hot topics in legal ethics - emlf 6 – 1 energy & mineral law foundation 2017 annual institute...
TRANSCRIPT
Paper6–1
Energy&MineralLawFoundation2017AnnualInstitute
HotTopicsinLegalEthics
DavidG.RiesClarkHillPLCPittsburgh,PA
April,2017
This interactive session explores selected high profile ethics issues that attorneys are facingtoday. Using hypotheticals, it will cover competence, confidentiality, e-mail, marketing, socialmediaandmore.
I.AmericanBarAssociationDevelopmentsandResourcesA. ABAModelRulesofProfessionalConduct1
• CurrenteditionofModelRulesisthe2016edition.
• Nowserveasmodelforrulesin49states(allbutCalifornia)andintheDistrictofColumbiaandtheVirginIslands.CaliforniaisintheprocessofadoptingrulesbasedontheModelRules.
• RulesandCommentsareamendedperiodicallybytheABA.
• Ittakestimeafteramendmentsforthevariousstatestoconsiderthemandeitheradopt,partiallyadopt,orrejectamendments.
• StaterulesvaryfromModelRulesinbothminorandsignificantways.
• It’scriticaltoconsulttherulesandcommentsadoptedbytherelevantstate(s).
B. ABACenterforProfessionalResponsibility
• ABACenterfocusingonlegalandjudicialethics,professionalregulation,professionalism,andclientprotection.
• WebsiteincludestheABAModelRulesandComments,ABAEthicsOpinions,andlinkstoethicsresources,includingstateethicsresources.www.americanbar.org/groups/professional_responsibility.html
1CopiesofthecurrentABAModelRules,withcomments,areavailableontheABAwebsiteatwww.americanbar.org/groups/professional_responsibility.html(clickon“Resources,”thenon“ModelRulesofProfessionalConduct”)andprintcopiesareavailablefromtheABAServiceCenter,750NorthLakeShoreDrive,Chicago,IL60611-4497,1-800-285-2221.
Paper6–2
• ABA/BNALawyer’sManualonProfessionalConduct(printandonlinereferencemanual,withbiweeklycurrentreports).www.bna.com/products/lit/mopc.htm
C. ABAETHICSearch
• AresearchserviceforlawyersthatprovidescitationstorelevantABArules,ethicsopinions,andotherethicsresourcesrelatedtoinquiriesmadetoit.www.americanbar.org/groups/professional_responsibility/services/ethicsearch.html
• Nochargeforbasicresearch;chargesformoreadvancedsearches.
D. ABACommissiononEthics20/20
• Appointedin2009toperformathoroughreviewoftheABAModelRulesofProfessionalConductandtheU.S.systemoflawyerregulationinthecontextofadvancesintechnologyandgloballegalpracticedevelopments.
• LastcomprehensivereviewbeforeitwastheEthics2000Commission.
• SubmittedproposalsforconsiderationattheABA2012AnnualMeeting,includingTechnologyandConfidentiality,TechnologyandClientDevelopment,Outsourcing,PracticePendingAdmission,AdmissionbyMotion,andDetectionofConflictsofInterest.TheseproposalswereadoptedandtheABAModelRuleswereamendedinaccordancewiththem.
• AdditionalproposalswereapprovedattheABA2013MidyearMeeting,includingUnauthorizedPracticeofLaw;MultijurisdictionalPracticeofLaw,RegistrationofIn-HouseCounsel,ProHacViceAdmission,andChoiceofRuleforethicsanddiscipline.
• TheCommissionreferredfeedivisionandnonlawyerownershipoflawfirmstotheABAStandingCommitteeonEthicsandProfessionalResponsibilityforfurtherconsideration.
• TheCommission’sIntroductionsandOverviewsandReportsandResolutions,aswellasdetailedbackgroundinformation,areavailableontheCommission’swww.americanbar.org/groups/professional_responsibility/aba_commission_on_ethics_20_20.html
II.TheEthics20/20Amendments:CompetenceandConfidentialityTheCommissionfoundthat technologyhastransformedhowattorneyscommunicatewithclientsandhowtheyprocessandstoreinformationrelatingtoclients.Thishascreatednewissuesaboutlawyers’obligations,includingthedutytoprotectconfidentialinformation.Theamendments to Model Rules 1.1 and 1.6 require attorneys to take competent andreasonablemeasurestoprotectclientinformation.
A. ABAModelRule1.1:Competence:
“A lawyer shall provide competent representation to a client. Competentrepresentation requires the legal knowledge, skill, thoroughness andpreparationreasonablynecessaryfortherepresentation.”
Paper6–3
“MaintainingCompetence
[8]Tomaintaintherequisiteknowledgeandskill,alawyershouldkeepabreastof changes in the law and its practice, including the benefits and risksassociatedwithrelevanttechnology,engageincontinuingstudyandeducationand comply with all continuing legal education requirements to which thelawyerissubject.”
B. ModelRule1.6:ConfidentialityofInformation:
“(a) A lawyer shall not reveal information relating to the representation of aclientunless…
(c) A lawyer shall make reasonable efforts to prevent the inadvertent orunauthorizeddisclosureof,orunauthorizedaccess to, informationrelating totherepresentationofaclient.”
Comment
***
“ActingCompetentlytoPreserveConfidentiality
[18] Paragraph (c) requires aA lawyermust to act competently to safeguardinformation relating to the representation of a client against unauthorizedaccessby thirdparties andagainst inadvertentorunauthorizeddisclosurebythelawyerorotherpersonswhoareparticipatingintherepresentationoftheclientorwhoaresubjecttothelawyer’ssupervision.SeeRules1.1,5.1and5.3.Theunauthorizedaccess to,or the inadvertentorunauthorizeddisclosureof,information relating to the representation of a client does not constitute aviolationofparagraph(c)ifthelawyerhasmadereasonableeffortstopreventthe access or disclosure. Factors to be considered in determining thereasonableness of the lawyer’s efforts include, but are not limited to, thesensitivity of the information, the likelihood of disclosure if additionalsafeguardsarenotemployed,thecostofemployingadditionalsafeguards,thedifficulty of implementing the safeguards, and the extent to which thesafeguards adversely affect the lawyer’s ability to represent clients (e.g., bymakingadeviceor importantpieceofsoftwareexcessivelydifficulttouse).Aclient may require the lawyer to implement special security measures notrequiredbythisRuleormaygiveinformedconsenttoforgosecuritymeasuresthat would otherwise be required by this Rule. Whether a lawyer may berequiredtotakeadditionalstepstosafeguardaclient’sinformationinordertocomplywithotherlaw,suchasstateandfederallawsthatgoverndataprivacyor that impose notification requirements upon the loss of, or unauthorizedaccess to, electronic information, is beyond the scope of these Rules. For alawyer’sdutieswhensharinginformationwithnonlawyersoutsidethelawyer’sownfirm,seeRule5.3,Comments[3]-[4].
Paper6–4
[19]Whentransmittingacommunicationthatincludesinformationrelatingtotherepresentationofaclient,thelawyermusttakereasonableprecautionstopreventtheinformationfromcomingintothehandsofunintendedrecipients.This duty, however, does not require that the lawyer use special securitymeasuresifthemethodofcommunicationaffordsareasonableexpectationofprivacy. Special circumstances, however, may warrant special precautions.Factors to be considered in determining the reasonableness of the lawyer'sexpectationofconfidentialityincludethesensitivityoftheinformationandtheextenttowhichtheprivacyofthecommunicationisprotectedbylaworbyaconfidentiality agreement. A client may require the lawyer to implementspecial security measures not required by this Rule or may give informedconsent to the use of a means of communication that would otherwise beprohibitedbythisRule.Whethera lawyermayberequiredtotakeadditionalsteps in order to complywith other law, such as state and federal laws thatgoverndataprivacy,isbeyondthescopeoftheseRules.”
C. ModelRule5.3:ResponsibilitiesRegardingNonlawyerAssistance
Therulewasamendedtoexpanditsscope. “Assistants”wasexpandedto“Assistance,”extendingitscoveragetoalllevelsofstaffandoutsourcedservicesrangingfromcopyingservices to outsourced legal services. This requires attorneys to employ reasonablesafeguards,likeduediligence,contractualrequirements,supervision,andmonitoring,toinsurethatnonlawyers,bothinsideandoutsidealawfirm,provideservicesincompliancewithanattorney’sdutyofconfidentiality.
D. Attorneys’AdditionalDutiestoSafeguardInformation
Inadditiontothedutiesintheseethicsrules,attorneysalsohavecommonlawdutiestoprotect confidential information andmay have contractual and regulatory duties. See,“CybersecurityforAttorneys:UnderstandingtheEthicalObligations,”LawPracticeTodaywebzine (March 2012) and “Safeguarding Confidential Data: Your Ethical and LegalObligations,” Law Practice Magazine (July/August 2010). The Commission recognizedthesedutiesintheamendmentstocomments[18]and[19]toModelRule1.6.
E. Existing,NotNewObligations
TheEthics20/20Commissionnotedthattherequirementsforcompetenceintechnologyandcompetentandreasonablemeasurestosafeguardconfidentialitywerenotnew:
Rule 1.1 Comment [8]: “The proposed amendment, which appears in aComment, does not impose any new obligations on lawyers. Rather, theamendment is intended to serve as a reminder to lawyers that they shouldremainawareoftechnology,includingthebenefitsandrisksassociatedwithit,aspartofalawyer’sgeneralethicaldutytoremaincompetent.”ABACommissiononEthics20/20,ReporttoResolution105ARevised,(2012).
Rule1.6(c):“Thisduty isalreadydescribedinseveralexistingComments,buttheCommissionconcludedthat, in lightofthepervasiveuseoftechnologyto
Paper6–5
store and transmit confidential client information, this existing obligationshouldbestatedexplicitlyintheblackletterofModelRule1.6.”ABA Commission on Ethics 20/20, Report to Resolution 105A Revised,Introduction(2012).
III.CompetenceinTechnology
A.KeyRules
Rule1.1:Competence
Rule1.6:Confidentiality
Rule1.4:Communication
Rules5.1,5.2,5.3:Supervision
B.AmendedModelRule1.1Comment[8]MaintainingCompetenceincludesthefollowinginexplainingthescopeoftheduty:“…includingthebenefitsandrisksassociatedwithrelevanttechnology…”
C.Tocomplywiththedutyofcompetenceintechnology:Knowrelevanttechnology,learnit,orgetqualifiedassistance.
D.AndrewPerlman,“TheTwenty-FirstLawyer’sEvolvingEthicalDutyofCompetence,”TheProfessionalLawyer(December2014)(DeanofSuffolkUniversityLawSchoolandReporteroftheABAEthics20/20Commission):
“Just twenty years ago, lawyers were not expected to know how to protectconfidential information from cybersecurity threats, use the Internet formarketingandinvestigations,employcloud-basedservicestomanageapracticeandinteractwithclients,implementautomateddocumentassemblyandexpertsystemstoreducecosts,orengageinelectronicdiscovery.Today,theseskillsareincreasingly essential, and many lawyers want to know whether they areadaptingquicklyenoughtosatisfytheirethicaldutyofcompetence.”
Paper6–6
DeanPerlman’sexamplesofcriticalcompetencies:
1.Cybersecurity
2.InternetMarketingandInvestigations
3.EmployingCloud-BasedServices(inthepracticeoflaw)
4.LeveragingNewandEstablishedLegalTechnology/Innovation
(Examples: “automated document assembly, expert systems (e.g., automatedprocessesthatgenerate legalconclusionsafterusersansweraseriesofbranchingquestions), knowledge management (e.g., tools that enable lawyers to findinformationefficientlywithinalawyer’sownfirm,suchasbylocatingapre-existingdocumentaddressinga legal issueor identifyinga lawyerwhoisalreadyexpert inthesubject), legalanalytics(e.g.,using“bigdata”tohelpforecasttheoutcomeofcasesanddeterminetheirsettlementvalue),virtuallegalservices,andcloud-basedlawpracticemanagement.”)
E.StateBarofCalifornia,StandingCommitteeonProfessionalResponsibilityandConduct,FormalOpinionNo.2015-193.(competenceine-discovery)
Digest:
“Anattorney’sobligationsundertheethicaldutyofcompetenceevolveasnewtechnologiesdevelopandbecomeintegratedwiththepracticeoflaw.Attorneycompetencerelatedtolitigationgenerallyrequires,amongotherthings,andata minimum, a basic understanding of, and facility with, issues relating toe-discovery,includingthediscoveryofelectronicallystoredinformation(“ESI”).Onacase-by-casebasis,thedutyofcompetencemayrequireahigherleveloftechnicalknowledgeandability,dependingonthee-discoveryissuesinvolvedinamatter,andthenatureoftheESI.Competencymayrequireevenahighlyexperienced attorney to seek assistance in some litigation matters involvingESI. An attorney lacking the required competence for e-discovery issues hasthree options: (1) acquire sufficient learning and skill before performance isrequired; (2) associate with or consult technical consultants or competentcounsel;or (3)decline the representation. Lackof competence ine-discoveryissues also may lead to an ethical violation of an attorney’s duty ofconfidentiality.”
The opinion lists the following skills and resources thatmay be necessary for competenthandling of e-discovery, depending on the complexity of e-discovery in the case. If theyapplyinthecase,anattorneymusteitherhaveoracquirethenecessaryskillsorengagetheresourcestoprovidethem-eithercompetentco-counselorexpertconsultants:
1. initiallyassesse-discoveryneedsandissues,ifany;
2. implement/causetoimplementappropriateESIpreservationprocedures;
3. analyzeandunderstandaclient’sESIsystemsandstorage;
4. advisetheclientonavailableoptionsforcollectionandpreservationofESI;
Paper6–7
5. identifycustodiansofpotentiallyrelevantESI;
6. engageincompetentandmeaningfulmeetandconferwithopposingcounselconcerningane-discoveryplan;
7. performdatasearches;
8. collectresponsiveESIinamannerthatpreservestheintegrityofthatESI;and
9. produceresponsivenon-privilegedESIinarecognizedandappropriatemanner.
F. Exterro, an e-discovery service provider, recently published the results of a survey offederal judges and e-discovery attorneys.2 The survey asked judges and experiencede-discoveryattorneysabouttheirobservationsaboutattorneycompetenceine-discovery.Oneof thequestionswas“Howwouldyouassesse-discoverycompetencytodayamongattorneysascomparedtofiveyearsago?”29%ofjudgesand5%ofattorneysrespondedthat it is “MuchBetter,”while 57%of judges and64%of attorneys responded “SlightlyBetter.”Noneofthejudgesrespondedthatitis“SlightlyWorse”or“MuchWorse.”
G.MassachusettsBoardofBarOverseers,PublicReprimandNo.2013-21 (October9, 2013)(competence in e-discovery) (attorney sanctioned for violation of duties of competenceand communication for improper advice to client about duty to preserve electronicallystoredinformation,resultingincourtsanctionstoclient):
“Therespondent’sadvicetohisclienttoscrubcertainfilesfromtheharddriveofa laptopincontraventionofacourtorderconstitutedunlawfulobstructionof anotherparty’s access to evidence, in violationofMass. R. Prof. C. 3.4(a).The respondent’s failure to adequately communicate to his client hisobligations under the court order and the potential prejudice of alteringpropertysubjecttothecourtorderwasconductinviolationofMass.R.Prof.C.1.4. Finally, the respondent’s conduct of handling a matter that he was notcompetent to handle without adequate research or associating with orconferringwithexperiencedcounsel,andwithoutanyattempttoconfirmthenature and content of the proposed deletions, was conduct in violation ofMass.R.Prof.C.1.1.”
2 Exterro,2ndAnnualFederalJudgesSurvey,ViewsfromBothSidesoftheBench(February2016), www.exterro.com/judges-survey-16.
Paper6–8
IV.CompetentandReasonableSafeguardsAmended Model Rules 1.1 and 1.6 and Comments together require attorneys to takecompetentandreasonablemeasurestosafeguardinformationrelatingtoclients.
A. KeyRules
Rule1.1:Competence
Rule1.6:Confidentiality
Rule1.4:Communication
Rules5.1,5.2,and5.3:Supervision
B. CybersecurityPrograms
At the ABA Annual Meeting in August, 2014, the ABA adopted a resolution oncybersecurity that is consistent with a comprehensive approach to competent andreasonablesafeguards:3
3Availableatwww.americanbar.org/content/dam/aba/images/abanews/2014am_hodres/109.pdf.
Paper6–9
“RESOLVED,ThattheAmericanBarAssociationencouragesallprivateandpublicsector organizations to develop, implement, and maintain an appropriatecybersecurityprogramthatcomplieswithapplicableethicalandlegalobligationsand is tailored to the nature and scope of the organization and the data andsystemstobeprotected.”
C. Theresolutionrecommendsanappropriatecybersecurityprogramforallprivateandpublicsectororganizations,whichincludeslawfirms.
D. “Reasonable”Safeguards:SecurityFrameworksandStandards
1. There are numerous security frameworks, standards and guidance documentsthatcanbeusedforimplementinglawfirminformationsecurityprograms.Itisimportantto select and use one or more that fit the size of the firm and the sensitivity of theinformationtouseasanoverallapproach.Thiscanbeadauntingtaskwiththealphabetsoupofavailableresources:NIST,ISO,FTC,SANS,US-CERT,ILTAandmore.
2. The National Institute of Standards and Technology (NIST), part of the U.S.Department of Commerce, has published the NIST Framework for Improving CriticalInfrastructure,Version1.0(February12,2014).4WhiletheFrameworkisaimedatsecurityof critical infrastructure, it is based on generally accepted security principles that canapply to all kinds of businesses and enterprises, including law firms. The core securityFunctions in the Framework are “identify, protect, detect, respond and recover.” InJanuary2017,NISTpublishedadraftupdatetotheFramework.
3. TheISO27000seriesofstandards,publishedbytheInternationalOrganizationforStandardization (ISO), are consensus international standards for a comprehensiveInformationSecurityManagementSystem(ISMS), includingitselements,processes,andcontrols.5Thesystemsaredescribed in ISO/IEC27000:2014–OverviewandVocabulary.There are various additional standards in the series that provide additional details.Together,theyprovidetheoverallframeworkanddetailsforestablishing,implementing,
4. In addition to the Framework, NIST has published numerous security standardsandguidancedocumentsandperiodicallyupdatesthem.Whilecompliancewithmanyofthemisrequiredforgovernmentagenciesandgovernmentcontractors,theycanbeusedas guidancebyotherenterprises, including law firms.Manyof themare very technicaland more appropriate for government agencies and large companies (and large lawfirms),butsomearebasicandtailoredforsmallandmidsizebusinesses.
NIST Special Publication 800-53, Revision 4, Security and Privacy Controls for FederalInformation Systems and Organizations (April 2013) and standards referenced in itprovide a comprehensive catalog of controls and a process for selection andimplementationofthemthroughariskmanagementprocess.monitoring,andcontinuallyimprovinganISMS.
4www.nist.gov/itl/csd.TheFrameworkisavailableatwww.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.5www.iso.org.
Paper6–10
5. ThereareNISTstandardsandguidancedocumentsthataretailoredtosmallandmid-sizebusinesses.NIST’sSmallBusinessInformationSecurity:TheFundamentals,NISTR7621,Revision1(November2016providesNIST’srecommendationsforsmallbusinessestoestablishreasonablyeffectivecybersecurityprogramsbasedontheNISTFramework.Itdefinestypicalsmallbusinessesasoneswithupto500employees,butrecognizesthatitmayvarywiththetypeofbusiness.
6. US-CERT, a part of theU.S.DepartmentofHomeland Security, haspublishedanumber of cybersecurity resources 6 for businesses, control systems, governmentagencies,andconsumers,includingonesforsmallandmidsizebusinesses.7Theyincluderesourceslikea“ToolkitforSmallandMidsizeBusinesses”and“WhyEverySmallBusinessShouldUsetheNISTCybersecurityFramework.”
E. “Reasonable”MustBeViewedintheContextofCurrentThreats
New York State Bar Association Ethics Opinion 1019, “Confidentiality; Remote Access toFirm’sElectronicFiles,”(August,2014):
“Cyber-securityissueshavecontinuedtobeamajorconcernforlawyers,ascyber-criminals have begun to target lawyers to access client information,including trade secrets, business plans and personal data. Lawyers can nolonger assume that their document systems are of no interest to cyber-crooks.Thatisparticularlytruewherethereisoutsideaccesstotheinternalsystembythirdparties,includinglawfirmemployeesworkingatotherfirmoffices,athomeorwhentraveling,orclientswhohavebeengivenaccesstothefirm'sdocumentsystem.”
F. EncryptionofLaptopsandMobileDevices
Protection of laptops, smartphones, tablets, and other mobile devices presents a goodexampleofapplicationoftherequirementof“reasonableefforts”toaspecificcategoryoftechnology.Mobiledevicespresentagreatsecurityriskbecausetheycanbeeasilylostorstolen.TheVerizon2014DataBreachInvestigationReport(covering2013)explainstheriskandasolutiontoit–encryption–thisway:8
“PHYSICALTHEFTANDLOSSRECOMMENDEDCONTROLS
Theprimaryrootcauseofincidentsinthispatterniscarelessnessofonedegreeoranother.Accidentshappen.People lose stuff.People steal stuff.And that’snevergoingtochange.Butthereareafewthingsyoucandotomitigatethatrisk.
6www.us-cert.gov/security-publications.7www.us-cert.gov/ccubedvp/getting-started-business.8www.verizonenterprise.com/DBIR/2014.
Paper6–11
Encryptdevices
Considering thehigh frequencyof lost assets,encryption is as close to a no-brainer solution as it gets for this incident pattern. Sure, the asset is stillmissing,butat least itwill savea lotofworry,embarrassment,andpotentiallawsuitsbysimplybeingabletosaytheinformationwithinitwasprotected.”
(Emphasisadded.)
While each attorney and law firm should determine what is reasonable in theircircumstances,thisraisesthequestion:doesfailuretouseencryptionformobiledevices–ano-brainersolution–complywiththedutytoemployreasonablesafeguards?
G. EncryptionofE-Mail
Comment [19] toModelRule1.6 (quotedabove) requires attorneys to take “reasonableprecautions” to protect the confidentiality of electronic communications. Its languageabout “special securitymeasures” has oftenbeen viewedby attorneys as providing thatattorneys never need to use “special security measures” like encryption.9While it doesstatethat“specialsecuritymeasures”arenotgenerallyrequired,itcontainsqualificationsandnotesthat“specialcircumstances”maywarrant“specialprecautions.”It includestheimportant qualification – “if the method of communication affords a reasonableexpectationofprivacy.”(Emphasisadded.)Thereare,however,questionsaboutwhetherInternete-mailaffordsareasonableexpectationofprivacy.
Respectedsecurityprofessionalsforyearshavecomparedunencryptede-mailtopostcardsorpostcardswritteninpencil.10
AJune2014postbyGoogleontheGoogleOfficialBlog11
9Encryption is a process that translates a message into a protected electronic code.
The recipient (or
anyoneinterceptingthemessage)musthaveakeytodecryptitandmakeitreadable.E-mailencryptionhasbecomeeasiertouseovertime.Transportlayersecurity(TLS)encryptionisavailabletoautomaticallyencrypt e-mail between two e-mail gateways. If a law firm and client each have their own e-mailgateways,TLScanbeusedtoautomaticallyencryptalle-mailsbetweenthem.
Avirtualprivatenetworkis
an arrangement in which all communications between two networks or between a computer and anetworkareautomaticallyprotectedwithencryption.See,DavidG.RiesandJohnW.Simek,“EncryptionMadeSimpleforLawyers,”GPSoloMagazine(November/December2012).10E.g.,B.Schneier,E-MailSecurity-HowtoKeepYourElectronicMessagesPrivate,(JohnWiley&Sons,Inc.1995)p.3;B.Schneier,Secrets&Lies:DigitalSecurityinaNetworkedWork,(JohnWiley&Sons,Inc.2000) p. 200 ("The commonmetaphor for Internet e-mail is postcards: Anyone – letter carriers, mailsorters,nosydeliverytruckdrivers-whocantouchthepostcardcanreadwhat'sontheback.");andLarryRogers, Email – A PostcardWritten in Pencil, Special Report, (Software Engineering Institute, CarnegieMellonUniversity2001).11“TransparencyReport:ProtectingEmailsasTheyTravelAcrosstheWeb,”GoogleOfficialBlog(June3,2014)(“…wesendimportantmessagesinsealedenvelopes,ratherthanonpostcards.…Emailworksinasimilarway.Emailsthatareencryptedasthey’reroutedfromsendertoreceiverarelikesealedenvelopes,and less vulnerable to snooping—whether by bad actors or through government surveillance—thanpostcards.”)http://googleblog.blogspot.com/2014/06/transparency-report-protecting-emails.html.
Paper6–12
andaJuly2014NewYorkTimesarticle12usethesameanalogy–comparingunencryptede-mailstopostcards.
Consistentwiththequestionsraisedbysecurityexpertsaboutthesecurityofunencryptede-mail,someethicsopinionsexpressastrongerviewthatencryptionmayberequired.Forexample,New JerseyOpinion 701 (April, 2006) notes at the end: “where a document istransmittedto [theattorney]…byemailover the Internet, the lawyershouldpasswordaconfidentialdocument(asisnowpossibleinallcommonelectronicformats,includingPDF),since it isnotpossible tosecure the Internet itselfagainst thirdpartyaccess.”13Thiswasovernineyearsago.
CaliforniaFormalOpinionNo.2010-179statesthat“encryptingemailmaybeareasonablestep for an attorney in an effort to ensure the confidentiality of such communicationsremain sowhencircumstances call for it,particularly if the informationat issue ishighlysensitiveandtheuseofencryptionisnotonerous.”
AnIowaopiniononcloudcomputingsuggeststhefollowingasoneofaseriesofquestionsthat attorneys should ask when determining appropriate protection: “Recognizing thatsomedatawillrequireahigherdegreeofprotectionthanothers,willIhavetheabilitytoencrypt certain data using higher level encryption tools of my choosing?” Iowa EthicsOpinion11-01.
APennsylvaniaethicsopiniononcloudcomputingconcludesthat“attorneysmayuseemailbutmust, under appropriate circumstances, take additional precautions to assure clientconfidentiality.” Itdiscussesencryptionasanadditionalprecaution thatmaybe requiredwhenusingserviceslikewebmail.PennsylvaniaFormalOpinion2011-200.
TexasEthicsOpinion648(2015)takesthesameapproach:
“In general, considering the present state of technology and email usage, alawyer may communicate confidential information by email. In somecircumstances,however,a lawyershouldconsiderwhethertheconfidentialityoftheinformationwillbeprotectedifcommunicatedbyemailandwhetheritisprudenttouseencryptedemailoranotherformofcommunication.”
12MollyWood, “EasierWays to Protect Email FromUnwanted Prying Eyes,”New York Times (July 16,2014) (“Security experts say email is a lot more like a postcard than a letter inside an envelope, andalmostanyonecanreaditwhilethenoteisintransit.Thegovernmentcanprobablyreadyouremail,ascanhackersandyouremployer.”)www.nytimes.com/2014/07/17/technology/personaltech/ways-to-protect-your-email-after-you-send-it.html?_r=0.13File passwordprotection in some software, like current versions ofMicrosoftOffice, AdobeAcrobat,andWinZipusesencryptiontoprotectsecurity.Itisgenerallyeasiertousethanencryptionofe-mailandattachments.However,theprotectioncanbelimitedbyuseofweakpasswordsthatareeasytobreakor“crack.”
Paper6–13
Summarizingthesemorerecentopinions,aJuly,2015ABAarticlenotes:14
“The potential for unauthorized receipt of electronic data has caused someexpertstorevisitthetopicandissue[ethics]opinionssuggestingthatinsomecircumstances, encryption or other safeguards for certain emailcommunicationsmayberequired.”
Comment19toRule1.6alsolists“the extent towhichtheprivacyofthecommunicationisprotectedby law”asafactortobeconsidered.ThefederalElectronicCommunicationsPrivacy Act 15 and similar state laws make unauthorized interception of electroniccommunications a crime. Some observers have expressed the view that this should bedeterminativeandattorneysarenotrequiredtouseencryption.Thebetterviewistotreatlegalprotectionasonlyoneofthefactorstobeconsidered.Asdiscussedbelow,someofthe newer ethics opinions conclude that encryptionmay be a reasonablemeasure thatshouldbeused,particularlyforhighlysensitiveinformation.
H.SafeguardingClientFunds
The North Carolina State Bar recently issued 2015 Formal Ethics Opinion 6, “Lawyer’sProfessional ResponsibilityWhen Third Party Steals Funds from Trust Account” (October2015)thatappliesthedutyofreasonablemeasurestosafeguardclientfunds.InterpretingthestateequivalentofModelRule1.15,SafeguardingProperty,to7differentinquiries.Itsheadnotestates:
“Opinion rules thatwhen fundsare stolen froma lawyer’s trustaccountbyathird partywho is not employedor supervisedby the lawyer, and the lawyerwasmanaging the trustaccount in compliancewith theRulesof ProfessionalConduct, the lawyer is not professionally responsible for replacing the fundsstolenfromtheaccount.”
Significantly,inoneexample,theopinionconcludesthatthelawyerwouldhaveanethicalobligation to reimburse a client for real estate closing funds that the lawyer wiretransferredtoahacker’sbankaccountinresponsetoaspoofede-mail,wherethelawyerhad instructions to send it by mail and did not verify the change in disbursementinstructions.
Theopinionis limitedtoalawyer’sprofessionalresponsibilityrequirementsanddoesnotopineonalawyer’slegalliability.
14PeterGeraghtyandSusanMichmerhuizen,“EncryptionConniption,”EyeonEthics,YourABA(July2015)www.americanbar.org/publications/youraba/2015/july-2015/encryption-conniption.html.1518U.S.C.§§2510etseq.
Paper6–14
V.LawyerMarketingandAdvertisingA. KeyRules
ModelRule1.1:Confidentiality
ModelRule7.1:CommunicationConcerningaLawyer'sServices
ModelRule7.2:Advertising
ModelRule7.3:SolicitationofClients
ModelRule7.4:CommunicationofFieldsandPracticeandSpecialization
B. ClientConfidentiality
As discussed above, ABA Model Rule 1.6 covers Confidentiality of Information. It starts asfollows:
“(a)Alawyershallnotrevealinformationrelatingtotherepresentationofaclientunlesstheclientgivesinformedconsent,thedisclosureisimpliedlyauthorizedinordertocarryouttherepresentationorthedisclosureispermittedbyparagraph(b).”
Itbroadlyprotects“informationrelatingtotherepresentationofaclient.”
Some states’ rules have a narrower scope and protect defined information, like secrets andconfidences.Forexample,NewYorkRule1.6(a)defines“confidentialinformation”as:
“Confidential information” consists of information gained during or relating totherepresentationofaclient,whatever its source, that is (a)protectedby theattorney-clientprivilege,(b)likelytobeembarrassingordetrimentaltotheclientifdisclosed,or(c)informationthattheclienthasrequestedbekeptconfidential.“Confidential information” does not ordinarily include (i) a lawyer’s legalknowledge or legal research or (ii) information that is generally known in thelocal community or in the trade, field or profession to which the informationrelates.
Paper6–15
VirginiaRule1.6(a)provides:
(a)Alawyershallnotrevealinformationprotectedbytheattorney-clientprivilegeunderapplicablelaworotherinformationgainedintheprofessionalrelationshipthattheclienthas requested be held inviolate or the disclosure ofwhichwould be embarrassing orwouldbelikelytobedetrimentaltotheclientunlesstheclientconsentsafterconsultation,except for disclosures that are impliedly authorized in order to carry out therepresentation,andexceptasstatedinparagraphs(b)and(c).
TheCommentstoABAModelRule7.2:Advertising,includesthefollowingonidentificationofclientsinadvertising:
“[2] This Rule permits public dissemination of information concerning …with theirconsent,namesofclientsregularlyrepresented;”(Emphasisadded.)
ABAFormalOpinion10-57,“LawyerWebsites,”(August2010)alsoprovidesthatconsentisrequired:
“Specific information that identifies current or former clients or the scope oftheirmattersalsomaybedisclosed,aslongastheclientsorformerclientsgiveinformed consent as required by Rules 1.6 (current clients) and 1.9 (formerclients).”(Emphasisadded.)
NewYorkRule7.1,Advertising,includesasimilarrequirement:
“(b) Subject to the provisions of paragraph (a), an advertisementmay includeinformationasto:…
(2)namesofclientsregularlyrepresented,providedthattheclienthasgivenpriorwrittenconsent;
(Emphasisadded.)
Asnotedabove,NewYorkRule1.6hasanarrowerdefinitionof“confidentialinformation”thanABAModelRule1.6.
As discussed below, advertising by attorneys is protected commercial free speech. Adisciplinarypanelapplied thisconstitutionalprotection toa lawfirmblog.HoraceFrazierHunter v. Record No. 121472 Disciplinary Action (VA Feb. 28, 2013) (law firm blog thatpostedpublicinformationaboutclosedcriminalcaseswithoutclientconsentwasprotectedcommercialfreespeech.)
Paper6–16
C. Specialization,ExpertiseandCertification
ABAModelRule7.4:CommunicationofFieldsofPractice&Specialization,provides:
(a)Alawyermaycommunicatethefactthatthelawyerdoesordoesnotpracticeinparticularfieldsoflaw.(b)[patentpractice](c)[admiralty](d)Alawyershallnotstateorimplythatalawyeriscertifiedasaspecialistinaparticularfieldoflaw,unless:
(1)thelawyerhasbeencertifiedasaspecialistbyanorganizationthathasbeenapprovedbyanappropriatestateauthorityorthathasbeenaccreditedbytheAmericanBarAssociation;and(2)thenameofthecertifyingorganizationisclearlyidentifiedinthecommunication.
Several state ethics opinions have concluded that lawyers may not use various terms,including“expert”or“experienced,”inadvertising:
Paper6–17
NewYorkStateBarAssociationOpinion1021 (9/12/2014) (“…a lawyermaynotadvertisethatthelawyeristhe‘Best,’‘MostExperienced,’or‘HardestWorking.’”“Tous,theuseoftheword ‘expert’ is exactly the sortofdescription that theComment intends lawyers toavoid...”)
TennesseeFormalEthicsOpinion2004-F-149 (2004) (lawyersmaynotclaimthattheyare“No. 1,” “one of the best,” “better,” “top,” “excellent,” “qualified,” “highly qualified,”“experienced,”“reputable,”“efficient”or“preferred”becausesuchclaimsareunverifiable)
VirginiaStateBarOpinion1750(3/20/01,rev.4/4/06and12/18/08)(lawyersmaynotclaimtobean“expert”ortohave“expertise”)
AnABAethic’scolumnsummarizedtherestrictionsonusingtheterm“expert”asfollows:
“The ethical prohibitions against referring to oneself as an expert come fromcase lawandethicsopinionsconstruingABAModelRules7.1 (CommunicationsConcerning a Lawyer’s Services), 7.2 (Advertising) and 7.4 (Communication ofFieldsofPracticeandSpecialization).…Statebarethicsopinionsareunanimousonthispoint.”
PeterGeraghty, “ThinkTwicebeforeyoucall yourselfanexpert,”EyeonEthics, YourABA(March2013).
InBatesv.StateBarofAriz.,433U.S.350(1977),theSupremeCourtheldthat(1)truthfuladvertisingbyalawfirmisprotectedcommercialfreespeechand(2)astatemayimposereasonablerestrictionstoprotectthepublic.
TheSupremeCourtappliedthisruletoattorneycertificationinPeelv.Atty.Registration&DisciplinaryComm’n,946U.S.91(1990).TheCourtreversedanIllinoiscensureofanattorneyforincludingonhisletterheadthathewascertifiedbytheNationalBoardofTrialAdvocacyasaciviltrialspecialistonthegroundthatitwasprotectedcommercialfreespeech.
IllinoisRule7.4,CommunicationofFieldsofPracticeandSpecialization,nowprovides:
“(c)Exceptwhenidentifyingcertificates,awardsorrecognitionsissuedtohimorherbyanagencyororganization,alawyermaynotusetheterms“certified,’’“specialist,’’“expert,’’oranyother,similartermstodescribehisqualificationsasalawyerorhisqualificationsinanysubspecialtyofthelaw…Ifsuchtermsareusedtoidentifyanycertificates,awardsorrecognitionsissuedbyanyagency,governmentalorprivate,orbyanygroup,organizationorassociation,thereferencemustmeetthefollowingrequirements:(1) thereferencemustbetruthfulandverifiableandmaynotbemisleadingin
violationofRule7.1;(2) thereferencemuststatethattheSupremeCourtofIllinoisdoesnotrecognize
certificationsofspecialtiesinthepracticeoflawandthatthecertificate,awardorrecognitionisnotarequirementtopracticelawinIllinois.
Inarecentcase,Searcyv.Fla.Bar,40F.Supp.3d1290(N.D.Fl.2015),thedistrictcourtheldthataFloridaruleprohibitinga lawfirmwebsitefromstatingthat it“hasexpertisein”or
Paper6–18
“specializesin”apracticeareaisunconstitutionalasapplied.
EthicalissuesintheuseoftheInternetandsocialmediaforattorneymarketingisacurrenttopic of discussion. See, Pennsylvania Bar Association, Formal Opinion 2014-300, “EthicalObligations forAttorneysUsingSocialMedia” (September2014. It isbeyond the scopeof thisoutline.
Caution:Becausestateethicsrulesandopinionsdifferonwhatispermissibleinmarketingand advertising, it is important to understand and follow rules in the relevantjurisdiction(s).
VI.AttorneysandSocialMedia–CaseInvestigation
A.KeyRules
ModelRule4.1TruthfulnessinStatementstoOthers
ModelRule4.2CommunicationwithPersonRepresentedbyCounsel
ModelRule4.3DealingwithUnrepresentedPerson
ModelRule8.4Misconduct
B.ModelRule4.1:TruthfulnessinStatementstoOthersprovidesinrelevantpart:
Inthecourseofrepresentingaclientalawyershallnotknowingly:
(a)makeafalsestatementofmaterialfactorlawtoathirdperson;or…
C.ModelRule8.4:Misconduct,providesinrelevantpart:
“Itisprofessionalmisconductforalawyerto:***
(c)engageinconductinvolvingdishonesty,fraud,deceitormisrepresentation;”
Paper6–19
D.EthicsOpinions
NewYorkStateBarAssociation,EthicsOpinion#483(September2010)coverstheissueofattorneys’accesstopublicsocialmediapages.Itconcludes:
“A lawyerwhorepresentsaclient inapending litigation,andwhohasaccesstotheFacebookorMySpacenetworkusedbyanotherpartyinlitigation,mayaccessand review thepublic socialnetworkpagesof thatparty to search forpotentialimpeachmentmaterial.Aslongasthelawyerdoesnot"friend"theotherpartyordirectathirdpersontodoso,accessingthesocialnetworkpagesofthepartywillnot violate Rule 8.4 (prohibiting deceptive or misleading conduct), Rule 4.1(prohibiting false statements of fact or law), or Rule 5.3(b)(1) (imposingresponsibility on lawyers for unethical conduct by nonlawyers acting at theirdirection).”
OregonStateBarAssociationFormalOpinionNo2013-189givesthefollowinganswerstoaccessing a social media site of an opposing party, a witness, or a juror for caseinvestigation:
“1.Lawyermayaccesspubliclyavailableinformationonasocialnetworkingwebsite.”
“2.LawyermayrequestaccesstononpublicinformationifthepersonisnotrepresentedbycounselinthatmatterandnoactualrepresentationofdisinterestismadebyLawyer.”
“3.LawyermaynotadviseorsupervisetheuseofdeceptioninobtainingaccesstononpublicinformationunlessOregonRPC8.4(b)applies.”
Thesequestionsaretheheadingsfordiscussionthatfollowseachofthem,withadditionaldetails.
PennsylvaniaBarAssociation,FormalOpinion2014-300,“EthicalObligationsforAttorneysUsingSocialMedia”(September2014).Itsconclusionsinclude,amongothers:
“Attorneys May Not Ethically Contact a Represented Person Through a SocialNetworkingWebsite.”
“AttorneysMay Generally Contact an Unrepresented Person Through a SocialNetworkingWebsiteButMayNotUseaPretextualBasisForViewingOtherwisePrivateInformation.”
“AttorneysMayUseInformationDiscoveredonaSocialNetworkingWebsiteinaDispute.”
DistrictofColumbiaBar,EthicsOpinion371,“AttorneysMayUse InformationDiscoveredon a SocialNetworkingWebsite in aDispute” (November 2016). Its conclusions include,amongothers:
“Competent and zealous representation under Rules 1.1 and 1.3 may requireinvestigationofpotentiallyrelevantsocialmediapostingsofadversepartiesandtheircounsel,otheragents,andexperts.”
Paper6–20
“A lawyer's reviewofa representedperson'spublicsocialmediapostingsdoesnotviolatetheRulebecausenocommunicationoccurs.”
“AswithRule4.2,reviewofpublicpostingsofanunrepresentedpersondoesnotimplicatetheRulebecauseitdoesnotconstituteacommunication.Ontheotherhand, requesting access to information protected by privacy settings wouldtrigger the requirementsofRule4.3(b).Rules4.1and8.4(c)alsoapply tosuchsocialmediacommunication.TocomplywiththesethreeRules, insocialmediacommunication with unrepresented persons, lawyers should identifythemselves,statethattheyare lawyers,andidentifywhomtheyrepresentandthematter.”
“Rules 4.1 and 8.4 generally preclude pretexting or other misrepresentationduring review of social media by a lawyer or his or her agents, includingrequestingaccesstoinformationprotectedbyprivacysettings.”
Caution: Because state ethics opinions differ on attorneys’ use of social media, it isimportanttounderstandandfollowrulesintherelevantjurisdiction(s).
VII.AdditionalInformationABA/BNALawyer’sManualonProfessionalConduct(printandonlinereferencemanual,withbiweeklycurrentreports)www.bna.com/products/lit/mopc.htm
AmericanBarAssociation,ABACompendiumofProfessionalResponsibilityRulesandStandards,2016Edition(collectionofprofessionalresponsibilityrules,standardsandselectedethicsopinions)
AmericanBarAssociation,AnnotatedModelRulesofProfessionalConduct,8thEd.(2015)
AmericanBarAssociation,ModelRulesofProfessionalConduct,2016Edition
AmericanBarAssociationWebsite–www.americanbar.org
CenterforProfessionalResponsibility–www.americanbar.org/groups/professional_responsibility.html(includesonlineversionofthecurrentModelRulesofProfessionalConductandheadnotestoABAethicsopinions.)
ETHICSearch-(aservicethatperformsbasicresearchforattorneysonethicsquestionssubmittedtoit,oftenwithoutcharge)www.americanbar.org/groups/professional_responsibility/services/ethicsearch.html
W.Fortune,R.UnderwoodandE.Imwinkelried,ModernLitigationandProfessionalResponsibilityHandbook:TheLimitsofAdvocacy,SecondEd.(WoltersKluwer,April2017Update)
C.Harvey,MacMcCoyandB.Smith,“10TipsforAvoidingEthicalLapsesWhenUsingSocialMedia,”BusinessLawToday(January2014)www.americanbar.org/publications/blt/2014/01/03_harvey.html
Paper6–21
G.Hazard,Jr.,andW.Hodes,TheLawofLawyering,FourthEdition,(WoltersKluwer,Dec.2016Update)
R.HedgesandA.Wagner,“CompetencewithElectronicallyStoredInformation:WhatDoesItMeanandHowCanAttorneysAchieveIt?”BNAInsights(April1,2015)
A.Perlman,“TheTwenty-FirstLawyer’sEvolvingEthicalDutyofCompetence,”TheProfessionalLawyer(2014),availableathttp://papers.ssrn.com/sol3/papers.cfm?abstract_id=2532995.
A.Peyton,“KilltheDinosaurs,andOtherTipsforAchievingTechnicalCompetenceinYourLawPractice,”RichmondJ.L.&Tech.(March2015)
D.Richmond,B.FaughnanandM.Matula,ProfessionalResponsibilityinLitigation,SecondEdition(AmericanBarAssociation2016)
R.RotundaandJ.Dzienkowski,LegalEthics:TheLawyer'sDeskbookonProfessionalResponsibility,2017–2018Ed.(ThomsonWest2017)
S.Sabnis,“AttorneyEthicsintheAgeofSocialMedia,”ABASectionofLitigation,ProfessionalServicesLiability(June2016)http://apps.americanbar.org/litigation/committees/professional/articles/spring2016-0616-attorney-ethics-age-social-media.html