What to do After a Data Breach

A data breach is a traumatizing event, regardless of how it occurs, and this has been a particularly active summer for thieves and scammers.

In the past 12 months, Oregon lawyers have reported home and office break-ins, stolen laptops and mobile devices, and malware security intrusions.  If you experience a data breach, here are the key steps you must take:

  1. Contact an IT expert NOW before you pass go.  The scope of the intrusion may reach beyond your stolen mobile device or the specifically infected computer. Until you know better, assume that all connected devices are part of the data breach. This might include your desktop computer, your assistant’s computer, your server, mobile devices used to access your network, and your home computer if you connect remotely to your office.  Fixing security issues will require sleuthing, finding a solution to the problem, protecting existing data and devices not affected by the breach, testing security solutions, and potentially preserving forensic evidence.  Don’t try to DIY!
  2. Change vulnerable user names and passwords.  At the first indication of a data breach, you won’t know exactly what went wrong – only that your information, or your clients’ information, has been compromised.  With your IT expert’s help, get access to a secure computer to change vulnerable user names and passwords.  [If you modify your login credentials while a keylogger resides on your system, you’ve made the situation worse by supplying the hacker with your newly replaced user names and passwords.]
  3. File a police report.  Realistically, this isn’t likely to help.  However, it may be required under the Oregon Consumer Identity Theft Protection Act [ORS 646A.600-646A.628] or the terms of your insurance/coverage policy.
  4. Report the breach to your property manager.  If the breach occurred in connection with an office break-in, inform the property manager as soon as possible.  Broken windows and locks should be fixed immediately to avoid further loss.  If you believe inadequate security may have played a role in the break-in, it may be appropriate to assert a claim against the management or building owner. Research the issue or speak to outside counsel. Document your property loss and consider getting a commitment in writing about security improvements.
  5. File claims with commercial carriers.  Submit claims to any applicable insurance carriers: cyber liability and data breach, commercial liability, or others.
  6. Contact the Professional Liability Fund.  If you are an Oregon lawyer, contact the PLF. Beginning in 2013, the PLF added a Data Breach and Cyber Liability Endorsement to all excess coverage plans. The endorsement provides coverage for information security and privacy liability, privacy breach response services, regulatory defense and penalties, website media content liability, and crisis management and public relations services. The endorsement covers many claims that would otherwise be excluded.
  7. Contact the Oregon State Bar.  The OSB General Counsel’s office can give you advice about the ethical implications of a data breach.
  8. Report identity theft to the FTC.  If you are the victim of identity theft, file a report with the FTC as soon as possible.  Review the FTC website for other steps not discussed here [reporting a misused social security number, removing bogus credit charges, replacing government-issued identification cards].
  9. Freeze or place fraud alerts on credit accounts.  A freeze literally locks down your credit. No credit transactions can be authorized until you lift the freeze, temporarily or permanently.  Fraud alerts inform you if someone is attempting to obtain new credit in your name.  Learn more about credit freezes and alerts here.
  10. Protect bank accounts, credit cards, and debit cards.  If banking, credit card, or debit card information was exposed in conjunction with the data breach, you may want to freeze your bank accounts [personal, general, IOLTA]; arrange for fraud protection services; or close your accounts altogether.  Talk to your banks and credit/debit card providers.  If you have automated payments tied to former bank accounts, credit or debit cards, be sure to update your information.  This includes payment accounts associated with federal or state court eFiling systems.  Continue to monitor statements for unauthorized transactions.
  11. Notify clients.  This is never easy, but clients must be informed if confidential information has been compromised. A sample notification letter is available on the PLF website.  Select Practice Management > Forms > Client Relations > “Notice to Clients re Theft of Computer Equipment.”  If you have questions about your ethical duties toward clients, speak to OSB General Counsel [see step 7 above].  Additionally, client notification may be a statutory responsibility under the Oregon Consumer Identity Theft Protection Act [ORS 646A.600-646A.628].
  12. Begin reconstructing files if needed.  Lawyers who are straightforward about an office break-in or theft often find that clients are sympathetic, understanding, and more than willing to help.  With a bit of luck, you should be able to reconstruct most or all of your files from your backup or documents supplied by clients.
  13. Monitor your credit report.  Check your credit reports at annualcreditreport.com for signs of fraud.  Annualcreditreport.com is the only official source for free credit reports authorized by the Federal Trade Commission.
  14. Monitor Craigslist.  If you believe a thief has posted your property for sale, inform police.
  15. Start using encryption.  Read “Encryption Made Simple for Lawyers” as a starter, then check out these resources from the ABA Legal Technology Resource Center. For reviews of encryption products, check out LawSites.  [In the navigation pane on the right, scroll midway down the page to Search LawSites.]  If you want an encrypted password manager – a very good idea – see these top picks for 2015.  Shopping for a new laptop?  Don’t forget that hard drive encryption is automatically built into the MacBook.  Using Windows OS? Sorry, you’ll need to buy your own encryption software.  If all this seems overwhelming, talk to your IT expert.
  16. Backup, backup, backup!  Online backup services are a great way to automatically back up data.  Read more about backup protocols and available resources on the PLF website. Select Practice Management > Forms  > Technology > “How to Backup Your Computer” and “Online Data Storage.”
  17. No cyber liability or data breach coverage?  Buy it!  If your claims weren’t covered, purchase cyber liability and data breach insurance to protect against future loss – privately or through the PLF  as part of our excess program.  [See item 6 above.]
  18. Stay vigilant.  Fixing a data breach does not mean that scammers or hackers will stop.  Watch out for phishing attempts.  Don’t click on suspicious links in emails, texts, or social media messages.  I’ve written over 20 blog posts on the subject of scams. To find the posts, visit my blog’s landing page. In the search box in the upper right corner, enter “scam.”  You’ll also find seven In Brief articles on the PLF website.  Select Practice Management > Publications > In Brief and enter “scam” in the search by keyword or year box.  See also Jennifer Meisberger, “Sophisticated Scams: Protect Your Clients’ Money,” Oregon State Bar Bulletin (June 2015) and the PLF CLE, Protecting Your Firm and Your Client from Scams, Fraud, and Financial Loss.

All Rights Reserved [2015] Beverly Michaelis

Getting Your Head into the Cloud

Whether you’re setting up a practice for the first time or upgrading existing technology, odds are you’re taking a long, hard look at the cloud. Here is a checklist to help you through the process.

Getting Started

Moving your data to the cloud is all about vetting the cloud provider – will they or won’t they keep your client information secure?  Here are your marching orders:

Research the Provider

  1. What is their reputation?
  2. How many years have they been in business?
  3. Are bloggers and news outlets critical or supportive?
  4. Can the provider give you a list of other lawyers who use their product?  (If so, check the provider’s references.)
  5. Talk to friends and colleagues: are they familiar with the product or provider?  What are their thoughts?
  6. If you belong to a listserv, poll the members of the listserv.
  7. Use the power of Google to reveal problems.  A general search using the product or provider name is a good start.  To uncover security issues, Google the product or provider name followed by the words “security concerns” or “data breach.”  To reveal if outages are a problem, search the product or provider name followed by the words “downtime statistics.”

Evaluate Speed and Reliability

Uptime, bandwidth, and general reliability of the Internet matter.

  1. Check on provider uptime statistics as part of your general research – see the discussion above.
  2. Make sure your technology is up to the task.  To use the cloud effectively you must have a fast, reliable Internet connection. If you don’t, contact your ISP.  If there is a remedy (and you can afford it), great.  If not, taking your practice into the cloud is likely not a good choice.

Read the Fine Print

  1. Dig into the provider’s website and follow any links that reference Terms of Service, Terms of Use, Privacy Policy, Security, or Service Agreements.
  2. Contact customer service for clarification of terms if needed.

Educate Yourself about Encryption

Every cloud provider encrypts your data.  The devil is in the details:

  1. Is your data encrypted at all times (in transit and at rest)?
  2. Does the provider hold a master encryption key?  (If so, the provider can access your data at any time, thus defeating client confidentiality.)
  3. Is third-party encryption an option?  If the answer is yes, you can lock out the cloud provider.  A master key only permits the provider to unlock their encryption, not yours.  With third-party (AKA client-side) encryption, you – the user – apply your own encryption software before uploading any content to the cloud provider’s site.  Here’s the rub:  encrypting your own content isn’t always an option for compatibility reasons, so check with the provider.
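The difference between questions 2 and 3, as an added example that is not part of the original post: a hypothetical provider encrypts everything at rest with its own master key, and the same memo is stored once as-is and once after client-side encryption. It assumes the third-party Python `cryptography` package; `CloudProvider`, the passphrases and the memo text are constructed for illustration.

```python
import base64
import hashlib
import os

from cryptography.fernet import Fernet, InvalidToken  # assumption: pip install cryptography


def derive_client_key(passphrase, salt):
    """Turn a passphrase known only to the firm into a Fernet key (scrypt KDF)."""
    raw = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                         n=2**14, r=8, p=1, dklen=32)
    return base64.urlsafe_b64encode(raw)


class CloudProvider:
    """Hypothetical provider: encrypts every object at rest with its own master key."""

    def __init__(self):
        self._master = Fernet(Fernet.generate_key())  # held by the provider, not by you
        self._objects = {}

    def upload(self, name, blob):
        self._objects[name] = self._master.encrypt(blob)

    def download(self, name):
        return self._master.decrypt(self._objects[name])

    def staff_view(self, name):
        """What an employee, or a subpoena response, obtains using the master key."""
        return self.download(name)

    def master_key_opens(self, blob):
        """Can the master key decrypt this blob any further?"""
        try:
            self._master.decrypt(blob)
            return True
        except InvalidToken:
            return False


def run_demo():
    provider = CloudProvider()
    memo = b"Privileged: settlement authority is 250,000"  # constructed sample text

    # Case 1: rely on the provider's encryption only.
    provider.upload("memo-plain", memo)
    plain_seen = provider.staff_view("memo-plain")

    # Case 2: encrypt locally first, then upload the ciphertext.
    salt = os.urandom(16)  # not secret; store it next to the ciphertext
    client = Fernet(derive_client_key("constructed firm passphrase", salt))
    provider.upload("memo-sealed", client.encrypt(memo))
    sealed_seen = provider.staff_view("memo-sealed")

    # A wrong passphrase (or a lost one) cannot open the inner layer either.
    try:
        Fernet(derive_client_key("wrong guess", salt)).decrypt(sealed_seen)
        wrong_passphrase_opens = True
    except InvalidToken:
        wrong_passphrase_opens = False

    return {
        "provider_reads_plain_upload": plain_seen == memo,
        "provider_reads_sealed_upload": memo in sealed_seen,
        "master_key_opens_inner_layer": provider.master_key_opens(sealed_seen),
        "firm_recovers_memo": client.decrypt(provider.download("memo-sealed")) == memo,
        "wrong_passphrase_opens": wrong_passphrase_opens,
    }


if __name__ == "__main__":
    for check, result in run_demo().items():
        print(f"{check}: {result}")
```

The provider's master key removes only the provider's layer; what remains is ciphertext that opens only with the firm's passphrase, so losing that passphrase means losing the data.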

Learn about Data Access Policies – “Authorized” and “Unauthorized”

Getting an answer to the master encryption key question will resolve whether the provider’s employees can freely access your information.  Now you need to ask:

  1. Will the provider notify you if authorities seek access to your account information?  (Some providers comply with subpoenas first and tell you about it later.)
  2. What is the provider’s procedure if a data breach occurs?

Know Before You Go: Security, Backups, Redundancy, and Local Copies of Your Data

  1. Find out what the provider has to say about the physical security of its facilities.  Features like fire suppression, redundant electrical systems, temperature controlled environments, video surveillance, and 24/7 monitoring by security personnel are standard.
  2. Learn everything you can about how your data is backed up. Where, when, and how.  A decent cloud provider has multiple servers that are geographically dispersed.
  3. Consider it a deal breaker if you can’t download a local copy of your own data. Keeping a local copy just makes sense.  First, it protects you if the provider goes out of business (some have).  Second, if the provider suffers a catastrophic breach you’ll still have a pristine copy of your information.  [Caveat: ability to download a local copy of your data does not mean you can work with it offline.  This is simply a way to protect yourself in a worst case scenario.]

Nail down the Details: Support, Training, Data Migration, and Data Integration

Cloud products are generally pretty easy to use, but at some point you’ll need help – maybe at the outset when you import your data – or later when you start using more advanced features of the program.  Either way, ask:

  1. Does the provider offer live telephone support?  Live chat?  Email?  What are the hours?  Is it free or is there a support contract?
  2. What resources does the provider have on its website?  Searchable knowledge base?  User forums?  Blog?  Training videos?  Webinars?
  3. Will the provider help you migrate your existing data?  Are you on your own?  If there is a fee for data migration, get an estimate.
  4. What about product compatibility and integration?  Some users need the cloud product to communicate with an existing piece of software, like QuickBooks or Outlook.  [Tip: don’t just take the cloud provider’s word for it.  Run another Google search: Is (cloud product name) compatible with (existing program)? If the blogosphere has spotted issues, you’ll uncover them quickly enough.]

Product Cost and Licensing

Most cloud products are sold on a monthly subscription basis.  Do a bit of research:

  1. What is the current fee per user?  Any price breaks for multiple licenses?
  2. Research historic costs.  If monthly fees have jumped significantly in the recent past, factor this into your choice.
  3. Are product upgrades or new features included in existing subscriptions or is there an additional fee?
  4. What does a single license or a single user account include? Some providers are strict: one user/one license/one device.  Others are more flexible: one user/one license/multiple downloads: desktop, laptop, tablet.

Choose the Right Version

If your cloud provider offers multiple packages or products, proceed cautiously.

  1. Look for a Web page on the provider’s site that will compare the features of each version side by side.
  2. Call customer service when in doubt.
  3. Take advantage of free trials, which are almost universally available. A trial run is the best way to know whether you’re really going to like something.

Cyber Liability and Data Breach – What if the Worst Happens?

If you’ve decided to store your data in the cloud, it might be a good idea to have cyber liability and data breach coverage.

The Professional Liability Fund Excess Claims Made Plan automatically includes a cyber liability and data breach response endorsement with these features:

  • Forensic and legal assistance to determine compliance with applicable law
  • Notifications to individuals as required by law
  • 12 months credit monitoring to each notified client
  • Loss mitigation resources for law firms

If you aren’t eligible or don’t wish to purchase excess coverage through the PLF, contact a commercial carrier.

This is Too Much Work – Can’t You Just Tell Me What to Do or Give Me a List of Recommended Products?

No.  I can’t make this decision for you.  You and I have different likes, dislikes, needs, skill levels, and preferences.  (Think: Windows vs. Mac, Word vs. WordPerfect, or Mayonnaise vs. Miracle Whip.)

If you want to be happy with your choice, you have to make it.  We can talk, I can point you toward resources, or send you comparison charts.  But in the end you are the decider.



NYSBA Crowdfunding Ethics Opinion

In January and April I blogged about the ethics of crowdfunding. In May, when I co-authored Tread Carefully: Crowdfunding Your Law Practice with Amber Hollister, we reported:

No jurisdiction, including Oregon, has published an ethics opinion or other formal guidance on the propriety of crowdfunding. As with all legal applications of new technologies, the ethics law can be slow to catch up with modern-day practice. Nevertheless, a preliminary look at crowdfunding suggests that it is not per se prohibited by the Oregon Rules of Professional Conduct. As with any novel approach to practicing law, whether crowdfunding is permissible depends on the type of funding model used by the lawyer and the specifics of how the lawyer implements the fund-raising campaign. Wise lawyers will proceed with extreme caution.

This changed in late June, when the NYSBA issued Ethics Opinion 1062.  The opinion digest states:

A law firm may engage in certain types of crowdfunding but not others.  Any form of fundraising that gives the investor an interest in a law firm or a share of its revenue would be prohibited.  However, in some circumstances a law firm may give the funding source some kind of reward. For example, a law firm may send a funder non-confidential memoranda discussing legal issues (provided the law firm complies with any applicable advertising rules), or may agree that the law firm will provide pro bono legal services to certain charitable organizations, provided that the lawyer complies with Rule 1.1 regarding competence and the representation does not involve conflicts in violation of Rule 1.7 or Rule 1.9.

The NYSBA opinion is the first of its kind in the nation.  It addressed the issues of competence and conflicts head-on, but did not touch on some other points that my co-author and I raised relating to trust accounting, third-party payment, fees, advertising/promotion, use of disclaimers, and taxation.  Lawyers interested in crowdfunding would be well-advised to give our article a second look.

Are You Losing Clients?

If your client retention rate is less than 90-95%, something is terribly wrong.

You might react by changing your fee agreement – aiming to “punish” the client who terminates your services after a substantial amount of work is done but prior to a recovery.

Unfortunately, this doesn’t solve the underlying problem.  If you fail to keep one in ten (or more than one in ten) clients, it is time for some serious soul searching.

Hybrid Fee Agreements Don’t Solve Client Retention Problems

Don’t get me wrong, hybrid fee agreements have their place.  They are very effective in helping lawyers achieve cash flow during long months of toiling away on a contingent fee case.  They are also a creative way to address client push-back against the traditional hourly fee approach.

They are not effective in curing client retention woes.

What Does it Take to Keep Clients?

Improving client retention isn’t rocket science.  In fact, you can do it by following a simple acronym:  TREAT.

T – be Timely

R – Respond to client requests and concerns

E – show Empathy

A – demonstrate Assurance that client matters are being handled competently

T – deliver on the Tangibles.  Don’t send emails, invoices, or correspondence riddled with errors.

Read more about TREATing clients well here.

To simplify: show the same care and concern to your clients that you wish someone would show to you if you were in their shoes.

Remember that Poor Client Retention Can Lead to Bar Complaints and Malpractice Claims

If you need further motivation to kick your client retention up a notch, understand that how you treat clients is connected to everything in your law practice:

  • Client satisfaction and retention
  • Getting paid on time
  • Minimizing fee disputes
  • Future referrals
  • Avoiding bar complaints and legal malpractice claims

Go beyond TREATing clients well.  Do a thorough client relations check-up. This includes understanding the scope of the attorney-client relationship (when you can act and when you need the client’s informed consent) as well as managing client expectations.

Losing Clients on a Regular Basis Just Shouldn’t Happen

I am not currently in private practice, but in regard to client retention, nothing has really changed.

Back in the day, exactly one client terminated our firm.  This particular client read about a case in the news that she judged to be the same as hers.  She then fired us to free herself up to hire the lawyer who handled the case she read about.

In truth, we dodged a bullet when the client made this decision.  She would never have accepted (from us) that her case didn’t have the same value as the one she read about.

I can also share that in all the years I worked for a private law firm, we were on the other side of a client termination exactly once.

My point here is that my firm – and all firms we knew – simply didn’t lose clients.  And this is still true today for the majority of lawyers.  How do I know?

A large part of my job entails helping lawyers or families of lawyers close law practices.   I have been exposed to lawyers who were at the top of their game and lawyers who were not.  I also have a substantial amount of ongoing client contact due to these closures.

The truth is that lawyers need to do a lot wrong, and generally for some period of time, before clients jump ship.  Therefore, you don’t have to follow my client relations tips or suggestions for TREATing clients well 100% of the time.  No one is perfect.  But you should keep clients uppermost in your mind just about every waking moment that you are at work.

We All Know What to Do – Why Can’t We Do It?

None of this is really new.  So why is it so hard?  The number one reason: you are trying to juggle too many cases without the proper resources.  You are practicing beyond your expertise and not weeding out cases and clients; you are practicing within your scope, but your caseload is too high; you are unwilling to invest in staff, technology, or other solutions.

Making money isn’t easy.  As a result, many lawyers skimp.  They try to get by without hiring someone despite the fact they have more work than they can handle.  This trap is referred to as “penny wise and pound foolish.”  Next week I’ll write about how you can make money by spending money and hiring staff.




The Ethics of Crowdfunding, Revisited

When we last visited the subject of crowdfunding in January, I pointed out some of the ethical barriers to this method of fund raising.  While much depends on the lawyer, crowdfunding could implicate:

  • Improper communications concerning a lawyer’s services – Oregon RPC 7.1
  • Dishonesty, fraud, deceit – Oregon RPC 8.4
  • Fee sharing with a nonlawyer – Oregon RPC 5.4

I also noted that money raised via crowdfunding may well be taxable, even if the lawyer did not meet the minimum threshold to trigger a 1099.

This month I join forces with the venerable Amber Hollister, Assistant General Counsel of the Oregon State Bar.  We have co-authored an article for the OSB Bulletin entitled “Crowdfunding Your Law Practice.”  The article is scheduled for publication in the May issue.

In addition to the above, we identified other troublesome ethics concerns:

  • Potential third-party payment and trust accounting issues – If you are rewarding donors with a legal consultation in exchange for a donation and receive funds in advance or a donor is construed as “buying” a legal consultation for a third party, be sure to comply with all trust accounting rules.
  • Conflicts of interest are also a concern.  If a consultation is offered as a “perk or reward” in exchange for a donation, will the lawyer be able to perform?  Lawyers would be well-advised to forewarn donors of the necessity of conflict screening.
  • Running afoul of the rule prohibiting the lawyer from giving something of value in exchange for recommending the lawyer’s services – lawyers can’t give enthusiastic donors anything of value for promoting the lawyer’s crowdfunding campaign via social media.

None of this is shared to discourage Oregon lawyers from crowdfunding.  Rather, you need to go in with your eyes open and be sure you are tuned in to the ethics issues.  For a thorough analysis of this subject, refer to the article.



Pro Se Adversaries – Tips for New Lawyers

Dealing with a pro se party raises a number of reasonable concerns:

  • The pro se could misconstrue what I say
  • The pro se may regard me as his or her lawyer
  • The pro se could sue me for legal malpractice

Communicate in Writing Whenever Possible

When you communicate verbally, a pro se can misremember your words, misconstrue your meaning, or even deny the discussion occurred.

When you communicate in writing your words are documented.  It becomes impossible to “misremember” or deny what you said.  Yes, written communication can still be misconstrued, but there is less likelihood of this happening.

Use a 3-Way Disclaimer

  • “I don’t represent you.”
  • “I can’t give you legal advice.”
  • “If you have questions, hire a lawyer.”

Every pro se communication should include this type of disclaimer.   If the pro se party later argues you had a lawyer-client relationship or attempts to assert a legal malpractice claim on the grounds that you failed to protect her interests, you will be in a better position to defend yourself.

Be a Broken Record

The 3-way disclaimer must be used every time you communicate with a pro se.  Does it become repetitive?  Perhaps, but that doesn’t matter.  Some pro se adversaries “get it” from the beginning; some “get it and forget it;” some never “get it.”  This doesn’t mean the pro se is purposely trying to make your life more difficult.  But it does underscore the value of redundancy.

Practice Tips Beyond Pro Se Communication

For more tips on how to work with pro se adversaries, peruse the following:


Family Leave for Solos and Small Firm Lawyers

How do solos and small firm lawyers plan for extended leave when a new member is about to join the family?  It can be hard enough to take a vacation!

Fortunately, there are some answers and good resources to draw upon.  (Jump to the end of this post.)  For now, let’s cover the basics.

Colleagues, Conflicts, and Staffing

The best coverage plan entails having a number of colleagues lined up who are willing to cover your cases.  Remember what your parents said?  Safety in numbers!  If one person can’t cover in an emergency, someone else can.  A team approach works best.

By necessity, any lawyers who might work on client matters must be screened for conflicts.  Clients need to be notified anyway about your upcoming leave.  Use this opportunity to get permission to share information for conflict and representation purposes.  (More on this below.)

If you have staff, great!  They are a huge help any time you are away from the office, more so during extended absences.  They will be a lifeline for everyday communication, including screening mail, email, and calls.  If you don’t have staff, consider getting a temp.  Having someone who can cover day-to-day operations brings peace of mind and ensures that nothing falls through the cracks.

How Do I Tell My Clients?

One option is to send a letter or email.  No surprise there.  But is it the best approach?

Most lawyers anticipating family leave have a number of colleagues in mind to assist in covering their cases.  This alone can make writing a letter or email complicated and confusing:  “I’m going to be out of the office, but you can choose from Lawyer A, Lawyer B, or Lawyer C.”  Huh?

Consider picking up the phone instead.  Call clients and tell them you are taking a medical leave and why.  (Of course, you can omit the “why” part – it is personal and technically no one’s business, but most lawyers taking family leave don’t mind sharing this news.)

Have a conversation with the client about what is happening.  Explain your plan, offer a name of a monitoring lawyer (or team of monitoring lawyers), then get consent to screen for potential conflicts and review the client’s case with the monitoring lawyer(s).  If everything is a “go,” make sure the client understands and agrees to temporary representation by the monitoring lawyer(s).  Don’t forget to discuss how the billing and payment piece will work.

If the client does not agree with your proposed arrangement, you may have to disengage and withdraw from the case.  The client will need to find a new lawyer of their choosing.

Confirming Arrangements in Writing

Assuming you call clients to review your plan, sending a confirming email becomes relatively easy:

“As we discussed, I will be out of the office on a medical leave of absence for ___________ (months/weeks).  During my leave, I propose that _______________ monitor your file.  You agree that I may share information with _____________ so (he/she) may screen for potential conflicts of interest. If no conflicts exist, you agree that I may disclose details of your case to ______________________ for purposes of monitoring your file and attending to any legal work that needs to be accomplished while I am out of the office.  If we discover a conflict that prohibits ___________________ from assisting you, I will contact you immediately.

You will receive a separate written confirmation from ___________________ (the monitoring lawyer) confirming the arrangements we have made.

(Describe next how the client will be billed.)

My assistant, _______________, will be available by phone and email should you have any questions while I am out of the office.  (Provide your assistant’s contact information.)

Rest assured I will stay informed regarding the status of your case.  I anticipate returning to the office on ___________.  If for any reason my return is delayed, I will inform you immediately.

(Optional:  Please reply to this email confirming your understanding and agreement to this arrangement.)

Fee Agreements and Paying the Monitoring Lawyer

If your existing fee agreement has a provision informing the client that you have made arrangements for someone to cover your practice in the event of illness or disability you have laid the necessary foundation for using a monitoring lawyer.  The PLF offers a number of fee agreements and engagement letters that incorporate “assisting attorney” language.  For samples, visit the PLF website.  Select Practice Management > Forms, then Engagement Letters.

If your existing fee agreement has a contract lawyering provision – meaning the client has consented to use of a contract lawyer at a specified rate – it is easy to have the monitoring lawyer step into the contract role.  You may bill the client for contract lawyering services according to your existing fee agreement.

Alternatively, clients can sign separate fee agreements with the monitoring lawyer.

More Answers and Good Resources

There are many excellent articles and resources for lawyers planning family leave:


Evaluating Online Lawyer Referral Services

Online referral services can be a good source of business for lawyers entering private practice.  And the pitch is often tempting:  “Sign up with us and you’ll get all the clients you want in [your practice area].  You will be the only lawyer in [your state] to receive referrals from us.”  Scads of clients.  Exclusivity.  Sounds good, doesn’t it?

Bar-operated programs aside, you should take the time to scrutinize offers from for-profit online referral services.  Potential traps abound:


Paying a fixed annual or other set periodic fee not related to any particular work derived from a directory listing violates neither RPC 5.4(a) nor RPC 7.2(a). A charge to Lawyer based on the number of hits or clicks on Lawyer’s advertising, and that is not based on actual referrals or retained clients, would also be permissible.  Helen Hierschbiel, Internet Marketing: Rules of the Road

The key here is that the fee and the work are not connected.  The typical referral service gets this right, but make sure you understand how fees are paid and what conditions apply.  To learn how you might run afoul of the fee sharing prohibition, see Amber Hollister, What Hath the Web Wrought? Advertising in the Internet Age.


Odds are you’ll be required to report back some kind of tracking data to the online referral service.  Assuming this includes only benign information, such as a client identification number, there is no breach of confidentiality.  Services vary, however, so learn exactly what must be reported and why.


…Internet-based advertising is governed by the same rules as other advertising. The basic ground rule is that advertising cannot be false or misleading. See RPC 7.1(a). Because Web pages may be viewed by persons outside of Oregon, lawyers must take care to ensure the advertisement identifies the jurisdictional limits of their practices. Furthermore, while lawyers may include their names in directories or other advertising Web pages, they must not allow a directory to promote them using means that involve false or misleading communications. RPC 7.2(b). Lawyers are responsible for content that they did not create to the extent they know about that content.  Helen Hierschbiel, Internet Marketing: Rules of the Road.

Some online referrers advertise that the lawyers in their network are “Verified.”  They give lawyer-members “Verified” logos or other graphics to place on their websites.  This begs the question: what does “Verified” mean?  By whom?  How?  When?  Unless this statement is adequately explained, it could be considered false or misleading.

Puffery in numbers

If the online referral service is suggesting you should sign up now because they have a gazillion clients waiting in the wings for a lawyer in your practice area, probe that representation.  Ask for numbers, demographics, and details.  If the clients really exist, they should have the information to back up the statement.  How many clients do they anticipate referring to you each month?  What is the basis for that expectation?  How will they ensure the flow of future clients?

Puffery in other ways

Some online referral services tell lawyers they’ve been approved or vetted by a bar association.  Designed to give peace of mind, this statement is more than a little suspicious.

While a referral service may have done its homework to investigate the rules in Oregon, and may have contacted the bar to learn more about the rules, this does not constitute “approval” of the program.  To my knowledge, the bar does not engage in such a process.

If you are approached by a referral service that implies it has been approved by the Oregon State Bar, contact the Oregon State Bar to verify this representation.


Some services promise exclusivity:  sign with us and you will be the only Oregon lawyer to receive referrals in your area(s) of law.  You should be especially skeptical of this representation.  Get it in writing and carefully investigate any potential exceptions or loopholes.

General reputation, references, and complaints

Minimally, run a Google search.  Look beyond the first page of results.  Read any articles, reviews, or posts about complaints that mention the name of the service.  The BBB or like organizations can be a good source of information.

Also take the time to check references.  Ask for the names of other Oregon lawyers who have been using the service for at least six months.


Make sure you understand the cancellation terms. You don’t need a nasty surprise if you decide to get out.  Initial set-up fees are likely to be nonrefundable, but check.

Better Marketing

The PLF has an excellent set of marketing practice aids which include a business development goal checklist, sample marketing plan, and marketing worksheets.  Download these resources at Practice Management > Forms > Marketing on the PLF website.


Many of the issues related to online lawyer referral services are ethical in nature.  Don’t hesitate to contact the OSB General Counsel’s Office when in doubt.
