiality. No such balance need be struck here because it

is a deliberate act by the receiving lawyer, not carelessness on the part of the sending lawyer that would lead

to the disclosure of client confidences and secrets.

Nor need we balance the protection of confidentiality against the principles of zealous representation

expressed in Canon 7. Our Code carefully circumscribes factual and legal representations a lawyer can

make, people a lawyer may contact, and actions a lawyer can take on behalf of a client. Prohibiting the

intentional use of computer technology to surreptitiously obtain privileged or otherwise confidential information

is entirely consistent with these ethical restraints on uncontrolled advocacy.

(b) New York State Bar Opinion 782 (Dec. 8, 2004) (punishing both sender and recipient) concludes:

http://www.nysba.org/Content/NavigationMenu/Attorney_Resources/Ethics_Opinions/Opinion_782.htm

...Lawyer-recipients also have an obligation not to exploit an inadvertent or unauthorized transmission of

client confidences or secrets. In N.Y. State 749, we concluded that the use of computer technology to access

client confidences and secrets revealed in metadata constitutes "an impermissible intrusion on the attorney-

client relationship in violation of the Code." N.Y. State 749 (2003). See also N.Y. State 700 (1997) (improper

for a lawyer to exploit an unauthorized communication of confidential information because doing so would

constitute conduct "involving dishonesty, fraud, deceit or misrepresentation" and "prejudicial to the

administration of justice" in violation of DR 1-102(A)(4) and DR 1-102(A)(5), respectively). [FN4]

“Lawyers have a duty under DR 4-101 to use reasonable care when transmitting documents by e-mail to

prevent the disclosure of metadata containing client confidences or secrets.”

(2) Florida

(a) Florida Bar Association Opinion 93-3 (February 1, 1994):

“An attorney who receives confidential documents of an adversary as a result of an inadvertent release is

ethically obligated to promptly notify the sender of the attorney's receipt of the documents.”

(b) Florida RPC Rule 4-1.6(a): “(a) Consent Required to Reveal Information. A lawyer shall not reveal information relating to

representation of a client except as stated in subdivisions (b), (c), and (d), unless the client gives informed

consent.”

(c) Florida Bar Association Opinion 06-2 (September 15, 2006):

“A lawyer who is sending an electronic document should take care to ensure the confidentiality of all

information contained in the document, including metadata. A lawyer receiving an electronic document should

not try to obtain information from metadata that the lawyer knows or should know is not intended for the

receiving lawyer. A lawyer who inadvertently receives information via metadata in an electronic document

should notify the sender of the information's receipt. The opinion is not intended to address metadata in the

context of discovery documents….

In order to maintain confidentiality under Rule 4-1.6(a), Florida lawyers must take reasonable steps to

protect confidential information in all types of documents and information that leave the lawyers’ offices,

including electronic documents and electronic communications with other lawyers and third parties….

The duties of a lawyer when sending an electronic document to another lawyer and when receiving an

electronic document from another lawyer are as follows:

(1) It is the sending lawyer’s obligation to take reasonable steps to safeguard the confidentiality of all

communications sent by electronic means to other lawyers and third parties and to protect from other lawyers

and third parties all confidential information, including information contained in metadata, that may be

included in such electronic communications.

(2) It is the recipient lawyer’s concomitant obligation, upon receiving an electronic communication or

document from another lawyer, not to try to obtain from metadata information relating to the representation of

the sender’s client that the recipient knows or should know is not intended for the recipient. Any such

metadata is to be considered by the receiving lawyer as confidential information which the sending lawyer did

not intend to transmit. See, Ethics Opinion 93-3 and Rule 4-4.4(b), Florida Rules of Professional Conduct,

effective May 22, 2006.

(3) If the recipient lawyer inadvertently obtains information from metadata that the recipient knows or

should know was not intended for the recipient, the lawyer must “promptly notify the sender.”

The foregoing obligations may necessitate a lawyer’s continuing training and education in the use of

technology in transmitting and receiving electronic documents in order to protect client information under Rule

4-1.6(a). As set forth in the Comment to Rule 4-1.1, regarding competency:

To maintain the requisite knowledge and skill [for competent representation], a lawyer should engage in

continuing study and education.”

(3) California

When an attorney inadvertently receives privileged documents in discovery, the attorney “may not read a

document any more closely than is necessary to ascertain that it is privileged.” Rico v. Mitsubishi Motors

Corp., 2007 WL 4335934 (Cal. 2007) (defendant counsel left unlabeled work product on a table and stepped

out of the room while awaiting plaintiff’s counsel to arrive; plaintiff found no one in the room and read the

notes).

(4) The ABA

(a) ABA Model Rule 1.6, including comments

Abanet.org/cpr/mrpc/rule_1_6.html

Comment (2): a lawyer may have an ethical obligation to elicit embarrassing information from a client.

(b) Paragraph 17, Comment to Rule 1.6

[17] When transmitting a communication that includes information relating to the representation of a

client, the lawyer must take reasonable precautions to prevent the information from coming into the hands of

unintended recipients. This duty, however, does not require that the lawyer use special security measures if

the method of communication affords a reasonable expectation of privacy. Special circumstances, however,

may warrant special precautions. Factors to be considered in determining the reasonableness of the lawyer's

expectation of confidentiality include the sensitivity of the information and the extent to which the privacy of

the communication is protected by law or by a confidentiality agreement. A client may require the lawyer to

implement special security measures not required by this Rule or may give informed consent to the use of a

means of communication that would otherwise be prohibited by this Rule.

(c) (Withdrawn, 2005) Rule 4.4 of the ABA Model Rules

Once a lawyer receives a document, he has an obligation only to notify the sender that he has received it.

(d) ABA Model Rule 5.3

[Requires a lawyer to give non-lawyer “assistants” appropriate instruction and supervision concerning the

ethical aspects of their employment, particularly regarding the obligation not to disclose information relating to

representation of the client.]

(e) ABA Formal Opinion 05-437 (2005).

“A lawyer who receives a document from opposing parties or their lawyers and knows or reasonably should

know that the document was inadvertently sent should promptly notify the sender in order to permit the

sender to take protective measures. To the extent formal opinion 92-368 opined otherwise, it is hereby

withdrawn.”

(f) (Withdrawn, 2005) ABA Opinion 92-368 Inadvertent Disclosure of Confidential Materials (1992),

a lawyer who receives an errant fax or a misdirected letter would have an obligation to refrain from

examining them and should contact the sending lawyer to ask for instructions

(g) ABA Formal Opinion 99-413 (http://www.abanet.org/cpr/fo99-413.html), Standing Committee On

Ethics And Professional Responsibility, March 10, 1999, “Protecting the Confidentiality of Unencrypted E-

Mail”

“A lawyer may transmit information relating to the representation of a client by unencrypted e-mail sent

over the Internet without violating the Model Rules of Professional Conduct (1998) because the mode of

transmission affords a reasonable expectation of privacy from a technological and legal standpoint. The same

privacy accorded U.S. and commercial mail, land-line telephonic transmissions, and facsimiles applies to

Internet e-mail. A lawyer should consult with the client and follow her instructions, however, as to the mode of

transmitting highly sensitive information relating to the client's representation.”

In a footnote, the ABA urges each lawyer to “consider with her client the sensitivity of the communication, the

costs of its disclosure, and the relative security of the contemplated medium of communication. Particularly

strong protective measures are warranted to guard against the disclosure of highly sensitive matters. …The

lawyer must, of course, abide by the client's wishes regarding the means of transmitting client information.”

http://www.abanet.org/cpr/ethicsearch/inadvertent_disclosure.html

(5) Other states

Alaska Ethics Opinion 98-2 (Www.Alaskabar.Org/Index.Cfm?Id=4871); Arizona Opinion 93-14 (9/23/93);

Colorado Opinion 102 (3/21/98) And Opinion 108

(Www.Cobar.Org/Group/Display.Cfm?Genid=1830&Printerversion=Y); Connecticut Opinion 96-4 (3/14/96);

Delaware Bar Association Opinion 2001-2 (Www.Dsba.Org/Assocpubs/Pdfs/2001-2.Pdf); District Of Columbia

Opinion 256 (5/16/95) And 318 (12/02)

(Http://Www.Dcbar.Org/For_Lawyers/Ethics/Legal_Ethics/Opinions/Opinion318.Cfm,

Http://Www.Dcbar.Org/For_Lawyers/Ethics/Legal_Ethics/Opinions/Opinion256.Cfm); Illinois Opinion 96-10

And 98-4 (1/99) (Www.Isba.Org/Ethicsopinions/96-10.Asp,

Http://Www.Isba.Org/Ethicsopinions/98%2d04.Asp); Kentucky Opinion E-374 Revised (11/95)

(Http://Www.Kybar.Org/Documents/Ethics_Opinions/Kba_E-374.Pdf); Maine Opinion 146 (12/9/94)

(Http://Www.Mebaroverseers.Org/Ethics%20opinions/Opinion%20146.Htm); Maryland Opinion 00-04

(2/16/00); Massachusetts Opinion 94-6 (3/22/94)

(Http://Www.Massbar.Org/Publications/Ethics_Opinions/Article.Php?C_Id=592&Vt=2,

Http://Www.Massbar.Org/Publications/Ethics_Opinions/Article.Php?C_Id=616&Vt=2); Massachusetts Opinion

99-4 (7/15/99); Michigan Opinion Ri-179 (11/16/93) (Http://Www.Michbar.Org/Opinions/Ethics/); New York

State Opinion 749 (12/14/01) And 700 (5/7/98)

(Http://Www.Nysba.Org/Content/Navigationmenu/Attorney_Resources/Ethics_Opinions/Committee_On_Professional_Ethics_Opinion_700.Htm,

Http://Www.Nysba.Org/Content/Navigationmenu/Attorney_Resources/Ethics_Opinions/Committee_On_Professional_Ethics_Opinion_749.Htm); North Dakota Opinion 95-14 (12/4/95); Ohio Supreme Court Ethics

Committee Opinion 93-11 (12/3/93) And 99-2

(Http://Www.Sconet.State.Oh.Us/Boc/Advisory_Opinions/1993/Op%2093-011.Doc And

Www.Sconet.State.Oh.Us/Boc/Advisoryopinions/1999/Op_99-002.Doc); Oregon Opinion 1998-150 (4/98);

Pennsylvania Opinion 99-150 (11/18/99); Philadelphia Opinion 94-3 (6/94); South Carolina Ethics Opinion 97-

08 (Www.Scbar.Org//Member/Opinion.Asp?Opinionid=469); Utah Opinion 99-01 (1/29/99)

(Http://Www.Utahbar.Org/Rules_Ops_Pols/Ethics_Opinions/Op_99_01.Html); Vermont Ethics Opinion 97-5

(Www.Vtbar.Org/Ezstatic/Data/Vtbar/Attorney_Judicial_Resources_Advisory_Ethics_Opinions/1997/97-

05.Pdf); Virginia Opinion 1702 (11/24/97) (Http://Www.Vacle.Org/Opinions/1702.Txt);

Http://Www.Sband.Org/Data/Ethics/95-14.Pdf).

I. ANECDOTES AND CASE STUDIES

(1). National Politics: The Bush administration’s “Plan for Victory” speech had been authored by a political

scientist who had conducted polls to determine conditions under which the public would support a war with

mounting casualties in Iraq, and had written that Americans would support any number of casualties if the

word “Victory” were used. President Bush had denied relying on polls to word his speeches. Scott Shane of

the New York Times found that the “Author” (in metadata) was “feaver_p.” (New York Times, Dec. 3 and 4, 2005.)

(2). Metadata in a DNC press release on Justice Alito’s nomination revealed who in the DNC had authored it.

The DNC tried to act surprised that he had been nominated, but they had actually created a file on many

possible nominees; the authors’ names and the date the document was created were in the metadata.

(3). Local Politics: California’s AG, Bill Lockyer, sent out an electronic document calling peer-to-peer file-

sharing software "a dangerous product." Metadata revealed that the document had actually been authored by

“stevensonv," referring to Vans Stevenson, a senior vice president with the Motion Picture Association of

America.

(4). International Politics: The U.N. had attempted to remove the name of President al-Assad’s brother,

Maher, his brother-in-law, Assef al-Shawkat (who is married to President al-Assad’s sister, Bushra), and other

high-ranking Syrian officials from its press releases regarding the assassination of Lebanon's former prime

minister, Rafik Hariri on Feb. 14, 2005, but metadata revealed their names.

(5). Employee records: HIPAA, ERISA, and the common law invasion of privacy doctrine, to protect their

employees' medical and financial information. Tony Blair had apparently plagiarized a post-doc thesis on

Iraqi security from Ibrahim al-Marashi. The Danish prime minister apparently plagiarized his 2004 New Year’s

speech.

(6). Newspapers: The Washington Post scanned-to-PDF and online-published a letter from the Washington

D.C. sniper, who had stolen a credit card and demanded that $10 million be deposited into it. The newspaper

tried to redact the credit card owner’s name and account number, but anyone with Acrobat could remove the

redaction. 26 October 2002.

(7). A digital photo taken at a Roland, Oklahoma residence of an anonymous source (interviewed by Brian

Krebs of the Washington Post) contained GPS location data, pinpointing the source.

(8). Merck/Vioxx: New England Journal of Medicine editor Gregory Curfman claims to have recovered

relevant data that Merck deleted from its submissions regarding Vioxx in 2000; Merck had forgotten to turn off

Track Changes. On April 11, 2006, in New Jersey, Merck was hit with a $9 million verdict for withholding

evidence from the FDA.

(9). Compilers: Metadata that a compiler inserted into executable code was the vital evidence to convict Farid

Essebar (of Morocco) as the “Diabl0” who released the “Zotob” worm.

(10). RIAA: Media companies embed all sorts of information in their products (digital movies, compact

disks, etc.).

(11). Pseudo-porn: Cat Schwartz, of TechTV, apparently took some nude photos of herself and then cut-

and-pasted clothing into the photos, possibly aware that some of her viewers would know how to undo the

edits. It only takes one: the photos were reposted to the Internet.

(12). You should look at the ABA section on Family Law’s “Family Advocate” magazine, Winter 2006 (Vol.

28, No. 3) for more incidents.

(13). Press Releases and SEC regulation: In early March, 2006, Google’s online slide show mentioned a

“personal data storage” service that was not ready for the public. There were projections that revenues would

grow 58% when the service came on line, and Google had to explain to regulators that it hadn’t been trying to

surreptitiously pump its own stock. Similarly, in Australia, Westpac got in hot water in 2005 after emailing

a spreadsheet leaking current financial info before the info had been submitted to the Australian regulators.

(14). FTC: The FTC accidentally revealed an antitrust investigation into Whole Foods’ decision to shut

down Wild Oats stores, and its efforts to encourage suppliers to drive up WalMart’s costs; a court put the FTC

documents on its court-run web site.

(15). Peer Review: Many professors and scientists who submit articles for publication have discovered the

identities of their peer reviewers via metadata.

(16). Dell: in 2006, Dell posted a page to its website from which a link to an internal document had been

deleted. The link could be recovered, and the document obtained; it revealed pricing for future products.

(17). Classified info: Metadata in a military press release disclosed details of an incident in which an Italian

reporter, Mr. Nicola Calipari, was killed by U.S. troops in Iraq; info the military had tried to black out included

(1) the normal protocols for roadblocks and (2) the fact U.S. troops had violated those protocols.

(18). Police extranets: In April, 2006, a police department’s press release (which was posted on several

web sites) included passwords. The extranet was set up so that reporters and others could log onto the

police department’s computer system and download press releases. Some of the passwords included

profanity.

(19). Many companies have databases on their customers, including personally identifiable information

such as social security numbers. Many simply delete these columns from their spreadsheets when emailing

them out to subcontractors and business associates; unfortunately, the recipients can undelete. This is

essentially how many of the data breaches you’ve been reading about have occurred.

J. TECHNOLOGY SOLUTION:

(1) Seeing the metadata

Some metadata is easy to see in any Microsoft Word document.

Under the “File” dropdown menu you can find “Properties” which will tell you the total editing time of a

document, as well as “Custom” properties (you can actually add some additional custom properties with new

metadata).

Under the “Tools” dropdown menu you can find “Track Changes” which can be set to keep track of all

changes to the document (including who makes the changes) while hiding from the user the fact that the

changes are being tracked! You can turn on “Track Changes” to a document you have received and maybe

see some metadata you weren’t supposed to see.

Other features might allow you to “Undo” changes to see what the document once looked like; you might

be able to recover “Versions,” too. You might want to look at the Help feature, or read about these features

on line.

Note, however, that you are not going to see all of the metadata that could potentially be in the document.

Copyrighted content often has “watermarks” and other invisible ID information; if you buy two copies of the

latest compact disk the watermarks will be different. If a bootleg copy of a compact disk turns up, the

copyright owner can use a retailer’s cash register records and credit card company records to track down the

bootlegger. Under the Digital Millennium Copyright Act, if there is any copyrighted content at all in your

document, removing the metadata can actually be illegal.

Metadata can be in anything: web pages, spreadsheets, emails, scanned images, among many other

types of files. But metadata is not limited to computers. Some digital cameras actually insert longitude and

latitude info into digital photos, along with the timestamp/datestamp and camera settings.

Not all of the metadata pertaining to a document is in the document itself. Some of it is in other

documents on the computer that created it, or on which it was edited, or through which it was transmitted.

The World Wide Web Consortium (W3C) has standardized HyperText Markup Language (HTML) and

eXtensible Markup Language (XML) metadata; XML has Resource Description Framework (RDF), which was

developed by Platform for Internet Content Selection. RDF is used to create maps of web sites, so that a link

from one page of a web site can find another page of the web site, even if the web site is moved to another

server. Windows NT products use NTFS, and Apple OS X uses Hierarchical File System. These are stored

externally to the document, but can go with the document when you email it. There are also hidden folders

and files. Discrepancies between the NTFS metadata and document metadata can reveal tampering.

(2) Removing the metadata

Some people say that if you convert your document from Word to Rich Text Format (RTF) and then

convert the RTF document to Portable Document Format (PDF), you have less metadata; the problem is, you

still have some. Commercial software is available to reveal some of the metadata in any document, be it

Microsoft Word, WordPerfect, Adobe PDF, Excel, PowerPoint, etc. Converting files to PDF format with

Adobe Acrobat will strip out most metadata. For this reason many law firms today have adopted a practice of

sending only PDF documents to clients or opposing counsel, especially if the recipient doesn’t need to edit

the document.

Word, PowerPoint, and Excel users should turn off the Fast Saves feature. To do this click on Tools, then

Options, then the Save tab, and uncheck “Allow Fast Saves.” Fast saves allows a computer to quickly save a

file by not removing deleted text from it. When computers were much slower, it was perhaps a helpful feature.

However, with more powerful computers in use today, you won’t notice any difference with this feature turned

off.

WordPerfect has a feature called Undo/Redo History; it allows you to view past changes in a document in

terms of what was cut, copied, and even deleted. Click on the Option button, and then uncheck “Save

Undo/Redo Items with Document” to turn it off. This does not remove all metadata. WordPerfect users should

visit the Corel knowledge base at http://support.corel.com/ and search for “minimizing metadata.”

Of course, even if you remove the metadata from your document, copies of the document containing the

metadata may remain on other people’s computers. Sharing documents can occur at any time, e.g. if your

firm has a web site, an extranet, or intranet. An extranet lets you, your coworkers, co-counsel, and clients

access documents from outside the firm’s offices; an intranet lets them access your documents from inside.

Anyone with access to your document can make a copy of it before you scrub out the metadata, and the copy

will have the metadata.

For Word, Excel, and PowerPoint users, the most widely used metadata scrubber is the Metadata

Assistant sold by Payne Consulting Group (www.payneconsulting.com). Other metadata removal programs

for the Microsoft suite of products include ezClean by SoftWise Consulting (www.kkl.com) and Workshare

Protect by Workshare (www.workshare.net).

Unfortunately, there is no software program for easily and automatically removing metadata from

WordPerfect documents.

If you use a document management system, make sure that you remove metadata before resaving a

document to another client/matter. Metadata might be less dangerous if it is contained within one

client/matter, but if you use a template from one client to create a document for another, metadata can be

disastrous.

Turn on “Track changes” (to see what is there) and then turn it off (to hide what is there), before sharing

documents; similarly, with Comments. “Accept all changes” should get rid of most of this metadata.

Metadata washers: In general, whichever software company creates your document software should not

be the same software company who creates your metadata scrubber. Some companies will leave in the

metadata that their own software uses. Payneconsulting.com, kkl.com, workshare.net, docscrubber.com,

EZClean, etc. are inexpensive tools to scrub metadata out of Word, PowerPoint and Excel documents.

Remember, though, that each type of software can store documents in multiple formats. PDFs created by a

Microsoft Word utility and PDFs created by Adobe Acrobat might have completely different types of metadata.

You might want to save a copy that retains the metadata; metadata can be helpful in tracking security

breaches. Also, instead of deleting the metadata, you might want to replace it with the name of your firm, or

with the warning you typically include in emails: “This document may contain privileged information…”

If you work for a large firm, you can create a firm-wide policy of scrubbing all outgoing documents and

examining all incoming documents, and you can have your IT department enforce it.

Since Microsoft Word documents have so much metadata, you might want to remove all Microsoft Word

documents from your website.

If you have a template or a document you use to create other documents, remove all metadata from it.
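A pre-send audit of the kind a firm-wide scrubbing policy could automate is sketched below as an added example; it is not from this paper or from any vendor named in it. It assumes the newer .docx (Office Open XML) format rather than binary .doc, and the function names, firm name and sample document are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the .docx (Office Open XML) parts inspected below.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
EP = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def part(zf, name):
    """Parse one XML part of the package; None when the part is absent."""
    return ET.fromstring(zf.read(name)) if name in zf.namelist() else None


def field(root, tag):
    """Text of a direct child element, or None."""
    node = root.find(tag) if root is not None else None
    return node.text if node is not None else None


def run_text(elem, tag):
    """Concatenate the text of every <w:tag> element below elem."""
    return "".join(t.text or "" for t in elem.iter(f"{{{W}}}{tag}"))


def audit_docx(data):
    """Collect the metadata an outgoing .docx (given as bytes) still carries."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        core, app = part(zf, "docProps/core.xml"), part(zf, "docProps/app.xml")
        doc, notes = part(zf, "word/document.xml"), part(zf, "word/comments.xml")
    author = f"{{{W}}}author"
    found = {
        "author": field(core, f"{{{DC}}}creator"),
        "last_modified_by": field(core, f"{{{CP}}}lastModifiedBy"),
        "company": field(app, f"{{{EP}}}Company"),
        "template": field(app, f"{{{EP}}}Template"),
        "editing_minutes": int(field(app, f"{{{EP}}}TotalTime") or 0),
        "deleted": [], "inserted": [], "hidden": [], "comments": [],
    }
    if doc is not None:
        # Track Changes keeps removed text in <w:del>/<w:delText> until accepted.
        for d in doc.iter(f"{{{W}}}del"):
            found["deleted"].append((d.get(author), run_text(d, "delText")))
        for i in doc.iter(f"{{{W}}}ins"):
            found["inserted"].append((i.get(author), run_text(i, "t")))
        # Hidden text is an ordinary run flagged with <w:vanish/>.
        for r in doc.iter(f"{{{W}}}r"):
            flag = r.find(f"{{{W}}}rPr/{{{W}}}vanish")
            if flag is not None and flag.get(f"{{{W}}}val") not in ("0", "false"):
                found["hidden"].append(run_text(r, "t"))
    if notes is not None:
        for c in notes.iter(f"{{{W}}}comment"):
            found["comments"].append((c.get(author), run_text(c, "t")))
    return found


def hold_reasons(found, firm_name):
    """Reasons to stop the document from leaving; an empty list means release."""
    reasons = []
    for key in ("author", "last_modified_by", "company"):
        if found[key] not in (None, firm_name):
            reasons.append(f"{key} names {found[key]!r}")
    if found["template"] not in (None, "Normal.dotm", "Normal.dot"):
        reasons.append(f"built from template {found['template']!r}")
    for key in ("deleted", "inserted", "hidden", "comments"):
        if found[key]:
            reasons.append(f"{len(found[key])} {key} item(s) still present")
    return reasons


def make_docx(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


# Constructed sample: only the parts the audit reads, not a complete package.
SAMPLE = make_docx({
    "docProps/core.xml": f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
        "<dc:creator>associate_a</dc:creator>"
        "<cp:lastModifiedBy>partner_b</cp:lastModifiedBy></cp:coreProperties>",
    "docProps/app.xml": f'<Properties xmlns="{EP}"><Template>OtherClient.dotm'
        "</Template><TotalTime>412</TotalTime></Properties>",
    "word/document.xml": f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:del w:author="partner_b"><w:r><w:delText>$900,000</w:delText></w:r></w:del>'
        '<w:ins w:author="partner_b"><w:r><w:t>$500,000</w:t></w:r></w:ins>'
        "<w:r><w:rPr><w:vanish/></w:rPr><w:t>client will go to 900k</w:t></w:r>"
        "</w:p></w:body></w:document>",
    "word/comments.xml": f'<w:comments xmlns:w="{W}"><w:comment w:author="associate_a">'
        "<w:p><w:r><w:t>Do not disclose the appraisal.</w:t></w:r></w:p></w:comment></w:comments>",
})

if __name__ == "__main__":
    print("\n".join(hold_reasons(audit_docx(SAMPLE), "Example Firm PLLC")))
```

The template check matters for the client/matter problem described above: a document built from another client's template carries that name in its properties even when the visible text is clean.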

(3) Deposing in a way that can obtain metadata-containing files

Sometimes documents superficially appear identical, although they are quite different when metadata is

considered. For example, if you email a copy of a document to a colleague, the copy on the colleague’s hard

drive might have metadata that can include all of the routing information pertaining to the email. If a

document has been moved from one computer system to another, some metadata might have been lost and

other metadata might have been added. Printouts of the documents might seem identical. You will probably

want all copies, even if they seem duplicative. Of course, you might not necessarily want to alert the adverse

party that the documents are not in fact identical.

Asking the right people: You can (e.g., Fed.R.Civ.P. 30(b)(6)) designate a member of the IT staff of the

adverse party as a “corporate representative” and send a notice that lists topics of inquiry (such as the

adverse party’s data system), to obligate the other side to provide a witness or witnesses who have

knowledge of the topics you list. You can probably ask: who is responsible for (a) archiving, storing,

managing, backing up, retaining, deleting, and otherwise handling data, (b) designing, maintaining, and/or

purchasing the company's computer hardware, (c) designing, maintaining, and/or purchasing the company's

computer software or writes the code, (d) designing, maintaining, and/or purchasing any interface between

differing company databases, (e) inputting data, (f) troubleshooting or “help-desking” any computer problems

for the adverse party? Who might have emails relevant to the suit? (The member of the adverse party’s IT

staff can confirm.) How are these responsibilities assigned within the corporation (e.g., do different

departments store emails on different servers)? Does the computer system automatically limit access to the

document, e.g. by “permissions” or similar techniques?

Once you have a list of the people and of the computer systems, you can formulate your requests for

electronic discovery.

Getting the right metadata-mining software: You can probably ask about data and other records, forms

and formats, policies and procedures, quantities of data (to determine burden of production), types of devices

and systems, etc. and then buy the right metadata mining software appropriate for what you might get.

(4) Types of metadata to look for

Timing: since a lot of metadata relates to dates and times (e.g., the “MAC” data that stores the most

recent modification and access dates and the creation date of a document), you can ask for the dates on

which: (a) data was backed up, (b) the computer was last turned on, (c) data retention policies were

implemented, (d) specific IT-related events occur in relation to the timeline of your case, (e) the litigation hold

(assuming a litigation hold was issued in this case) was implemented. Remember: data can generally be

“searched for” based on metadata. If the court determines that your discovery requests are too voluminous or

burdensome, you can use these dates to restrict your request. Also, these dates can be used to determine

“adverse inferences” due to spoliation. You might ask: Does backing up the data ever erase any of the MAC

dates, replacing any of the MAC dates with the date of the backup?
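Whether a backup replaces a file's dates depends on how the copy is made, which the added example below shows; it is not from the original paper. Python's `shutil` stands in for a backup tool, and the file names, dates and the `stamped_by_backup` helper are constructed for illustration.

```python
import os
import shutil
import tempfile

ORIGINAL_MTIME = 1146441600  # constructed sample date: 2006-05-01 00:00:00 UTC


def modified(path):
    """Last-modified time of a file as whole seconds since the epoch."""
    return int(os.stat(path).st_mtime)


def backup_effect():
    """Back up one backdated file two ways; return each copy's modified date."""
    with tempfile.TemporaryDirectory() as folder:
        src = os.path.join(folder, "memo.txt")
        with open(src, "w") as fh:
            fh.write("constructed sample memo\n")
        os.utime(src, (ORIGINAL_MTIME, ORIGINAL_MTIME))  # pretend it is from 2006
        # shutil.copy copies content and permissions only: the date becomes "now".
        plain = shutil.copy(src, os.path.join(folder, "plain_backup.txt"))
        # shutil.copy2 also copies the timestamps the filesystem lets it set.
        faithful = shutil.copy2(src, os.path.join(folder, "faithful_backup.txt"))
        return {"original": modified(src), "plain": modified(plain),
                "faithful": modified(faithful)}


def stamped_by_backup(records, backup_start, backup_end):
    """Names whose modified date falls inside the backup window.

    records is a list of (name, modified_epoch) pairs from a produced file
    listing; a hit means the date may describe the backup run rather than
    the last edit, so it needs corroboration from another source.
    """
    return [name for name, mtime in records if backup_start <= mtime <= backup_end]


if __name__ == "__main__":
    print(backup_effect())
```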

Many corporate (and law firm) document systems use custom metadata, such as document type and

department info, which can be embedded inside the metadata of the document. When you save a document

at your own law firm, do you have to select your practice area (patent, real estate, etc.), document type

(pleadings, general correspondence, etc.), client number, matter number, author, secretary’s initials, etc.?

Companies like PCDocs/Hummingbird, DocsOpen, Worldox, iManage/Interwoven, ProLaw/Thomson Elite,

GroupWise, Lotus Notes, etc. each put different types of metadata into the documents.

Metadata often includes author name or initials, company or organization name, identification of computer

or network server or hard disk where document is saved, names of previous document authors, document

revisions and versions, hidden text or cells, template information, other file properties and summary

information, non-visible portions or embedded objects, personalized views and comments, but this is only a

partial list. This metadata can reveal editorial comments, strategy considerations, legal issues raised by the

client or lawyer and legal advice provided by the lawyer.

(5) Other places where documents containing “smoking gun” metadata might be located.

Many employees forward emails and documents to their personal email accounts, which they generally

have an easier time accessing when working from home. The IT guys at the corporation can use metadata to

find that a document has been forwarded to an outside (personal) email account. The “smoking gun”

document might still exist, even if it is no longer on any of the company’s computer systems. You might want

to think about this sort of metadata when drafting your discovery requests.

Some devices can actually back up data on other devices with which they are networked. For example, if

you send an email from the accounting department to the shipping department of any corporation, the email

could be backed up on dozens of servers along the way. The litigation hold might not have been

implemented on those servers! If you are looking for documents, you might first want to ask how the

computers are networked together: which computers are used to store/process/etc. the relevant data, and

then ask which devices are networked to those computers. You might want to ask about networks before

asking for documents.

Sometimes IT people offload data temporarily to whatever storage media happens to be handy while

fixing a hardware problem, and then restore the data where it is supposed to be. These storage media might

normally be used for data other than the data pursuant to your discovery requests, but you might want the

witness to search them anyway. Think about other types of data, even data that isn’t relevant to your case.

What data are generated, viewed, downloaded, created, processed, stored, etc. on a day-to-day basis, and

where might those files be found?

Think about Storage Area Networks (“SANs”), those data backup businesses that help America’s

corporations recover from disasters. The document might be there, even if the corporation has deleted the

document pursuant to an internal document retention/deletion policy.

Look at “efiled” documents. Some courts, particularly Federal bankruptcy courts, require documents to

be “e-filed.” (I have heard of a lawyer in Dallas who sued the Northern District, alleging that he lacked the

technical competence to efile and that the court had no authority to require it.) Efiling documents means that

a lot of the documents ancillary to litigation will be submitted electronically, and many submitters may not know

to wash away the metadata.

On-line resumes. Many job-seekers include their social security numbers on their resume for emailing to

potential employers, and then delete it for posting to the Internet. Undeleting from resumes that are posted

on-line can be an effective tool for identity thieves.

K. CONCLUSION:

Sender: I don’t know if it is an ethical breach to send a document whose metadata contains privileged

information to an adverse party, court, expert witness, or other outsider. The ethical rule prohibiting the

revelation of confidential information includes the word “knowingly,” and I doubt many lawyers who reveal

confidential information do so knowingly. But as public familiarity with metadata grows, the ethical

requirement might be broadened to include “should have known.”

Recipient: I don’t know if it is an ethical breach to mine documents received from an adverse party for

metadata that might contain privileged information of the adverse party.

IV. ATTORNEY’S USE OF WEB-BASED EMAIL

A. HYPO:

Hotmail, Gmail, Yahoo Mail, etc., offer individuals free email, document storage, on line databases for

storing contacts, and many other services. Many attorneys use these services as part of their day-to-day

practice; some have a free web-based email as their only email addresses; some store their documents and

contacts lists on line, and many do not have backups.

This can lead to a number of problems, some of which are technical, some of which are legal, and some

of which are ethical. The technical problems include occasional loss of information. A number of users (who

also used Firefox 2.0) reported that all of their Gmail emails and contacts were auto deleted.

http://www.techcrunch.com/2006/12/28/gmail-disaster-reports-of-mass-email-deletions. The legal problems

include a possible breach of contract: many of the free web-based email services have a “Terms of Service”

agreement that bans commercial use of their web sites. The ethical problems, though, are what we are here

to discuss. Before addressing them, however, I think a brief description of the Internet might be helpful. If

you are familiar with computer networking, please feel free to skip this next section.

B. HOW THE INTERNET SENDS MESSAGES.

This is a very brief and generalized explanation of the Internet, which (of course) omits many important

features. I am only including this to introduce a concept of networking. It is over-simplified and slightly

inaccurate in many respects, but it mentions a few important points.

(1) Networks

The Internet is a network (or a network of networks), and therefore consists of many “nodes.” You can

think of each node as a large computer system or systems, with servers, routers, switches, and other

electronic gadgets. Each node is connected to one or more other nodes by the telephone company. Some

nodes are owned by huge corporations; some are owned by universities; some are owned by government

agencies; and some are owned by businesses including law firms. Many are owned by ISPs, including ISPs

you’ve never heard of, in other parts of the country or the world.

You can think of a node as a dot on a piece of paper. Each connection to another node can be

represented as a line connecting the nodes. To get from a node at the left edge of the piece of paper to a

node at the right edge of the piece of paper, you might have to pass through several intervening nodes. That

is how networks operate. You start at any node, and you move along a connection to another node, and then

along another connection to yet another node, and you keep moving until you reach your destination node.

Each node has one or more “IP addresses” associated with it. (An IP address is a group of four numbers,

each of which is between zero and 1023. When written, the numbers are generally separated by dots.)

Of course, each node can also run software, the way your personal computer can run software like

Microsoft Word and Excel. When you double-click on a document, your computer “knows” which software to

use to open the document; if you double-click on a Microsoft Word document, for example, your computer

won’t open Excel. The same thing happens on a web server. When the server tries to open a “packet,” the

packet knows which software, or web site, to use to process the packet. (This is imprecise, but gives you a

general idea.)

A web site is really nothing more than software that is loaded on a server. Each web site has one or

more IP addresses, and each packet has a destination IP address. If there is a match, then the server will

use the software (i.e., the web site) to “open” the packet. The server that hosts the web site can look at the

address in the packet, and can “run” the appropriate web site.

DNS servers have lists of domain names and lists of IP addresses. If a destination address of a packet

includes a domain name but does not include an IP address, and if the DNS server can find the domain name

in one of its lists, then the DNS server will append a corresponding IP address onto the packet.

You also have an IP address (or, your browser does while your browser is running). If you work for a

large firm or a large corporation, your employer probably owns a node of the Internet. If you have broadband,

such as DSL or cable Internet, you have an IP address that does not change; you have a “static” IP address

that remains the same all of the time. If you have a dial-up connection, your computer will place a telephone

call to an ISP’s local “point of presence” each time you try to connect to the Internet. The point of presence is

a large room filled with computers, switches, routers, and other equipment, and a lot of phone numbers. For

dial-up, you call into the ISP, and the ISP assigns you one of its IP addresses until you disconnect. After you

disconnect, the ISP will assign the same IP address to someone else.

(2) Packets

When you do anything at all on the Internet, whether it be sending an email or browsing or clicking on a

web site, you are sending one or more packets to another node. Each packet you send will have a

destination address, and will also have your IP address and some other information. The node that receives

your packet will try to find the destination hosted on itself; if it can find a web site or other software with the IP

address that your packet is addressed to, it simply executes that software. On the other hand, if it can’t find

any software that has that IP address, either on itself or in any of its lists, then the node forwards your packet to

every other node with which it is connected. If it doesn’t hear back within a predetermined time, it sends you a

packet to tell you that the “Web site was not found.”

Each other node that receives the packet and can’t find the web site’s IP address locally will likewise

forward your packets to all of the nodes with which that node is connected. It doesn’t take long before your

packets have been blasted all over the Internet. For a few moments, these “intermediate” nodes will

remember (a) which phone line brought your packet, and (b) your packet’s source IP address (that is, your IP

address). The intermediate nodes associate the phone line that brought your packet with your packet’s

source IP address.

Eventually, the packets find a node on which that IP address resides. The IP address might be

associated there with a web site. The web site knows the IP address assigned to you, since it is in the

packet’s address field. The web site can thus send you packets, which your browser can present on your

computer’s monitor. However, this “reply” packet has a source IP address that identifies the web site, and a

destination address associated with your browser. It is only sent via the phone line that brought your packets.

The intermediate web sites can forward packets efficiently by sending the packets only back via the phone

lines associated with the appropriate destination IP address.

The interesting thing to observe here is that your packets are bouncing all over the world. Any server at

any node might be an intermediate node that forwards your packet to the appropriate place. Some of the

packets, of course, include your usernames, passwords, credit card numbers, bank account numbers, etc. Of

course, “secure” web sites use encryption, but free web-based emails do not generally use encryption. Some

intermediate nodes get overworked forwarding all of these packets, and actually load a copy (called a mirror)

of the web site that gets visited a lot.

(3) An example

Let’s assume you have a Gmail account. Anyone who sends an email to your Gmail account will include

“@gmail.com” at the end of your email address. A DNS server will associate that email with any of the IP

addresses owned by Gmail. A Gmail server will thus receive the email, after the email passes through the

intervening nodes between the sender and the web server, and the web server will store the email.

When you want to receive your emails, you first log into the Internet, and your own ISP will assign you a

dynamic IP address. When you try to log onto Gmail, your ISP’s server will forward a request packet,

probably through several intervening servers, from your computer to any of the Gmail IP addresses. The web

site will then send back (through the intervening addresses) the information that allows your browser to

request your Gmail username and password. When you type your username and password, your login

information goes back from your browser (through the intervening addresses) to your ISP’s server and then

to the web site. Your emails are then delivered from the web site through those intervening nodes back to

your ISP’s server, and then to your browser.

(4) The important thing about networks

One important point is that each email you send or receive, and each click to each web site you visit, can

pass through many intervening “nodes.” Each of these nodes can see all of your traffic, if they have any

interest in doing so.

Unless the web site you are visiting is on the particular node to which you are connected, the node will

transmit your packets somewhere else. Those nodes might not have the web site, either; they will retransmit

your packets. Your packets can bounce around the world before they find the destination web site you

wanted to visit.

To see this in action, simply open any email you have received, and view Full Headers. You can see all

of the nodes through which the email bounced around, while it was headed in your direction. The Internet is

so quick, it seems almost instantaneous, but the emails actually move through many nodes on their way to

you.
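
The "Full Headers" check described above can be done programmatically. The following is an added example, not part of the original paper: it reads the `Received` headers of a constructed sample message (the host names, IP addresses and function names are assumptions made for illustration), lists the mail servers in the order the message passed through them, and marks which hops were not protected by TLS, using the standard `with` protocol keywords from RFC 3848.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: example domains and documentation-range IPs.
RAW_EMAIL = """\
Received: from gateway.isp-b.example (gateway.isp-b.example [203.0.113.25])
    by mx.lawfirm.example with ESMTPS id C3; Thu, 15 May 2008 09:00:07 -0500
Received: from relay.isp-a.example (relay.isp-a.example [198.51.100.7])
    by gateway.isp-b.example with ESMTP id B2; Thu, 15 May 2008 09:00:05 -0500
Received: from webmail.freemail.example (webmail.freemail.example [192.0.2.10])
    by relay.isp-a.example with ESMTP id A1; Thu, 15 May 2008 09:00:02 -0500
From: client@freemail.example
To: attorney@lawfirm.example
Subject: Settlement terms
Date: Thu, 15 May 2008 09:00:00 -0500

Draft terms are below.
"""

# "with" keywords that mean the hop was carried over TLS (RFC 3848).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}


def _token_after(keyword, text):
    """Return the first token that follows `keyword`, or None if absent."""
    match = re.search(r"\b" + keyword + r"\s+(\S+)", text)
    return match.group(1) if match else None


def trace_hops(raw_message):
    """Parse the Received headers into a list of hops, oldest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    # Every server prepends its own header, so the raw order is newest first.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())            # undo header folding
        route, sep, stamp = flat.rpartition(";")  # the timestamp follows the last ';'
        if not sep:
            route, stamp = flat, ""
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None                           # missing or malformed timestamp
        proto = _token_after("with", route)
        hops.append({
            "from": _token_after("from", route),
            "by": _token_after("by", route),
            "protocol": proto,
            "tls": (proto or "").upper() in TLS_PROTOCOLS,
            "time": when,
        })
    return hops


def cleartext_hops(hops):
    """Hops where the message travelled between servers without TLS."""
    return [hop for hop in hops if not hop["tls"]]


def transit_seconds(hops):
    """Seconds between the first and last timestamped hop, or None."""
    times = [hop["time"] for hop in hops if hop["time"] is not None]
    return (times[-1] - times[0]).total_seconds() if len(times) >= 2 else None


if __name__ == "__main__":
    for number, hop in enumerate(trace_hops(RAW_EMAIL), start=1):
        label = "TLS" if hop["tls"] else "cleartext"
        print(f"hop {number}: {hop['from']} -> {hop['by']} ({hop['protocol']}, {label})")
    print("seconds in transit:", transit_seconds(trace_hops(RAW_EMAIL)))
```

`Received` headers record only the mail servers that handled the message, not every router in between, and the entries below the first server you trust are written by other parties and can be forged.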

“Packet Sniffing” is a technique used at intermediate nodes to eavesdrop on packets that are being

forwarded. It generally is used only to test networks; an ISP or other owner of an intermediate node wants to

test its connection to a particular university’s node, so it sniffs packets addressed to and from some software

loaded on the university’s node. In general, it deletes its copies of your packets when its test is complete.

Even if the packets are not sniffed at an intermediate node, some personnel at the recipient’s ISP will be

able to see the email. If you and/or your client use an ISP, the recipient’s ISP and the sender’s ISP always

have access to the email; they are always part of the path through the Internet. Most large law firms and

corporations effectively own their own ISPs: the firm’s or corporation’s IT staff essentially runs an ISP. Thus,

if you send an email to your client using the client’s “work” email address, your client's employer (more

specifically, the employer’s IT staff) can see the email. Similarly, intervening ISPs (nodes) might sniff traffic in

the ordinary course of business, to test their networks, and might have a backup copy of your emails. Any of

these people who are not under the control of an attorney might be subject to discovery.

C. THE ETHICS ISSUE

The ethical quandary arises from the fact that some personnel at the recipient’s ISP might not understand

the need to maintain your confidences. For example, many non-lawyers seem to think that if they try to hide

the identities of the parties, or if they don’t publish too widely, they can republish whatever they like.

Slashdot-type online communities for system administrators often have “You gotta hear what one of my idiot

clients did!” postings. Reading these, I can sometimes figure out some of what is going on in a case.

Many attorneys who use these web-based email systems (free or paid) mistakenly believe that the ISPs

and others cannot access their emails and documents. They think that the law or a “contract” will protect

them from eavesdropping. It won’t.

What if you receive a notification that the security of your account has been compromised? What

obligations, if any, do you have under the breach notification statutes?

What about your affirmative ethical obligation to train non-lawyers who handle confidential material on

your behalf?

Can you really ethically rely on the security policies of the web site provider?

D. ELECTRONIC COMMUNICATIONS PRIVACY ACT (ECPA), WIRETAP ACT, STORED

COMMUNICATIONS ACT

[Below, where I discuss surveillance software, I describe these laws, including case law interpreting them.

Please review my discussion below if you think that any of these laws will protect your confidences when you

use the Internet.]

E. TEXAS BUSINESS & COMMERCE CODE, TDRPC PREAMBLE (PARAGRAPHS 4 AND 16),

TDRPC RULE 1.05 (CONFIDENTIALITY OF INFORMATION), TDRPC RULE 1.14 (SAFEKEEPING

PROPERTY)

[Above, where I discuss the theft of a notebook computer, I describe these ethical obligations and some

Texas breach notification statutes. Please review my discussion above if you think that your obligation to

protect client confidences does not extend to the Internet.]

F. ABA FORMAL OPINION 99-413:

[Above, where I discuss metadata, I describe this opinion. Please review my discussion above to see

another possible defense to an ethics challenge. ABA Formal Opinion 99-413,

(http://www.abanet.org/cpr/fo99-413.html), Standing Committee On Ethics And Professional Responsibility,

March 10, 1999, “Protecting the Confidentiality of Unencrypted E-Mail”]

G. TDRPC: RULE 5.03 RESPONSIBILITIES REGARDING NONLAWYER ASSISTANTS

With respect to a non-lawyer employed or retained by or associated with a lawyer:

(a) a lawyer having direct supervisory authority over the non-lawyer shall make reasonable efforts to

ensure that the person’s conduct is compatible with the professional obligations of the lawyer; and

(b) a lawyer shall be subject to discipline for the conduct of such person that would be a violation of these

rules if engaged in by the lawyer if:

- (1) the lawyer orders, encourages, or permits the conduct involved; or

- (2) the lawyer:

- - (i) is a partner in the law firm in which the person is employed, retained by, or associated with; or is the

general counsel of a government agency legal department in which the person is employed, retained, or

associated with; or has direct supervisory authority over such person; and

- - (ii) with knowledge of such misconduct by the non-lawyer knowingly fails to take reasonable remedial

action to avoid or mitigate the consequences of that persons [person’s] misconduct.

H. TDRPC: RULE 5.03 RESPONSIBILITIES REGARDING NONLAWYER ASSISTANTS, COMMENTS

Paragraph 1: … A lawyer should give such assistants appropriate instruction and supervision concerning

the ethical aspects of their employment, particularly regarding the obligation not to disclose information

relating to representation of the client, and should be responsible for their work product. …

Paragraph 2: Each lawyer in a position of authority in a law firm or in a government agency should make

reasonable efforts to ensure that the organization has in effect measures giving reasonable assurance that

the conduct of non-lawyers employed or retained by or associated with the firm or legal department is

compatible with the professional obligations of the lawyer. This ethical obligation includes lawyers having

supervisory authority or intermediate managerial responsibilities in the law department of any enterprise or

government agency.

Has any lawyer here really given instruction and supervision to any Yahoo, Google, Hotmail, etc. personnel?

Does ABA Op. 413 really apply to documents that are stored online?

I. SOLUTION:

There does not seem to be any ethical problem with relying on web-based emails, as long as two precautions

are followed:

(1) Download copies of everything, to protect yourself from an ISP disaster. To the extent you have an

ethical obligation to keep records, you want those records (or a copy of them) where you can find them. Even

if you have a client-accessible extranet, you should be able to store a copy of all of your documents in a

location to which only you have access.

(2) Encrypt whatever you send out or store on-line. This is very easy to do. One way is simply to send

encrypted email attachments. (Remember that even where a communication is confidential, the fact that

there was a communication is not confidential. The post office does not violate the Fourth Amendment by

photocopying the outside of envelopes you send to your client, and the fact that you sent an email to your

client is not itself privileged. Only the content of the communication is privileged. You can be required to

disclose the fact that you talked to the client, even where you don’t have to reveal the content of the

communication.) Therefore, you have no obligation to encrypt the envelope.

If you don’t have a VPN, then you can encrypt by simply creating a Notepad text file or a Word document

that includes the message you want to send. Encrypt that Notepad text file or a Word document (you will

create an encrypted file). Encrypting is easy: with some encryption software, you simply drag the icon for the

document you want to encrypt into the icon for the encryption software, and the encrypted file is created in the

same folder where the Notepad text file was located. Once you have the encrypted file, simply send an email

that reads “Please see attached” and include the encrypted file as an attachment. The ISPs and intervening

nodes will be able to see the packets, but they won’t be able to see the content of the message. In other

words, when you send an encrypted file as an attachment, the web-based email provider will be able to see

(a) the “Please see attached” part of the message, and (b) the encrypted file, but generally will not be able to

(or will not bother to) decrypt the encrypted file to find the content of the communication.
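
The encrypted-attachment procedure above, as an added example that is not part of the original paper. It assumes the third-party Python `cryptography` package; the file layout (salt, then nonce, then ciphertext), the function names, addresses and sample text are constructed for illustration. It encrypts a document under a passphrase, attaches it to a “Please see attached” message, and then shows exactly what a mail provider or intermediate node can still read.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.scrypt import Scrypt

SALT_LEN, NONCE_LEN = 16, 12  # constructed layout: salt || nonce || ciphertext


def _key(passphrase, salt):
    """Stretch the passphrase into a 256-bit AES key with scrypt."""
    kdf = Scrypt(salt=salt, length=32, n=2**14, r=8, p=1)
    return kdf.derive(passphrase.encode("utf-8"))


def encrypt_document(plaintext, passphrase):
    """Encrypt bytes with AES-256-GCM; a fresh salt and nonce are used each time."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    sealed = AESGCM(_key(passphrase, salt)).encrypt(nonce, plaintext, None)
    return salt + nonce + sealed


def decrypt_document(blob, passphrase):
    """Reverse encrypt_document; raises InvalidTag on a wrong passphrase or tampering."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    return AESGCM(_key(passphrase, salt)).decrypt(nonce, blob[SALT_LEN + NONCE_LEN:], None)


def can_open(blob, passphrase):
    """True only if the passphrase is right and the file was not altered."""
    try:
        decrypt_document(blob, passphrase)
        return True
    except InvalidTag:
        return False


def build_message(sender, recipient, blob, filename="memo.enc"):
    """Wrap the encrypted file in an ordinary email, as the text describes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Document"
    msg.set_content("Please see attached")
    msg.add_attachment(blob, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def provider_view(raw):
    """Everything a server handling the message can read without the passphrase."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachment = next(msg.iter_attachments())
    return {
        "from": str(msg["From"]),
        "to": str(msg["To"]),
        "subject": str(msg["Subject"]),
        "body": msg.get_body(preferencelist=("plain",)).get_content().strip(),
        "attachment_name": attachment.get_filename(),
        "attachment_bytes": attachment.get_content(),
    }


if __name__ == "__main__":
    secret = b"Constructed sample text: settlement authority is confidential."
    blob = encrypt_document(secret, "constructed example passphrase")
    view = provider_view(build_message("attorney@lawfirm.example",
                                       "client@freemail.example", blob))
    for field in ("from", "to", "subject", "body", "attachment_name"):
        print(f"{field}: {view[field]}")
    print("plaintext visible in attachment:", secret in view["attachment_bytes"])
    print("opens with right passphrase:", can_open(blob, "constructed example passphrase"))
    print("opens with wrong passphrase:", can_open(blob, "guess"))
```

The sender, recipient, subject, body text and attachment file name all remain readable in transit, so keep them neutral, and give the recipient the passphrase over a different channel than the email itself.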

There are “add-ins” called “Virtual Private Networks” (VPNs) that encrypt automatically. When you install

these add-ins, they actually modify your email software such that, whenever you try to send an email to

anyone else who has the same add-in, your email is automatically encrypted. Ask your client whether the

client uses any encryption internally, and ask if you can be included in any VPN they might have. You can

even have an encrypted extranet, or a web site that gives access to encrypted documents. Many attorneys

and law firms have document management software that lets their attorneys (and, in some cases, their

clients) access documents from home. You and your clients can put encrypted documents on your extranet,

and only you and your clients will be able to decrypt them (if your encryption is strong enough).

The ethical rules don’t seem to say that you need to use strong encryption. Any effort toward encrypting

your emails might be enough.

OUTSOURCING AND COLLABORATING LEGAL WORK

A. QUESTIONS:

(1). Is it ethical for a Texas attorney to hire an attorney in another country to work on a client matter?

Does it matter whether the lawyer to be hired is licensed in Texas and merely lives abroad? Does it matter

whether the lawyer to be hired is licensed in the country of residence?

(2). Does it matter whether the Texas attorney who is going to “supervise” the work, and who is also

going to communicate with the client, has competence necessary to supervise the work?

(3). How can fees be apportioned with the subcontracting attorney?

(4). Is it ethical for a Texas attorney to hire a non-lawyer in another country to work on a client matter?

(5). At what stage is client consent required?

(6). Is this really different from (a) hiring a temp or contract attorney; (b) letting an employee or contract

attorney telecommute; (c) letting the temp or contract attorney telecommute; (d) outsourcing to a lawyer in

another state but within the U.S.?

(7). There are lots of issues such as bar membership, confidentiality, L-type and H-type visa restrictions

(both here and in India), difficulties in doing background checks of employees, etc. that can hinder your efforts

to outsource work to foreigners.

(8). In what situations can client authorization be insufficient to make outsourcing okay?

(9). In what situations can owning the foreign company that hires the foreign personnel (lawyers, non-

lawyers) be insufficient to make outsourcing okay?

(10). Does outsourcing to India, for example, constitute unlicensed practice of law in India? Note that it

may be illegal under Indian law for a U.S. firm to practice in India; therefore, an Indian law firm or other

business might be required.

B. FACTUAL BACKGROUND OF THIS ISSUE

(1). Many firms that outsource offer clients two prices, including a higher price for promising to keep all of the

work within the firm.

(2). Your firm might be disrupted. U.S. associates can sabotage a firm’s efforts to outsource some of the

work. Some firms solve this problem by offering each project to their own associates first (with reduced-

billable-rate or partial-billable-time credit), and then only outsource the low value work that their associates

don’t want to do. If you do outsource, what would you require of the subcontractor’s infrastructure (disaster recovery, data

security, ease of access for monitoring work and running metrics by your own personnel, etc.),

subcontractor’s personnel (certifications, bar memberships in India, training, etc. evaluation of employees),

subcontractor’s financial strength (bonding, insurance, forfeitable assets in U.S.), referrals and reputation?

(3). Remember: when you outsource to them, they might outsource to someone else!

(4). Going rate for Indian attorneys: $20 to $40 per hour. Ethical rules might prohibit you from billing them out

at more than cost, though.

(5). Your client might have confidentiality obligations to its clients. In working with a foreign law firm, you

might need to disclose information of your client’s clients, i.e. information that your client has entrusted to

you. Your client might have obligations to its customers: HIPAA, GLBA, CAPPS II, etc. You might need to

get a business associate contract (HIPAA) or similar document signed, at the very least.

C. TDRPC: RULE 1.01 COMPETENT AND DILIGENT REPRESENTATION

(a) A lawyer shall not accept or continue employment in a legal matter which the lawyer knows or should

know is beyond the lawyer’s competence, unless:

- (1) another lawyer who is competent to handle the matter is, with the prior informed consent of the

client, associated in the matter; …

D. SOME THOUGHTS ON RULE 1.01

Remarkably, the TDRPC do not seem to define “lawyer” or “another lawyer.” It is not clear whether

someone licensed to practice law in another state, or in another country, but not in Texas, would be a “lawyer”

within the meaning of 1.01(a)(1). If such a person is not “another lawyer” within the meaning of 1.01(a)(1),

then it would not seem even informed consent could bring such outsourcing within the Rule.

The Rule is silent as to whether a lawyer who is competent can outsource to another lawyer who is also

competent, but it would seem permissible.

As we see below, some firms that do not have any patent or trademark expertise are outsourcing to

Intellectual Property law firms in India. Also, when representing a client in its foreign business activities, many

U.S. firms associate with a foreign law firm. Of course, client consent is obtained.

Some firms have outsourced their computer support and IT functions, computer file backup, email

services, and telephone receptionist functions to Indian businesses. When you call these firms, your call is

routed to a call center in India where a receptionist takes a message or forwards your calls to the attorney’s

extension, possibly into voice mail. Thus, the Indian business has some access to confidential files,

privileged and work product. I will discuss this below with reference to TDRPC: Rule 5.03.

E. TDRPC: 1.04 FEES

(1) Text of the Rule:

“(a) A lawyer shall not enter into an arrangement for, charge, or collect an illegal fee or unconscionable

fee. A fee is unconscionable if a competent lawyer could not form a reasonable belief that the fee is

reasonable.

(f) A division or arrangement for division of a fee between lawyers who are not in the same firm may be

made only if:

- (1) the division is:

- - (i) in proportion to the professional services performed by each lawyer; or

- - (ii) made between lawyers who assume joint responsibility for the representation; and

- (2) the client consents in writing to the terms of the arrangement prior to the time of the association or

referral proposed, including

- - (i) the identity of all lawyers or law firms who will participate in the fee-sharing arrangement, and

- - (ii) whether fees will be divided based on the proportion of services performed or by lawyers agreeing to

assume joint responsibility for the representation, and

- - (iii) the share of the fee that each lawyer or law firm will receive or, if the division is based on the

proportion of services performed, the basis on which the division will be made; and

- (3) the aggregate fee does not violate paragraph (a).”

(2). TDRPC: 1.04, Comments

Paragraph 10: A division of fees is a single billing to a client covering the fee of two or more lawyers who

are not in the same firm….

Paragraph 12: …if each participating lawyer performs substantial legal services on behalf of the client, the

agreed division should control even though the division is not directly proportional to actual work performed.

Paragraph 14: In the aggregate, the minimum activities that must be undertaken by the referring or

associating lawyers pursuant to an agreement for a division of fees are substantially greater than those

assumed by a lawyer who forwarded a matter to other counsel, undertook no ongoing obligations with respect

to it, and yet received a portion of the handling lawyer’s fee once the matter was concluded, as was permitted

under the prior version of this rule….

(3). Some thoughts on the comments to TDRPC Rule 1.04

Paragraph 12 of the comments to TDRPC mentions “substantial legal services on behalf of the client” but

does not say “substantial legal services on behalf of the client on the same matter.” Therefore, if you do

some “substantial” litigation work for the client and if you outsource all of your real estate transactional work,

for example, then whatever agreement you might have for division of fees might be permissible; you will have

done substantial legal services for the client, albeit not on the matter being outsourced. It does not seem that

the “substantial legal services on behalf of the client” needs to be on the particular matter forwarded to

support an agreed split of fees. On the other hand, Paragraph 14 appears to prohibit a split of fees

for a particular matter where “a lawyer … forwarded a matter to other counsel, undertook no ongoing

obligations with respect to it…”

Client consent in writing prior to the time of the association or referral also appears to be necessary.

Identification of foreign law firms, without particular recital of the names of the individual foreign attorneys,

might be permissible.

There are several different types of outsourcing. One type is to firm partners, associates or other

employees who simply reside in a foreign office. Another type of outsourcing is to a “captive” business

comprised of non-lawyers who work only for the outsourcing firm; the captive business is generally owned by

the firm or by its partners. A third type of outsourcing is freelance, where the foreign business has many law

firms as clients. Different ethical considerations might apply to different cases.

When splitting fees, there is apparently a lot more leeway when all of the payees are attorneys, and when

all of the payees are part of the same firm, regardless of where they are licensed and where they are located.

F. TDRPC RULE 1.05, CONFIDENTIALITY OF INFORMATION, COMMENTS

[See text of the TDRPC, quoted above.]

Comments, paragraph 7: In the course of a firms [firm’s] practice, lawyers may disclose to each other and

to appropriate employees …

Is your disclosure of your client’s confidences to the subcontractor (absent client consent) itself a

violation? Would a Nondisclosure Agreement (NDA) with the subcontractor absolve you of ethical fault?

Note that data security standards in India are often higher than in the U.S. (Note the number of personal

records that have been made available via “Choicepoint” type disclosures.) Many Indian outsourcing

companies are clamping down on security and confidentiality to address U.S. and European fears of identity

theft. Measures include ID cards, prohibiting workers from taking any personal items into work spaces,

shredding conversation notes, call monitoring or recording, watching workers carefully, masking sensitive

data, removing any hardware from PCs that would allow downloading or copying data, and video surveillance.

Business Week (8/16/04)

Other professions, such as medical transcription (HIPAA) and banking (GLBA), outsource despite

confidentiality and privacy regulation. Ernst & Young has hundreds of accountants in India who process US

tax returns, and one Indian company has 15 radiologists in Bangalore (all US-trained and licensed) to

interpret chest x-rays and CT scans from US hospitals (at one-half the cost). “Down and Out in White-Collar

America,” Fortune (6/23/03).

G. TDRPC RULE 5.01 RESPONSIBILITIES OF A PARTNER OR SUPERVISORY LAWYER

(1) Text of the Rule:

“A lawyer shall be subject to discipline because of another lawyer’s violation of these rules of professional

conduct if:

(a) the lawyer is a partner or supervisory lawyer and orders, encourages, or knowingly permits the

conduct involved; or

(b) the lawyer is a partner in the law firm in which the other lawyer practices, is the general counsel of a

government agency’s legal department in which the other lawyer is employed, or has direct supervisory

authority over the other lawyer, and with knowledge of the other lawyer’s violation of these rules knowingly

fails to take reasonable remedial action to avoid or mitigate the consequences of the other lawyer’s violation.”

(2) Official Comments

Paragraph 3: … In some instances, a senior associate may be a supervising attorney.

H. TDRPC RULE 5.02 RESPONSIBILITIES OF A SUPERVISED LAWYER

(1) Text of the Rule:

A lawyer is bound by these rules notwithstanding that the lawyer acted under the supervision of another

person, except that a supervised lawyer does not violate these rules if that lawyer acts in accordance with a

supervisory lawyer’s reasonable resolution of an arguable question of professional conduct.

I. SOME THOUGHTS ON TDRPC RULES 5.01 AND 5.02

Any foreign lawyers to whom you outsource work might be “supervised lawyers” under TDRPC Rule 5.02.

The foreign law firm to which you outsource work may be able to rely on your interpretation of U.S., Texas,

and local laws and relevant ethical obligations. Therefore, even if you get the foreign law firm to agree to be

bound by U.S. and Texas law and relevant ethical obligations, the foreign law firm might be able to evade all

financial responsibility simply by relying on you to interpret those laws and obligations.

J. TDRPC: RULE 5.03 RESPONSIBILITIES REGARDING NONLAWYER ASSISTANTS

[see text of the rule and its comments above in the discussion of the theft of a notebook computer]

K. TDRPC RULE 5.05 UNAUTHORIZED PRACTICE OF LAW

“A lawyer shall not:

(b) assist a person who is not a member of the bar in the performance of activity that constitutes the

unauthorized practice of law.”

L. TDRPC: RULE 5.04 PROFESSIONAL INDEPENDENCE OF A LAWYER

Text of the Rule:

(b) A lawyer shall not form a partnership with a non-lawyer if any of the activities of the partnership consist

of the practice of law.

Official comments

Paragraph 1: … The principal reasons for these limitations are to prevent solicitation by lay persons of

clients for lawyers and to avoid encouraging or assisting non-lawyers in the practice of law. …

M. TDRPC: RULE 5.05 UNAUTHORIZED PRACTICE OF LAW

Text of the rule:

A lawyer shall not:

(a) practice law in a jurisdiction where doing so violates the regulation of the legal profession in that

jurisdiction; or

(b) assist a person who is not a member of the bar in the performance of activity that constitutes the

unauthorized practice of law.

Official comments

Paragraph 2: Neither statutory nor judicial definitions offer clear guidelines as to what constitutes the

practice of law or the unauthorized practice of law. All too frequently, the definitions are so broad as to be

meaningless and amount to little more than the statement that the practice of law is merely whatever lawyers

do or are traditionally understood to do….

Paragraph 3: Rule 5.05 does not attempt to define what constitutes the unauthorized practice of law but

leaves the definition to judicial development. …

Paragraph 4: Paragraph (b) of Rule 5.05 does not prohibit a lawyer from employing the services of

paraprofessionals and delegating functions to them. So long as the lawyer supervises the delegated work,

and retains responsibility for the work, and maintains a direct relationship with the client, the paraprofessional

cannot reasonably be said to have engaged in activity that constitutes the unauthorized practice of law. …

N. TDRPC: RULE 7.04 ADVERTISEMENTS IN THE PUBLIC MEDIA

Text of the Rule:

(l) If an advertising lawyer knows or should know at the time of an advertisement in the public media that

a case or matter will likely be referred to another lawyer or firm, a statement of such fact shall be

conspicuously included in such advertisement. …

(o) A lawyer may not advertise in the public media as part of an advertising cooperative or venture of two

or more lawyers not in the same firm unless each such advertisement:

- (1) states that the advertisement is paid for by the cooperating lawyers;

- (2) names of each of the cooperating lawyers;

- (3) sets forth conspicuously the special competency requirements required by Rule 7.04(b) of lawyers

who advertise in the public media; …

Official comments

…Experience has shown that attorneys not in the same firm may create a relationship wherein one will

finance advertising for the other in return for referrals. Nondisclosure of such a referral relationship is

misleading to the public.

O. TDRPC RULE 8.05 JURISDICTION

(a) A lawyer is subject to the disciplinary authority of this state, if admitted to practice in this state or if

specially admitted to a court of this state for a particular proceeding. In addition to being answerable for his or

her conduct occurring in this state, any such lawyer may also be disciplined in this state for conduct occurring

in another jurisdiction or resulting in lawyer discipline in another jurisdiction, if it is professional misconduct

under Rule 8.04. …

P. SOME THOUGHTS ON TDRPC RULES 5.01, 5.02, 5.05 AND 8.05

The Rules presuppose that the supervising/supervisory attorney has greater experience and familiarity

with the rules, and therefore is in a better position to determine what is permissible. The Rules also suppose

that the supervised attorney has a right to defer to reasonable interpretations of the Rules made by the

supervising/supervisory attorney. But that is not the case in inter-jurisdictional outsourcing. When

outsourcing work to another jurisdiction, it is the supervised attorney who has more familiarity with the local

rules than the supervising attorney. The Texas Disciplinary Rules of Professional Conduct do not seem to

take that into account.

If the attorney to whom you are outsourcing work is not permitted to do that work, per the ethical rules in

that attorney’s jurisdiction, are you breaching your obligations by outsourcing that work to that attorney? For

example, in many jurisdictions, non-lawyers generally cannot be paid on contingency. (In the New York City

Bar, this is called the “mark-up” rule.) If the foreign attorney to whom you are outsourcing your work has non-

lawyer assistants on contingency in violation of that attorney’s local rules, are you in trouble? If you know that

your subcontractor in a foreign jurisdiction is engaging in conduct that would be permissible under the TDRPC

but is a breach in that foreign jurisdiction, are you culpable for encouraging the breach? Do you have an

obligation to become aware of your subcontractor’s local rules (and breaches of those local rules)? You are

the supervising or supervisory attorney; under TDRPC Rules 5.01 and 5.02 the foreign attorney relies on you.

What if the foreign attorney does what is permitted locally but would be prohibited in Texas?

Note also that your firm probably has a few attorneys who are only licensed in another state, or who are

awaiting their bar exam results, but who are doing legal work that you trust and don’t really review very

thoroughly. You don’t treat these people as non-lawyers. If your firm is a national firm with offices

everywhere except one state where a particular associate is licensed, and you advertise (or engage in other

conduct) nationally in a way that violates the rules of that associate’s licensing jurisdiction, are you liable for

an ethical breach?

If outsourcing abroad were prohibited by the Texas Disciplinary Rules of Professional Conduct, but is

permissible in New York, can you simply subcontract or partner with a New York lawyer and let that lawyer

sub-subcontract abroad?

If you want to outsource to a foreign firm, and you think the Texas Disciplinary Rules of Professional

Conduct on the sort of foreign outsourcing you are contemplating are ambiguous, you might want to read the

San Diego opinion cited below. It cites a large number of authorities.

Q. “ZEAL”

(1) TDRPC Preamble, Paragraph 3

In all professional functions, a lawyer should zealously pursue client’s interests within the bounds of the

law….

(2) Rule 1.01, comments, paragraph 6

…Having accepted employment, a lawyer should act with competence, commitment and dedication to the

interest of the client and with zeal in advocacy upon the client’s behalf. …

(3) Some comments on “Zealously:”

Some foreign firms are actually far more zealous in representing clients than the U.S. firms that hire them.

One Indian firm actually searched the U.S. patent database, found flaws in some patents, and offered to do

the paperwork to correct the flaws for free, simply to introduce themselves to the U.S. firms. Over the Horizon

(June 2006, PDF, p. 22)

R. ABA MODEL RULE 5.3: RESPONSIBILITY REGARDING NONLAWYER ASSISTANTS

Text of the Rule:

With respect to a non-lawyer employed or retained by or associated with a lawyer:

(a) a partner, a lawyer who individually or together with other lawyers possesses comparable managerial

authority in a law firm, and the law firm shall make reasonable efforts to ensure that the firm has in effect

measures giving reasonable assurance that the person’s conduct is compatible with the professional

obligations of the lawyer;

(b) a lawyer having direct supervisory authority over the non-lawyer shall make reasonable efforts to

ensure that the person’s conduct is compatible with the professional obligations of the lawyer; and

(c) a lawyer shall be responsible for conduct of such a person that would be a violation of the Rules of

Professional Conduct if engaged in by a lawyer if:

(1) the lawyer orders or, with the knowledge of the specific conduct, ratifies the conduct involved; or

(2) the lawyer is a partner or has comparable managerial authority in the law firm in which the person is

employed, or has direct supervisory authority over the person, and knows of the conduct at a time when its

consequences can be avoided or mitigated but fails to take reasonable remedial action….

Official comments to ABA Model Rule 5.3 (in part):

“Lawyers generally employ assistants in their practice, including secretaries, investigators, law student

interns, and paraprofessionals. Such assistants, whether employees or independent contractors, act for the

lawyer in rendition of the lawyer’s professional services. A lawyer must give such assistants appropriate

instruction and supervision concerning the ethical aspects of their employment, particularly regarding the

obligation not to disclose information relating to representation of the client, and should be responsible for

their work product. The measures employed in supervising non-lawyers should take account of the fact that

they do not have legal training and are not subject to professional discipline.

“[The Rule]…requires lawyers with managerial authority within a law firm, and the firm itself, to make

reasonable efforts to establish internal policies and procedures designed to provide reasonable assurance

that non-lawyers in the firm will act in a way compatible with the Rules of Professional Conduct.”

S. ETHICAL RULES IN OTHER JURISDICTIONS

Many jurisdictions have rules that are very different from Texas’s. Some have rules specific to

outsourcing. New York and San Diego love outsourcing, but have different rules for whether the client has to

be notified that the work is being outsourced and how the client can be billed.

(1). New York State Bar

(a). N.Y. State Opinion 721 (1999). A New York lawyer may ethically use a research firm if the lawyer

exercises proper supervision, which involves “considering in advance the work that will be done and reviewing

after the fact what in fact occurred, assuring its soundness.”

(b). N.Y. State Opinion 774 (2004). There is no need to check conflicts with respect to non-lawyers!

(c). N.Y. State Opinion 715 (1999). The lawyer’s obligations to disclose the use of a contract lawyer and to

obtain client consent depend upon whether client confidences and secrets will be disclosed to the contract

lawyer, the degree of involvement that the contract lawyer has in the matter, and the significance of the work

done by the contract lawyer. (“participation by a lawyer whose work is limited to legal research or tangential

matters would not need to be disclosed…”)

(d). N.Y. State Opinion 762 (2003) (a New York law firm must explain to a client represented by lawyers in

foreign offices of the firm the extent to which confidentiality rules in those foreign jurisdictions provide less

protection than in New York).

(e). DR 1-104(C) should not apply in the case of an overseas non-lawyer because that person does not “work

at the firm,” whereas DR 1-104(D) should apply because the overseas non-lawyer is “retained by” the New

York lawyer. Nonetheless, the Committee believes that these two phrases were intended to be equivalent. To

conclude otherwise and make the individual lawyer, but not the law firm, responsible for supervising the

overseas non-lawyer would be difficult to justify and could also easily lead to untoward results. For example, a

law firm seeking to cabin responsibility under DR 1-104(D)(2) for the conduct of the overseas non-lawyer

could simply refuse to appoint anyone to supervise the non-lawyer.

(2). New York City Bar

It is ethically permissible to use offshore resources, including lawyers and non-lawyers overseas and in other

jurisdictions, as well as other legal support services, if the lawyer supervises the work, preserves confidences,

avoids conflicts, bills appropriately, and (in some circumstances) obtains advance client consent. “Thus,

there is little purpose in requiring a lawyer to reflexively inform a client every time that the lawyer intends to

outsource legal support services overseas to a non-lawyer.” Association of the Bar of the City of New York

Committee on Professional and Judicial Ethics, Formal Opinion 2006-3. Also, N.Y. City Formal Opinion 1995-

11; N.Y. City 884 (1974); DR 1-104; DR 3-101 (DR 3-101(A)); DR 3-102; DR 4-101; DR 5-105; DR 5-107;

DR 6-101; EC 2-22; EC 3-6; EC 4-2; EC 4-5; Judiciary Law § 478; Spivak v. Sachs, 16 N.Y.2d 163, 168, 211

N.E.2d 329, 331, 263 N.Y.S.2d 953, 956 (1965); N.Y. City Formal Opinion 1995-11.

(3). Los Angeles County

Generally, outsourcing is okay. “[T]he attorney must review the brief or other work provided by [the non-

lawyer] and independently verify that it is accurate, relevant, and complete, and the attorney must revise the

brief, if necessary, before submitting it to the . . . court.” L.A. County Bar Assoc. Op. 518 (June 19, 2006) at

8-9. Professional Responsibility and Ethics Committee of the Los Angeles County Bar Association

(4). San Diego

Attorneys can take complex (patent litigation) cases, despite lacking any expertise at all, if they subcontract to

competent foreign-only attorneys in India.

The opinion cites: RPC 1-300; Baron v. City of Los Angeles (1970) 2 Cal.3d 535; Birbrower, Montalbano,

Condon & Frank, PC v. Superior Court (1998) 17 Cal.4th 119; Bluestein v. State Bar (1974) 13 Cal.3d 162;

Caressa Camille, Inc. v. Alcoholic Beverage Control Appeals Bd. (2002) 99 Cal.App.4th 1094; Chicago Title

Ins. Co. v. Superior Court (1985) 174 Cal.App.3d 1142; Crane v. State Bar (1981) 30 Cal.3d 117; Gafcon, Inc.

v. Ponsor & Associates (2002) 98 Cal.App.4th 1388; Matter of Phillips (Rev.Dept. 2001) 4 Cal.State Bar Ct.

Rpt. 315; People ex rel. Lawyers’ Institute of San Diego v. Merchants Protective Corp. (1922) 189 Cal. 531;

Upjohn Co. v. United States (1981) 449 U.S. 383; Vaughn v. State Bar (1972) 6 Cal.3d 847; California

Business and Professions Code §6067, §6068, §6125, and §6126; California Evidence Code §912; ABA

Model Rules 1.1, 5.1, and 5.3; Rules of Court 227, 965, and 983; Rules of Professional Conduct 1-100, 1-300,

3-110, and 3-500; ABA Ethical Consideration 3-6; ABCNY Formal Op. 2006-3; Cal. State Bar Form. Opn.

1982-68; COPRAC Formal Opinion 1994-138 and 2004-165; Los Angeles County Bar Association

Professional Responsibility and Ethics, Committee Opinion No. 518 (June 19, 2006); New York Committee on

Professional and Judicial Ethics, Formal Opinion, 2006-3 (August 2006); Orange County Bar Formal Opinion

No. 94-2002 (1994); State Bar Opinion 1987-91; David Lazarus, Looking Offshore: Outsourced UCSF notes

highlight privacy risk; How one offshore worker sent tremor through medical system, S.F. Chron., March 28,

2004; Marcia Proctor, Considerations in Outsourcing Legal Work, Mich. Bar Journal, September 2005; Eileen

Rosen, Corporate America Sending More Legal Work to Bombay, NY Times, March 14, 2004; Indian

Evidence Act of 1972. http://www.sdcba.org/ethics/ethicsopinion07-1.htm. See also

http://blog.law-scribe.com/2007/04/san-diego-bar-ethics-opinion-2007-1-on_19.html;

http://www.law.com/jsp/llf/PubArticleLLF.jsp?id=1178096674507.

Personal note: I have no idea how the bar can expect the California lawyer who lacks any patent law

expertise to “supervise” a patent litigation case. If you want to outsource, you might consider partnering with

a lawyer in San Diego.

(5) The ABA

ABA Formal Opinion 93-379 (1993)

“…A lawyer may not charge a client for overhead expenses generally associated with properly maintaining,

staffing and equipping an office; however, the lawyer may recoup expenses reasonably incurred in connection

with the client’s matter for services performed in-house, such as photocopying, long distance telephone calls,

computer research, special deliveries, secretarial overtime, and other similar services, so long as the charge

reasonably reflects the lawyer’s actual cost for the services rendered. A lawyer may not charge a client more

than her disbursements for services provided by third parties like court reporters, travel agents and expert

witnesses, except to the extent that the lawyer incurs costs additional to the direct cost of the third party

services….”

Comments, at 8: “It is the view of the Committee that, in the absence of disclosure to the contrary, it would be

improper if the lawyer assessed a surcharge on these disbursements over and above the amount actually

incurred unless the lawyer herself incurred additional expenses beyond the actual cost of the disbursement

item. …”

[This opinion is generally cited for its discussion of double-billing. But it discusses many kinds of improper

billing practices. If this opinion were operative in Texas, would it be improper to bill overseas non-lawyers at

more than cost?]

(6) New Jersey

In re Opinion 24 of Committee on Unauthorized Practice of Law, 128 N.J. 114, 123, 607 A.2d 962 (1992)

(7) D.C.

In New Reality: Temps Must Join DC Bar ($), the Legal Times (June 27, 2005) reports District of Columbia

bar regulators ruled that contract lawyers must be admitted to the DC bar to avoid the unauthorized practice

of law.

T. SOME THOUGHTS ON OUTSOURCING

If you are interested in finding foreign law firms that are seeking U.S. legal work, please contact me.

There are hundreds of them, in places like India, Mauritius (most lawyers here are bilingual in French and

English, so can do almost any international work), Finland, South Africa, and the Philippines.

U. PARTICULAR FIRMS

The popular media have published reports of big firms outsourcing to foreign law firms and other

corporations. I include these with significant risk of error: please note that some of these firms do not do any

significant amount of outsourcing of legal work, or have merely investigated outsourcing, or outsource only

non-legal work like public relations or IT functions. Please look at the cited articles (or better yet, contact the

firms) to see the extent of their outsourcing activities. Haynes and Boone LLP (Houston Business Journal,

6/1/07); Milbank Tweed Hadley & McCloy (many articles); Orrick, Herrington & Sutcliffe LLP (many articles);

Pillsbury Winthrop Shaw Pittman (Some firms have non-law businesses, such as business consulting, and

outsource almost all of this work. Law Firm Adds Another Shingle: Consultant, New York Times, 10/14/05);

Howrey (Howrey Opens Office in India, Gives Clients Lower-Cost Option, describing Firm's Pune office and a

long-term goal of expanding its support services worldwide, American Lawyer, Feb 2008); Clifford Chance

(many sources); Jones Day (Jones Day, Kirkland Send Work to India to Cut Costs, Cynthia Cotts and Liane

Kufchock, Bloomberg, Aug. 21,

http://www.bloomberg.com/apps/news?pid=20601103&sid=aBo8DnfekWZQ&refer=news); Kirkland & Ellis;

Seyfarth Shaw; White & Case (Small World in Law Firm Inc., 10/07); Allen & Overy (many sources); Lovells

(a U.K. firm; Press release, July 2003); Law Abroad (a UK firm; South African lawyers, using automated

systems to manage the work, Legal Technology Insider, Issue 159); Schwegman Lundberg Woessner & Kluth

(a well known 55-lawyer patent firm in Minneapolis); “BigLaw”

V. “LAWSOURCING”

There are websites dedicated to helping lawyers collaborate for work. Lawyers who have projects calling

for particular legal expertise, or simply needed extra manpower, can post their needs, and other lawyers who

are having trouble finding work can reply. Projects are bid, like an auction.

W. SITES

http://blog.law-scribe.com/

http://blogs.wsj.com/law/2007/11/27/temp-attorneys-the-india-edition

http://www.bloomberg.com/apps/news?pid=20601103&sid=aBo8DnfekWZQ&refer=news

http://www.dbrownonline.com/2006/10/offshore_lawyers_for_contracto.html

http://www.law.com/jsp/article.jsp?id=1202732098332

http://www.law.harvard.edu/news/bulletin/2006/fall/feature_2.ph

http://www.llrx.com/features/legaloutsourcing.htm

http://www.nycbar.org/Ethics/eth2006.htm

http://www.prismlegal.com/index.php?option=content&task=view&id=88&Itemid=70

http://www.prismlegal.com/wordpress/index.php?cat=5

http://www.prismlegal.com/wordpress/index.php?m=200610#post-507

http://www.sqglobalsolutions.com/

X. OTHER SOURCES

35 Tex. Int’l L.J. 289, 313 Bridging Ethical Borders: International Legal Ethics with an Islamic Perspective

(“Although difficult to imagine, a Muslim party or client may expect a higher degree of confidentiality than a

[U.S.] lawyer is accustomed to.”, M. McCary, 2000).

Accenture Outlook Journal, Adam Johnson & John D. Rollins, Outsourcing: Unconventional Wisdom,

(October 2004, at

http://www.accenture.com/Global/Services/By_Industry/Travel/R_and_I/UnconventionalWisdom.htm)

American Lawyer Change of Venue; Cost-Conscious General Counsel Step up Their Use of Offshore

Lawyers, Creating Fears of an Exodus of U.S. Legal Jobs (Jennifer Fried, quoting Professor Geoffrey

Hazard, Jr. of University of Pennsylvania Law School who stated that if foreign attorneys are “acting under the

supervision of U.S. lawyers, I wouldn’t think it would make much difference where they are.”, Dec. 2003).

American Lawyer magazine, Briefed in Bangalore (November 2004)

Andy Haven’s IndianLegalOutsourcing and legalmarketingblog blogs.

Asia Law In-house or Outsourced? The Future of Corporate Counsel (George W. Russell, July/Aug. 2005)

Business Week (8/16/04)

Business Week Subcontinental Drift (1/16/06)

Business Week The New Global Job Shift (cover story, February 3, 2003)

Corporate Counsel Magazine Cracking the Whip (Feb 03)

Corporate Legal Times (July 2005) Overhyped, Underused, Overrated: The Truth About Legal Offshoring

Corporate Legal Times (September 2004)

Deloitte Consulting, Calling a Change in the Outsourcing Market (April 2005, PDF)

Down and Out in White-Collar America (June 23, 2003).

Economist, The Next Wave (December 14, 2005)

Fortune (June 14th 2003)

Future of Legal Secretaries (Legal Times, May 2003)

Harvard Law School Alumni Bulletin (Fall 2006)

Information Week, Legal Research And Back-Office Work To Go Offshore Next (12/9/03)

International Litigation and Arbitration, Proskauer (an entire book free on the web, without registration).

John Tredennick, Outsourcing for the Small Law Office: Lessons from “The World is Flat” (Trial Magazine,

Fall 2006)

Law Firm, Inc., (Aug/Sep 2004)

Law Practice Today (April 2006)

Law Practice Today In Your Next Office— Bangalore? 7/10/2005

Legal Outsourcing and Offshoring, published in LLRX.com (11/12/06)

Legal Technology Insider, Issue 159

Legal Technology Journal Good chemistry, Eversheds (Issue 6, fall 2007).

Legal Times, ad for CBFGROUP in the November 8th issue.

Legal Week CMS Cameron McKenna is exploring moving back-office functions to India (11/2/06, UK)

Legal Week, 6/6/07

legalweek.com (10/2/06)

Los Angeles County Bar Assoc. Formal Opinion 473 (Jan. 1994);

National Law Journal (March 29, 2004)

New Hampshire Bar Assoc. Ethics Comm. Formal Opinion 1989-90/9 (July 25, 1990).

New Jersey Law Journal, Legal-Work Outsourcing Cuts Costs; DuPont’s pitch to in-house counsel: Save

millions by sending legal work to companies other than law firms (Nov. 17, 2003, as carried on law.com)

New York Law Journal, 23 Jan 2008

New York State Bar Association Committee on Professional Ethics Opinion (“N.Y. State Opinion”) 721 (1999).

New York Times A Law Firm Adds Another Shingle: Consultant (10/14/05)

New York Times Law Firm Outsourcing (10/27/2006)

New York Times, Corporate America Sending More Legal Work to Bombay (Ellen L. Rosen, quoting

Professor Stephen Gillers of NYU School of Law as stating that “even though the lawyer [in the foreign

country] is not authorized by an American state to practice law, the review by American lawyers sanitizes the

process.” Mar. 14, 2004)

New York Times, Corporate America Sending More Legal Work, to Bombay: U.S. Firms Face Challenge Over

Outsourcing Legal Work to India (Ellen L. Rosen, Mar. 14, 2004)

New York Times, Even Law Firms Join the Trend to Outsourcing (Jonathan D. Glater, Jan. 13, 2006)

New York Times: Law Firms Are Starting to Adopt Outsourcing (10/27/06)

Ohio Bd. of Comm’rs on Grievances and Discipl. Opinion No. 90-23 (Dec. 14, 1990) (finding a duty under DR

5-107(A)(1) to “disclose to the client the temporary nature of the relationship in order to accept compensation

for the legal services”);

Oliver v. Board of Governors, Kentucky Bar Ass’n, 779 S.W.2d 212, 216 (Ky. 1989) (recommending

“disclosure to the client of the firm’s intention, whether at the commencement or during the course of

representation, to use a temporary attorney service on the client’s case, in any capacity, in order to allow the

client to make an intelligent decision whether or not to consent to such an arrangement.”);

Outsourcing Your Life (Wall Street Journal, 6/2/07)

Recorder, 25 Jan 2008

Recorder, Outsourcing Reaches Corporate Counsel (8/25/04)

Small Firm Business, How to Protect Confidentiality When Outsourcing, (Mary Daly, Sept. 12, 2005).

Small Firm Business, Should Small Firms Get on Board with Outsourcing? (Ann Sherman, Sept. 12, 2005).

SME Outsourcing Business Process Outsourcing Propels the 21st Century, (Fakir Chand, October 2003, at

http://smeoutsourcing.com/viewnew.php?id=9bd912e64b470d2f28ea096a56bdebd0)

Star Tribune (Jan. 16, 2004) reporting that West is running a small test of using lawyers in India for some of

its publishing operations.

Trial Magazine, Outsourcing for the Small Law Office: Lessons from “The World is Flat.” (John Tredennick,

“small law practices have ample opportunities to outsource.”, Fall 2006)

Twin Cities Pioneer Press, Law firm cuts rates by outsourcing to India (March 3, 2004)

Wall Street Journal Legal Services Enter Outsourcing Domain (page B1, 9/28/05).

Wall Street Journal, More U.S. Legal Work Moves to India’s Low-Cost Lawyers (Eric Bellman & Nathan

Koppel, Sept. 28, 2005)

VI. BLOGGING, WIKIS, WEB SITES, AND ADVERTISING

A. FIRM-SPONSORED WEB-BASED ATTORNEY ADVERTISING, BLOGGING, WIKIS

(1) General Information on Wikis and Blogs

Wikis are web sites that a very large number of people have authority to modify. (The term is from

“wiki-wiki” which means “faster” in Hawaiian.) A well-known example is “Wikipedia.” Anybody can modify a wiki,

and anyone can see a list of all modifications and what the wiki looked like before any modification. The

entire history of the wiki is available for viewing. Generally, the person making the modification can be traced.

Movie studios have used wikis to get public comments on their movies. Political campaigns have used them

to let campaign workers collaborate. Novice real estate investors use wikis to share experiences and advice

about their deals.

Legal wikis are starting to grow. Wex, from Cornell Law School, is a wiki that allows lawyers to tell their

war stories, offer legal definitions of terminology (like Wikipedia), and collaboratively share legal knowledge.

Firms are starting to have wikis. Some have pages that only their own lawyers can access; other pages

for the firm’s lawyers, co-counsels, and clients; and still other pages for the general public. For example, you

could have a list of tasks on a wiki, and leave the assignment of the tasks open to your team, or post

documents that everyone can work on collaboratively. As each attorney reviews a document, for example,

that attorney can modify the list to make clear that the document has already been modified. Wikis can be a

valuable place for associates to share their thoughts on projects as a team; you can watch their messages as

they work together on the project. Wikis are useful for sharing tasks, and for seeing how a project is evolving.

When they are open to the public, though, they can be problematic. For bouncing ideas off of colleagues,

wikis can be very useful.

I attended a conference a few months ago that had its own wiki. Each speaker had posted his/her

resume on a separate page of the wiki, and then attendees posted questions for the speakers. The speakers

also posted questions for one another, and thus managed to avoid duplicative presentations.

The United States Court of Appeals for the Seventh Circuit has its own wiki.

http://www.ca7.uscourts.gov/wiki/index.php?title=Main_Page.

Wikis can be social; instead of sending around an email when you have spare tickets to a ballgame, you

can simply post on the wiki. Most wiki pages have tabs along the top of each page that give access to a main

page, a discussion area, and a history of all changes.

Blogs are generally more heavily monitored than wikis, and one person generally controls the content.

Many lawyers have set up blogs, and some require registration.

Other online venues include social networking sites, such as MySpace, Facebook, and LinkedIn. On

March 13, 2008, the news reported that AOL (formerly America Online) bought BEBO, which is a site I had

never heard of. Social networking sites are essentially like chatrooms and listservs from years ago. Some of

these attorneys get in heated exchanges with strangers, clients, potential clients, former clients, adverse

counsel, adverse clients, fact witnesses, court officials, etc. Some lawyers inappropriately assume

correspondents are in Texas, and consequently offer misleading legal advice; some offer the names of their

firms to validate their advice, implicating the firm in the advice. Some use firm-owned computers to offer this

advice.

Strangers can make updates, and others viewing the wiki might think the updates are firm-sponsored.

(2) Ethical Questions

(a). Is a publicly accessible wiki, blog, or page at a social networking site “advertising” within the Texas Bar

rules? If so, then can limiting access only to those who have registered obviate the need to follow the

advertising rules?

(b). If you give correct advice in a blog and then the law changes, do you have an obligation to update your

advice?

(c). Who owns the blog if the blogging associate leaves: the associate or the firm? What if the associate’s

supervising partner leaves? Does the DNS registration determine who owns the blog/wiki/site? Does

copyright law?

(d). If your firm lets one of its attorneys run a public blog, could you run afoul of “contact” restrictions? For

example, could you be accused of accidentally: contacting represented persons (public blogs and wikis can

be seen by anyone), witness tampering or jury pool poisoning (if you describe “hypothetical” cases that are

too similar to an actual case at trial the blogging attorney doesn’t know about), violating a court-issued gag

order (the blogging attorney might not know about a gag order issued to another lawyer in another office of

your firm), soliciting or advertising to prospective clients, etc.? Would allowing members of the public to

register help or hurt you ethically?

(e). What if each post includes some political discourse or matter of public concern?

(f). Contact with a represented person: If the husband is a businessman who might subscribe to a listserv to

which you contribute, can you discuss the case in your listserv? What if an expert witness available for hire

by the husband’s lawyer subscribes to the listserv? (See also Model Rules of Professional Conduct 4.2.)

• What if they browse your website – have you “communicated?”

(3) TDRPC: Rule 4.02 Communication with One Represented by Counsel

“(a) In representing a client, a lawyer shall not communicate or cause or encourage another to

communicate about the subject of the representation with a person, organization or entity of government the

lawyer knows to be represented by another lawyer regarding that subject, unless the lawyer has the consent

of the other lawyer or is authorized by law to do so.

(b) In representing a client a lawyer shall not communicate or cause another to communicate about the

subject of representation with a person or organization a lawyer knows to be employed or retained for the

purpose of conferring with or advising another lawyer about the subject of representation, unless the lawyer

has the consent of the other lawyer or is authorized by law to do so.

(c) …

(d) When a person, organization, or entity of government that is represented by a lawyer in a matter

seeks advice regarding the matter from another lawyer, the second lawyer is not prohibited by paragraph

(a) from giving such advice without notifying or seeking consent of the first lawyer.”

(4) TDRPC: Rule 4.03 Dealing with Unrepresented Person

In dealing on behalf of a client with a person who is not represented by counsel, a lawyer shall not state

or imply that the lawyer is disinterested. When the lawyer knows or reasonably should know that the

unrepresented person misunderstands the lawyer’s role in the matter, the lawyer shall make reasonable

efforts to correct the misunderstanding.

(5) TDRPC: 7.02 Communications Concerning a Lawyer’s Services, Comments

Paragraph 1: The rules within Part VII are intended to regulate communications made for the purpose of

obtaining professional employment. They are not intended to affect other forms of speech by lawyers, such

as political advertisements or political commentary, except insofar as a lawyer’s effort to obtain employment

is linked to a matter of current public debate.

Paragraph 3: Sub-paragraph (a)(1) recognizes that statements can be misleading both by what they

contain and what they leave out. Statements that are false or misleading for either reason are prohibited. A

truthful statement is misleading if it omits a fact necessary to make the lawyer’s communication considered as

a whole not materially misleading. A truthful statement is also misleading if there is a substantial likelihood

that it will lead a reasonable person to formulate a specific conclusion about the lawyer or the lawyer’s

services for which there is no reasonable factual foundation.

Paragraph 4: Sub-paragraphs (a)(2) and (3) recognize that truthful statements may create “unjustified

expectations.” …

Paragraph 5: Sub-paragraph (a)(4) recognizes that comparisons of lawyers’ services may also be

misleading unless those comparisons “can be substantiated by reference to verifiable objective data.” …

Statements comparing a lawyer’s services with those of another where the comparisons are not susceptible

of precise measurement or verification…can deceive or mislead prospective clients.

Paragraph 8: Thus, this Rule does not prohibit communication of information concerning a lawyer’s name

or firm name, address and telephone numbers; the basis on which the lawyer’s fees are determined, including

prices for specific services and payment and credit arrangements; names of references and with their

consent, names of clients regularly represented; and other truthful information that might invite the attention of

those seeking legal assistance….

Paragraph 14: …A lawyer may state an ability to communicate in a second language without any further

elaboration. However, if a lawyer chooses to communicate with potential clients in a second language, all

statements or disclaimers required by the Texas Disciplinary Rules of Professional Conduct must also be

made in that language….

[Note that TDRPC Rule 7.02 is contained within “Part VII: Information About Legal Services”]

(6) TDRPC: Rule 7.03 Prohibited Solicitations & Payments

(f) … for purposes of this Rule, a website for a lawyer or law firm is not considered a communication

initiated by or on behalf of that lawyer or firm.

(7) TDRPC: Rule 7.03 Prohibited Solicitations & Payments, Comments

Paragraph 1: … Thus, forms of electronic communications are prohibited that pose comparable dangers

to face-to-face solicitations, such as soliciting business in “chat rooms,” …

Paragraph 2: Nonetheless, paragraphs (a) and (b) unconditionally prohibit those activities only when profit

for the lawyer is a significant motive and the solicitation concerns matters arising out of a particular

occurrence, event, or series of occurrences or events. As long as the conditions of subparagraphs (a)(1)

through (a) (3) are not violated by a given contact, a lawyer may engage in in-person, telephone or other

electronic solicitations when the solicitation is unrelated to a specific occurrence, event, or series of

occurrences or events. …

(8) TDRPC: Rule 7.04 Advertisements in the Public Media

(a) A lawyer shall not advertise in the public media by stating that the lawyer is a specialist, except as

permitted under Rule 7.04(b), or as follows:

A lawyer admitted to practice before the United States Patent Office may use the designation “Patents,”

“Patent Attorney,” or “Patent Lawyer,” or any combination of those terms. A lawyer engaged in the trademark

practice may use the designation “Trademark,” “Trademark Attorney,” or “Trademark Lawyer,” or any

combination of those terms. A lawyer engaged in patent and trademark practice may hold himself or herself

out as specializing in “Intellectual Property Law,” “Patent, Trademark, Copyright Law and Unfair Competition,”

or any of those terms.

(b) A lawyer who advertises in the public media:

- (1) shall publish or broadcast the name of at least one lawyer who is responsible for the content of such

advertisement; and

- (2) shall not include a statement that the lawyer has been certified or designated by an organization as

possessing special competence or a statement that the lawyer is a member of an organization the name of

which implies that its members possess special competence, except that …[several exceptions]

(j) A lawyer or firm who advertises in the public media must disclose the geographic location, by city or

town, of the lawyer’s or firm’s principal office. A lawyer or firm shall not advertise the existence of any office

other than the principal office, unless:

- (1) that other office is staffed by a lawyer at least three days a week; and

- (2) the advertisement states:

- - (i) the days and times during which a lawyer will be present at that office; or

- - (ii) that meetings with lawyers will be by appointment only.

(9) TDRPC: Rule 7.04, comments

Paragraph 6: Some advertisements, sometimes known as tombstone advertisements, mention only such

matters as the name of the lawyer or law firm, a listing of the lawyers associated with the firm, office

addresses and telephone numbers, office and telephone service hours, dates of admission to the bar, the

acceptance of credit cards, and fees. The content of such advertisements is not the kind of information

intended to be regulated by Rule 7.04(b). However, if the advertisement in the public media mentions any

area of law in which the lawyer practices, then, because of the likelihood of misleading material, the lawyer

must comply with paragraph (b).

Paragraph 16: …Paragraph (j) does not require, however, that a lawyer or firm specify which of several

properly advertised offices is its “principal” one, as long as the principal office is among those advertised and

the advertisement discloses the city or town in which that office is located.

(10) TDRPC: Rule 7.05, Prohibited Written, Electronic, or Digital Solicitations …

(b) Except as provided in paragraph (f) of this Rule, a written, electronic, or digital solicitation

communication to prospective clients for the purpose of obtaining professional employment:

-- (1) shall, in the case of an electronic mail message, be plainly marked “ADVERTISEMENT” in the subject

portion of the electronic mail and at the beginning of the message’s text;

(11) TDRPC: Rule 7.05, Prohibited Written, Electronic, or Digital Solicitations, comments

Paragraph 4: Newsletters or other works published by a lawyer that are not circulated for the purpose of

obtaining professional employment are not within the ambit of paragraph (b) and (c).

(12) TDRPC: Rule 7.07 Filing requirements for public advertisements and written, recorded, electronic, or

other digital solicitations

(a) Except as provided in paragraphs (c) and (e) of this Rule, a lawyer shall file with the Advertising

Review Committee of the State Bar of Texas, no later than the mailing or sending by any means, including

electronic, of a written, audio, audio-visual, digital or other electronic solicitation communication:

- (1) a copy of the written, audio, audio-visual, digital or other electronic solicitation communication being

sent or to be sent to one or more prospective clients for the purpose of obtaining professional employment,

together with a representative sample of the envelopes or other packaging in which the communication is

enclosed;

- (2) a completed lawyer advertising and communication application; and

- (3) a check or money order payable to the State Bar of Texas for the fee set by the Board of Directors.

Such fee shall be for the sole purpose of defraying the expense of enforcing the rules related to such

solicitations.

(b) Except as provided in paragraph (e) of this Rule, a lawyer shall file with the Advertising Review

Committee of the State Bar of Texas, no later than the first dissemination of an advertisement in the public

media, a copy of each of the lawyer’s advertisements in the public media. …

(c) Except as provided in paragraph (e) of this Rule, a lawyer shall file with the Advertising Review

Committee of the State Bar of Texas, no later than its first posting on the internet or other comparable network of

computers information concerning the lawyer’s or lawyer’s firm’s website. As used in this Rule, a “website”

means a single or multiple page file, posted on a computer server, which describes a lawyer or law firm’s

practice or qualifications, to which public access is provided through publication of a uniform resource locator

(URL). The filing shall include:

- (1) the intended initial access page of a website;

- (2) a completed lawyer advertising and communication application; and

- (3) a check or money order payable to the State Bar of Texas for the fee set by the Board of Directors.

Such fee shall be for the sole purpose of defraying the expense of enforcing the rules related to such

solicitations.

(e) The filing requirements of paragraphs (a), (b) and (c) do not extend to any of the following materials,

provided those materials comply with Rule 7.02(a) through (c) and, where applicable, Rule 7.04(a) through

(c):

(1) an advertisement in the public media that contains only part or all of the following information,

- (i) the name of the lawyer or firm and lawyers associated with the firm, with office addresses, electronic

addresses, telephone numbers, office and telephone service hours, telecopier numbers, and a designation of

the profession such as “attorney,” “lawyer,” “law office,” or “firm”;

- (ii) the particular areas of law in which the lawyer or firm specializes or possesses special competence;

- (iii) the particular areas of law in which the lawyer or firm practices or concentrates or to which it limits its

practice;

- (iv) the date of admission of the lawyer or lawyers to the State Bar of Texas, to particular federal courts,

and to bars of other jurisdictions;

- (v) technical and professional licenses granted by this state and other recognized licensing authorities;

- (vi) foreign language ability;

- (vii) fields of law in which one or more lawyers are certified or designated, provided the statement of this

information is in compliance with Rule 7.02(a) through (c);

- (viii) identification of prepaid or group legal service plans in which the lawyer participates;

- (ix) the acceptance or non-acceptance of credit cards;

- (x) any fee for initial consultation and fee schedule;

- (xi) any publicly available information concerning legal issues, not prepared or paid for by the firm or its

lawyers, such as news articles, legal articles, editorial opinions, or other legal developments or events, such

as proposed or enacted rules, regulations, or legislation;

- (xii) in the case of a website, links to other websites;

- (xiii) that the lawyer or firm is a sponsor of a charitable, civic, or community program or event, or is a

sponsor of a public service announcement;

- (xiv) any disclosure or statement required by the rules; and

- (xv) any other information specified from time to time in orders promulgated by the Supreme Court of

Texas;

(6) a solicitation communication that is not motivated by or concerned with a particular past occurrence or

event or a particular series of past occurrences or events, and also is not motivated by or concerned with the

prospective client’s specific existing legal problems of which the lawyer is aware;

(7) a solicitation communication if the lawyer’s use of the communication to secure professional

employment was not significantly motivated by a desire for, or by the possibility of obtaining pecuniary gain; or

(8) a solicitation communication that was requested by the prospective client.

(13) You might want to have some procedures for limiting the number of employees who can blog from work,

or participate in the firm’s publicly accessible blogs; you can post contact info and create a procedure for

anyone who feels aggrieved by a post to submit a complaint; you can even delay posts until a partner in your

firm reviews the publication. A statement disavowing responsibility for third parties’ posts, and reserving a

right to make revisions, might also help reduce the risks of being sued.

(14) Firm liability for the conduct of others on the firm’s blog

The Communications Decency Act, Section 230, might give some protection when an outsider posts

something defamatory, etc. on the firm’s blog. § 230(c)(1) states that “[n]o provider or user of an interactive

computer service shall be treated as the publisher or speaker of any information provided by another

information content provider.”

Many rules can impose ethical fault on the firm, or on lawyers of the firm, who know that an employee of

the firm is violating the rules. For example, see TDRPC Rule 5.01 (Responsibilities of a partner or

supervisory lawyer), Rule 5.02 (Responsibilities of a supervised lawyer), Rule 5.03 (Responsibilities regarding

Non-lawyer Assistants), Rule 5.04 (Professional independence of a lawyer), Rule 5.05 (Unauthorized Practice

of Law).

If a firm or an attorney knows that an employee is blogging from home during non-work hours, but has

posted a resume or otherwise identified the blogger’s relationship with the firm to gain credibility with the

audience of the blog, the firm or lawyer should probably attempt some remedial measures.

However, some remedial measures might be illegal, particularly if the supervisory attorney is a

government agent.

(15) Conclusion:

Law firms are increasingly going to run wikis, blogs, and web sites. Lawyers will continue to boast of

winning difficult cases in the guise of advocating political reform of the difficulties they faced. The line

between political comments and advertisements is going to continue to blur. Sites might be organized

with the following parts: a web page accessible to the general public and inviting people to register for the

blog; a blog accessible to members of the public who have “registered” by submitting their email address or

requesting some information, thereby subjecting themselves to advertising; newsletters sent to registered

members, copies of which are posted on the blog; an unmonitored wiki for registered members to discuss

public issues; a monitored wiki for each client matter, available only to co-counsel, in-house counsel for the

client, firm attorneys, expert witnesses, and others who are on one side of the litigation or matter; etc.

B. NONSPONSORED BLOGGING AND WIKIS

(1) Hypo:

Your employees/associates are participating in chatrooms, blogs, and other public forums. Some of this

activity is on their own time, some is during working hours; some of this activity uses firm computers, some

uses home (personal) computers. You are worried there might be a leak of your client’s privileged/work-

product information. You are worried that they could give advice to a stranger that is inappropriate legal

advice in the stranger’s jurisdiction.

(2) Questions:

1. Can you ban your employees from blogging?

2. Can you prohibit your non-lawyer employees from identifying their association with your firm? (If you

don’t, some non-lawyer employees might inadvertently imply that they have greater legal expertise than they

actually possess.)

3. Can you require your non-lawyer employees, and your attorney employees, to submit their blog entries

for your approval?

4. If your associates use a blog from home to (i) trash your firm or (ii) attempt to set up a rival firm, can you

punish the associate?

5. Can you take ownership of the blog from the employee, if the employee terminates employment?

(3) “Doocing”

There have been several celebrated cases of employees being fired for blogging inappropriately.

1. A blogger named Heather B. Armstrong was fired for complaining about work conditions at her job and

the people she worked with, even though she did not identify her employer. Her web site, Dooce.com, gave

the name to this sort of adverse employment action.

2. A flight attendant named Ellen Simonetti, nicknamed the “Queen of Sky,” was fired for posting a seductive

photo of herself wearing her Delta uniform on her web site, although she never explicitly identified Delta

Airlines as her employer.

3. Unnamed bloggers employed by Apple revealed their employer’s trade secrets (Apple sued the ISP,

December 2004).

4. Michael Hanscom was an independent contractor at Microsoft who created a “funny” doctored photo

of Apple G5 computers being delivered to Microsoft’s corporate headquarters. The photo was captioned

"Even Microsoft wants G5s." He was terminated.

5. Mark Jen was fired from Google for blogging about some new products, the new-employee orientation

program, and a company-sponsored party.

6. Boston University professor Michael Gee was fired for blogging that one of his students was “incredibly

hot.” He did not have tenure, though.

7. Even U.S. Attorneys get fired for blogging. David Lat, a.k.a. the "Article III Groupie," was softly fired for

hosting a blog entitled "Underneath Their Robes" and describing the "superhotties" among the federal court

judges.

(4) Anti-Doocing laws

Some states prohibit an employer from attempting to regulate or prohibit lawful conduct during non-working

hours. Most of the case law on these statutes relates to bans on homosexual activity or cigarette

smoking, e.g., Colorado Revised Statutes 24-34-402.5, Indiana Annotated Statutes 22-5-4-1, North Carolina

General Statutes Section 95-28.2b. Some of these exempt the employer from liability where the business has

fifty or fewer employees. Many states have anti-discrimination statutes.

Federal laws such as the National Labor Relations Act ("NLRA"), the Civil Rights Act of 1964 ("Title VII"),

the Federal Whistle-Blower Statutes, and "anti-SLAPP" laws should be consulted before firing anyone for

blogging on their own time.

(5) Suggestion:

You should consider a firm-wide policy about blogging from home. If an employee signs the blogging

policy, you might then be able to get specific performance of the policy.

VII. ADEQUACY OF DISCLAIMERS

A. HYPO #1:

You are concerned that potential clients attempting to hire the firm will send you confidential information

regarding their cases, unsolicited, and that receiving this confidential information might prevent you from

representing the adverse party. Therefore, your firm’s website has a notice that unsolicited emails are not

kept in confidence. (I have seen this disclaimer on lots of law firm sites.)

B. QUESTIONS:

What if someone who sends an unsolicited email to the firm is subsequently accepted as your client; can

you recover confidentiality as to the (unsolicited) email preceding the representation, or is confidentiality

permanently waived as to that one unsolicited email?

Your site did imply that the pre-engagement email would not be kept in confidence!

C. SUGGESTION:

Instead of saying that it will not be kept in confidence, consider saying that it will not be kept in confidence

unless the sender is or eventually becomes a client. If you want to be particularly careful, you can also say

that unsolicited emails will not preclude your firm from representing anyone including an adverse party and

that the firm may use the info to benefit its clients whoever those clients may be.

D. HYPO #2:

Does your firm’s website have a notice that browsing your site does not create an attorney-client

relationship, or that articles you post are for general educational information? Many non-lawyers who cannot

afford a large-firm lawyer will browse sites and rely on articles found there, without regard to the inapplicability

of the articles to their specific factual situation.

E. QUESTIONS:

(a) If a non-client browses your website, finds an article you’ve written and inappropriately relies on your

article for legal advice, are your disclaimers sufficient to protect you from a malpractice lawsuit?

(b) Is such a “browse-wrap” notice sufficient to disavow the attorney-client relationship?

Was the sender’s disavowal of the attorney-client relationship really consensual?

F. CONSIDERATIONS

There have been many cases in which a business hides arbitration provisions, among other clauses,

somewhere on its web site, and then tries to bind customers to arbitration. In many of these cases, the

customers testify that they were not aware of the provisions. The legal sufficiency of “browse-wrap”

provisions is not as settled as the legal sufficiency of “click-wrap” provisions, so a browse-wrap notice is not

necessarily sufficient. See Specht v. Netscape Communications, 306 F.3d 17 (2nd Cir. 2002), discussing

differences between click-wrap and browse-wrap online contracts.

Many online businesses have web sites that customers can use to purchase merchandise. Some of

these web sites include limitations of warranties, arbitration provisions, and other clauses that can be

detrimental to the customers who shop on these web sites. Such web sites are said to be “browse wrap,”

since customers can see the limitations in their browsers. However, although there have been several

decided cases on the issue, there remains some controversy as to whether customers are actually on notice

of these provisions. On the other hand, some web sites require customers to affirmatively click on each

provision before the web site processes the transaction. Such web sites are said to be “click wrap” since

customers must click on each provision to process a transaction.

The enforceability of click wrap contracts is more certain and settled than the arguable enforceability of

browse wrap contracts. Therefore, you might want to require visitors to your web site to affirmatively click that

they understand that they should not rely on the legal articles you post on your web site, before giving them

access to the articles.

G. SUGGESTION:

Make the person who wants to send you an unsolicited email affirmatively click that he/she understands

that he/she is not a client, is not protected by an obligation of confidentiality, etc.

Consider the following disclaimer: Prospective clients should not use the email addresses of our attorneys

as a means to submit confidential, nonpublic, or private information to us, even in a good faith effort to hire

us. By clicking “I accept,” you acknowledge that we have no obligation to maintain the confidentiality of any

information you submit to us, unless we have already agreed to represent you or we later agree to do so.
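
One way to implement the click-through acknowledgment suggested above, as an added example that is not part of the original paper: the server releases the contact form only after an affirmative click, and keeps a signed record tying the visitor to the exact disclaimer wording accepted. All function and field names are hypothetical, and the sample inputs are constructed.

```javascript
// Added example (not from the paper): click-wrap gate with a signed acceptance record.
// All names are hypothetical; run with Node.js.
const nodeCrypto = require('node:crypto');

// Constructed sample text, taken from the disclaimer wording suggested in the paper.
const DISCLAIMER_TEXT =
  'By clicking "I accept," you acknowledge that we have no obligation to ' +
  'maintain the confidentiality of any information you submit to us, unless ' +
  'we have already agreed to represent you or we later agree to do so.';

// Fingerprint of the exact wording shown, so a later edit of the disclaimer
// cannot be silently attributed to an earlier acceptance.
function disclaimerDigest(text) {
  return nodeCrypto.createHash('sha256').update(text, 'utf8').digest('hex');
}

// HMAC over the encoded record; the secret stays on the server.
function sign(body, secret) {
  return nodeCrypto.createHmac('sha256', secret).update(body).digest();
}

// Issue a record only for an affirmative click. Merely viewing the page
// (the browse-wrap situation) produces nothing.
function recordAcceptance(event, secret, text) {
  if (event.clicked !== true) return null;
  const record = {
    visitor: event.visitorId,
    digest: disclaimerDigest(text),
    acceptedAt: event.now,
  };
  const body = Buffer.from(JSON.stringify(record), 'utf8').toString('base64url');
  return body + '.' + sign(body, secret).toString('base64url');
}

// Check a presented record: present, well formed, signed by this server,
// issued to this visitor, and covering the disclaimer wording now in force.
function verifyAcceptance(token, secret, currentText, visitorId) {
  if (typeof token !== 'string' || token === '') {
    return { ok: false, reason: 'missing' };
  }
  const parts = token.split('.');
  if (parts.length !== 2) return { ok: false, reason: 'malformed' };
  const [body, mac] = parts;
  const expected = sign(body, secret);
  const given = Buffer.from(mac, 'base64url');
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  let record;
  try {
    record = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  if (record.visitor !== visitorId) return { ok: false, reason: 'wrong-visitor' };
  if (record.digest !== disclaimerDigest(currentText)) {
    return { ok: false, reason: 'stale-disclaimer' };
  }
  return { ok: true, acceptedAt: record.acceptedAt };
}

// Gate for the "email an attorney" form (or the articles): anything short of a
// valid record sends the visitor back to the disclaimer page.
function gateRequest(req, secret, currentText) {
  const check = verifyAcceptance(req.acceptanceToken, secret, currentText, req.visitorId);
  if (check.ok) {
    return { status: 200, show: 'contact-form', acceptedAt: check.acceptedAt };
  }
  return { status: 403, show: 'disclaimer', reason: check.reason };
}
```

Storing the issued record alongside the disclaimer text it covers lets the firm later show which wording a given visitor clicked through and when.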

VII. SURVEILLANCE ISSUES

A. SURVEILLANCE SOFTWARE HYPO:

#1: You want to know what your employees are doing on line while they are at work. You want to install

surveillance software on the computers in your own firm, but you might inadvertently pick up some personal

conversations.

#2: You have a client who believes that a spouse, employee, or child is doing something improper, and

wants to install surveillance software on the computers at home, even if the surveillance software

inadvertently picks up some personal conversations.

B. SURVEILLANCE SOFTWARE QUESTIONS:

(1) Can you install surveillance software on your own employee’s computer? If you do, must you tell the

employee?

(2) If the employee telecommutes from home, can you install surveillance software on the employee’s

home computer? Can you look at other files on that computer, e.g. to make sure no one else has also

installed surveillance software?

(3) Can your client install surveillance software on a computer used by a spouse, employee, or child?

Note: these can be legal issues as well as ethical issues.

C. EFFECTIVENESS

Electronic surveillance is much more effective than human snooping. It never tires, never forgets, works

from a great distance, can hide in tiny places, amplifies sound, is impossible to discover, and it doesn’t charge

by the hour. Nefarious snoopers can pretend someone else installed it if it is discovered.

D. EASE OF INSTALLING SURVEILLANCE SOFTWARE

This section is most relevant to smaller firms, which don’t have their own IT staff to monitor employees.

Employers can buy many varieties of surveillance software (TechAssist, Spector/SpectorSoft, eBlaster,

etc.). Surveillance software captures everything done online: email, chat, IM, porn, etc., and also captures

everything done offline: financials, Microsoft Word, etc. It can also snoop within password-protected and/or

encrypted files and email accounts, since the surveillance software actually captures the passwords

themselves. It can store or email to you a complete history, and is un-removable and undetectable by

common “surveillance removal software” such as Nitrous Anti-Spy, SpyCop, AdAware, and Spybot Search &

Destroy.

It is important to think of surveillance software as residing between the keyboard and the microprocessor,

recording key clicks, and between the microprocessor and the monitor, recording images and text from emails

and web sites. The employee cannot avoid surveillance software by using passwords, since the passwords

themselves would be typed into the keyboard where they would be recorded.

Surveillance software is very likely to capture something, if there is something to capture: 57% of online

time is spent communicating, i.e., email, IM, & chat. – FBI

Note that even without surveillance software, the employee’s browser is probably keeping track of what

websites he visits, and meta-text readers and hex editors can reveal snippets of documents. You can often

recover data from “erased” hard drives.

Note that surveillance software has been used by many clients, too. In divorce cases, spouses frequently

snoop one another’s computer activities. There are even courts that allow a custodial parent to install

surveillance software on a computer the child uses even though the computer in question is located at the

non-custodial parent’s home!

E. LEGITIMATE REASONS FOR INSTALLING SURVEILLANCE SOFTWARE

Law firms and other employers are frequently sued. When sued, law firms and other employers may be

subject to electronic discovery. If the law firm might have to produce a document, then the law firm should be

entitled to a copy. Rule 26(a) explicitly defines electronically stored information (ESI) as discoverable; Rule

26(f) mandates early meet-and-confer sessions specifically to resolve eDiscovery issues; Rule 26(b)(2)

provides guidance regarding claims that requested eRecords are unduly burdensome to produce; Rule

26(b)(5) addresses the inadvertent production of privileged information during eDiscovery; Rule 37(f) covers

the loss of potential evidence in the course of routine records disposal; 16(b); 33(d); 34(a); also Zubulake v.

UBS Warburg LLC, 217 FRD 309 (SDNY 2003); Rowe Entertainment v. William Morris Agency, 205 FRD 421

(SDNY 2002).

There are a lot of legitimate reasons why an employer would want to know what an employee is doing on

line. Some employees correspond inappropriately with clients, potential clients, and coworkers, or download

inappropriate content from the Internet, exposing the employer to civil or criminal liability. Some are trying to

set up rival businesses or developing contacts that rightly belong to the employer. Some are simply wasting

time, and the employer would certainly have a right to know.

Some employers have a policy of hanging on to everything (Active or Online Data; Near-Line Data;

Internet Data; Metadata; Replicant Data / File Clones; Residual Data; Backup Data; Legacy Data) and emails.

All of this might be useful in litigation, as well as for other reasons. Many employees have a similar policy, so

that if something goes wrong with a project they can find an email or other document that can shift blame to

someone else.

Parents of minor children want to know what their children are doing on line. Anyone who has watched

the news lately has seen horrible stories of the dangers children face on line. However, risks of physical harm

are not the only justifiable parental concerns. Some parents want to know what music their children are

downloading, who their children’s friends are, what schools are assigning for homework, and other matters.

Parents have a recognized right to some of this information.

Spouses also have been very active in the surveillance society. Many celebrity divorces include tales of

infidelity, hiding marital assets, and other offenses, discovered through the use of surveillance, particularly

surveillance software. Some of this is, of course, legitimate.

F. LEGAL ARGUMENTS FOR BANNING SURVEILLANCE OR FOR EXCLUDING EVIDENCE

Subjects of surveillance also have legitimate complaints. Surveillance improperly administered can

violate a Tort law of Privacy (We are going to see that all law has been driven by tort law), Tort law of

Trespass to Chattels, Criminal law (Wiretap Act, Stored Communications Act), Evidence code, and

professional codes of ethics. If the employee works from home and the surveillance is conducted there, then

there might also be a trespass tort. In the marital case, surveillance can violate other torts, such as trespass

to chattels (if the computer was separate property), Spousal Emotional Abuse, IIED, NIED, etc.

In this section of this paper, I am going to discuss such torts, and also criminal statutes including the

Wiretap Act and the Stored Communications Act of the Electronic Communications Privacy Act. Many

subjects of surveillance incorrectly believe that properly-implemented surveillance violates these statutes.

Also, in marital cases, many spouses point out that Congress never included spouses in ECPA Title III’s

exceptions (explained below). I hope that the limits of these statutes can be made clear.

G. LEGAL REBUTTALS TO THESE ARGUMENTS

One of the most important counter-arguments available to the “snooper” is consent. Consent, including

“vicarious” consent and “implied” consent, can arise when the computer was at least partially owned by the

snooper (employer, parent, spouse), or the computer was in an area available to the snooper. Another counter-argument

is financial interest, particularly where the snooper was at least partially responsible for paying for

the Internet account. In the employment context, the employer has generally paid for the computer and the

Internet subscription, and the computer is in a place available to the employer and the employer’s agents. In

the parental context, the parent has generally paid for the computer and the Internet subscription, and the

computer is generally located in the family home in an area available to the parent, although complications can

arise when the parents live separately and one parent wants to “snoop” on the computer that the child uses at

the other parent’s home. In the divorce case, ownership of the computer and the Internet account can be

complicated to determine, and one spouse might have only limited access to the location where the computer

is located. The divorce situation can also be complicated by considerations of “spousal immunity” and a

“marital home” exception to the Wiretap Act.

In addition to consent and ownership, the snooper can make “moralistic” arguments for allowing evidence

that was improperly acquired. In many situations, admissibility is for the court to determine. If the conduct

revealed (hiding assets, child abuse) is much worse than the fact of snooping, a court might allow the

“snooped” evidence to be admitted.

Moreover, as the law has evolved, expectations of privacy are often not subjectively sincere and might

not be objectively reasonable.

In a litigation context, a court might consider the tortiousness, criminality or ethicalness of the evidence’s

acquisition when determining admissibility. For this reason, even if a case does not relate specifically to a

tort, the law of torts can be implicated.

H. HISTORY OF THE TORT LAW OF PRIVACY

According to a famous 1890 law review article authored by Samuel Warren and Louis Brandeis, the right

to privacy is "the most comprehensive of rights and the right most valued by civilized men.” “Privacy” torts

depend on an “expectation of privacy.” William L. Prosser also wrote extensively on the right to privacy, e.g.

Privacy, 48 Cal. L. Rev. 383, 383 (1960). These concepts were picked up by the Restatement (Second) of

Torts 652D (1977).

According to Prosser and the Restatement, there are four “Privacy” torts: an intrusion into seclusion

(“Seclusion intrusion”), identity appropriation; disclosure of secrets; and false publicity. Thus, snooping can

violate two types of tort laws. The snooping itself may intrude upon “seclusion,” and using the information

obtained from snooping may be “disclosure of secrets.”

However, the trend has been to lose both subjective and objective expectations of privacy. Even

attorney-client privilege is under attack. "[Privilege] is to be strictly confined within the narrowest possible

limits consistent with the logic of its principle.” In re Horowitz, 482 F.2d 72, 81 (2d Cir.), cert. denied, 414 U.S.

867 (1973). Accordingly, it can be harder than in previous generations to prove that acquisition of evidence

was tortious. Snooping that would have shocked courts in years past is routinely admitted under the modern

diminished subjective and objective expectations of privacy.

I. WIRETAPS AND SURVEILLANCE SOFTWARE

Because so many people confuse wiretaps with surveillance software, I want to include a brief summary

of the differences. Understanding the Wiretap Act requires an understanding of both the Fourth Amendment

and tort law.

J. HISTORY OF FOURTH AMENDMENT LAW

A long time ago, the Fourth Amendment to the U.S. Constitution was interpreted using legal terminology

imported from trespass law. In Olmstead v. United States, 277 U.S. 438, 476 (1928), the federal government

was allowed to tap a lawyer’s telephone and to use resulting recordings against the lawyer’s clients, as long

as the government installed the wire tap at a junction box outside of the lawyer’s office. The Fourth

Amendment applied only to a “constitutionally protected area,” and so the police could tap a lawyer’s phone at a

junction box if they did not enter the room.

In response to Olmstead, Congress passed the Communications Act of 1934 which explicitly prohibited

all law enforcement use of wiretapping. 47 U.S.C. §605 (1958). The limits were statutory, though, and not

constitutional. Private entities could wiretap at will, without any limitation.

Everything changed in the 1960s. The Supreme Court imported legal terminology from privacy tort law,

rather than from trespass tort law. Katz v. United States, 389 U.S. 347 (1967) overturned Olmstead,

concluding that the "Fourth Amendment protects people, not places." A person must demonstrate an "actual

(subjective) expectation of privacy" and "the expectation [must] be one that society is prepared to recognize

as 'reasonable.'" 389 U.S. at 360-61 (Harlan, J., concurring). Berger v. New York, 388 U.S. 41, 60 (1967)

applied the new constitutionally-based limits, rather than statutory limits, on the Federal government,

criticizing an “unconstitutional general warrant,” and a “roving commission.” Lee v. Florida, 392 U.S. 378

(1968), overruling Schwartz v. Texas, 344 U.S. 199, 203 (1952); Lee now prohibits local police from using

evidence obtained by violating the federal Constitution.

K. HISTORY OF THE WIRETAP ACT: OCCSSA TITLE III AND ECPA TITLE I

In 1968, Congress responded to Katz with an effort to expand governmental wiretapping to its

constitutional limits, while criminalizing most private wiretapping. This was a complete reversal of the 1934

law. The statute was the “Omnibus Crime Control And Safe Streets Act” (OCCSSA). OCCSSA was extremely well

considered, and dealt with a lot of areas of crime. Title III dealt with wiretapping. (18 U.S.C. 2511)

In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA). ECPA’s Title I, which

applies to “wiretaps,” is almost identical to OCCSSA Title III, with the word “electronic” added without much

thought. A very weak argument could be made that this applies to surveillance software. (ECPA has a lot to

say about cloning and tapping cell phones, cordless phones, etc.) 18 U.S.C. §§ 2510, 2701, 2511(2)(g)(i)

According to 18 U.S.C. § 2510(1) (1992), "Wire communication" means “any aural transfer made in

whole or in part through the use of facilities for the transmission of communications by the aid of wire, cable,

or other like connection between the point of origin and the point of reception (including the use of such

connection in a switching station) furnished or operated by any person engaged in providing or operating such

facilities for the transmission of interstate or foreign communications or communications affecting interstate or

foreign commerce” [removed by 2002 amendment: “and such term includes any electronic storage of such

communication”]…[removed by 1994 amendment: “, but such term does not include the radio portion of a

cordless telephone communication that is transmitted between the cordless telephone handset and the base

unit”].

L. STATE WIRETAP LAWS (INCLUDING TEXAS)

Texas’s wiretapping statute is very similar to ECPA Title I. Tex. Pen. Code Ann. 16.02; Tex. Code Crim.

P. Ann. art. 18.20. States can give higher protections than are available under Federal law: States like Florida

(Fla. Stat. Ann. 934.03(3)(d)(2000); also Wood v. Florida, 654 So.2d 218, 220 (Fla. Dist. Ct. App. 1995)),

Pennsylvania (18 Pa. Cons. Stat. Ann. 5704(4)(1998)), Maryland (Md. Code Ann., Cts. & Jud. Proc.

10-402(c)(3)(1998)), and California (Cal. Penal Code 631(a)(1998)) require both parties to consent before a

recording is legal. States can give lower protections. Mississippi has an explicit marital exception to its

wiretap law. Wright, 70 So.2d 274 (Miss. 1997).

Every state except Vermont has a state-law wiretapping statute. 18 U.S.C. 2510-2522 (1994); Ala.

Code 13A-11-31 (1994); Alaska Stat. 42.20.310 (Michie 1998); Ariz. Rev. Stat. Ann. 13-3005 (West 1989);

Ark. Code Ann. 5-60-120 (Michie 1997); Cal. Penal Code 632 (West 1988 & Supp. 1998); Colo. Rev. Stat.

18-9-303 (1997); Conn. Gen. Stat. Ann. 53a-189 (West 1994); Del. Code Ann. tit. 11, 1336 (1995); D.C.

Code Ann. 23-542 (1996); Fla. Stat. Ann. 934.03 (West 1996 & Supp. 1999); Ga. Code Ann. 16-11-62

(1996); Haw. Rev. Stat. 803-42 (1993); Idaho Code 18- 6701 (1997); 720 Ill. Comp. Stat. Ann. 5/14-2 (West

1993); Ind. Code Ann. 35-33.5-5-5 (Michie 1998); Kan. Stat. Ann. 21-4002 (1995); Ky. Rev. Stat. Ann.

526.020 (Banks-Baldwin 1995); La. Rev. Stat. Ann. 15:1303 (West 1992); Me. Rev. Stat. Ann. tit. 15, 710

(West 1980 & Supp. 1998); Md. Code Ann., Cts. & Jud. Proc. 10-402 (1998); Mass. Ann. Laws ch. 272,

99(c)(1) (Law. Co-op. 1992); Mich. Comp. Laws Ann. 750.539c (West 1991); Minn. Stat. Ann. 626A.02

(West 1983 & Supp. 1999); Miss. Code Ann. 41-29-533 (1993 & Supp. 1998); Mo. Ann. Stat. 542-402

(Supp. 1998); Mont. Code Ann. 45-8-213 (1997); Neb. Rev. Stat. 86-702 (1994); Nev. Rev. Stat. Ann.

200.620 (Michie 1997); N.H. Rev. Stat. Ann. 570-A:2 (1986 & Supp. 1998); N.J. Stat. Ann. 2A:156A-3 (West

1985 & Supp. 1998); N.M. Stat. Ann. 30-12-1 (Michie 1997); N.Y. Penal Law 250.05 (Consol. 1989); N.C.

Gen. Stat. 15A-287 (1997); N.D. Cent. Code 12.1-15-02 (1997); Ohio Rev. Code Ann. 2933.52 (Banks-

Baldwin 1997); Okla. Stat. Ann. tit. 13, 176.3 (West 1994 & Supp. 1999); Or. Rev. Stat. 165.543 (1997); 18

Pa. Cons. Stat. Ann. 5703 (West 1983 & Supp. 1998); R.I. Gen. Laws 11-35-21 (1994); S.C. Code Ann. 16-

17-470 (Law. Co-op. 1985 & Supp. 1997); S.D. Codified Laws 23A-35A-20 (Michie 1998); Tenn. Code Ann.

39-13-601 (1997); Tex. Code Crim. P. Ann. art. 18.20 (West Supp. 1999); Utah Code Ann. 76-9-403 (1995);

Va. Code Ann. 19.2-62 (Michie 1995); Wash. Rev. Code Ann. 9.73.030 (West 1998); W. Va. Code 62-1D-3

(1997); Wis. Stat. Ann. 968.31 (West 1998); Wyo. Stat. Ann. 7-3-602 (Michie 1997).

M. WIRETAP ACT (ECPA TITLE III; OCSSA TITLE I)

18 U.S.C. § 2510(1) (1992) "Wire communication" means

•“any aural transfer made in whole or in part through the use of facilities for the transmission of

communications by the aid of wire, cable, or other like connection between the point of origin and the point of

reception (including the use of such connection in a switching station) furnished or operated by any person

engaged in providing or operating such facilities for the transmission of interstate or foreign communications

or communications affecting interstate or foreign commerce” [removed by 2002 amendment: “and such term

includes any electronic storage of such communication”]…[removed by 1994 amendment: “, but such term

does not include the radio portion of a cordless telephone communication that is transmitted between the

cordless telephone handset and the base unit”].

N. CASE LAW APPLYING THE WIRETAP ACT.

Case law has applied the Wiretap Act only to:

• real-time interception (before the “destination”)

• of aural communications (i.e., not security-camera video, photos, or text messages)

• using an instrumentality of interstate commerce

• without consent (consent may be inferred, and is sometimes vicarious) - If any one party consents, recording is legal.

• in states that do not have a marital exception (some courts infer Congressional reluctance to regulate domestic matters, which are best left to states).

Does not ever include stored voicemail. 18 U.S.C. 2510(1) (2001).

O. WHERE IS THE “WIRETAP?”

Much of what people think violates the Wiretap Act does not actually violate the Wiretap Act. Wiretap

case law only applies to real-time interception (before the “destination”) of aural communications (i.e., not

security-camera video, photos, or text messages) using an instrumentality of interstate commerce without

consent. Where surveillance software is installed, wiretap law is inapplicable.

Much of what people think violates the Stored Communications Act does not. ECPA’s Title II applies only

to “stored” communications, and does not require excluding evidence, and Title III is merely a list of

exceptions.

Therefore, the careful snooper has generally not violated federal criminal law by installing surveillance

software. Since the careful snooper has not committed a tort, either, the evidence gets in, and the snooper is

not punished at all.

Applying these principles, there seems to be a Magic Moment: communications lose wiretap protection at

the recipient’s ISP; the last node that services the public.

P. CASES ALLOWING SURVEILLANCE SOFTWARE EVIDENCE

–US v. Turk, 526 F.2d 654 (5th Cir. en banc 1976);

–Steve Jackson Games, Inc. v. US Secret Service, 36 F.3d 457 (5th Cir. 1994);

–United States v. Moriarity, 962 F. Supp. 217, 220-21 (D. Mass. 1997).

–Fraser, 135 F. Supp. 2d 623 ("The common meaning of 'intercept' is 'to stop, seize, or interrupt in

progress or course before arrival.'");

–United States v. Scarfo, 180 F. Supp. 2d 572, 581-83 (D.N.J. 2001);

–United States v. Steiger, 318 F.3d 1039 (11th Cir. 2003) “…a contemporaneous interception -- i.e., an

acquisition during flight' -- is required to implicate the Wiretap Act with respect to electronic communications.”

Also, In re Doubleclick, Inc., 154 F. Supp. 2d 497, 511-13 (S.D.N.Y. 2001)

In all of these cases, the snooping was allowed, no one was punished for snooping, and the evidence got

in.

Q. MARITAL EXCEPTION: ANOTHER REASON TO ALLOW THE WIRETAP EVIDENCE

Even if the communication were an actual wiretap, some courts (2nd and 5th circuits) refuse to punish a

spouse, presuming that “marital harmony” authorizes the wiretap. Consent is irrelevant; marriage itself

trumps lack of consent. Marital taps always get in and the tapper goes unpunished; non-marital taps never

get in, and the tapper is jailed.

The most widely discussed is Simpson, in which a husband could introduce recordings he tapped from

his estranged wife’s phone. This case has been criticized, since marital harmony is nonsense when the

purpose is to get evidence for a divorce. (Does Simpson represent an archaic view of women and of

marriage?) The Simpson court assumes Congress wants to leave “marriage” to the states, and therefore that

Congress intended to exclude marriages from its Wiretap Act.

R. IMPLIED CONSENT, VICARIOUS CONSENT, INTERSPOUSAL IMMUNITY, AND “MARITAL HOME”

Some courts have created doctrines of implied consent, vicarious consent, inter-spousal immunity, and

“marital home” exceptions. 18 U.S.C. § 2510(5)(a)(i).

In the 2nd and 5th Circuits: (Most of these are actual wiretaps, and not surveillance software.)

Simpson v. Simpson, 490 F.2d 803 (5th Cir. 1974); Farr 940 P.2d 679 (Wa. Ct. App. 1997); Heggy v.

Heggy, 944 F.2d 1537 (10th Cir. 1991), cert. denied 503 U.S. 951 (1992); Robinson v. Robinson, 499 So.2d

152 (La. Ct. App. 1986); Heyman v. Heyman, 548 F. Supp. 1041 (N.D. Ill. 1982); Anonymous v. Anonymous,

558 F.2d 677 (2nd Cir. 1977); London v. London, 420 F. Supp. 944 (S.D.N.Y. 1976); Schieb;

Newcomb, 944 F.2d at 1536; White v. White (781 A.2d 85, from New Jersey); M.G. v. J.C., 603 A.2d 990;

Scott v. Scott, 649 A.2d 1372; Cacciarelli v. Boniface, 737 A.2d 1170.

No one gets punished for tapping a spouse, and evidence gets in.

In the 4th, 6th, 8th, 10th Circuits: There is no marital exception; nonconsensual wiretapping is illegal, and all

consensual wiretapping cannot be excluded.

Pritchard v. Pritchard, 732 F.2d 372 (4th Cir. 1984); Kratz v. Kratz, 477 F. Supp. 463 (E.D. Pa. 1979); USA v.

Jones, 542 F.2d 661 (6th Cir. 1976); Turner v. P.V. Int'l Corp., 765 S.W.2d 455 (Tex. Ct. App. 1988); People

v. Otto, 831 P.2d 1178 (Ca. 1992); Kempf v. Kempf , 868 F.2d 970 (8th Cir. 1989); Collins v. Collins, 904

S.W.2d 792 (Tex. Ct. App. 1995); Platt v. Platt, 951 F.2d 159 (8th Cir. 1989); Ransom v. Ransom, 324 S.E.2d

437 (Ga. 1985); and Markham v. Markham, 272 So. 2d 813 (Fla. 1973).

This “general rule” can produce bizarre results, too, since consent trumps everything.

S. VICARIOUS CONSENT

Consent may be inferred from joint ownership of the computer. If the person who owns the computer

does not consent, but someone with authority over that person does consent, then consent to the surveillance

may be found. This situation generally arises when a child refuses to allow surveillance into a computer, but

a parent with custody over the child does consent. Although parents suspected of abuse are not allowed to

record or surveil conversations between their children and Child Protective Services, “Vicarious consent” does

allow a custodial parent to record the child’s conversations, if the court believes the reason for the wiretap

was the child’s welfare or best interests.

Remarkably, the custodial parent can generally record (tap) anyone’s – including the non-custodial

parent’s - conversations with the child anywhere, even if all parties to the conversation are unaware of the

recording. The custodial parent’s vicarious consent is enough.

Some courts have granted summary judgment to custodial parents who recorded minor children's

telephone conversations with non-custodial parents: Thompson v. Dulaney, 970 F.2d 744, 748 (10th Cir.

1992); Pollock v. Pollock, 975 F. Supp. 974 (W.D. Ken. 1997); Silas v. Silas, 680 So. 2d 368 (Ala. Civ. App.

1996); Cacciarelli v. Boniface 737 A.2d 1170 (N.J. Sup. Ct. Ch. Div. 1999); Campbell v. Price, 2 F. Supp. 2d

1186 (E.D. Ark. 1998); and State v. Diaz, 706 A.2d 264 (N.J. Super. Ct. App. Div. 1998).

T. STORED COMMUNICATIONS ACT, ECPA TITLE II

•18 U.S.C. § 2701: Stored Communications

(a) Except as provided in subsection (c) of this section whoever –

(1) intentionally accesses without authorization a facility through which an electronic communication

service is provided; or

(2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents

authorized access to a wire or electronic communication while it is in electronic storage in such system shall

be punished as provided in subsection (b) of this section.

18 U.S.C. § 2702 imposes a confidentiality obligation on ISPs, but there is a very broad “good faith”

exception.

If you recall the description of how the Internet sends messages (section IV. B of this paper), you will

recognize that (in general) the subject of the surveillance does not own the server. For example, if the subject

of the surveillance must dial-up or visit a web site to download some email, the email will be stored at a server

until downloaded. Once downloaded onto a personal computer where surveillance software finds them, the

files are not obtained from a facility “through” which they are traveling. Also, if the snooper is authorized to

access the facility, then there is no violation to snooping into “private” files under the Stored Communications

Act.

In other words, the protections of the Stored Communications Act only extend until the “Magic Moment” when

the email reaches the last server – which is fine if your firm owns the server, but if you outsource to an ISP (or

use Yahoo or Google) then you are relying on them to keep your confidence. Even if you use Secure Sockets

Layer 7 (SSL7) encryption, you are relying on your ISP/ASP. SSL7 generally only works between servers;

the emails are already decrypted when you download them.

The Stored Communications Act (ECPA Title II) only protects the data while it is stored by one of those

intervening nodes. It might apply while the data is stored at your ISP’s server. However, it does not protect

data that has been downloaded to your computer. And that is where surveillance software finds it.
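
The hop-by-hop point above can be checked from a message's own trace headers. The following Python is an added example, not part of the original paper: it reads the Received headers of a constructed sample message and reports which links were encrypted in transit and which servers nonetheless held readable text. The `.example` hosts and addresses are made up, and the TLS test relies on the RFC 3848 `with ESMTPS`-style keywords that mail servers write into those headers.

```python
import email
import re

# Constructed sample message (not real traffic). Each server prepends its own
# Received header, so the newest hop appears first in the raw text.
SAMPLE = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby mailstore.isp.example with LMTP id abc123
\tfor <partner@firm.example>; Thu, 15 May 2008 09:00:03 -0500
Received: from smtp.client.example (smtp.client.example [198.51.100.7])
\tby mx.isp.example with ESMTPS id def456
\tfor <partner@firm.example>; Thu, 15 May 2008 09:00:02 -0500
Received: from desktop.client.example (desktop.client.example [203.0.113.5])
\tby smtp.client.example with ESMTP id ghi789;
\tThu, 15 May 2008 09:00:01 -0500
From: client@client.example
To: partner@firm.example
Subject: Settlement figures

Our bottom line is $250,000.
"""

# RFC 3848 "with" keywords that record a TLS-protected transfer.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}

HOP_RE = re.compile(
    r"(?:\bfrom\s+(?P<src>\S+).*?)?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)"
)


def trace_hops(raw):
    """Return the delivery path, oldest hop first, with a TLS flag per link.

    Received headers are written by the servers themselves, so headers added
    before the message reached a server you trust can be forged.
    """
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        match = HOP_RE.search(flat)
        if not match:
            continue
        proto = match.group("proto").upper()
        hops.append({
            "from": match.group("src"),
            "by": match.group("dst"),
            "protocol": proto,
            "tls": proto in TLS_PROTOCOLS,
        })
    return hops


def cleartext_locations(raw):
    """List servers that received the message and the links that lacked TLS.

    Transport encryption ends at each receiving server, so every "by" host
    handled the message in whatever form the sender's mail program produced.
    """
    hops = trace_hops(raw)
    servers = [hop["by"] for hop in hops]
    unencrypted_links = [(hop["from"], hop["by"]) for hop in hops if not hop["tls"]]
    return servers, unencrypted_links


def body_is_end_to_end_encrypted(raw):
    """True only if the content itself is encrypted (PGP or S/MIME)."""
    msg = email.message_from_string(raw)
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":  # PGP/MIME
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        return msg.get_param("smime-type") == "enveloped-data"
    payload = msg.get_payload()
    return isinstance(payload, str) and "-----BEGIN PGP MESSAGE-----" in payload


if __name__ == "__main__":
    for hop in trace_hops(SAMPLE):
        link = "TLS" if hop["tls"] else "no TLS"
        print(f'{hop["from"]} -> {hop["by"]}: {hop["protocol"]} ({link})')
    servers, weak_links = cleartext_locations(SAMPLE)
    if not body_is_end_to_end_encrypted(SAMPLE):
        print("Readable at rest on:", ", ".join(servers))
    print("Links without transport encryption:", weak_links)
```

In the sample, only the server-to-server link is encrypted, and the message text is still readable on all three servers because the body itself was never encrypted.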

U. EVEN IF APPLICABLE, THE SCA HAS NO EXCLUSION FROM EVIDENCE

The SCA has no explicit exclusion of evidence provision. The remedies are set forth in the statute itself:

civil damages are available under § 2707, and are discretionary, not mandatory, in that the court “may” (not

“shall”) award damages of only $1000. Also, criminal prosecution for the snooper is available under §

2701(b), with incarceration up to two years. However, there is no exclusion from evidence under 2518(10)(c).

In fact, § 2707's civil cause of action and § 2701(b)'s criminal penalties are the only judicial remedies and

sanctions. § 2708, entitled 'Exclusivity of Remedies,’ should prevent exclusion from evidence.

V. ECPA’S EXCEPTIONS: TITLE III

What about Title III? Can Title III preclude admissibility of the snooped evidence? In a word, no. Title III

eliminates protection for some of what most people know is being recorded: pen registers, and

“attributes” used for routing, may be freely accessed. The government can access this freely, but

(theoretically) is supposed to notify a federal judge (who cannot object, and who cannot notify even the

Congress that the info has been accessed). (Includes Carnivore-type email filters.) Title III also immunizes

switchboard operators, agents of communications service providers, and some governmental employees,

who get information as part of their jobs.

One interesting aspect of Title III is that it does not mention spouses. Spouses would therefore be

prohibited from tapping phones and hacking ISPs, just like everyone else. It is on this basis that Simpson has

been criticized.

W. OTHER LAWS SURVEILLANCE MIGHT VIOLATE

Congress has enacted many different privacy laws. Most of these depend on the type of information

being surveilled, which is problematic, since only those who have seen the information are in a position to

know whether the information was to be protected. For example, after Judge Robert Bork’s videotape rentals

were made known during his confirmation hearings, Congress enacted statutory protection for records of

videotape rentals. However, there is no presumption that files on a computer system within a video rental

business are protected from surveillance or disclosure; some records may pertain to inventory or other

matters distinct from customer records. One would have to look at a particular file and see the records, and

recognize the records as pertaining to videotape rental, before realizing that the records were protected. Of

course, then it would be too late.

Here are a few laws that might be violated by surveillance software (this list is far from exhaustive): Bank

Secrecy Act; Cable Communications Policy Act (1984) – Privacy of Subscriber info; CALEA; CAN-SPAM Act:

18 U.S.C. § 1037 (2003); CAPPS II – airline passenger data; Children's Online Privacy Protection Act of

1998, 15 U.S.C. 6501-6503 (2002) ; Drivers Privacy Protection Act (1994), 18 U.S.C. 2721-2725 (2002) ;

Electronic Communications Privacy Act (1986), 5 U.S.C. 552a (2002); Electronic Fund Transfer Act; Fair and

Accurate Credit Transactions Act (2003); Fair Credit Reporting Act; Family Educational Rights and Privacy

Act (1974) 20 U.S.C. 1232g (2002); Federal Communications Act, 47 U.S.C. § 605 (1934; 1994); FRCA;

HIPAA Privacy Rules (April 14, 2004); Home Equity Loan Consumer Protection Act; Homeland Security Act

(2003); HR 1731 (2004), HR 2036 (2003), 45 CFR 164.308(a)(6)(ii); No Child Left Behind Act (2001); Privacy

Act (1974), 18 U.S.C. 2510-2522, 2701-2709 (2002); Privacy Protection Act (1980); Right to Financial Privacy

Act (1978); Telecommunications Act (1996) (in particular, Section 222); USA PATRIOT Act (2001); Video

Privacy Protection Act (1988) (“Bork”) 18 U.S.C. 2701 (2002); Wireless Communications and Public Safety

Act (1999) – privacy aspects of E911; 5 USC 552a (b) and (g); 15 USC 1693, 1666, 6102-07, 5701, 5711-

13, 5721, 5724; 18 USC 1028(a)(5), 1028(a)(7), 1029, 1030(a)(4), 1301-03, 1343 , 1344, 1956, 1957, 2326,

2510-2522, 2721; and 39 USC 3005, 1341-45.

X. USE OF A HOME COMPUTER

Remember that when you are using your home computer to access your work computer, software can be

downloaded. There are interesting questions of law relating to whether an employee who uses a home

computer to “telecommute” or work remotely has consented to the employer’s installation of surveillance

software on that employee’s home computer. Most people have information on their home computer that they

consider private.

Don’t use your home computer to blog. If you get involved in litigation, you don’t want to have to turn over

your private computer, which can have personal banking and other personal information.

Y. EUROPEAN PERSPECTIVE

Europe doesn’t try to segment types of personal information into little boxes. All personal info is

protected. I love the ponderousness of this type of language (“designed to serve man”):

The European Union’s Directive 95/46/EC of 1995: “Whereas data-processing systems are designed to

serve man; whereas they must, whatever the nationality or residence of national persons, respect their

fundamental rights and freedoms, notably the right to privacy,…”

VIII. FACEBOOKING

A. FACEBOOKING LAW FIRM EMPLOYEES

Many young people, including law students and other potential employees, have joined social networking

sites such as Facebook and MySpace. There, they and their friends post potentially embarrassing vacation

and party photos (e.g., drunk or in other embarrassing situations), personal stories, resumes with education,

work history, career interests, favorite music, favorite movies, family information, blog entries, links to profiles

of their friends, etc. which they publish without any hesitation. You can find out about the student’s race,

religion, political views, etc. Using these sites to conduct an investigation into someone’s background is

called “Facebooking.” By facebooking a potential employee, you might find answers to all of those

questions you are not supposed to ask during an interview, such as age, health and physical disability, sexual

orientation, marital status, or whether they have children.

Of course, you can also search Facebook for potential employees. (Remember, though: when I say “you

can…” I am referring to a technical feasibility, not to a legal or ethical authority.)

(1) Is facebooking unethical?

(2) Is it illegal? If you don’t offer a candidate a job, can the fact that you have facebooked the candidate

create a labor-law liability?

(3) Can it lead to tort liability? For example, if a candidate for a job were of a non-White race, and if there

were photos posted on the candidate’s Facebook page, and if you did not offer the candidate a job, could you

be sued for discrimination? What if the Facebook page revealed that the candidate had children, or smoked

cigarettes, or had done drugs?

(4) Would the Fair Credit Reporting Act require you to disclose that information found on Facebook was the

basis for the decision?

(5) Does it violate Facebook’s Terms of Service, restricting use of the web site to “noncommercial” activities?

You are not posting anything commercial, but you are using information commercially. What should the terms

of service be interpreted as prohibiting? Are you “exceeding authorized access” under the Federal Computer

Fraud And Abuse Act?

(6) Is it a tort? Parties to a transaction (e.g., employment) are not generally covered by the tort of

interference with a business transaction; only third-parties can be liable for this tort.

(7) Is it bad PR? If a potential employee can determine that you visited his/her blog after getting his/her

resume, and he/she has posted something personal that is ripe for a discrimination claim, word can spread

that you have discriminated, even if you haven’t.

B. ON THE OTHER HAND,

(1) Does participation in a social networking site waive some expectations of privacy?

(2) Should ordinary youthful stupidity be more heavily penalized in this generation than in previous ones,

simply because in the modern surveillance society more is recorded?

(3) How much research into a potential employee’s background is appropriate, given the ubiquity and ease of

modern online research tools? Might you be liable for negligent hiring if you don’t facebook your potential

employees?

IX. ETHICS OF COMPUTER SECURITY

Law firms are businesses. Many businesses face security breaches, and many have statutory (HIPAA,

GLBA, etc.) as well as ethical obligations to safeguard confidentiality of information on their customers and

clients. However, many law firms are not even aware of these developments in corporate security. In

other words, many attorneys conceptually understand the need to protect confidences, but have a hard time

implementing procedures.

A. HERE’S A QUIZ:

(1) Do you really encrypt everything that is confidential?

(2) Could someone in your office – but on the other side of an ethical wall – look at the documents you’ve saved to the firm server, even if only by accident? (If someone on the other side of the ethical wall searched for a document using keywords, would your documents be hit? Even if that person didn’t look at the document, would the fact of the search show up on electronic discovery as a breach of the ethical wall?)

(3) If a document were deleted from the firm server, would you be able to recover/know?

(4) Have you discussed security with an IT person lately? (There is always something new to learn, and a conversation can make the IT people more comfortable bringing problems to your attention.)

(5) How long has it been since anyone at your firm got any security training?

(6) If you lost your ability to send/receive email, or check your online phone contacts list, could you operate until the system were restored?

(7) How long/complicated is your password?

(8) How long has it been since you ordered your own IT staff to try to break into your system or hired an outside expert to do so? How long has it been since you’ve tested your firewalls, virus software, etc.?

(9) What consequences does your firm attach to someone who is sloppy about security (e.g. mandatory training, seating them temporarily in a less comfortable office, etc.)?

(10) How long has it been since you’ve discussed recent CNN-reported security breaches, much less breaches reported in media only your IT guys would read?

(11) Has a child ever used your computer? (Children download a lot of games, which often have spyware.)

(12) Have you ever sent storage media to opposing counsel, a court, an expert witness, or anyone subject to discovery? (Think: data recovery, if the disks had ever previously been used for anything else.)

(13) Do you send unencrypted email? Do you know how to encrypt email?

(14) What security measures did you take the last time an employee left your firm? Did you make everyone change his or her passwords? (When I worked for a large firm, I knew the passwords of some of my coworkers, including secretaries.)

(15) Have you polled your workforce to see if anyone has any security-related suggestions? (Receptionists, mailroom personnel, and janitors often notice security problems.)

(16) If someone tried to access your system, would you know?

(17) If you had a crash, would you reinstall from a floppy?

B. OTHER SECURITY SUGGESTIONS

(1) Encrypt. Partition. Backup. Discuss. Train. Plan.

(2) Require long and complicated passwords that are changed frequently to access files.

(3) Notify staff that you will try to break, and search for, their passwords – make people worry that you will catch them being sloppy, even if there is no breach. Make people paranoid about insiders. Make them sign your security procedures. Attach consequences.

(4) Discuss publicized security breaches so staff will know breaches do occur – make people paranoid about outsiders. Train, educate staff, including sending some to security courses. No children on computers; no storage media to opposing counsel.

(5) Notify staff that email is not particularly secure.

(6) Plan for employee termination – make everyone change all passwords.

(7) Ask staff for suggestions; they may know of weak areas.

(8) Technology: install and test firewalls, virus software.

(9) Check access logs and access rights. Unusual accesses may actually be a hacker.

(10) Write-protect program files on floppies. You don’t want a virus affecting your “reinstall” software.

(11) Plan for disasters – power-surge protection, offsite backups.

C. FINAL EXAM: WHICH OF THESE ACTIVITIES IS ETHICAL?

(1) Bringing, or letting a secretary bring, a family member into the office on a weekend, and letting the family member wander around the office or use an Internet-connected computer. (Unauthorized downloads)

(2) Keeping archived computer disks in an offsite mini-storage secured with a padlock. (Easy break-ins)

(3) Using a notebook computer whose operating system does not require a password.

(4) Using a screen-saver that does not include a confidentiality warning or password.

(5) Changing passwords every three months, every year, or whenever you think of it. (How often is enough?)

(6) Using a 10-letter word and a numeral as a password. (How long/complicated is enough?)

(7) Using one hard-to-guess password (or similar passwords) on more than one system. (Better to use many.)

(8) Writing passwords near the computer (e.g. in a purse left in the office during lunch).

(9) Forwarding emails from a secure firm email account to a personal/home email computer so you can work from home over the weekend.

(10) Leaving computers in a client’s conference room while going out to lunch with the client.

(11) Giving any media (e.g., disks) to a client or opposing counsel.

(12) Checking email from a client’s, hotel’s, coffee shop’s, or Kinko’s computer or WAP (does the computer have key-logging software installed? Does it matter whether a VPN is used?)

(13) Using remote technical assistance.

(14) Letting a child use a computer that is sometimes used for confidential communications.

(15) Working from home from a computer on which your personal bank, credit card companies, etc. have put cookies.

(16) Under-use/over-use of confidentiality warnings on faxes and email signature-files.

(17) Shredding paper files (note: technology allows reassembly of paper shreds!).

(18) Using an online server, such as Yahoo Briefcase, to store files. (Gmail offered 1 GIG, now unlimited!).

X. USE OF ETHICAL WALLS WITHIN A FIRM, WHERE ALL ATTORNEYS SHARE A DOCUMENT SERVER

A. FACTUAL SITUATION

Many large firms, and a few small firms, attempt to isolate a lawyer or other employee who has a potential

conflict from exposure to facts of a case. For example, if an associate who has worked on a particular case

moves to a firm that is adverse with respect to that particular case, the new firm might try to isolate the

associate from contact with information on the case. Other attorneys are warned not to discuss the case with

that associate, and that associate is warned not to discuss the case with anyone at the firm.

Sometimes, attorneys in one office of the firm have represented one party to a present litigation, and now

attorneys in another office of the firm want to represent the other party. As long as the two groups of

attorneys have not discussed the case or anything that could be relevant to the case, many firms will create

an “ethical wall” to separate the groups of attorneys. The problem, however, arises when the group of

attorneys who will continue representing the client searches for a document on the firm’s computer system,

and accidentally finds and reads a confidential document created by the other group of attorneys.

A similar situation can arise when firms merge. Litigation can be so complex and involve so many parties that

a conflict (and a need for an ethical wall) might not be discovered until after the law firms have begun sharing

office space and other facilities, such as a document management system that allows document searching.

Ethically, informed client consent can theoretically allow attorneys of a firm to work adversely, on opposite

sides of a case, even though they remain part of the same firm. The problem, however, is that the associate

continues to share access to a computer system. Sometimes attorneys at the old firm might email the

associate a quick question, or the associate might have brought forms to the firm that contain confidential

information pertaining to the former representation. Also, if documents and files are stored in the same file

room, secretaries and others who are not familiar with the matter might accidentally grab a document or file

from the other side of the ethical wall.

B. TDRPC 1.06: CONFLICT OF INTEREST: GENERAL RULE

(a) A fundamental principle recognized by paragraph (a) is that a lawyer may not represent opposing

parties in litigation. …

(b) In other situations and except to the extent permitted by paragraph (c), a lawyer shall not represent a

person if the representation of that person:

- (1) involves a substantially related matter in which that person’s interests are materially and directly

adverse to the interests of another client of the lawyer or the lawyer’s firm; or

- (2) reasonably appears to be or become adversely limited by the lawyer’s or law firm’s responsibilities to

another client or to a third person or by the lawyers [lawyer’s] or law firm’s own interests.

(c) A lawyer may represent a client in the circumstances described in (b) if:

- (1) the lawyer reasonably believes the representation of each client will not be materially affected; and

- (2) each affected or potentially affected client consents to such representation after full disclosure of the

existence, nature, implications, and possible adverse consequences of the common representation and the

advantages involved, if any.

C. TDRPC 1.06, COMMENT 2:

A fundamental principle recognized by paragraph (a) is that a lawyer may not represent opposing parties

in litigation. …

E. FINAL THOUGHTS

Can an “ethical wall” really be constructed within any firm, where all lawyers of the firm share the same

computer network? What does it mean for the files to be stored separately?

When one attorney in a firm has a conflict prohibiting representation of a client, the firm might decide to

continue to represent the client after circulating an email notifying the other members of the firm to “screen”

the conflicted attorney from any information relating to the case – but all members of the firm, including the

conflicted attorney, continue to use the same computer network.

One approach might be to set up a document management system to “password-protect” all documents

related to a case that were created by the attorneys who are no longer authorized to work on the case. Such

documents might also be removed from the document management system and stored on backup tapes.

Merely telling the personnel not to discuss the case might be inadequate when the personnel share the same

computer system.
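As an added illustration (not part of the original paper), the sketch below shows what enforcing an ethical wall inside a shared document system could look like: the screen is applied to keyword search as well as to opening a file, and every suppressed hit or refused open is recorded for review. The class, user and matter names are hypothetical, and the documents are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Document:
    doc_id: str
    matter: str   # client matter the document belongs to
    text: str


@dataclass
class WalledStore:
    """Toy document store that enforces per-matter screening on search and open."""
    documents: dict = field(default_factory=dict)   # doc_id -> Document
    screened: dict = field(default_factory=dict)    # matter -> set of screened users
    audit_log: list = field(default_factory=list)   # reviewed by whoever polices the wall

    def add(self, doc):
        self.documents[doc.doc_id] = doc

    def screen(self, matter, user):
        self.screened.setdefault(matter, set()).add(user)

    def _allowed(self, user, doc):
        return user not in self.screened.get(doc.matter, set())

    def search(self, user, keyword):
        """Return only hits the user may see; log, but never reveal, walled matches."""
        hits, suppressed = [], set()
        for doc in self.documents.values():
            if keyword.lower() not in doc.text.lower():
                continue
            if self._allowed(user, doc):
                hits.append(doc.doc_id)
            else:
                suppressed.add(doc.matter)
        for matter in sorted(suppressed):
            self.audit_log.append(("search_suppressed", user, matter, keyword))
        return sorted(hits)

    def open_document(self, user, doc_id):
        """Return the text, or refuse and record the attempt."""
        doc = self.documents[doc_id]
        if not self._allowed(user, doc):
            self.audit_log.append(("open_denied", user, doc.matter, doc_id))
            raise PermissionError(f"{user} is screened from matter {doc.matter}")
        return doc.text


def build_demo_store():
    # Constructed sample data: two matters, one screened associate.
    store = WalledStore()
    store.add(Document("D-1", "matter-acme", "Draft settlement terms for Acme"))
    store.add(Document("D-2", "matter-other", "Settlement checklist template"))
    store.screen("matter-acme", "associate_a")
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(s.search("associate_a", "settlement"))  # walled document is not listed
    print(s.search("partner_b", "settlement"))
    print(s.audit_log)
```

The audit log is what answers the quiz question about whether a search across the wall would later surface in electronic discovery: the firm sees the attempt, while the screened user sees nothing from the walled matter.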

XI. HACKS

Many attorneys seem to be unaware of some of the less publicized computer security threats, so I would

like to mention a few that I think are very clever or interesting. Many hackers are incredibly clever and

innovative in their ability to see vulnerabilities that many experts simply don’t see.

A. SESSION HIJACKING

Have you ever been browsing a web site and inexplicably been logged off of it? It might be worse than

annoying to have to log back in.

A bad guy might have installed a malware script onto any web site that you visit that requires a password:

a bank’s web site, a web-based email web site, a bar association web site, etc. The script includes a popup

that is full-screen size: it looks like the web site’s login page, and makes you think that you have lost your

connection or that your session has expired; it asks you to log in again. The bad guy then gets your

password.

This might seem like a too-simple-to-work technique, but it has made the news.

B. CROSS-SITE SCRIPTING

Hypo:

While you are logged into one web site that requires a password, you open a second window in which

you visit a second web site. The second web site has been infected with a malware script. The malware

script executing in the second window copies your session ID, password, or cookies that the web site in the

first window has placed on your computer. The bad guy then gets your password. (Don’t think that the bad

guys are only interested in what you have intentionally stored on your hard drive.)

For example, let’s say that you want to check your bank balance on line. You go to the bank’s secure

web site and enter your account number, user name and password. Your bank now places a temporary

session cookie on your computer, one that will expire or be deleted soon. But while you are on that web site,

you open a second window in which you check the latest sports scores. The web site in the second window

is infected; its malware copies your session cookies. If a crook moves fast, your account can be vulnerable.

Example:

It is still uncertain how serious a JavaScript flaw in Gmail is, and whether it has been fixed completely. The

flaw allows spammers to harvest contact details from a user's account by launching a cross-site scripting

attack. To exploit the flaw, the hacker adds a piece of code to their website server, which in turn gives them

access to the Gmail contacts of passing browsers, if users are signed in to their Gmail account.

http://community.zdnet.co.uk/blog/0,1000000567,10004743o-2000331828b,00.htm

Tech solution:

If you visit a web site that requires login information, don’t visit any other web sites until you have logged

out of that web site.
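On the web site operator's side, the session cookie in the bank scenario above can be issued with attributes that limit what a script or another site can do with it. The following is an added example, not from the original paper: it audits a `Set-Cookie` value for those attributes and builds a hardened one with Python's standard `http.cookies` module; the cookie name, token and header values are constructed.

```python
from http.cookies import SimpleCookie

# What each missing attribute exposes in the two-window scenario above.
CHECKS = {
    "httponly": "readable by script in the page (document.cookie)",
    "secure": "sent over unencrypted HTTP",
    "samesite": "attached to requests started by other sites",
}

# Constructed example of a weak header: no protective attributes at all.
WEAK_HEADER = "session=c0nstructedT0ken; Path=/"


def audit_set_cookie(header_value):
    """Map each cookie in one Set-Cookie value to the list of weaknesses found."""
    jar = SimpleCookie()
    jar.load(header_value)
    report = {}
    for name, morsel in jar.items():
        problems = [why for attr, why in CHECKS.items() if not morsel[attr]]
        # SameSite=None explicitly opts back in to cross-site sending.
        if morsel["samesite"].lower() == "none":
            problems.append(CHECKS["samesite"])
        report[name] = problems
    return report


def hardened_session_cookie(token, max_age=900):
    """Build a Set-Cookie value for a short-lived, restricted session cookie."""
    jar = SimpleCookie()
    jar["session"] = token
    morsel = jar["session"]
    morsel["path"] = "/"
    morsel["max-age"] = max_age      # expires after 15 minutes by default
    morsel["httponly"] = True        # hidden from page scripts
    morsel["secure"] = True          # HTTPS only
    morsel["samesite"] = "Strict"    # not sent on requests from other sites
    return morsel.OutputString()


if __name__ == "__main__":
    print(audit_set_cookie(WEAK_HEADER))
    good = hardened_session_cookie("c0nstructedT0ken")
    print(good)
    print(audit_set_cookie(good))
```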

C. REDIRECTS

A bad guy creates a web site that is identical to a web site you visit frequently that requires a password to

access. The bad guy then inserts a single line of code into the actual web site that you want to visit, which

redirects visitors to the fake web site.

There really isn’t much you can do about this. Even if you type the URL into the address bar, you can

wind up going to the bogus site.

D. EXTRANETS

An extranet is a web site or other computer system that can be accessed by many people securely from

outside. For example, many firms allow their clients (or co-counsel) to access documents on the firm’s

document system. To anyone with a password, the extranet looks like a web site. To anyone else, access is

denied. The client-accessible area can be physically stored with your own documents, or can be separate. It

can overlap with your own internal document system. Extranets can be compromised, and sometimes

exploited by hackers.

There are a lot of things that can go wrong with an extranet, including uploading and downloading

infected files. Since I mentioned extranet previously in this paper, I want to mention that security can be a

problem.