© 2017 Hinshaw & Culbertson LLP, an Illinois Limited Liability Partnership. All rights reserved.

DRAFT

Meeting the Ethical Duty of Technology Competence under Rule 1.6 for Data & Cyber Security

Steven M. Puiszis, Hinshaw & Culbertson LLP


Security Awareness Training

WHY?


Outside Counsel Guidelines


Data Breaches


Law Firm Data Breaches - 2015


28 States Have Adopted a Duty of Technology Competence

• Arizona

• Arkansas

• Colorado

• Connecticut

• Delaware

• Florida

• Idaho

• Illinois

• Iowa

• Kansas

• Massachusetts

• Minnesota

• Nebraska

• New Hampshire

• New Mexico

• New York

• North Carolina

• North Dakota

• Ohio

• Oklahoma

• Pennsylvania

• Tennessee

• Utah

• Virginia

• Washington

• West Virginia

• Wisconsin

• Wyoming


Model Rule 1.1's Duty of Competence Requires Understanding the Risks and Benefits of Technology


Rule 1.6: Duty of Confidentiality


Rule 1.6(c)'s Reasonable Efforts to Prevent Unauthorized Access or Disclosure

• Sensitivity of Information

• Likelihood of disclosure if additional safeguards NOT taken

• Cost of additional safeguards

• Difficulty of implementing safeguards

• Extent safeguards adversely impact your ability to represent a client

• Client security requirements or informed consent to forego security measures


N.Y. City Bar Ass’n, Op. 2015-3

• Duty of competence includes exercising reasonable diligence to identify and avoid common Internet-based scams

• Identifies 14 "Red Flags"

• Obligation to notify other affected clients if a scam results in the loss of client funds


Numbers Don't Lie ― Ransomware

1. "Ransomware: Are you Prepared?," SmartFile, June 2016

2. "Cyber-Extortion Losses Skyrocket says FBI," CNN Money, April 2016

3. "Email Phishing Attacks Take Just Minutes to Hook Recipients," WIRED, April 2015

93% of phishing emails contain ransomware (1)

Ransomware is on pace to be a $1B crime this year (2)

Approximately 23% of employees open phishing emails (3)


The Numbers Don't Lie

210 days – the average amount of time it takes a company to realize it has been breached.

4 out of 5 – the number of companies unaware of a breach until notified by law enforcement.

$3.79 million – the average cost of a single data breach.


Global Malware Attacks are Game Changers


Data and Cyber Security Is Everyone's Business


More Data Breaches are the Result of Human Error Than Hacking


Strengthen Your Weakest Link: Training


Some Lawyers Value Convenience Over Security


Sources of Legal or Statutory Liability for Data Breaches

HIPAA – Protected Health Information (PHI) – hefty statutory fines; there is no private right of action*

State Data Breach Notification Laws (Unencrypted PII)

201 CMR 17.00 (Massachusetts)

Lewert v. P.F. Chang's China Bistro, 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) – Standing

* Catholic Health Care Services of the Archdiocese of Philadelphia, a "B.A." (Business Associate), was fined $650,000 over the theft of one unencrypted phone that was not password protected and that exposed the PHI of 412 patients.


Develop an Effective & Reliable Approach to Patching Your System


Daily Backups – Encrypt, Protect and Test to Mitigate Ransomware Risk

Because of poor security, IoT has become the:

[slide graphic: "THIEVES"]


Data breach caused by "hack" of third party vendor with remote access to Target's network.


Encrypt Laptops, Tablets, Mobile Devices and Portable Storage

Lawyer takes a firm-issued laptop computer on vacation to Mexico and loses it. The lawyer was working for a hospital client on the termination of a physician's staff privileges over allegedly deficient patient care, and medical records of patients treated by the physician are stored on the laptop.


Three Steps for Protecting Against Lost or Stolen Mobile Devices

• Strengthen your passwords / lock the device after five unsuccessful logins

• Encrypt mobile devices

• Enable remote wiping (when available) (1)

1. Obtain written consent to wipe a BYOD device to avoid a claim under the Computer Fraud and Abuse Act


Which box describes you . . .

[Dilbert cartoon] DILBERT © 2014 Scott Adams. Used by permission of ANDREWS MCMEEL SYNDICATION. All rights reserved.


Phishing – "Zero Day Exploits"

Lawyer receives an email appearing to be from a client with a link. When the lawyer clicks on the link, a sophisticated rootkit is released that evades the firm's antivirus protection and begins sniffing for passwords used by system administrators. Two weeks later the firm's intrusion detection system notes anomalies in network traffic and alerts "IT" which begins searching for malware in the network.


Ten Tips to Recognize a Phishing Email

1. Poor spelling and/or grammar

2. Offers too good to be true

3. Threat to take action if you don't respond

4. Refers to a transaction you did not make or action you did not take

5. Requests personal information or to send money to cover expenses


6. Mismatched URL embedded in the email text (hover cursor over the URL)

7. Variation on the domain of a website, e.g. www.chase.com becomes www.chase.bankonline.com

8. From a person or company you do not know or have not done business with

9. Email from a government agency as the first contact on an issue

10. Emails with warnings, comments or promises about:

• Suspicious transaction

• A refund you won

• A big prize

• A photo of you

• Your account has been hacked

• A document I promised

• Verifying security questions
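Tips 6 and 7 lend themselves to an automated pre-check before a message reaches a lawyer's inbox. The following is an added example, not code from the original slides: it pulls every link out of a constructed e-mail body, compares the hostname shown in the link text with the hostname the link actually points to (tip 6), and flags the slide's www.chase.com / www.chase.bankonline.com pattern, where the brand reappears as a subdomain of an unrelated domain (tip 7). The registrable-domain rule (last two labels) is a deliberate simplification and an assumption of the example.

```python
"""Detect mismatched and lookalike links in e-mail HTML (tips 6 and 7 above).

Added example, not part of the original slides. The HTML snippet is constructed,
and the registrable-domain rule (last two labels) is a simplification that does
not handle two-level public suffixes such as .co.uk.
"""
from html.parser import HTMLParser
from typing import Dict, List, Tuple
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Lower-cased hostname of a URL, or of bare text such as 'www.chase.com'."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Simplified owner domain: 'www.chase.bankonline.com' -> 'bankonline.com'."""
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def looks_like_host(text: str) -> bool:
    """Visible text that itself reads as a URL or hostname (tip 6 applies only then)."""
    return "." in text and " " not in text


def check_link(href: str, text: str) -> List[str]:
    """Tip 6: the hover target differs from the URL shown in the text.
    Tip 7: the shown brand reappears as a subdomain of an unrelated domain."""
    findings: List[str] = []
    actual_host = host_of(href)
    if not actual_host or not looks_like_host(text):
        return findings
    shown_host = host_of(text)
    shown, actual = registrable_domain(shown_host), registrable_domain(actual_host)
    if shown != actual:
        findings.append(f"mismatched URL: text shows {shown_host} but the link goes to {actual_host}")
        brand = shown.split(".")[0]
        if brand in actual_host.split(".")[:-2]:
            findings.append(f"domain variation: '{brand}' used as a subdomain of {actual}")
    return findings


def scan_email_html(html: str) -> Dict[str, List[str]]:
    """Map each suspicious href in the message to the reasons it was flagged."""
    parser = _AnchorCollector()
    parser.feed(html)
    report: Dict[str, List[str]] = {}
    for href, text in parser.anchors:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed message body reproducing the slide's www.chase.com example.
SAMPLE_HTML = """
<p>Your statement is ready at <a href="https://www.example.com/statements">www.example.com</a>.</p>
<p>Verify your login at <a href="http://www.chase.bankonline.com/login">www.chase.com</a>.</p>
<p><a href="http://198.51.100.23/reset">Click here</a> if you did not request this.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email_html(SAMPLE_HTML).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

A link whose visible text is not itself a URL ("Click here") produces no finding here, which is exactly the case where the slide's advice to hover over the link before clicking still applies.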


Cyber Criminals and Hackers Now Using "Soft Targeting"

Emails to lawyers enclosing a law student's resume

Emails to lawyers from a state disciplinary commission about a complaint against the lawyer

Emails to lawyer about a potential engagement

Email to accounting department enclosing invoices or bills

Emails to lawyers or accounting department about a bill of lading, UPS tracking document (especially around the holidays)


Always Check the Domain Extension of the Email Sender

Not all emails end in .com, .org, .gov or .us. The domain extension will identify the country of origin:

[email protected] originated in China

[email protected] originated in North Korea

[email protected] originated in Brazil

[email protected] originated in Estonia

[email protected] originated in Russia

http://www.webopedia.com/quick_ref/topleveldomains/countrycodeM-R.asp


Ways to Avoid a Phish

1. Never click on a link, photo or attachment from anyone you don't know, or involving a transaction you did not make, no matter how harmless it appears or what the attachment purports to be.

2. Never click on a link, photo or attachment you were not expecting to receive, even if you know the sender – call first. Avoid dangerous file types.

3. If you ever open an attachment and are asked to open a zip file, click on a box, enable a new software version, or update or enter information – STOP! Close out of the email immediately.


Never Enable "Macros" in Documents


Recognize Potentially Dangerous File Attachments

The following types of attachments can execute malicious code and should be avoided:

• .EXE

• .REG

• .BAT

• .VB, .VBS, .VBE

• .COM

• .CMD

• .WS, .WSF, .WSC, .WSH

• .JAR

• .SCF

• .LNK

• .HTA

• .PIF

• .MSI, .MSP, .MSC

• .CPL

• .PS1, .PS1XML, .PS2, .PS2XML

• .MSH, .MSH1, .MSH2, .MSHXML

• .JS, .JSE

Watch out for double file extensions: .TXT.VBS is not a .TXT file but a potentially dangerous .VBS file.
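The extension list and the double-extension warning can be turned into a triage rule a mail gateway or help desk can apply consistently. This is an added example, not code from the original slides: the dangerous-extension set is the one on the slide; the list of document-looking decoy extensions and the sample filenames are constructed. Because Windows ignores trailing dots and spaces in a filename, the check strips them before deciding which extension is the one that actually counts.

```python
"""Attachment triage against the slide's list of executable file types.

Added example, not from the original slides: the extension list is the one on
the slide; the decoy list and sample filenames below are constructed.
"""
import os
import unicodedata
from dataclasses import dataclass, field
from typing import List

# Extensions the slide lists as able to execute malicious code (matched case-insensitively).
DANGEROUS_EXTENSIONS = {
    ".exe", ".reg", ".bat", ".vb", ".vbs", ".vbe", ".com", ".cmd",
    ".ws", ".wsf", ".wsc", ".wsh", ".jar", ".scf", ".lnk", ".hta", ".pif",
    ".msi", ".msp", ".msc", ".cpl", ".ps1", ".ps1xml", ".ps2", ".ps2xml",
    ".msh", ".msh1", ".msh2", ".mshxml", ".js", ".jse",
}

# Constructed list of document-looking extensions that commonly form the first
# half of a double extension (the slide's .TXT.VBS case).
DECOY_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".zip"}


@dataclass
class Verdict:
    filename: str
    effective_ext: str          # the extension the operating system will actually honour
    dangerous: bool
    double_extension: bool
    reasons: List[str] = field(default_factory=list)


def normalise(name: str) -> str:
    """Base name only, compatibility-folded, with trailing dots/spaces removed
    (Windows ignores trailing dots and spaces when resolving a filename)."""
    base = os.path.basename(name.replace("\\", "/"))
    base = unicodedata.normalize("NFKC", base)
    return base.rstrip(". ")


def split_extensions(name: str) -> List[str]:
    """Every dotted suffix in order, lower-cased: 'a.txt.vbs' -> ['.txt', '.vbs']."""
    parts = name.split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def classify(name: str) -> Verdict:
    """Decide whether an attachment name should be blocked or quarantined."""
    exts = split_extensions(normalise(name))
    effective = exts[-1] if exts else ""
    reasons: List[str] = []

    dangerous = effective in DANGEROUS_EXTENSIONS
    if dangerous:
        reasons.append(f"{effective} can execute code")

    # The slide's .TXT.VBS case: a harmless-looking extension hides the real one.
    double = len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS
    if double:
        reasons.append(f"double extension: looks like {exts[-2]} but is really {effective}")

    return Verdict(name, effective, dangerous, double, reasons)


def triage(filenames: List[str]) -> List[Verdict]:
    """Return only the attachments a gateway or user should stop on."""
    return [v for v in (classify(n) for n in filenames) if v.dangerous or v.double_extension]


if __name__ == "__main__":
    # Constructed sample attachment names
    SAMPLE = ["agenda.pdf", "Invoice.TXT.VBS", "setup.EXE", "photo.jpg", "notes.txt.js ", "archive.tar.gz"]
    for verdict in triage(SAMPLE):
        print(verdict.filename, "->", "; ".join(verdict.reasons))
```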


Whaling Exploits (Business E-mail Compromise)

Email appears to be from a company's CEO, CFO or high ranking manager – a "big fish," which is why they are called whaling emails.

Requests a prompt wire transfer, or to send payroll or tax information


Avoiding Whaling Exploits

Some email gateways can identify emails that originate from outside the company that are made to look like they come from within.

Develop a policy – No transfer of information containing PHI, PII, non-public financial information, sensitive company information or funds based on only an email.

Train all employees on the whaling policy and enforce it.


Provide VPN & Train on Unsecured Public Wi-Fi Risk

Lawyer insists on using Public Wi-Fi when outside the office or on the road for communicating with clients and working on documents.


Unauthorized Use of Cloud Computing

Law firm learns that several of its lawyers are using different cloud-based applications, e.g. Google Docs, Dropbox and Microsoft 365 on their own initiative without firm permission or approval.


Limit Administrative Rights and Protect Administrative Passwords


Stay as Current as Possible on Software, Hardware and Servers


Deploy Dual Factor Authentication at Least for Remote Access


Migrating to the Cloud

Law firm is considering migrating to using cloud-based applications for providing legal services to their clients.


"Low Tech" Breach Risk

Another breach risk – not properly disposing of equipment containing memory including copiers and fax machines

Not shredding records containing PHI, PII, financial or sensitive information.


Malicious Insider Risk

Terminate access to email, network, VPN, and file sharing applications promptly upon resignation or termination

Disable any Active Directory accounts; change the username/password for any SaaS applications

Collect all firm equipment, computers, phone, tablets, thumb drives, CDs, external hard drives, keys or access cards.


Check email, exports and downloads of information or documents for a period of time prior to resignation

Monitor username login attempts for one month afterwards

Instruct secretary, assistants, close co-workers not to email any firm or personal information

Background checks before hiring — where permitted by your state
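The step "monitor username login attempts for one month afterwards" is easy to state and easy to forget; the review below is an added example, not code from the original slides, showing what that check looks like when run over authentication logs. The log format, the offboarding record, the usernames and the IP addresses are all constructed; the one fact the code adds is that a successful login after the termination time means the account-disable step in the checklist above was missed.

```python
"""Post-termination login review for the insider-risk checklist above.

Added example, not from the original slides. The log format, the offboarding
record and the IP addresses are constructed; point parse_line at your own
authentication logs.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed offboarding record: username -> when access should have ended.
DEPARTED: Dict[str, datetime] = {"jdoe": datetime(2017, 3, 1, 17, 0)}

# The slide's "one month afterwards".
WATCH_WINDOW = timedelta(days=30)

# Constructed authentication log: "<ISO-8601 time> <user> <SUCCESS|FAILURE> <source>".
SAMPLE_LOG = """\
2017-02-28T09:12:03 jdoe SUCCESS 10.0.4.21
2017-03-01T16:55:10 jdoe SUCCESS 10.0.4.21
2017-03-02T02:14:44 jdoe FAILURE 203.0.113.9
2017-03-02T02:15:01 jdoe FAILURE 203.0.113.9
2017-03-02T02:15:30 jdoe SUCCESS 203.0.113.9
2017-03-15T08:00:00 asmith SUCCESS 10.0.4.30
2017-04-20T11:00:00 jdoe FAILURE 198.51.100.7
"""


def parse_line(line: str) -> Optional[dict]:
    """One log line -> dict, or None for blank or malformed lines."""
    fields = line.split()
    if len(fields) != 4:
        return None
    try:
        when = datetime.fromisoformat(fields[0])
    except ValueError:
        return None
    return {"time": when, "user": fields[1], "result": fields[2].upper(), "source": fields[3]}


def post_termination_events(log_text: str, departed=DEPARTED, window=WATCH_WINDOW) -> List[dict]:
    """Attempts by departed users after their end time and inside the watch window."""
    events = []
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None or event["user"] not in departed:
            continue
        ended = departed[event["user"]]
        if ended < event["time"] <= ended + window:
            # A SUCCESS here means the account-disable step in the checklist was missed.
            event["note"] = ("access NOT revoked" if event["result"] == "SUCCESS"
                             else "attempt against a disabled account")
            events.append(event)
    return events


def summarize(events: List[dict]) -> Dict[str, dict]:
    """Per-user counts and distinct sources, for the review meeting."""
    summary: Dict[str, dict] = {}
    for e in events:
        s = summary.setdefault(e["user"], {"attempts": 0, "successes": 0, "sources": set()})
        s["attempts"] += 1
        s["successes"] += e["result"] == "SUCCESS"
        s["sources"].add(e["source"])
    return summary


if __name__ == "__main__":
    found = post_termination_events(SAMPLE_LOG)
    for e in found:
        print(e["time"].isoformat(), e["user"], e["result"], e["source"], "-", e["note"])
    print(summarize(found))
```

An attempt outside the 30-day window (the constructed April entry) is dropped by design; widen WATCH_WINDOW if the firm's policy runs longer than the slide's one month.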


Technology Is Not Foolproof

Don't ignore physical and administrative safeguards & training


Control the Use of Flash Drives


Steve Puiszis, Hinshaw & Culbertson LLP, [email protected]

Prevention and Response: A Two-Pronged Approach to Cyber Security and Incident Response Planning

By: Steven M. Puiszis*

– www.hinshawlaw.com –

Introduction

Today the issue is not if a law firm will suffer a cyber intrusion, but when, and what type. Therefore, the critical question for any law firm is how well it will respond when the inevitable happens.

A law firm's response to a cyber security incident can be the difference between keeping and losing a client, and maintaining the reputation or perhaps even the stability of the firm. Clients are mandating that their law firms have safeguards in place to prevent a data breach. But technology is far from foolproof, and even the strongest technical, administrative, and physical safeguards are no guarantee that a law firm will not be breached. A client may be willing to forgive a lawyer who was fooled by a phishing exploit and clicked on a link that launched malware onto the lawyer's computer. A client may understand how an iPhone or laptop computer could be lost or stolen. But a client likely won't forgive a firm that fumbles an opportunity to prevent this type of security incident from turning into a full-fledged breach resulting in the exfiltration of the client's sensitive information. A law firm's unsuccessful efforts to prevent the compromise of client or third-party data will be critically reviewed after the fact, by those clients and third parties as well as their lawyers.

A two-pronged approach addressing both prevention and response is critical to this area of law firm risk management. Law firms should: (1) implement strong safeguards to prevent cyber intrusions and data breaches; and (2) prepare to promptly address such an incident when one occurs. While some might suggest that developing an incident response plan as part of a two-pronged approach is not ethically required under the reasonable efforts standard of Model Rule 1.6(c), client guidelines are increasingly requiring them. To the extent a response plan may assist in preventing an actual breach, it could be considered a reasonable step under Rule 1.6(c).[1]

How well a law firm responds to a security incident or cyber intrusion depends on how prepared the firm is when one occurs.

When a breach is suspected, time is of the essence.

Security experts believe the hours immediately following a cyber intrusion are the most critical. Accordingly, the time to prepare for a breach is before one occurs. Trying to determine what steps should be taken under the stress of a potential breach is far from ideal and can potentially result in delays, missteps and mistakes. The cardinal rule of law-firm risk management is to never make a problem worse, and not having measures in place to address a potential breach is inconsistent with that principle.

Cyber security involves the intersection of law and technology. Because even tech-savvy General Counsel may not be familiar with critical features of a law firm's network architecture and its latest cyber security measures, a strong working relationship between the firm's General Counsel (or the equivalent position), and its Chief Information Officer (CIO), Chief Security Officer (CSO), Director of Information Technology (IT), or an outside IT vendor (depending on the firm's structure) is critical to this area of risk management for law firms.

[1] Model Rule 1.6(c) requires lawyers to "make reasonable efforts to prevent the . . . unauthorized access to information relating to the representation of a client." Model Rules of Prof'l Conduct R. 1.6(c) (2013). Comment 18 to Rule 1.6 lists a series of six factors to consider in assessing whether reasonable efforts were taken, including the sensitivity of the information, the likelihood of disclosure if additional safeguards are not adopted, the cost and difficulty of implementing additional safeguards, the extent to which the safeguards adversely affect the lawyer's ability to represent a client, and whether the client required special security measures be taken or provided informed consent to forego measures that might otherwise be required under the rule. Model Rules of Prof'l Conduct R. 1.6 cmt. [18] (2013).

There is no "one-size-fits-all approach" to how a law firm should protect the data in its possession, and the same is true when it comes to developing an incident response plan. Security professionals speak of "defense in depth" or layers of security, but what those layers may consist of can depend on a variety of factors such as a firm's size, geographic footprint, organizational structure, practice areas, technological sophistication, culture and available resources. Those same factors will also influence the processes and steps outlined in the firm's incident response plan.

While incident response plans may vary from firm to firm, their goals are the same and similar concepts are consistently found in various incident response plans to achieve those goals. The primary goal of any incident response plan is to have a process in place that will allow the firm to promptly respond in a coordinated manner to any type of security incident or cyber intrusion. The incident response process should promptly: identify and evaluate any potential network anomaly or intrusion; assess its nature and scope; determine if any data or information may have been accessed or compromised; quarantine the threat or malware; prevent the exfiltration of information from the firm; eradicate the malware, and restore the integrity of the firm's network.

Incident response plans should identify the team members and their backups; provide the means to reach team members at any time an intrusion is reported, and define the roles of each team member. The plan should outline the steps to be taken at each stage of the process, designate the team member(s) responsible for each of those steps, as well as the team member charged with overall responsibility for the response.

Evidence as to how the breach occurred may prove to be critical if litigation, or an administrative or a criminal investigation subsequently occurs and should be preserved in a forensically sound manner. The response plan should identify a team member designated by the firm's general counsel to record information about the intrusion or breach. The record should include how and when the intrusion occurred; who, when, and how it was discovered; the nature of any malware involved; each step taken to contain the intrusion and eradicate the threat; when those steps were taken; and the team member(s) or third parties involved in each step of the process. The response plan should also address how to handle media inquiries, the firm's potential statutory and ethical reporting obligations, and procedures for notifying law enforcement when appropriate.


With the growing recognition of in-firm privilege, the law firm's General Counsel, or an outside counsel equivalent for firms that do not have a general counsel, should play a key role in the response process.[2] General Counsel should be involved in contacting any third-party vendors participating in the response process to assist in the provision of legal advice to the firm, in an attempt to shield those communications and work product from later discovery if necessary. See In re Target Corp. Customer Data Security Breach Litigation, 2015 WL 6777384 (D. Minn. Oct. 23, 2015) (recognizing and applying attorney-client privilege and work product protection following a data breach); Genesco, Inc., v. U.S.A., Inc., 307 F.R.D. 168 (M.D. Tenn. 2014) (applying attorney-client privilege and work-product protection to bar deposition, records, and communications of forensic investigator following the investigation of a cyber attack). General Counsel should also be involved in assessing any statutory or ethical reporting obligations, and in the drafting process should it be determined that a notification needs to be sent.

The following sections will provide a checklist of concepts that law firms should consider in developing an incident response plan and the risk management steps to consider before a cyber intrusion occurs. A checklist of considerations for when a cyber intrusion occurs is also provided.

Risk Management Steps Law Firms Should Consider Before a Security Incident Occurs

There are risk management steps that a law firm should consider before a cyber intrusion occurs, several of which are outlined below, that may impact the firm's incident response plan and its strategic security considerations:

• Evaluate how information enters, moves through and exits the firm's network.

• Evaluate where information is stored and how it can be accessed by lawyers and staff. Don't overlook third party vendors, the Cloud, personal devices and home computers.

• Identify sensitive, highly sensitive, or confidential information in the firm's possession.

• Since not all information may be of equal value or importance, identify where sensitive or confidential information is stored and evaluate if additional safeguards should be applied to these categories of information.

• Sensitive, highly sensitive or confidential information will frequently include personally identifiable information (PII); personal health information (PHI); trademark, trade secret, patent or M&A information; and customer data.

• Identify those persons or entities that have physical or electronic access to your network and those that have potential access to sensitive and confidential information. Evaluate if they need or should have access to sensitive or confidential information and block access for those who do not need access. When third parties have electronic access to the network, evaluate segmenting the area of the network they can access.

• Identify potential vulnerabilities at each data access point.

• Evaluate the firm's existing physical, administrative and technical safeguards at each access point to the firm's data.

• Take steps to remediate vulnerabilities or weaknesses at each access point.

• Prioritize remediation steps, addressing the most critical vulnerabilities first in light of available resources.

• Consider an outside IT forensic or network security vendor if necessary to assist with identifying vulnerabilities or prioritizing remediation steps.

• Measures that firms should consider to mitigate common attack vectors include: applying newly released patches to close identified vulnerabilities; controlling the use of unsecured public Wi-Fi and using dual factor authentication for remote access; encrypting laptop computers, mobile devices, backup and portable storage media; training lawyers and staff about phishing and social engineering exploits; and properly disposing of digital equipment.

• Evaluate your cyber coverage for data breaches or security incidents. Cyber insurance is relatively new and carriers' forms and terms can vary widely between different insurers.

• Review your firm's computer policies and log-on banners to ensure they include consent to real time monitoring of any email traffic or network use.

• Become familiar with the reporting obligations imposed by state data breach notification laws[3] and under HIPAA if the firm qualifies as a Business Associate. See 45 CFR §§ 164.400-.414 (2014). HIPAA includes reporting obligations to the Secretary of HHS in § 164.408 and to the news media in § 164.406 (when the breach involves more than 500 residents of the state).

• Check any outside counsel guidelines and business associate agreements for additional reporting obligations.

• Train lawyers and staff on data security and cyber issues including recognizing phishing and social engineering exploits, signs that a computer may be infected and who to contact at the firm in that event.

• Once the response team and the plan have been developed, consider running tabletop exercises (hypothetical or simulated cyber incidents) to identify gaps in the plan and to ensure team members are aware of the steps that each needs to take.

[2] See, e.g., Garvy v. Seyfarth Shaw LLP, 966 N.E.2d 523 (Ill. App. Ct. 2012); St. Simons Waterfront LLC v. Hunter, McLean, Exley & Dunn, 746 S.E.2d 98 (Ga. 2013); RFF Family P'ship. LP v. Burns & Levinson LLP, 991 N.E.2d 1066 (Mass. 2013); Crimson Trace Corp. v. Davis Wright Tremaine LLP, 326 P.3d 1181 (Or. 2014); Edwards Wildman Palmer v. Superior Court, 180 Cal.Rptr. 3d 620 (Cal. Ct. App. 2014).

[3] Forty-eight (48) states, the District of Columbia, the Virgin Islands, Puerto Rico and Guam have adopted data breach notification laws that potentially apply to data breaches involving lawyers and law firms. See State Security Breach Notification Laws, National Conference of State Legislatures (Jan. 12, 2015), http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx. Currently, only Alabama and South Dakota have not enacted a data breach notification law. Id. While state data breach notification laws have many common elements, there are significant variations between them. It is critical to carefully review the law of a particular state. Generally, state data breach laws focus on unencrypted computerized data that includes personally identifying information.

While the definition of personally identifying information varies between states, frequently it is defined as a combination of a person's first name or initial and last name, coupled with one or more of the following: the person's social security number; driver's license number or other state identification number; financial account number; credit or debit account number in combination with any required security code; access code or password that would permit access to a financial account. Several states include biometric data in the definition of personal information, as well as certain types of health insurance information such as policy or subscriber numbers, or information in the person's application or claims history. Publicly available information from federal, state or local governmental records is frequently excluded from the definition of PII under these laws. Several states also encompass the compromise of paper records in their breach notification laws.

Establishing an Incident Response Plan and Team

The Incident Response Team

• A firm's response team should be interdisciplinary because of the various issues potentially raised by a data breach or a security incident.

• Response team members assigned to particular security incidents or cyber intrusions can vary depending on the nature of the incident and the type of information or data involved.

• The function performed by each team member should have at least one designated backup person to ensure availability around the clock, 365 days a year.

• Communications between team members should be addressed in the response plan, as team members should not attempt to use a potentially compromised network or phone system (or one that is not functioning) to communicate with one another about the incident or their response activities.

• Response teams frequently include internal and external members. Depending on the size and structure of the firm, internal team members can include:

  • Law firm General Counsel or the firm's equivalent; a member of the firm's Management Committee; the firm's CIO, CSO, or Director of IT (or some combination thereof depending on firm structure); members of the firm's IT and Human Resources (HR) Departments (when HR data is compromised); and members of the firm's Public Relations or Marketing Department(s).

• Evaluate the skill sets required to complete each potential step in the response process, and whether any firm employee has that skill. If not, identify and evaluate outside vendor candidates.


• Develop law enforcement and third-party vendor contacts as a preparatory step.

• Response teams frequently include external team members, which can include:

  • Third-party vendors to handle forensic investigations of the firm's network and equipment; and support services vendors that handle mailings of breach notifications and track responses, set up toll-free hotlines or call centers, and offer free credit/identity theft monitoring and restoration services. Also consider outside communications/PR support when appropriate.

  • If the firm has cyber coverage, check with the carrier about preapproved third-party vendors to handle these functions and consider adding the vendors to your response plan. Cyber carriers frequently have designated lawyers to serve as a "data-breach coach," and many provide coverage for PR assistance.

Developing the Incident Response Plan and Process

• Identify sources of potential "cyber alarms" such as the firm's anti-virus/anti-malware protection, intrusion detection or data loss prevention tools, log alarms, third-party monitoring reports and reports from lawyers or staff.

• Determine the persons at the firm who receive notifications of these cyber alarms, how they are notified and how quickly they can react. Have more than one person receive these notifications.

• Identify and list each internal and external team member and each member's backup. Contact information, including the home and cell phone numbers and personal email address of each team member and backup, should be included in the plan.

• Identify the roles and responsibilities of each team member so that every team member knows who is responsible for each step outlined in the plan. Distribute the plan to each team member and evaluate storing the plan in a secure network location that each team member can access.

• General Counsel should designate a team member to record relevant information about the cyber intrusion, including steps taken to contain and eradicate the malware. Team members should be instructed to report information to the plan's scrivener and other designated team members on a daily basis, and trained on what to say and how to say it.

• Designate the firm's spokesperson in the event of a breach and identify how media inquiries should be handled, and who is responsible for working with internal or third-party communications or PR professionals.

• The response plan should be flexible and capable of addressing any type of cyber intrusion or security incident, ranging from a lost smartphone or laptop computer to an industrial or state-sponsored intrusion or a distributed denial-of-service (DDoS) attack on the firm.

• The plan should include steps to address security incidents or breaches stemming from the mishandling of paper records.

• Identify the team members to whom a suspected incident or intrusion should be reported, and the team member(s) responsible for initially evaluating the intrusion and classifying the incident.

• Set up an 800 phone number and an email address to report suspected cyber incidents or data breaches, such as breach@[insert law firm name].com.

Whenever possible, a law firm should avoid responding to press inquiries or making a public announcement before it can answer:

• How and why the intrusion or incident occurred

• Whether information was acquired or compromised by a hacker or third party

• What the firm is doing to prevent it from happening again

• What the firm is doing to mitigate the harm to anyone affected by the breach and to protect its clients' interests

The goal is to make a single response, not multiple ones, to limit the reputational harm resulting from the incident. If the firm receives a press inquiry before it is ready to provide answers, the appropriate response is that the firm is aware of the incident and is investigating.


• If the initial evaluation does not classify the intrusion as a false alarm, the plan should outline the next steps to be taken depending upon what the evaluation reveals about the nature of the intrusion, the malware involved and the scope of the impact on the network. Appropriate team members should be deployed depending upon the nature of the incident and the extent of the compromise.

• The process outlined in the plan should include periodic or continuous evaluations of the threat and permit or require a change in the response if it is determined that the threat is greater or less than originally evaluated.

• The response plan should also address preservation of critical information such as server and network logs.

• The response plan should require that the team scrivener record when and how the security incident or cyber intrusion occurred, who discovered it and when it was discovered, the type of malware involved, when team members were deployed, and the steps taken to confirm, quarantine and eradicate the threat.

• The plan should have a breach communications outline in place, which takes into account state and federal reporting obligations, obligations imposed by client agreements or guidelines, as well as applicable ethical standards.

• The plan should outline when or at what point in the process the firm's management should be made aware of the intrusion or incident.

• The contact or relationship partner for any client whose information was compromised should be notified once that determination has been made. That partner will assist with communications to the affected client.

Steps Once an Actual Cyber Intrusion or Security Incident Is Confirmed

• Any infected equipment should be disconnected from the network, but not otherwise disturbed. If the equipment is powered off, leave it off; if it is on, leave it on. The infected equipment should be secured pending a forensic analysis.

• Remotely wipe any lost or stolen mobile device, to the extent the firm has the technological capability to do so, promptly after notification of the loss or theft. Obtain the prior written consent of the device owner to wipe any personally owned mobile device.

• Internal or external team members responsible for forensically examining any infected equipment and the network should be immediately dispatched to further evaluate the nature and extent of the intrusion.

• Preserve critical logs from your firewall, routers, servers, and network access in a forensically sound manner.

• Details and information about the intrusion and the firm's response should be recorded as they become known.

• Complete the forensic analysis of any compromised equipment and the network.

• Evaluate whether any client or firm information was acquired or accessed during the intrusion. Identify the clients, third parties or employees that own any data that was accessed or compromised, or who may be affected as a result of the intrusion.

• Identify, locate and eradicate any malware in the network or on the equipment and restore the integrity of the network.

• Consider retaining a third-party forensic expert to determine whether any "back doors" were built into the network and to confirm that it is secure. This information may be of critical importance when notifying a client.

• Evaluate the need to contact law enforcement and how to protect client confidentiality.

• Attempt to retrieve any compromised data and take steps to potentially mitigate any harm.

• Restore any exfiltrated information, or in the case of ransomware, any encrypted data or files, from backup media.

• Evaluate and address any reporting obligations under state or federal law, client guidelines or agreements, and any ethical obligation to report under Model Rule 1.4 or a state's equivalent provision.

Information provided by the firm's network logs can be critical in establishing that an intrusion was not successful, that data was not acquired by a hacker, or in determining what data was compromised as a result of a breach.
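Preserving firewall, router and server logs "in a forensically sound manner," as the checklist above calls for, means copying them without alteration and being able to prove later that the copies have not changed. The following Python is an added example, not from the paper or the firm: it copies a log directory into an evidence directory, records a SHA-256 hash and source timestamp for each file in a manifest, hashes the manifest itself, and re-verifies the set on demand; the directory names, collector name and log lines are constructed placeholders.

```python
# Added example (not from the paper): copy logs into an evidence directory, record
# a SHA-256 manifest and re-verify it later. Directory names, collector name and the
# sample log lines are constructed placeholders for the firm's firewall/server logs.
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large logs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def preserve_logs(src_dir, evidence_dir, collector):
    """Copy each file under src_dir to evidence_dir, check the copy against the
    source hash, make it read-only, and write a hashed manifest (who/when/what)."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for root, _dirs, files in os.walk(src_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            src_hash = sha256_file(src)
            shutil.copy2(src, dst)              # copy2 preserves the source mtime
            if sha256_file(dst) != src_hash:
                raise RuntimeError(f"copy of {rel} does not match its source")
            os.chmod(dst, stat.S_IRUSR)         # read-only copy: no casual edits
            entries.append({
                "file": rel,
                "sha256": src_hash,
                "source_mtime_utc": datetime.fromtimestamp(
                    os.path.getmtime(src), timezone.utc).isoformat(),
            })
    manifest = {
        "collected_by": collector,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(src_dir),
        "files": entries,
    }
    manifest_path = os.path.join(evidence_dir, "MANIFEST.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    # Hash the manifest itself and keep it alongside, so edits to the record show too.
    with open(manifest_path + ".sha256", "w") as f:
        f.write(sha256_file(manifest_path) + "  MANIFEST.json\n")
    return manifest

def verify_manifest(evidence_dir):
    """Re-hash the manifest and every preserved copy. Returns the sorted names of
    files that no longer match (empty = intact); a changed manifest is reported as
    'MANIFEST.json'."""
    manifest_path = os.path.join(evidence_dir, "MANIFEST.json")
    with open(manifest_path + ".sha256") as f:
        expected = f.read().split()[0]
    if sha256_file(manifest_path) != expected:
        return ["MANIFEST.json"]
    with open(manifest_path) as f:
        manifest = json.load(f)
    bad = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["file"])
    return sorted(bad)

# Constructed sample logs (RFC 5737 documentation addresses), not real events.
SAMPLE_LOGS = {
    "firewall.log": "2017-03-01T02:14:07Z DENY tcp 203.0.113.5:51234 -> 192.0.2.10:445\n",
    "auth.log": "Mar  1 02:15:31 fileserver sshd[4121]: Failed password for invalid user admin from 203.0.113.5\n",
}

def demo():
    """Preserve the sample logs, verify, alter one copy, verify again.
    Returns the two verification results: ([], ['firewall.log'])."""
    work = tempfile.mkdtemp()
    src, evidence = os.path.join(work, "logs"), os.path.join(work, "evidence")
    os.makedirs(src)
    for name, text in SAMPLE_LOGS.items():
        with open(os.path.join(src, name), "w") as f:
            f.write(text)
    preserve_logs(src, evidence, collector="IR team scrivener (placeholder)")
    intact = verify_manifest(evidence)
    # An accidental edit to a preserved copy is caught on the next verification.
    copy = os.path.join(evidence, "firewall.log")
    os.chmod(copy, stat.S_IRUSR | stat.S_IWUSR)
    with open(copy, "a") as f:
        f.write("edited after collection\n")
    tampered = verify_manifest(evidence)
    shutil.rmtree(work, ignore_errors=True)
    return intact, tampered
```

The manifest records who collected the logs and when, which is the information the plan's scrivener needs for the incident record; a write-once medium or an offline copy of the manifest hash strengthens the chain of custody further.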


• Evaluate if the intrusion or incident triggers a personal interest conflict for any affected clients under Model Rule 1.7 or a state's equivalent provision.

• Provide notice of the incident to the firm's professional liability or cyber carrier. Preferably this should occur promptly after confirmation of an actual cyber intrusion or security incident.

• Determine what to tell clients, employees or the public about the breach.

• Consider retaining outside counsel specializing in ethics, cyber security and/or the defense of law firms.

• Consider retaining third-party support services vendors for credit monitoring, toll-free hotline, etc.

Post-Incident Evaluations Once the Response Process Is Complete

• Critically evaluate how the intrusion occurred and what steps can be taken to prevent a reoccurrence.

• Address and remediate any vulnerability that caused or contributed to the intrusion or breach.

• Evaluate, address and remediate any other weaknesses or deficiencies uncovered during the response process in the firm's administrative, physical or technical safeguards.

• Review the response process and evaluate the performance of the team members and determine if the process or their performance can be improved.

• Identify any gaps or weaknesses in the response plan and if necessary modify the plan. Then train team members on any revisions.

• Evaluate the need for additional or specific training for lawyers and staff to address the cause of the intrusion or breach.

• Periodically review and test the plan.

Educate the Firm About the Response Plan

Establishing an incident response team and plan is a good first step, but do not overlook educating the firm about the incident response plan and the team. This should include instructing lawyers and staff what to do if they suspect a cyber intrusion or security incident has occurred.

• Inform the firm about the development of an incident response plan and the team members.

• Inform the firm whom to contact, and how to contact team members, if they suspect that a cyber intrusion, a potential breach, or in the case of firms qualifying as a Business Associate, a HIPAA violation has occurred.

• Explain how to handle media inquiries and to whom they should be referred following any suspected or actual intrusion or breach.

• Use this opportunity as another teaching moment to explain possible signs of a compromised computer or a breach.

Ethical Reporting Obligations

Model Rule 1.4(a) addresses a lawyer's duty to communicate with a client, and among other things, requires a lawyer to keep the client reasonably informed about the status of a matter, promptly comply with reasonable requests for information, and promptly inform the client of any circumstance to which informed consent may be required. This includes the "duty to inform the client of material adverse developments, including those resulting from the lawyer's own errors." Colo. Bar Ass'n, Formal Op. 113 (2005).

That does not mean a lawyer must volunteer every mistake or error that occurs during the course of representing a client. State ethics opinions recognize that "[p]rofessional errors exist along a spectrum." Id. These opinions recognize:

[W]hether an attorney has an obligation to disclose a mistake to a client will depend on the nature of the lawyer's possible error or omission, whether it is possible to correct it in the pending proceeding, the extent of the harm resulting from the possible error or omission, and the likelihood that the lawyer's conduct would be deemed unreasonable and therefore give rise to a colorable malpractice claim.

N.Y. State Bar Ass'n, Ethics Op. 734 (2000); Colo. Bar Ass'n, Formal Op. 113 (2005) ("At the other end of the spectrum are errors and possible errors that may never cause harm to the client, either because any resulting harm is not reasonably foreseeable, there is no prejudice to a client's right or claim, or the lawyer takes corrective measures that are reasonably likely to avoid any such prejudice."). Obviously, whether an ethical duty to report exists will turn on the relevant facts. However, when a lawyer makes "a serious and irremediable error," an ethical duty to report that error to the client is triggered. N.Y. State Bar Ass'n, Ethics Op. 734 (2000).

These general principles should help guide the lawyer's ethical considerations about reporting a security incident or cyber intrusion. A lawyer does not have an ethical duty to report every time the lawyer clicks on a link and malware is launched onto a computer, or every time a hacker gains access to the law firm's network. When a client's data is not accessed or acquired during a security incident, a client has suffered no harm and no ethical duty to report the incident has been triggered. This view is further supported by ethics opinions that have addressed breaches of confidentiality by non-lawyers who are granted access to a law firm's computer network or a lawyer's database. ABA Formal Opinion 95-398 explained:

Where the unauthorized release of confidential information could reasonably be viewed as a significant factor in the representation, for example where it is likely to affect the position of the client or the outcome of the client's legal matter, disclosure of the breach would be required under Rule 1.4(b).

ABA, Formal Op. 95-398 (1995). See also Vt. Bar Ass'n, Advisory Ethics Op. 2003-03 (2003) ("if the breach would affect the outcome of the client legal matter in any fashion, the lawyer would be obligated to tell the client of the breach by the non-lawyer"); Ill. State Bar Ass'n, Advisory Op. 10-01 (2009) ("a lawyer may be obligated to disclose this breach to its client if it is likely to affect the position of the client or the outcome of the client's case"). Take care to also review your agreements and outside counsel guidelines for they may impose a reporting obligation upon the firm when there may be no ethical obligation to report.

A lawyer's duty is to act in the client's best interests in fulfilling a client's expectations for information. Model Rules of Prof'l Conduct R. 1.4 cmt. [5] (2013). Thus, should a data breach occur that results in the unauthorized acquisition of a client's information, Rule 1.4 requires the client be notified about that breach. While a lawyer may be justified in temporarily delaying notifying a client in order to investigate the breach and determine how it occurred, to identify the specific information involved, or at the request of law enforcement, a lawyer "may not withhold information to serve the lawyer's own interest or convenience." Model Rules of Prof'l Conduct R. 1.4 cmt. [7] (2013).

Possible signs of a compromised computer:

• Cursor moving on its own

• Frequent crashes and/or programs frequently locking up

• Hard drive running continuously when the computer is not in use

• Unusually long times for the computer to start or programs to launch

• Computer restarting on its own

• Programs starting and running by themselves

• Disappearance of files or data

• New or different file names appearing

• Disappearing space on the hard drive

• Web pages slow to load

• Computer screen looking distorted

• Changed home page of web browser

• Browser launching multiple tabs

Complete candor is a must. A law firm must be reasonably certain that the information provided is accurate, which can be difficult before a forensic examination is completed. A firm should endeavor to avoid any claim that the information provided in a breach communication was only partially true or misleading. Also keep in mind that how a lawyer informs the client of a mistake can be as important as what is said. Attempts to hide a mistake or even a perceived misrepresentation in a breach notification could trigger a claim that Model Rule 8.4(c) was violated. It is professional misconduct for a lawyer to "engage in conduct involving dishonesty, fraud, deceit or misrepresentation." Model Rules of Prof'l Conduct R. 8.4(c) (2013).

Rule 4.1 prohibits making false statements of material fact to third persons. Model Rules of Prof'l Conduct R. 4.1 (2013). Rule 4.3 explains that when dealing with an unrepresented person a lawyer shall not state or imply that the lawyer is disinterested and shall not provide legal advice, other than to secure counsel, if the lawyer reasonably should know that the interests of the person have a reasonable possibility of conflicting with the interests of the lawyer's client. Model Rules of Prof'l Conduct R. 4.3 (2013).

State data breach notification laws require that notice be provided to the individuals whose personal information was acquired or materially compromised and a number also require that notice be provided to third parties including credit reporting agencies and governmental officials. Some states have specific requirements to include in a breach notification, which should be carefully followed when drafting breach notifications. Because breach notifications frequently must be sent to third parties, Model Rules 4.1 and 4.3's requirements will be triggered when notices are required to be sent under state breach notification laws.

Even when no duty to report is triggered under a state’s data breach notification law, a lawyer should carefully evaluate whether under his or her state ethical rules, the client should be advised of the significance of the mistake or the potential for a claim against the lawyer as a result of the data breach. The reported decisions and advisory ethics opinions that have addressed this reporting issue in other contexts are not uniform in their approach or conclusion.

For instance Colo. Bar Ass'n, Formal Op. 113 (2005), states: "The lawyer need not advise the client about whether a claim for malpractice exists, and indeed the lawyer's conflicting interest in avoiding liability makes it improper for the lawyer to do so." See also Fitch v. McDermott, Will & Emery, LLP, 929 N.E.2d 1167, 1184 (Ill. App. Ct. 2010) ("We similarly find no case that would require an attorney to affirmatively advise his client of his negligence and the statute of limitations for suing him."); Expansion Pointe Properties Ltd. P'ship. v. Procopio, Cory, Hargraves & Savitch, LLP, 61 Cal.Rptr.3d 166, 176 (Cal. Ct. App. 2007) (holding no duty to discuss "types of recovery a client may obtain in a potential malpractice action").

However, the Restatement (Third) of the Law Governing Lawyers § 20 cmt. C (2000), takes the position: "If the lawyer's conduct of the matter gives the client a substantial malpractice claim against the lawyer, the lawyer must disclose that to the client." Restatement (Third) of the Law Governing Lawyers § 20 cmt. C (2000) (emphasis added). Similarly, Wisconsin Ethics Opinion E-81-12 (1998), concluded: "an attorney is obligated to inform his or her client that an omission has occurred which may constitute malpractice and that the client may have a claim against him or her for such an omission." See also Olds v. Donnelly, 696 A.2d 633, 643 (N.J. 1997) ("The Rules of Professional Conduct still require an attorney to notify the client that he or she may have a legal-malpractice claim even if notification is against the attorney's own interest"); Matter of Tallon, 447 N.Y.S. 2d. 50, 51 (N.Y. App. Div. 1982) ("An attorney has a professional duty to promptly notify his client of his failure to act and of the possible claim his client may thus have against him."); N.Y. City Bar Ass'n, Formal Op. 2015-3 (2015) ("A lawyer who discovers he has been defrauded in a manner that results in harm to other clients of the law firm, such as the loss of client funds due to an escrow account scam, must promptly notify the harmed clients.").

This should not be confused with an admission of liability. Clearly when an ethical duty to report is triggered by the unauthorized acquisition of information, a lawyer should disclose the facts and circumstances surrounding the data breach, and evaluate if there is a need to suggest to the client that "it may be advisable to consult with an independent lawyer with respect to the potential impact of the error on the client's rights or claims." Colo. Bar Ass'n, Formal Op. 113 (2005).


* About the Author: Steven M. Puiszis is a partner and Deputy General Counsel of Hinshaw & Culbertson LLP, and also serves as the firm's Privacy and Security Officer. Steve is the Vice Chair of DRI's Center for Law and Public Policy and is a past President of the Illinois Association of Defense Trial Counsel. His publications include book chapters on mitigating law firm cyber risk and data protection and privacy in the United States published in Risk Management in Law Firms: Strategies for Safeguarding the Future, Globe Business Publishing Ltd. 2014, London, England. Steve also published on the ethical and risk management issues facing law firms that adopt a "BYOD" approach to mobile technology, which appeared in the ABA Center for Professional Responsibility's 2015 Journal of the Professional Lawyer.

Conclusion

A cyber intrusion raises a series of complex and challenging issues for law firms that involve a variety of disciplines. Further complicating the problem is the myriad of ways a security incident or cyber intrusion can occur. While the best defense against a breach is a robust data-security program, being prepared when a cyber intrusion occurs is a critical consideration for law firms. A poorly handled incident response can cause reputational harm to the firm as well as the loss of clients and client trust. The steps and considerations outlined above should help lawyers and law firms to be ready when the inevitable happens.

Hinshaw’s Lawyers for the Profession® group, consisting of 60-plus lawyers, is devoted to representing and advising lawyers and law firms on all aspects of the "law governing lawyers." We focus on four broad areas: legal malpractice defense; ethics and professional responsibility representation and counseling; law firm organization and structure; and risk management services, including cyber-related risks. Located in 11 states, our group members try lawyers’ cases nationally wherever needed. Our leading position as lawyers for the profession is further evidenced in the published works of our team, the professional appointments and bar association positions we hold, the frequency with which our members are asked to serve as expert witnesses, and the wealth of lectures and presentations they are invited to make.

Arizona California Florida Illinois Indiana Massachusetts Minnesota Missouri New York Rhode Island Wisconsin London

© 2016 Hinshaw & Culbertson LLP, an Illinois Limited Liability Partnership. All rights reserved.


A LAWYER'S DUTY OF TECHNOLOGICAL COMPETENCE

Steven M. Puiszis

I. Introduction

One of the notable trends in the ethics and professional responsibility arena over the past decade is the evolving recognition of a duty of technological competence. Historically, the concept of a "competent" attorney primarily focused on a lawyer's knowledge of a substantive area of the law coupled with his or her experience and ability to represent a client in a particular engagement. See, e.g., San Diego Cnty. Bar Ass'n, Formal Op. No. 2012-1 (2012). Technology's impact on the legal profession, however, has rendered this historical view of competence outdated. Id.

Accordingly, the ABA's Model Rules were modified in 2012 to confirm that a lawyer's duty of competence requires keeping "abreast of changes in the law and its practice," which includes knowing "the benefits and risks associated with relevant technology." MODEL RULES OF PROF'L CONDUCT R. 1.1 cmt. [8]. While state ethics opinions had previously addressed various technology issues, the Model Rules had not, and the 2012 amendments to the Model Rules "reflect[ed] technology's growing importance to the delivery of legal and law-related services." Andrew Perlman, The Twenty-First Century Lawyer's Evolving Ethical Duty of Competence, 22 PROF. LAW. 24, 25 (2014).

The obligation to be aware of the "benefits and risks" of relevant technology under Model Rule 1.1 is a nebulous one, but the Chief Reporter of the ABA Commission on Ethics 20/20 explained that the standard had to be because "a competent lawyer's skill set needs to evolve along with technology itself," and "the specific skills lawyers will need in the decades ahead are difficult to imagine." Id.

To date, 28 states‒Arizona, Arkansas, Colorado, Connecticut, Delaware, Florida, Idaho, Illinois, Iowa, Kansas, Massachusetts, Minnesota, Nebraska, New Hampshire, New Mexico, New York, North Carolina, North Dakota, Ohio, Oklahoma, Pennsylvania, Tennessee, Utah, Virginia, Washington, West Virginia, Wisconsin and Wyoming‒have adopted the ABA's 2012 amendments to Model Rule 1.1. While California does not follow a Model Rules' approach, a 2015 State Bar ethics opinion addressing an attorney's ethical duties involving the discovery of electronically stored information relied on Comment 8 to Model Rule 1.1 in reaching the conclusion that the duty of competence requires attorneys to assess their own e-discovery skills and resources. See Cal. State Bar, Formal Op. 2015-193 (2015).

A lawyer's fundamental ethical duty is to provide competent representation to his or her clients. This "requires the legal knowledge, skill, thoroughness and preparation reasonably necessary" for the engagement. MODEL RULES OF PROF'L. CONDUCT R. 1.1 (2013). The duty of competence includes the "use of methods and procedures meeting the standards of competent practitioners." MODEL RULES OF PROF'L CONDUCT R. 1.1 cmt. [5]. In today's digital era, this means that "lawyers are required to take reasonable steps to protect their clients from ill-conceived uses of technology." Anthony E. Davis, The Ethical Obligation To Be Technologically Competent, The New York Law Journal, January 8, 2016.

The concept of technological competence is frequently thought of as encompassing the protection of information in a lawyer or law firm's possession from being inadvertently disclosed, accessed or acquired by third parties. While it's true that the mobility of modern technology makes protecting client information far more difficult than in past years, the duty of technological competence is far broader than simply protecting client information or cyber security. See, e.g., Ariz. State Bar, Ethics Op. 09-04 (2009) (explaining Rule 1.1's competence requirement "appl[ies] not only to a lawyer's legal skills, but also generally to 'those matters reasonably necessary for the representation.'"). An attorney's duty of competence includes, for instance, exercising "reasonable diligence in identifying and avoiding common Internet-based scams." NY City Bar Ass'n, Formal Op. 2015-3 (2015).

Broadly speaking, there are five realms of technological competence reasonably necessary for most engagements. The first realm involves data security—safeguarding the information that we are provided by our clients. The second realm involves electronic discovery, which can include the preservation, review and production of electronic information for use in litigation. This second realm includes social media discovery which opens a Pandora's box of ethical issues for lawyers. The third realm involves the technology lawyers use to run their practices, which includes the technologies used for communicating with clients and third parties, transmitting information, electronic research, applications for document generation, knowledge management, data analytics, augmented intelligence ("AI"), electronic calendaring, and docketing. Many software applications automatically store information in the "cloud" so this third realm, by necessity, includes competence with cloud-based technologies and storage. The fourth realm involves the technology used by our clients to design and manufacture the products they sell or use in the cases we defend. That can run the gamut from robotics and 3D printing to nano technology or coding used in software components and anything in between. The fifth realm involves the technology used to present information in the courtroom and rules governing the authentication and admissibility of new and emerging technological evidence. This article explores the scope of the duty of technological competence and what it requires of today's lawyers.

II. The Impact of Technology on the Practice of Law

Technology has fundamentally altered the practice of law. It allows lawyers to practice anywhere in the world with an available internet or WiFi connection. Technology has changed how we communicate with clients and one another. Email and text messages have replaced letter writing and phone calls. The smart phones we carry have more computing power than the Apollo 11 spacecraft that took us to the moon. Richard Stengel, Making Sense of Our Wireless World, TIME, Aug. 27, 2012. It is not extravagant to suggest that virtually every aspect of the practice of law has been impacted, if not altered, by the technological advances that have occurred over the past decade.

Computer research has made law libraries and hard-copy texts obsolete. Lawyers now carry access to electronic law libraries with them via their laptop computers, tablets or smart phones. Software programs can generate a wide variety of basic legal documents. Machine intelligence has the ability to "automate simple briefs and memos." John O. McGinnis, Machines v. Lawyers, City Journal, June 4, 2014. Blow-ups and white boards used for years in courtrooms are being replaced by LCD projectors or Elmos connected to video monitors. Annotation monitors that allow witnesses to mark electronic exhibits, and evidence cameras that convert paper documents into electronic exhibits to display to a jury, are working their way into technology-enabled courtrooms.

Fitness trackers, "wearables" and social media are becoming fruitful sources of information that can corroborate or devastate injury claims. Google Glass has been used to create day-in-the-life videos of traumatically injured individuals. GPS tracking and electronic control modules ("black boxes") in motor vehicles can provide detailed and accurate information about location, velocity, speed, acceleration and deceleration rates critical to many disputes. Video cameras mounted on vehicle dashboards or carried by law enforcement officers, and the proliferation of surveillance cameras in metropolitan areas, are providing evidence that in the past had been limited to a witness's testimony. Drones can even be used to monitor and track the movements of vehicles and persons as well as the progress of high-rise construction projects. Electronic record keeping systems, such as electronic health records, are triggering new and challenging discovery and trial issues for both lawyers and their clients.

Technology has impacted not only the design of products but also how they are manufactured. Additionally, areas of science, such as serology, that were critical in many trials held as recently as twenty years ago have been rendered obsolete by scientific advances such as DNA evidence. Technology is moving so rapidly that the issues trial lawyers will be asked to resolve in the near future involving nascent technologies such as 3D printing and autonomous vehicles will be radically different from those we address today. Auto accidents may turn into product liability trials. As one ethics opinion recognized, "[l]egal rules and procedure, when placed alongside ever-changing technology, produce professional challenges that attorneys must meet to remain competent." Cal. State Bar, Formal Op. 2015-193, at 3 (2015).

III. What Does this Duty of Technological Competence Entail?

The 2012 amendment to Model Rule 1.1 precludes a lawyer from pleading ignorance of new technologies, or the risks associated with technology. Lawyers are expected to have at least a basic understanding of the technologies they use, the risks associated with those technologies and the means available to mitigate those risks. See, e.g., N.H. Bar Ass'n, Advisory Op. 2012-13/4 (2013) ("competent lawyers must have a basic understanding of the technologies they use.").

While attorneys need not become technology experts or "develop a mastery of the security features and deficiencies" of every available technology:

[T]he duties of confidentiality and competence … do require a basic understanding of the electronic protections afforded by the technology they use in their practice. If the attorney lacks the necessary competence to assess the security of the technology, he or she must seek additional information or consult with someone who possesses the necessary knowledge, such as an information technology consultant.

Cal. State Bar, Formal Op. 2010-179 (2010).

If an attorney lacks a basic understanding of how to use an available technology, or the risks inherent in the technologies used to provide legal services, how can the attorney take "reasonable steps" to competently guard against those risks? The duty of competence is the foundation on which the ethical obligation to protect client information rests.

As with any other skill or practice area, a lawyer's duty of technological competence can be met through continuing study and education or through association with others who are competent in the area. MODEL RULES OF PROF'L CONDUCT R. 1.1 cmts. [2], [8] (2013); Cal. State Bar, Formal Op. 2012-184 (2012) ("If Attorney lacks the necessary competence to assess the security of the technology, she must seek additional information, or consult with someone who possesses the necessary knowledge, such as an information technology consultant."); Iowa State Bar Ass'n, Ethics Op. 11-01 (2011) (noting lawyers can meet due diligence technology requirements "by relying on the … services of independent companies, bar associations or other similar organizations or through its own qualified employees").

The duty of competence requires lawyers to be aware of the benefits and risks of emerging technologies that can be used to deliver legal services and of how advances in existing technologies can impact the security of information in their possession. See, e.g., N.H. Bar Ass'n, Advisory Op. 2012-13/4 (2013) (observing "[c]ompetent lawyers" must "keep abreast of … changes"). The difficulty that we face on this issue is the speed at which technology is advancing. When it comes to understanding the risks and benefits of technology, the lawyer's duty of competence must evolve as the technologies we use to provide legal services evolve. Cal. State Bar, Formal Op. 2012-184 (2012) (noting "[a]s technologies change, … security standards also may change" and explaining attorneys "should keep abreast of the most current standards so that [they] can evaluate whether the measures taken … to protect client confidentiality have not become outdated").

A. Competence Involving Electronic Discovery

The California State Bar issued an ethics opinion in 2015 addressing ediscovery competence. Cal. State Bar, Formal Op. 2015-193 (2015). The opinion recognized that "[n]ot every litigated case involves e-discovery," but "almost every litigation matter potentially does." Id. at 3 (emphasis in original). Today, companies routinely store their information electronically and it would be unusual for an attorney to not have to deal with the review and production of electronically stored information (“ESI”) at least on a basic level.

The opinion "start[s] with the premise that 'competent' handling of e-discovery has many dimensions." Id. It then explains that at the outset of any case a lawyer should assess "what electronic discovery issues might arise during the litigation including the likelihood that e-discovery will or should be sought by either side" and then "assess his or her own e-discovery skills and resources as part of the attorney's duty to provide the client with competent representation." Id. The opinion cautions that when the attorney lacks those skills or resources, the attorney "must try to acquire sufficient learning or skill, or associate or consult with someone with the necessary expertise to assist." Id. The opinion advises that "[a]ttorneys handling e-discovery should be able to perform (either by themselves or in association with competent counsel or expert consultants) the following" tasks:

• Initially assess e-discovery needs and issues, if any;

• Implement/cause to implement appropriate ESI preservation procedures;

• Analyze and understand a client’s ESI systems and storage;

• Advise the client on available options for collection and preservation of ESI;

• Identify custodians of potentially relevant ESI;

• Engage in competent and meaningful meet and confer with opposing counsel concerning an e-discovery plan;


• Perform data searches;

• Collect responsive ESI in a manner that preserves the integrity of that ESI; and

• Produce responsive non-privileged ESI in a recognized and appropriate manner.

Id. at 3-4. The opinion explains that such a consultant could be an outside vendor, a subordinate attorney or even the client, "so long as they possess the required expertise." Id. at 4. There is a catch, however: the consultation does not absolve an attorney of his or her duty to supervise the work of any attorney, expert, vendor or client assisting the attorney. Id. That duty is non-delegable, and the attorney "retains overall responsibility for the work of the expert he or she chooses, even if the expert is the client or someone employed by the client." Id. Unsupervised reliance on such a consultant does not meet the duty of competence; rather, the attorney must remain actively engaged and provide "appropriate instructions and guidance." Id.

The opinion also highlights why non-waiver orders under Fed. R. Evid. 502(d) are becoming increasingly important as a risk management tool for lawyers. Given the volume of electronic discovery produced in many cases, the risk of producing a document protected by the attorney-client privilege or as work product has increased exponentially. The opinion recognizes that a claw-back agreement may not protect a lawyer against a waiver of attorney-client privilege if a court later determines that the privileged or protected information was not "inadvertently" produced. Inadvertence under Fed. R. Evid. 502(b), among other things, examines whether reasonable steps were taken to prevent the disclosure of protected or privileged information before any production occurred. By its express terms, however, once a Fed. R. Evid. 502(d) non-waiver order has been entered, any subsequent disclosure of protected or privileged information in that proceeding will not waive the attorney-client privilege or work product protection in that proceeding, or in any other state or federal proceeding.

An ethics opinion issued by the San Diego County Bar Association echoes several of these points, including that the duty to supervise e-discovery vendors is non-delegable and "is a necessary correlative of the duty of competence." San Diego Cnty. Bar Ass'n, Ethics Op. 2012-1 (2012). That opinion advises that "competence begins with an understanding of the sources of the client's ESI" and includes:

• Ensuring the client (including each custodian) understands the types of evidence to be preserved;

• Understanding the client's technology, operating systems, application, software, backup inventories and rotation schedules, electronic records management policies and procedures;

• Identifying likely locations of relevant electronic records and the identities of current and former employees with access to those records, the network, backup, archiving and other system operations during the relevant timeframe;

• Understanding and issuing a litigation hold.

The California State Bar's ediscovery ethics opinion did not purport to "define a standard of care of attorneys for liability purposes." Cal. State Bar, Formal Op. 2015-193 at 5, n.9. But that may not prevent an expert from attempting to rely on it as a basis for a standard of care opinion. The California State Bar's ethics opinion further explains that a mere failure to act competently should not trigger discipline under California's ethics rules; rather, intentional, reckless or repeated acts are generally required to warrant discipline. Id. The opinion also did not attempt to "address ethical obligations relating to litigation holds." Id. n.3.

However, a Massachusetts attorney was disciplined for failing to take appropriate steps to prevent the spoliation of ESI. See Kenneth Paul Reisman, Public Reprimand, No. 2013-21, 2013 WL 5967131 (Mass. B. Disp. Bd., Oct. 9, 2013) (finding a violation of Rule 1.1 for representing a client on "a matter that he was not competent to handle without adequate research or associating with or conferring with experienced counsel"). Due to the attorney's lack of experience with ediscovery, he advised a client that it was permissible to wipe allegedly unrelated files from a computer without "conducting research as to his client's legal obligations and without any attempt to confirm that the materials to be deleted were as represented."

As a final point on the issue of ediscovery competence, the Federal Rules of Civil Procedure were amended to address electronic discovery issues. While a full discussion of the 2015 federal rule amendments is beyond the scope of this article, one change in particular bears mentioning. Fed. R. Civ. P. 26(b) was amended to reflect that the scope of permissible discovery is now information that is relevant to the parties' claims and defenses and proportional to the needs of the case. The concept of proportionality has been in Rule 26 since 1983, but has been largely ignored by practitioners and judges. Therefore, attorneys must now view all federal court discovery through the lens of proportionality.

Proportionality is a concept that addresses the marginal utility of the requested discovery. It examines whether a particular issue, witness, or requested information is central to a claim or a defense or is only marginally involved. The more tangential an issue or a witness is to the elements of a claim or defense, or the further removed the requested discovery is from the relevant time frame, the more likely a proportionality objection will succeed, since the burden of that potential discovery is weighed against its likely benefit. Proportionality requires a thoughtful and analytic approach to discovery.

Rule 26(b)(1) sets forth a series of factors that a court and the parties should consider in making a proportionality determination:

• The importance of the issues at stake in the litigation.

• The importance of the requested discovery in resolving those issues.

• The amount in controversy.

• The parties’ relative access to relevant information.

• The parties’ respective resources.

• Whether the burden or expense of the proposed discovery outweighs its benefit.

There is no hierarchy of importance among Rule 26's proportionality factors; all must be considered in any proportionality determination. While the amount in controversy is an important factor, a proportionality determination involves more than simply a "dollars and cents" analysis. The 2015 Committee Note to Rule 26(b) observes that the public importance of certain litigation issues, such as those involving the First Amendment, requires that they be "measured in philosophic, social, or institutional terms," not just by the potential monetary recovery that could be obtained. Monetary considerations must be balanced against all of Rule 26(b)(1)'s other factors in every proportionality analysis.


Courts and parties are also encouraged in that 2015 Committee Note to consider the use of computer-based methods to search for relevant discovery, such as predictive coding or technology-assisted review, as a way to lessen the burden or expense of discovery in cases involving large volumes of electronically stored information (ESI). In summary, lawyers who are not familiar with electronic discovery should not dabble in it without assistance.

B. Competence Involving Data Security

The days when lawyers could protect information through a "clean desk policy and locked filing cabinets" are long gone. Regulations under HIPAA, for instance, require the use of technical, administrative and physical safeguards for protected health information by lawyers who qualify as Business Associates under HIPAA. State data breach notification laws also indirectly impose security requirements on lawyers and law firms by requiring the encryption of computerized data containing personally identifiable information. Outside counsel guidelines are another source of security obligations on law firms. The ABA's 2012 amendments to its Model Rules superimposed an ethical obligation to take "reasonable steps" to safeguard client information.

As it pertains to data security, Model Rule 1.6 states that a lawyer "shall not reveal" any information "relating to the representation of a client unless the client gives informed consent, [or] the disclosure is impliedly authorized . . . to carry out the representation." MODEL RULES OF PROF'L CONDUCT R. 1.6(a) (2013). Rule 1.6 is not limited to information protected by the attorney-client privilege but "to all information relating to the representation, whatever its source." MODEL RULES OF PROF'L CONDUCT R. 1.6 cmt. [3] (2013). It extends to disclosures "that do not in themselves reveal protected information but could reasonably lead to the discovery of such information by a third person." MODEL RULES OF PROF'L CONDUCT R. 1.6 cmt. [4] (2013).

Model Rule 1.6 obligates lawyers to take "reasonable measures" to safeguard "the integrity and security" of their electronic files. Ala. State Bar, Ethics Op. 2010-2 (2010). Among other things, this obligation requires that lawyers take "reasonable steps" to ensure that "only authorized individuals have access to the electronic files" and to ensure they "are secure from outside intrusion." Id. (explaining such steps include the use of firewalls, intrusion detection software and backups of all electronically stored files). Model Rule 1.6(c) similarly requires a lawyer to "make reasonable efforts to prevent the inadvertent or … unauthorized access to information relating to the representation of a client." MODEL RULES OF PROF'L CONDUCT R. 1.6(c) (2013).

"What constitutes reasonable efforts is not susceptible to a hard and fast rule, but is contingent upon a series of factors." ABA Comm. on Ethics & Prof'l Responsibility, Formal Op. 477R (2017). Comment 18 lists factors to consider in assessing whether "reasonable efforts" were taken to protect against the inadvertent or unauthorized disclosure of, or access to, client information, including:

• The sensitivity of the information.

• The likelihood of disclosure if additional safeguards are not taken.

• The cost of employing additional safeguards.

• The difficulty of implementing the safeguards.

• The extent to which the safeguards adversely affect a lawyer's ability to represent a client.


• Whether the client required special security measures be taken or provided informed consent to forego security measures that might be required under this rule.

Model Rules of Prof'l Conduct R. 1.6 cmt. [18] (2013). Given these factors, Rule 1.6(c)’s reasonableness standard is “not amenable to a one-size-fits-all analysis.” NY City Bar Ass’n Formal Op. 2017-5 (2017).

Rule 1.6 contemplates a balancing approach when evaluating the security measures that can or should be considered when protecting client information. Various state ethics opinions take a similar approach to the issue. See, e.g., Cal. State Bar, Formal Op. 2010-179 (2010) (outlining factors to consider including "the degree of sensitivity of the information"). Those opinions recognize that particular "facts and circumstances" can dictate the types of "reasonable protective measures" a lawyer must take to protect information in the lawyer's possession. Id.; Iowa State Bar Ass'n, Ethics Op. 11-01 (2011) (recognizing "the degree of protection to be afforded client information varies with the client, matter and information involved"). The level of protection may depend on the "type and sensitivity of client information." N.H. Bar Ass'n, Advisory Op. 2012-13/4 (2013) (addressing cloud computing). As one ethics opinion explained:

The greater the sensitivity of the information, the less risk an attorney should take with technology. If the information is of a highly sensitive nature and there is a risk of disclosure when using a particular technology, the attorney should consider alternatives unless the client provides informed consent.

Cal. State Bar, Formal Op. 2010-179 (2010); see also, Fla. Bar, Op. 12-3 (2013) (addressing cloud issues involving "particularly sensitive information" and noting a "lawyer should consider whether [to] use the outside service provider or use additional security in [these] specific matters"); NY City Bar Ass’n Formal Op. 2017-5 (2017) (suggesting “that an attorney should not carry clients’ confidential information on an electronic device across the border except where there is a professional need, and … should not carry clients’ highly sensitive information except where the professional need is compelling”). These opinions explain that lawyers and law firms should identify types of “highly” sensitive information in their possession.

While ethics opinions explain that additional precautions should be considered in various contexts when "highly" or "particularly" sensitive information is involved, they generally do not define or discuss the types of client information that would be encompassed by that rubric. It seems logical, however, for law firms to consider addressing the sensitivity of client information at the outset of any engagement.

This can be accomplished in several ways. The client can be asked at the file opening stage if the engagement will involve any highly sensitive information or information warranting special security measures. Additionally, the file intake process can be set up to identify any categories of information that state or federal law treat as highly sensitive in nature or that the firm believes should be treated as highly sensitive. Examples could include personally identifying information ("PII"), protected health information ("PHI"), non-public financial information, proprietary information, source code, patents, trademarks, trade dress, trade secrets, a merger and acquisition or a high-stakes business deal. A firm can then take any steps it deems necessary and appropriate to protect that information, including limiting who is permitted to access that information and how it may be transmitted.

While Comment 18 to Rule 1.6 recognizes that additional safeguards may be required with highly sensitive information, it also notes that the cost and difficulty of implementing or using certain types of safeguards are relevant considerations when evaluating whether to apply additional safeguards. The additional safeguards do not have to be technology based. They can include security awareness training and the development of firm policies involving the use of technology by a firm's lawyers and staff.

The ethical duty to take reasonable precautions clearly does not require measures that will "guarantee" against unauthorized access. See, e.g., Ariz. State Bar, Ethics Op. 09-04 (2009); N.J. Sup. Ct., Op. 701 (2006) (recognizing that a "guarantee" against unauthorized access "is impossible"); Va. State Bar, Legal Ethics Op. 1872 (2013) (noting a lawyer is not obligated to "guarantee that a breach of confidentiality cannot occur when using an outside service provider"). Model Rule 1.6's duty of confidentiality "does not require that a lawyer use only infallibly secure methods" to store and transmit information. N.C. State Bar, Formal Ethics Op. 6 (2012); N.Y. City Bar Ass'n Formal Op. 2017-5 (2017) (recognizing "'reasonable' protective measures need not be foolproof").

Various state ethics opinions reference a number of technological options available to protect client information. Ariz. State Bar, Ethics Op. 09-04 (2009) ("In satisfying the duty to take reasonable security precautions, lawyers should consider firewalls, password protection schemes, encryption, antivirus measures, etc."). Given the speed at which technology is evolving, state ethics opinions generally avoid recommending any particular security measure for fear it will be quickly outmoded. See, e.g., Iowa State Bar Ass'n, Ethics Op. 11-01 (2011) ("It is beyond the Committee's ability to conduct a detailed information technology analysis …. Even if we had that ability our analysis would soon be outdated.").

As a result, state ethics opinions generally leave it to the "sound professional judgment" of the attorney to determine what type of security measures should be taken. Ariz. State Bar, Ethics Op. 05-04 (2005) ("Precisely which of these software and hardware systems should be chosen–and the extent to which they must be employed–is beyond the scope and competence of the Committee. This is the kind of thing each attorney must assess."); N. J. Sup. Ct., Op. 701 (2006) (explaining a lawyer "is required to exercise sound professional judgment on the steps necessary to secure client confidences against foreseeable attempts at unauthorized access"); Mass. Bar Ass'n, Ethics Op. 12-03 (2012) ("Ultimately, the question of whether the use of Google docs, or any other Internet based data storage service provider, is compatible with [a] Lawyer's ethical obligation to protect his clients' confidential information is one that Lawyer must answer for himself based on the criteria set forth in this opinion….").

Comment 18 to Rule 1.6 further notes that whether additional steps are required to comply with other laws, such as state and federal laws governing data privacy, is beyond the scope of the Rule. MODEL RULES OF PROF'L CONDUCT R. 1.6 cmt. [18] (2013). However, HIPAA's Security Rule applies to lawyers and firms that qualify as "business associates" and requires various physical, administrative and technical safeguards to protect the confidentiality and integrity of, and control access to, electronic personal health information. See 45 C.F.R. §§ 160.101-160.552, 164.102-164.106, 164.302-164.318 (2014).


An attorney's duty of confidentiality and the corresponding duty to take appropriate measures or reasonable steps to protect information in a lawyer's possession do not require an attorney-client relationship to exist before those duties are triggered since the duty of confidentiality applies once information is received from a "prospective" client. See MODEL RULES OF PROF'L CONDUCT R. 1.18(b) (2013) (addressing information received from "prospective" clients and explaining "[e]ven when no client-lawyer relationship ensues, a lawyer … shall not use or reveal that information, except as Rule 1.9 would permit"). Rule 1.6's duty of confidentiality does not end upon the termination of the attorney-client relationship. See MODEL RULES OF PROF'L CONDUCT R. 1.6 cmt. [20] (2013); N.Y. City Bar Ass’n Formal Op. 2017-5 (2017) (noting Rule 1.6(c)’s reasonable efforts requirement applies to “information obtained from prospective, current and former clients”). Rule 1.9(c) extends the duty of confidentiality to "former clients" and provides: "A lawyer who has formerly represented a client in a matter or whose present or former firm has formerly represented a client . . . shall not thereafter . . . (2) reveal information relating to the representation except as these Rules would permit or require with respect to a client." MODEL RULES OF PROF'L CONDUCT R. 1.9(c) (2013).

Given today's level of data breach risk, records and data should be kept no longer than necessary. Firms should consider developing information governance strategies to protect the privacy and security of client data, which obviously includes a record retention schedule and procedures to retain and securely dispose of information in accordance with that schedule. At the end of any engagement, any records that can be returned to the client should be returned. Any remaining records should be retained in accordance with the firm's record retention schedule and ultimately be disposed of in a secure fashion.

Data protection requires careful and proper disposal of client records. Paper records should be shredded, and electronic records should be erased or rendered unreadable. Proper disposal of any equipment with memory that stores electronic information, such as copiers or fax machines, should include having that memory erased before the equipment is sold or returned. The same steps should be taken for mobile devices before they are sold or reused by the firm or its lawyers.

i) California 2016 Data Breach Report

In February 2016, the California Attorney General released the California Data Breach Report 2012-2015, available at: https://oag.ca.gov/breachreport2016, of which lawyers, especially those practicing in California, should be aware when it comes to data security. While the report provides that it is issued "for informational purposes and should not be construed as legal advice or as policy of the State of California," in that report the California Attorney General takes the position:

The 20 controls in the Center for Internet Security's Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.

California Data Breach Report 2012-2015 at v.

The Center for Internet Security, however, explains that its Critical Security Controls are "not a one-size fits all solution, in either content or priority." The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0 at 3, available for download at: https://www.cisecurity.org/critical-controls/. Moreover, the Center itself recognizes that "[e]ven a relatively small number of Controls cannot be executed all at once," Id., which seems to contradict the California Attorney General's opinion about reasonable security measures. Nonetheless, California law firms should carefully review the CIS controls and consider those that are applicable. The 20 Security Controls each contain a series of sub-controls that also should be considered.

Those 20 Security Controls address the following data security issues:

1. Inventory of Authorized and Unauthorized Devices.

2. Inventory of Authorized and Unauthorized Software.

3. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers.

4. Continuous Vulnerability Assessment and Remediation.

5. Controlled Use of Administrative Privileges.

6. Maintenance, Monitoring and Analysis of Audit Logs.

7. Email and Web Browser Protections.

8. Malware Defenses.

9. Limitation and Control of Network Ports, Protocols and Services.

10. Data Recovery Capability.

11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches.

12. Boundary Defense.

13. Data Protection.

14. Controlled Access Based on the Need to Know.

15. Wireless Access Control.

16. Account Monitoring and Control.

17. Security Skills Assessment and Appropriate Training to Fill Gaps.

18. Application Software Security.

19. Incident Response and Management.

20. Penetration Testing.

C. Electronic Communication and Transmission of Client Information Competence

Model Rule 1.6 takes a similar approach to the transmission of client information. Comment 19 to the Rule explains that "reasonable precautions" must be taken "to prevent the information from coming into the hands of unintended recipients." Special security measures such as encryption are not required "if the method of communication affords a reasonable expectation of privacy." MODEL RULES OF PROF'L CONDUCT R. 1.6 cmt. [19] (2013).

Comment 19 explains that factors to consider in evaluating the "reasonableness of the lawyer's expectation of confidentiality" include:

• The sensitivity of the information.

• The extent to which the privacy of the communication is protected by law.

• The extent to which the communication is protected by a confidentiality agreement.

Ethics opinions that have addressed the issue historically did not require lawyers to encrypt email communications containing confidential client information under ordinary circumstances, because the risk of unauthorized disclosure with email was viewed to be no greater than with other communication technologies. See, e.g., Cal. State Bar, Formal Ethics Op. 2010-179 (2010) (collecting ethics opinions). The ABA, in Formal Opinion 99-413, observed:

The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. . . . The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law.

ABA Comm. on Ethics & Prof'l Responsibility Formal Op. 413 (1999). The ABA in Formal Op. 99-413, however, explained:

The conclusions reached in this opinion do not, however, diminish a lawyer's obligation to consider with [his/her] client the sensitivity of the communication, the costs of its disclosure, and the relative security of the contemplated medium of communication. Particularly strong protective measures are warranted to guard against the disclosures of highly sensitive matters. These measures might include the avoidance of e-mail, just as they would warrant the avoidance of telephone, fax, and mail.

While encryption of email may not ordinarily be required for routine communications, ethics opinions also recognized that when highly sensitive information is involved, it may be appropriate to transmit that information electronically only if it is encrypted. See, e.g., Ill. State Bar Ass'n, Advisory Op. 96-10 (1997) ("[T]here may be unusual circumstances involving an extraordinarily sensitive matter that might require enhanced security measures like encryption. These situations would, however, be of the nature that ordinary telephones and other normal means of communication would also be deemed inadequate."); N.Y. State Bar Ass'n, Op. 709 (1998) (explaining where the information transmitted is "of such an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer's control, the lawyer must select a more secure means of communication than unencrypted Internet e-mail"). New Jersey in an advisory ethics opinion suggested that lawyers should consider password protecting confidential documents sent over the internet. N.J. Sup. Ct. Op. 701 (2006), at n.1. See also Tex. Prof'l Ethics Comm. Op. 648 (2015) (identifying six scenarios in which lawyers should consider using encryption or some other security precaution).

Not only has the threat landscape significantly changed since the ABA issued Opinion 99-413, but the ways lawyers and clients communicate with one another are radically different. Smart phones, text messaging, WiFi and Bluetooth did not exist when that opinion was issued.

Model Rule 1.6 recognizes that "special circumstances" can require that additional precautions, such as encryption, be taken. MODEL RULES OF PROF'L CONDUCT R. 1.6 cmt. [19] (2013). In its latest ethics opinion addressing this issue, the ABA cautioned that "lawyers must, on a case-by-case basis, constantly analyze how they communicate electronically about client matters." ABA Comm. on Ethics & Prof'l Responsibility Formal Op. 477 (2017). Factors to consider include the sensitivity of the information involved, the proposed mode of electronic communication, the client's technological sophistication or limitations, and available security measures. Id. The comments to Rule 1.6 further explain that a client can either require the implementation of special security measures not otherwise required under the Rule or, with informed consent, can forgo security measures that the Rule would otherwise require. Id.

Several state laws require the encryption of records and files containing personally identifying information that is electronically transferred. See 201 Mass. Code Reg. 17.04 (2015); Nev. Rev. Stat. §§ 603a.0100.920 (2015). HIPAA's Security Rule, which applies to lawyers and law firms that qualify as business associates, also requires measures to guard against unauthorized access to protected health information when it is electronically transmitted. 45 C.F.R. §164.312(e)(1) (2014). Generally, this is accomplished through email encryption, but if a business associate determines that email encryption cannot reasonably be accomplished, it must document that determination and implement an alternative means to protect the transmission of electronic protected health information. Obviously, lawyers must comply with state or federal laws or regulations requiring encryption of specific types of information.

Since the level of protection required to protect client communications can vary between clients and even between engagements for the same client, lawyers should consider discussing with the client whether any special security measures are required when transmitting information electronically before opening a file. Lawyers can then confirm in an engagement letter the client's position as to whether any special security measures are required for that particular engagement. ABA Comm. on Ethics & Prof’l Responsibility Formal Op. 477 (2017).

The obligation to competently safeguard client information extends to the metadata in documents transmitted by lawyers. Or. State Bar Ass'n, Formal Op. No. 2011-187 (updated 4/24/15); Tex. St. Bar. Prof. Ethics Comm. Op. 665 (2016). Metadata is broadly defined as data about data or data about documents. When a computer is used to create a document, the computer will generate fields of information about the document such as the date it was created, who created it, the number of prior versions of the document, when it was last viewed or modified and who viewed or modified the document. The information can't be seen on a computer screen or on the document when it is printed, but can be readily found by checking the document's properties. A document could also contain tracked changes or embedded comments from a client. A lawyer would not send his or her notes about a client's changes to a document when mailing that document to opposing counsel. Those same precautions should be taken when emailing a document that may contain a client's thoughts or comments; the metadata in the document can be protected by converting it to a .pdf format or by scrubbing the metadata and comments from the document before the document is emailed. Id. A list of metadata ethics opinions can be found at: http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/metadatachart.html.
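The scrubbing step described above, shown here as an added Python example that is not part of this article or of any cited opinion: a .docx is a ZIP archive whose "Properties" fields live in docProps/core.xml and whose reviewer comments live in word/comments.xml, so the script lists what a recipient would see, then writes a copy with the identifying properties removed and the comments emptied. The document it operates on is constructed inline, and every name, date and value in it is made up.

```python
"""Inspect and scrub the metadata and comments in a .docx before it is sent.

The sample document below is constructed in memory so the script runs
offline; the author names, dates and figures in it are hypothetical.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"
DCTERMS = "http://purl.org/dc/terms/"
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
for prefix, uri in (("cp", CP), ("dc", DC), ("dcterms", DCTERMS), ("w", W)):
    ET.register_namespace(prefix, uri)  # keep the conventional prefixes on output

# Core properties that reveal people, dates or editing history.
SENSITIVE_CORE = {
    f"{{{DC}}}creator", f"{{{DC}}}description", f"{{{CP}}}keywords",
    f"{{{CP}}}lastModifiedBy", f"{{{CP}}}revision", f"{{{CP}}}lastPrinted",
    f"{{{DCTERMS}}}created", f"{{{DCTERMS}}}modified",
}
# Body-text marks that anchor a comment to a passage.
COMMENT_MARKS = {f"{{{W}}}commentRangeStart", f"{{{W}}}commentRangeEnd",
                 f"{{{W}}}commentReference"}

# Constructed sample parts (hypothetical names and values).
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}" xmlns:dcterms="{DCTERMS}"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Draft Settlement Agreement</dc:title>
<dc:creator>jdoe</dc:creator>
<cp:lastModifiedBy>Client GC</cp:lastModifiedBy>
<cp:revision>14</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2017-03-01T09:00:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2017-03-09T17:42:00Z</dcterms:modified>
</cp:coreProperties>"""
DOCUMENT_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="{W}"><w:body><w:p>
<w:commentRangeStart w:id="0"/><w:r><w:t>The purchase price is $4,200,000.</w:t></w:r>
<w:commentRangeEnd w:id="0"/><w:r><w:commentReference w:id="0"/></w:r>
</w:p></w:body></w:document>"""
COMMENTS_XML = f"""<?xml version="1.0" encoding="UTF-8"?>
<w:comments xmlns:w="{W}"><w:comment w:id="0" w:author="Client GC"><w:p><w:r>
<w:t>We can accept 3,500,000 if they push back.</w:t></w:r></w:p></w:comment></w:comments>"""


def build_constructed_docx() -> bytes:
    """Assemble the constructed parts into a minimal .docx archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/comments.xml", COMMENTS_XML)
    return buf.getvalue()


def _part(docx: bytes, name: str):
    """Parse one XML part of the archive, or return None if it is absent."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        return ET.fromstring(z.read(name)) if name in z.namelist() else None


def read_core_properties(docx: bytes) -> dict:
    """The fields a recipient sees under File > Properties, as {field: value}."""
    root = _part(docx, "docProps/core.xml")
    return {} if root is None else {c.tag.split("}")[1]: (c.text or "") for c in root}


def count_comments(docx: bytes) -> int:
    root = _part(docx, "word/comments.xml")
    return 0 if root is None else len(root.findall(f"{{{W}}}comment"))


def document_text(docx: bytes) -> str:
    root = _part(docx, "word/document.xml")
    return "" if root is None else "".join(t.text or "" for t in root.iter(f"{{{W}}}t"))


def scrub_docx(docx: bytes) -> bytes:
    """Copy the archive with sensitive core properties removed and comments emptied.

    The comments part is emptied rather than deleted so the relationship and
    content-type entries of a real document stay valid. docProps/app.xml
    (Company, total editing time) is not covered by this example.
    """
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx)) as src, \
            zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in src.namelist():
            data = src.read(name)
            if name == "docProps/core.xml":
                root = ET.fromstring(data)
                for child in list(root):
                    if child.tag in SENSITIVE_CORE:
                        root.remove(child)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            elif name == "word/comments.xml":
                data = f'<?xml version="1.0" encoding="UTF-8"?><w:comments xmlns:w="{W}"/>'
            elif name == "word/document.xml":
                root = ET.fromstring(data)
                for parent in list(root.iter()):  # snapshot before mutating
                    for child in list(parent):
                        if child.tag in COMMENT_MARKS:
                            parent.remove(child)
                data = ET.tostring(root, encoding="UTF-8", xml_declaration=True)
            out.writestr(name, data)
    return out_buf.getvalue()


if __name__ == "__main__":
    original = build_constructed_docx()
    print("before:", read_core_properties(original), count_comments(original), "comment(s)")
    cleaned = scrub_docx(original)
    print("after: ", read_core_properties(cleaned), count_comments(cleaned), "comment(s)")
```

Running the script on the constructed file shows the author, last editor, revision count and dates before scrubbing and only the title afterward, with the client's comment gone from the copy while the body text is unchanged. A production tool would also clear docProps/app.xml and accept tracked changes, which this example leaves aside.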

Finally, because many companies reserve the right to review an employee's use of the computers, tablets or smart phones supplied by the company for work purposes, the ABA issued Formal Opinion 11-459 to address that scenario. That opinion explains that a lawyer should advise the client to avoid using those devices to communicate with the lawyer, and the lawyer should avoid sending emails to a client's work email account, in order to prevent third parties from accessing confidential communications. See, e.g., Scott v. Beth Israel Medical Center, 847 N.Y.S.2d 436 (2007) (holding the attorney-client privilege was lost when the plaintiff used the company's email system to communicate with his attorney in light of the company's email monitoring policy); accord Holmes v. Petrovich Dev. Co., LLC, 191 Cal. App. 4th 1047 (2011).

D. Cloud Computing and Cloud Storage Competence

The term cloud computing refers to the shared use of applications, computing services, and physical or virtual resources over the internet. N. H. Bar Ass'n, Advisory Op. 2012-13/4 (2013). Examples of cloud computing applications available to lawyers and law firms include Google Docs, Carbonite, SugarSync, Dropbox and Microsoft Office 365. Documents generated or shared through web-based applications like these are generally stored in the "cloud." Web or internet based email systems such as Gmail and Yahoo Mail also store email and attachments in the "cloud."

Cloud storage refers to an internet-based model of remote data storage on servers typically owned by third parties that host the data, generally at off-site locations. Ala. State Bar, Ethics Op. 2010-02 (2010). Cloud storage is simply today's version of a warehouse for electronic records. In other words, references to the "cloud" are merely "a fancy way of saying stuff's not on your computer." Pa. Bar Ass'n, Formal Op. 2011-200 (2011) (quoting Quinn Norton, Byte Rights: Every Silver Lining Has its Cloud, MAXIMUM PC, Sept. 2010, at 12).

Cloud computing resources are made available or deployed in one of four ways:

1. Public clouds which are available for use over a public network by anyone;

2. Private clouds, which are available for use solely by the employees of a single organization;

3. Community clouds which are available to organizations or entities within the same or related service industries or community; or

4. Hybrid clouds, which can involve a combination of a public cloud provider with a private cloud platform to perform distinct functions for a single organization. A hybrid cloud provides an organization the flexibility to store information in a private cloud while relying on applications and other computing resources from a public cloud to create or transmit information.

Cloud applications and cloud-based storage typically go hand-in-hand with many of today's software applications and web-based email accounts. Cloud-based applications and mobile technology permit lawyers greater flexibility in how they can access and share documents, information or work. Documents or emails can be accessed wherever, whenever and however network or WiFi access can be obtained. Cloud applications and storage can provide significant cost savings to lawyers and firms by eliminating the need to purchase, maintain, upgrade and patch hardware, servers and software applications on an ongoing basis; to employ staff to perform those functions; or to rent space to house that equipment. And the security measures that reputable, certified cloud storage providers have in place may exceed the security of many law firms. See, e.g., N.J. Sup. Ct. Op. 701 (2006) (recognizing that "[p]roviding security on the Internet against hacking and other forms of unauthorized use has become a specialized and complex facet of the industry" and "it is not necessarily the case that safeguards against unauthorized disclosure are inherently stronger when a law firm uses its own staff to maintain a server").

The use of the cloud, however, implicates the lawyer's duty of competence under Rule 1.1. See N. H. Bar Ass'n, Advisory Op. 2012-13/4 (2013) ("A competent lawyer using cloud computing must understand and guard against the risks inherent in it."). Because use of the cloud means that client information will be stored on a third party's servers, it poses a different set of security risks, as third parties may be permitted to have some form of access to client information.

A lawyer's duty to safeguard information under its control cannot be transferred or delegated to a third party, nor is it lessened simply because the lawyer stores client information with a cloud provider. See Alaska Bar Ass'n, Ethics Op. 2014-3 (2014) (noting the "[d]uties of confidentiality and competence are ongoing and not delegable"); Cal. State Bar, Formal Op. 2012-184 (2012) (explaining "outsourcing does not change Attorney's obligation to take reasonable steps to protect and secure the client's information"). Thus, mobile technology's use of the cloud also triggers consideration of Model Rules 1.6, 1.15, 5.1 and 5.3.

Yet how many lawyers have considered whether their use of cloud-based applications or web-based mail accounts on their mobile devices triggers these issues? And how many lawyers have checked Google's terms of service, for instance, and evaluated the potential impact of those service terms on the duty to maintain the confidentiality and security of client information? Google's terms of service, which are available at: http://www.google.com/intl/en/policies/terms/, provide:

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services ….

Twenty (20) states have issued ethics opinions addressing the use of cloud computing or cloud storage. The ABA maintains a list of state ethics opinions. Cloud Ethics Opinions Around the U.S., ABA, http://www.americanbar.org/groups/departments_offices/legal_technology_resources/resources/charts_fyis/cloud-ethics-chart.html (last visited March 12, 2016) (the website lists 19 state ethics opinions but does not reference the Alaska Bar Ass'n, Ethics Op. No. 2014-3).

While there are variations in these ethics opinions, they generally permit the use of cloud computing and cloud storage, but require the lawyer to exercise reasonable care in the selection of a cloud vendor and in assessing the vendor's procedures for safeguarding the confidentiality of client information. See, e.g., N. Y. State Bar Ass'n, Ethics Op. 842 (2010) (concluding that lawyers may ethically use cloud storage so long as they take "reasonable care to ensure that the system is secure and that client confidentiality will be maintained"); Ala. State Bar, Ethics Op. 2010-02 (2010) (determining "a lawyer may use 'cloud computing' or third-party providers to store client data provided that the attorney exercises reasonable care in doing so"). They require a lawyer to evaluate whether a cloud provider’s terms of use, policies, practices and procedures are compatible with the lawyer’s professional obligations. See Mass. Bar Ass'n, Ethics Op. 12-03 (2012).

The New York State Bar has suggested that exercising "reasonable care" in this context "may" require:

• Verifying the cloud storage provider has an enforceable obligation to preserve confidentiality and will notify the lawyer if served with process requiring the production of client information.

• Investigating the adequacy of the cloud provider's security, policies, recoverability methods, and other procedures.

• Employing available technology to guard against reasonably foreseeable attempts to infiltrate the data that is stored.

• Investigating the cloud provider’s ability to purge any copies of the data, and to move the data to a different host for any reason.

N.Y. State Bar Ass'n, Ethics Op. 842 (2010). Pennsylvania Formal Opinion 2011-200 suggests several other factors that lawyers should consider, including whether the cloud provider:

• Explicitly agrees that it has no ownership or security interest in the data.

• Includes in its terms of service or service level agreement an explanation of how confidential client information will be handled.

• Provides a method for retrieving data if the provider goes out of business, the service has a break in continuity or the agreement is terminated.

• Employs technology built to withstand a reasonably foreseeable attempt to infiltrate data, including penetration testing.

• Provides the law firm with the right to audit the provider's security procedures and to obtain copies of any security audits performed.

• Agrees to host the data only within a specified geographic area.

Pa. Bar Ass'n, Formal Op. 2011-200 (2011). On this last point, a California state ethics opinion addressing a virtual law practice suggests lawyers should:

[A]ddress and minimize exposure of the client to legal issues triggered by both the international movement, and/or storage, of information in the cloud, and the potential subcontracting out of one vendor's services to unknown third-party vendors, which may impact confidentiality, without the prior written consent of Attorney and affected clients.

Cal. State Bar, Formal Op. 2012-184 (2012). Pennsylvania Opinion 2011-200 further explains that should the data be hosted outside of the United States, then the law firm should determine that "the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States." Pa. Bar Ass'n, Formal Op. 2011-200 (2011). It further suggests that a lawyer investigate the cloud provider's:

• Security measures, policies and recovery methods.

• System for backing up data.

• Security of its data centers and if storage is provided in multiple centers.

• Safeguards against disasters, including multiple server locations.

• History, including the length of time it has been in business, and its funding and stability.

• Process used to comply with data subject to a litigation hold.

Id. A lawyer's obligation to confirm that a cloud provider can reliably maintain the confidentiality of client information can be satisfied through "compliance with industry standards," provided those standards "meet the minimum requirements imposed on the [l]awyer" by the State Rules of Professional Conduct. Or. State Bar, Formal Op. 2011-188 (2011). A lawyer should verify that the cloud provider will either return or securely delete information from the cloud once an engagement ends or there is no longer a need to retain the information and then evaluate the process to be used to accomplish that task. N. H. Bar Ass'n, Advisory Op. 2012-13/4 (2013). "Otherwise, the lawyer's duty to take reasonable steps to protect the security and confidentiality of that data" will continue indefinitely. Alaska Bar Ass'n, Ethics Op. 2014-3 (2014).

A highly relevant inquiry is whether the cloud provider has ever suffered a security breach, and if so, how the breach (or breaches) occurred and what steps have been taken to prevent a recurrence. See N. Y. State Bar Ass'n, Ethics Op. 842 (2010) (explaining that if a lawyer learns of a data breach of an "online storage provider," the lawyer must investigate whether the breach involved the client's data, notify any affected clients, "and discontinue use of the service unless the lawyer receives assurances that any security issues have been sufficiently remediated"); see also Alaska Bar Ass'n, Ethics Op. 2014-3 (2014) (noting a "lawyer must notify the impacted client if the lawyer learns that the provider's security was breached and the client's confidence or secret was revealed").

Given the increasing importance of encryption to data security, lawyers should inquire if the cloud provider encrypts information both in transit and at rest. And if a cloud provider periodically transmits data between servers at remote locations, the lawyer should confirm the data is encrypted while in transit so it remains adequately protected while en route.

As with any other use of technology, lawyers "should conduct periodic reassessments" of these factors to verify that a cloud vendor's security measures "have not become outdated" in light of changing technology or "that changes in the vendor's business environment or management have not negatively affected [their] adequacy." Cal. State Bar, Formal Op. 2012-184 (2012). See also Ala. State Bar, Ethics Op. 2010-02 (2010) (explaining lawyers "have a continuing duty to stay abreast of appropriate security safeguards that should be employed by the lawyer and the third-party provider").

Finally, law firms should consider rules and policies that prohibit attorneys and staff from using public clouds that the firm has not carefully evaluated and approved. This would include the use of mobile technology and applications that store sensitive or confidential client information in public clouds without the firm's prior express authorization.

i). Is Client Consent Required?

Whether client consent is required for the use of cloud computing appears to be an open question. Several of the ethics opinions that discuss the issue suggest that its use may be "impliedly authorized" under Model Rule 1.6 so long as reasonable efforts are used to ensure the data is adequately safeguarded. See, e.g., Pa. Bar Ass'n, Formal Op. 2011-200 (2011) ("This may mean that a third party vendor, as with 'cloud computing,' could be 'impliedly authorized' to handle client data provided that the information remains confidential, is kept secure, and any disclosure is confined only to necessary personnel."); N.H. Bar Ass'n, Advisory Op. 2012-13/4 (2013) ("As cloud computing comes into wider use, storing and transmitting information in the cloud may be deemed an impliedly authorized disclosure to the provider, so long as the lawyer takes reasonable steps to ensure that the provider of cloud computing services has adequate safeguards."); Nev. State Bar, Formal Op. 33 (2006) (explaining if the third party electronic storage vendor "can be reasonably relied upon to maintain the confidentiality [of client information] and agrees to do so, then the transmission is permitted by the rules even without client consent").

In an opinion addressing remote access to client files, the New York State Bar Association took the position that when a law firm is able to make a determination that the security measures in place are reasonable, client consent is unnecessary. N. Y. State Bar Ass'n, Ethics Op. 1019 (2014). The use of the cloud, however, is just another form of outsourcing. See Pa. Bar Ass'n, Formal Op. 2011-200 (2011). Thus, while ABA Formal Opinion 08-451 does not specifically address use of the cloud, it simply cannot be ignored. The ABA's Opinion 08-451 takes the position that when an outsourcing relationship is attenuated, client consent is required before information covered by Rule 1.6 is shared with "outside" entities or individuals "over whom the firm lacks effective supervision and control." ABA Comm. on Ethics & Prof'l Responsibility Formal Op. 08-451 (2008).

The California State Bar ethics opinion addressing a virtual law practice that was entirely cloud based similarly explained that a "virtual" attorney:

[S]hould consider whether her ethical obligations require that she make appropriate disclosures and obtain the client's consent to the fact that an outside vendor is providing the technological base of Attorney's law firm, and that, as a result, the outside vendor will be receiving and exclusively storing the client's confidential information.

Cal. State Bar, Formal Op. 2012-184 (2012). Several other state ethics opinions suggest that client consent may be required when highly sensitive information is involved. Cal. State Bar, Formal Op. 2010-179 (2010) ("If the information is of a highly sensitive nature and there is a risk of disclosure when using a particular technology, the attorney should consider alternatives unless the client provides informed consent."). New Hampshire, for instance, explains "where highly sensitive data is involved, it may become necessary to inform the client of the lawyer's use of cloud computing and to obtain the client's informed consent." N. H. Bar Ass'n, Advisory Op. 2012-13/4 (2013). Ohio State Bar Association's Informal Advisory Opinion 2013-03 appears to echo this view, stating "[i]n exercising judgment about whether to consult with the client about storing client data in 'the cloud,' the lawyer should consider, among other things, the sensitivity of the client's data." Ohio State Bar Ass'n, Informal Advisory Op. 2013-03 (2013); see also Alaska Bar Ass'n, Ethics Op. 2014-3 (2014) ("Where highly sensitive data are involved, it may behoove a lawyer to inform the client of the lawyer's use of cloud computing and to obtain the client's informed consent.").

The Pennsylvania Bar Association, while not explicitly requiring informed consent, concludes "it may be necessary, depending on the scope of representation and the sensitivity of the data involved, to inform the client of the nature of the attorney's use of 'cloud computing' and the advantages as well as the risks endemic to online storage and transmission." Pa. Bar Ass'n, Formal Op. 2011-200 (2011) (further explaining that under Rule 1.4, "'adequate information' should be provided to the client so that the client understands the nature of the representation and 'material risks' inherent in an attorneys methods").

Other states' ethics opinions provide more explicit guidance on the issue. Massachusetts Opinion 12-03 addressed the use of Google Docs and concluded that while the use of an internet-based service provider would not violate Rule 1.6 under normal circumstances, a lawyer "remains bound to follow an express instruction from his client that the client's confidential information not be stored or transmitted by means of the Internet, and that he should refrain from storing or transmitting particularly sensitive client information by means of the Internet without first seeking and obtaining the client's express consent to do so." Mass. Bar Ass'n, Ethics Op. 12-03 (2012).

One of the difficulties surrounding the issue of client consent is that no two cloud applications or vendors are the same. Cloud vendors employ different procedures and safeguards. Moreover, cloud computing has a myriad of potential uses by a law firm. Obtaining client consent for a specific project, such as an e-discovery review platform in litigation or a file sharing application when collaborating on a transaction, is eminently reasonable and can be easily accomplished.

When, however, a cloud-based application or computing resource will be used enterprise-wide on an ongoing basis by a lawyer or law firm, obtaining client consent can raise a number of problematic issues. Who is the appropriate person at each client to contact? Can a client's failure to respond and object to the use of the cloud be considered implied consent to its use? How much information about the cloud provider and its security measures should be provided to the client to make the consent informed? These are just a few of the vexing questions that firms must navigate. It is unrealistic, for instance, to expect a law firm to have two email systems, one that is cloud-based and a second for those clients that do not consent to the firm's cloud-based email system. So long as a firm has carefully evaluated the cloud-based application, its security and its procedures for safeguarding the confidentiality of client information, the firm should be ethically permitted to use the application.

In light of the quagmire of ethics opinions surrounding the issue of client consent involving a lawyer's use of the cloud, lawyers should carefully evaluate the issue in the context in which the cloud-based application(s) would be used. Given the various ethics opinions noted above, lawyers should carefully address the issue of client consent where highly sensitive information may be involved. Remember when seeking client consent, a lawyer must disclose the risks of using that technology so that the client's consent is "informed." See N. Y. State Bar Ass'n, Ethics Op. 1019 (2014).

Lawyers and law firms should also consider addressing the use of the cloud in their engagement letters, explaining how they use the cloud and its potential ramifications in terms that clients can understand. Then a client cannot claim he or she did not know about the lawyer's use of the cloud should a breach occur.

E. Competence Involving Law Practice Management Technology

The ethics opinions cited in earlier sections of this article advise lawyers that they must have a basic understanding of the technologies they use in providing legal services to clients. The failure to fully understand any such technology, the misuse or the overreliance on such a technology can potentially lead to disastrous consequences. One notable area of technological risk is missed filing deadlines involving electronic calendaring and docketing applications.

Symbiotics, Inc. v. Ortlieb, 432 Fed. Appx. 216 (4th Cir. 2011), addressed a notice of appeal that was filed one day late because an attorney failed to realize that the Microsoft Windows Calendar he used to compute the due date for the appeal did not automatically advance to January 2010, but had reverted to January 2009. Id. at 218. The district court granted a motion to extend the time to appeal under Rule 4(a)(5)(A) of the Federal Rules of Appellate Procedure because the attorney "less than completely understood [the] electronic workings of a commonly used software product." Id. at 219-20. The Fourth Circuit reversed holding:

Counsel's total dependence on a computer application–the operation of which counsel did not completely comprehend–to determine the filing deadline for a notice of appeal is neither 'extraneous' to nor 'independent' of counsel's negligence.

Id. at 220. While the Symbiotics decision may seem a harsh result, it is far from extraordinary, as the Federal Circuit's recent decision in Two-Way Media LLC v. AT&T, Inc., 782 F.3d 1311 (Fed. Cir. 2015), demonstrates.

In Two-Way Media, a $40 million patent infringement verdict resulted in the filing of several post-trial motions by AT&T, including motions for judgment as a matter of law ("JMOL") and a motion to file those JMOL motions under seal. Id. at 1313. AT&T's attorneys received a notice of electronic filing ("NEF") labeled: "Order Granting [ ] Motions for Leave to File Sealed Document." The district court's underlying orders could be viewed by clicking on the hyperlink. The district court granted the motion to file the JMOL motions under seal, but also denied those JMOL motions, which triggered the time for filing an appeal. Id. The attorneys representing AT&T failed to realize the district court had denied their JMOL motions, and as a result, failed to timely file the notice of appeal. AT&T's attorneys argued that the electronic notices they received were misleading since they only referenced the motion to seal and, therefore, excusable neglect existed which permitted the filing of a belated notice of appeal. Id. at 1315-16.

Both the district court and the Federal Circuit rejected AT&T's excusable neglect argument, finding "it was not excusable for AT&T's lawyers to rely on the email notification and neglect to read the order in light of the circumstances surrounding the NEFs." Id. at 1316. The appellate court in Two-Way Media declined "to give 'an interpretation of [Federal Appellate] Rule 4(a)(6) that allows parties to ignore … the electronic information' at their fingertips." Id. at 1317 (quoting Kuhn v. Sulzer Orthopaedics, Inc., 498 F.3d 365, 371 (6th Cir. 2007) (involving an attorney's failure to register with the district court's CM/ECF system because he did not have the scanners or software necessary to meet the technical requirements for electronic filing)).

In Sulzer Orthopaedics, the Sixth Circuit unsurprisingly ruled that the attorney's lack-of-available-technology explanation did not qualify as excusable neglect for a blown deadline because the attorney "was still required to register with the CM/ECF system" to receive email notifications of the court's orders. 498 F.3d at 370.

Robinson v. Wix Filtration Corp., LLC, 599 F.3d 403 (4th Cir. 2010), similarly involved the failure to timely respond to a motion for summary judgment where an attorney's computer was infected by malware, causing the attorney not to receive electronic notice that a motion for summary judgment had been filed. The district court had earlier entered a scheduling order that included a deadline for filing dispositive motions during the timeframe the attorney's computer was affected by the malware. The appellate court affirmed the district court's refusal to allow a late response to the summary judgment motion, reasoning that the lawyer's failure to notify opposing counsel or the court about the malfunction of his computer system was inexcusable. Id. at 413. The attorney, knowing that a deadline for dispositive motions had been entered, should have accessed the court's docket, if for no other reason than to keep the client reasonably informed as to the status of the case. Id. The court in Robinson cited a series of decisions from other federal circuits holding that an attorney's failure to receive a notice of filing did not absolve counsel of his duty to stay apprised of the status of the case. Id. In other words, a technology failure will not relieve an attorney of his or her ethical obligations to a client.

F. Social Media Competence

Over the past decade, social media networks such as Facebook, LinkedIn, Twitter, YouTube, Instagram and Snapchat have become wildly popular. Facebook, for instance, reported it had over 1.5 billion monthly active users as of December 31, 2015. http://newsroom.fb.com/Company-Info/. Social media users frequently discuss various aspects of their personal and professional lives with their friends and followers on these networks.

More and more lawyers are communicating or posting information using various forms of social media. Lawyers should recognize that their social media posts or communications have no borders, and reach multiple jurisdictions. Therefore, lawyers should endeavor to comply with the ethical rules of each jurisdiction in which they practice. The difficulty lawyers face in this regard is that there are subtle yet potentially significant variations in various states' Rules of Professional Conduct.

There have been a plethora of state and local ethics opinions addressing the use of social media on a variety of issues. So it is important to review the ethics rules in any state in which a lawyer practices and any applicable ethics opinions. Social media ethics opinions have addressed compliance with the duty of confidentiality; when a lawyer's social media posts must comply with a state's advertising rules; the risk of creating unintended attorney-client relationships; the permissible use of social media to investigate parties, witnesses and jurors; and the permissible scope of a lawyer's advice concerning a client's social media information in light of the obligation to preserve information when litigation is reasonably anticipated.

The duty of competence applies to a lawyer's use of social media. The ABA in an ethics opinion noted:

As indicated by [Model] Rule 1.1, Comment 8, it is important for a lawyer to be current with technology. While many people simply click their agreement to the terms and conditions for use of an [electronic social media] network, a lawyer who uses an [electronic social media] network in his practice should review the terms and conditions, including privacy features – which change frequently – prior to using such a network.

ABA Comm. on Ethics & Prof'l Responsibility, Formal Op. 466 (2014). See also, D.C. Bar Legal Ethics Comm., Ethics Op. 370 (2016) (“The guiding principle for lawyers with regard to the use of any social network site is that they must be conversant in how the site works. Lawyers must understand the functionality of the social networking site, including its privacy policies.”); Pa. Bar Ass'n, Formal Op. 2014-300 (2014) ("Lawyers must be aware of how those websites operate and the issues they raise in order to represent clients whose matters may be impacted by content posted on social media websites.").

Generally speaking, attorney advertising and solicitation rules do not apply when a lawyer uses social media for purely personal purposes. When social media is used to develop business by a lawyer or a law firm, then a state's advertising and solicitation rules will apply. See e.g., Cal. State Bar Comm. on Prof’l Responsibility and Conduct, Formal Op. No. 2012-186 (2012) (solicitation). Between those two landmarks lies a large field of grey.

A lawyer's social media profile that merely provides biographical information and the lawyer's current and past employment does not constitute attorney advertising. N.Y. Cnty. Lawyers’ Ass’n, Formal Op. 748 (2015). At least one ethics opinion, however, takes the position that where an attorney's profile, "includes a detailed description of practice areas and types of work done in prior employment, the user should include the words 'Attorney Advertising' on the lawyer's … profile." Id. Additionally what some lawyers view as bragging about the results achieved for clients can trigger a state's advertising rules. Moreover, statements made on social media that are reasonably likely to create an expectation about the results a lawyer can achieve, or social media profiles that contain endorsements or testimonials from clients may require a disclaimer in some states to the effect "prior results do not guarantee a similar outcome." Id.

A lawyer should not describe himself or herself as a "specialist" in any social media profile unless certified as such by an approved private organization in a state where that description is specifically permitted, or by an authority that has jurisdiction over the specialization, such as patent attorneys or proctors in admiralty. MODEL RULE OF PROF'L CONDUCT R. 7.4(d) (2013). This does not prohibit a lawyer from identifying one or more areas of the law in which the lawyer practices or a lawyer's experience in a given practice area.

Some social media sites permit third parties to add an endorsement or recommendation to a lawyer's profile. Attorneys have an obligation to monitor those to ensure they are not false or misleading, and to remove or correct any endorsement or recommendation that is misleading or inaccurate. See, e.g., N.C. Bar Ass'n, Formal Op. 8 (2012); Pa. Bar Ass'n Comm. on Legal Ethics and Prof'l Responsibility, Formal Op. 2014-300 (2014). False, misleading or deceptive communications are prohibited, and those same considerations apply to social media endorsements.

Another risk for lawyers involves inadvertently creating an attorney-client relationship by answering questions posed on a lawyer's personal account or a law firm's social media site. Lawyers can safely provide a general answer to general legal issues or questions, but when they provide specific legal advice to a specific problem posed on social media they run the risk of unintentionally creating an attorney-client relationship, or at least triggering a belief in the mind of the party asking the question that such a relationship exists. Lawyers therefore should take care in responding to legal inquiries on social media accounts and liberally use disclaimers.

The use of social media by lawyers and employees of law firms triggers several distinct risks to client information. First is the obvious risk that confidential client information may be disclosed in violation of Model Rule 1.6. Accordingly, many law firms have developed social media policies that prohibit the disclosure of any information relating to a firm matter, relating to the legal services provided to current or former clients of the firm, or relating to information provided by a former or current client. Additionally, lawyers who blog or who are active on social media should consider running a conflict check before blogging or tweeting about an actual case, because another member of the firm could be representing one of the parties in that or another engagement.

Lawyers have an obligation to preserve client confidences even in the face of a negative online review by a former client. While lawyers may be entitled to reveal confidential information to establish a defense to a controversy between the lawyer and a client, to establish a defense to a charge or claim against a lawyer based upon conduct in which the client was involved, or to respond to allegations in any proceeding concerning the lawyer's representation of the client, MODEL RULES OF PROF'L CONDUCT R. 1.6(b)(5) (2013), responding to a negative online review does not trigger this exception. See, e.g., Pa. Bar Ass'n, Formal Op. 2014-300 (2014). A lawyer who feels a response should be made to a negative online review is truly in a no-win situation because any response must not only be accurate and truthful, but also must not reveal any information relating to the representation of the client.

A less obvious social media risk to client information is the role it plays in phishing or targeted spear phishing exploits by hackers and cyber criminals. Spear phishing involves a phony or spoofed email that appears to be from a person, company or organization that the intended target knows. Successful spear phishing exploits rely on familiarity with the intended target. Hackers scan social media sites looking for information about a target that can be exploited, such as a list of friends, photos or posts about the target's recent activities. Cyber criminals hope that because the phishing email appears to be from someone the target knows, the target will be less careful and provide information he or she would not otherwise provide to a stranger, or click on a link or an attachment in the email containing some form of malware. There is no magic bullet to defeat these exploits, and the only realistic means to prevent a successful spear phishing attack is through ongoing training and reminders to all lawyers and staff of law firms.
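Training works best when people know what to look at. The following script is an added example, not part of the original article: it applies a handful of header checks that a firm's mail gateway (or a careful reader) can run against a message, flagging the patterns a spear phisher relies on when impersonating someone the target knows. The firm domain (examplefirm.com), the known-contact directory, and both sample messages are constructed for the illustration and are assumptions, not data from the page.

```python
"""Heuristic spear-phishing indicators from email headers (added example)."""
import email
from email.utils import parseaddr
from typing import List, Optional

# Hypothetical firm domain and contact directory (assumptions for the example).
TRUSTED_DOMAINS = {"examplefirm.com"}
KNOWN_CONTACTS = {"jane partner": "jane.partner@examplefirm.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one-character lookalikes (examp1efirm.com) score 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        # One-character edits, or the firm's name buried in a longer domain.
        if levenshtein(domain, trusted) <= 1 or label in domain.replace("-", ""):
            return trusted
    return None


def analyze(raw: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw)
    findings = []
    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # 1. Familiar display name, unfamiliar address: the core of impersonation.
    known = KNOWN_CONTACTS.get(name.strip().lower())
    if known and known != from_addr.lower():
        findings.append(f"display name '{name}' matches known contact but address is {from_addr}")

    # 2. Replies are silently routed to a different domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")

    # 3. The sending domain imitates the firm's own domain.
    imitated = lookalike(from_dom)
    if imitated:
        findings.append(f"From domain {from_dom} looks like {imitated}")

    # 4. The receiving gateway already recorded SPF/DKIM/DMARC failures.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:
            findings.append(f"{mech.upper()} failed in Authentication-Results")

    # 5. Bounce address does not match the visible sender.
    _, rp = parseaddr(msg.get("Return-Path", ""))
    if rp and domain_of(rp) != from_dom:
        findings.append(f"Return-Path domain {domain_of(rp)} differs from From domain {from_dom}")
    return findings


# Constructed sample messages (not real mail).
PHISHING_SAMPLE = "\n".join([
    "Return-Path: <bounce@mail-relay.example.net>",
    "Authentication-Results: mx.examplefirm.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail",
    'From: "Jane Partner" <jane.partner@examp1efirm.com>',
    "Reply-To: <jane.partner.docs@webmail.example.org>",
    "To: associate@examplefirm.com",
    "Subject: Re: Friday filing - need the draft today",
    "",
    "Saw your conference photos. Can you send the draft from the shared drive?",
    "",
])

LEGITIMATE_SAMPLE = "\n".join([
    "Return-Path: <jane.partner@examplefirm.com>",
    "Authentication-Results: mx.examplefirm.com; spf=pass smtp.mailfrom=examplefirm.com; dkim=pass header.d=examplefirm.com; dmarc=pass",
    'From: "Jane Partner" <jane.partner@examplefirm.com>',
    "To: associate@examplefirm.com",
    "Subject: Friday filing",
    "",
    "Draft attached.",
    "",
])

if __name__ == "__main__":
    for label, sample in (("phish", PHISHING_SAMPLE), ("legit", LEGITIMATE_SAMPLE)):
        print(label, analyze(sample) or "no indicators")
```

None of these checks is conclusive on its own (a mailing list legitimately rewrites Reply-To, and a misconfigured partner domain will fail SPF), which is why the script reports indicators rather than a verdict; the useful output for awareness training is the list of concrete things a recipient can look at before clicking.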

A lawyer may view the public profile, public portion, or the public posts on any social media account of a party or a witness. Pa. Bar Ass'n, Formal Op. 2014-300 (2014). Ethics opinions however, preclude attorneys from sending a request to view the private portion of a social media account of a party, or any witness who the lawyer knows is represented by counsel. Id. The opinions also generally prohibit the use of deception by lawyers when contacting a witness either directly by the lawyer or indirectly through an investigator, paralegal or third party to seek private social media information. Id.

While a lawyer may send a request to view the private portion of an unrepresented person's social media account (a "friend" request), the ethics opinions are split as to what information a lawyer must include in such a request to avoid it being deceptive. In New York City for instance, a lawyer who uses his or her real name and profile does not need to disclose the reason for making the request. N. Y. City Bar Ass'n, Formal Op. 2010-2 (2010). Other states, however, advise lawyers to disclose they are a lawyer for a party, Mass. Bar Ass'n, Advisory Op. 2014-5 (2014), or their involvement in a disputed or litigated matter, N.H. Bar Ass'n Ethics Op. 2012-13/05, or the "lawyer's affiliation and purpose for the request." San Diego Cnty. Bar Ass'n, Formal Op. 2011-2 (2011). Accordingly, lawyers should review their state's applicable ethics opinions on this issue.

The same rules generally apply to jurors; lawyers are permitted to view the public information posted on a juror or a prospective juror's social media account unless otherwise prohibited by law or a court order. See, e.g., ABA Formal Op. No. 466 (2014). But lawyers are not ethically permitted to send a request to view the private areas of a juror's social media account or profile. Id. That would constitute an ex parte communication with a juror. Id.

The fact that some social media networks automatically alert a person that their profile has been viewed generally does not preclude lawyers from reviewing a prospective juror's public social media posts. Id. The New York City Bar Association, however, has taken a position that some would describe as extreme, advising that a lawyer's review of a juror's publicly available social media information which triggers an automatic notification by a social media network constitutes an impermissible contact with a juror. N. Y. City Bar Ass'n, Formal Op. 2012-2 (2012). So New York practitioners should determine which social media networks generate these types of messages.

Finally, a lawyer can advise a client about taking down social media information. However, lawyers should carefully assess whether: 1) the information is potentially relevant to a pending dispute or litigation and/or subject to an existing litigation hold, 2) litigation is reasonably anticipated, which would trigger a common-law duty to preserve potentially relevant social media information, and 3) the removal or deletion of the social media information would otherwise violate a state's substantive law. See Pa. Bar Ass'n, Formal Op. 2014-300 (2014) ("A lawyer may, however, instruct a client to delete information that may be damaging from the client's page, provided the conduct does not constitute spoliation or is otherwise illegal, but must take appropriate action to preserve the information in the event it is discoverable or becomes relevant to the client's matter."). Lawyers should take great care on this issue, and instruct clients, preferably in writing, to preserve any information that is taken down should an issue or a question later arise as to the relevancy of the information to a client matter. Id.


Nothing, however, prohibits a lawyer from advising a client to change the client's privacy or security settings on any social media account, or from making publicly available information private, so long as it is properly preserved. See, e.g., N.C. State Bar Ass'n, 2014 Formal Ethics Op. 5 (2014); Fla. Bar Ass'n Prof'l Ethics Comm., Op. 14-1 (2015), revised online Sept. 21, 2016. Where lawyers can run into trouble is when they advise clients to remove or delete social media information once litigation is reasonably anticipated or has ensued.

IV. Conclusion

While lawyers need not become masters of technology, we can no longer ignore it. Clients are demanding that we use available technology to increase our efficiency and responsiveness. While some suggest that lawyers can no longer be technological Luddites, perhaps a better comparison is the old cobbler's guild, which at one time controlled shoemaking. Where are they now? Lawyers must be willing to embrace technology, or become the 21st Century's version of the shoemakers' guild. But technology brings risks, and the 2012 Amendments to the ABA's Model Rules require that we become familiar with those risks and take reasonable measures to guard against them.

About the Author:

Steven Puiszis is a partner in the Chicago office of Hinshaw & Culbertson LLP. He serves as Hinshaw's General Counsel–Privacy, Security & Compliance, and is a member of the Firm’s Lawyers for the Professions Practice Group, counseling and defending both lawyers and law firms in ethics, disciplinary and professional liability matters as well as data protection and cyber security.

Steve is Chair of DRI's Center for Law and Public Policy. He is a Past President of the Illinois Association of Defense Trial Counsel. He has written book chapters on law firm risk management, data protection and privacy in the U.S., mitigating law firm cyber risk, ethics, and electronic discovery. Steve has also authored Illinois Governmental Tort and Section 1983 Civil Rights Liability, Third Edition, Lexis Publishing. He is a graduate of Loyola University of Chicago’s School of Law and began his career as a prosecutor in the Office of the Cook County State's Attorney.