Practical Advice for Virtual Law Offices

Last week we discussed the ethical implications of WSBA Advisory Opinion 201601, “Ethical Practices of the Virtual Law Office.”  As the Committee on Professional Ethics noted, virtual practitioners must take care with supervision, confidentiality, avoiding misrepresentation, and conflicts of interest.  Understandable, but what exactly does that mean?  Here is some practical advice.

online-1799664__480

Adequate supervision in a virtual workplace

In a virtual workplace lawyers and staff don’t work in proximity.  How do you ensure that remote workers receive “adequate supervision?”  The WSBA opinion mentions taking “additional measures,” but does not describe what those may be. Virtual employers should consider the following:

  1. Establish policies just as you would in a traditional office setting:  dedicated working hours when employees are expected to be within reach of their phones or computers; vacation allowance; sick leave policy; how you will measure performance; and so on.
  2. Create procedures for employees to follow.  Specifically, how will you distribute assignments and exchange completed work?  Technology is bound to be the solution, so see the discussion below about confidentiality.  Remember to address the “mundane” office tasks too: calendaring, accounting, conflict checking, etc.
  3. Require all remote workers to sign a confidentiality pledge or agreement.  The Professional Liability Fund has samples on its website.
  4. Get fully educated about legalities:  “In 2011, an Oregon appeals court found in favor of a J.C. Penney Co. Inc. home decorator who was injured after she tripped over her dog while working at home. Although the state workers’ compensation board had held her injuries were not work-related, the appeals court reversed, finding the employee had been working from her home as a term and condition of employment.”
    On-the-job injuries aren’t the only problem: be aware of Fair Labor Standards Act troubles, choice of jurisdiction, protecting proprietary information [forms bank, brief bank, customized practice management software], and the Americans with Disabilities Act.  The list doesn’t end there.
  5. Talk to an employment lawyer about securing your right to inspect employees’ remote workplaces and monitoring employees’ use of technology.
  6. Don’t neglect the need for face time. Management experts recommend regular web meetings and occasional in-person meetings for an optimal virtual workplace.
  7. Revisit your ethical responsibilities as a supervisor in Oregon.

Confidentiality

Advisory Opinion 201601 revisits the ethical requirements for cloud computing and email communication, the gist of which is:

  • A lawyer may use online data storage systems to store and back up client confidential information as long as the lawyer takes reasonable care to ensure that the information will remain confidential and the information is secure from risk of loss.
  • Email communication with clients is allowed, except lawyers must warn clients if they believe there is a significant risk of third party access.

Oregon takes a similar stance on cloud computing:  “Lawyer may store client materials on a third-party server as long as Lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation.” OSB Formal Opinion No. 2011-188 [Revised 2015.]  For more details, see this post.  See Also OSB Formal Opinion No. 2016-191, “Client Property: Electronic-Only or “Paperless” Client Documents and Files,” which includes a further discussion about electronic client files.

As to email, Oregon lawyers are forewarned to:

  1. Use proper security measures in cases where information is “particularly sensitive or subject to a confidentiality agreement.”
  2. Avoid email entirely if a client requests it.
  3. Scrub for metadata.

See “Safeguarding Client Information in a Digital World,” and “Competency: Disclosure of Metadata,” OSB Formal Opinion No. 2011-187 [Revised 2015].

No mention is made about a duty to warn clients of third party access where the lawyer believes there is a significant risk.  However, it would be foolish not to do so.  Consider the example mentioned in the WSBA opinion: where the lawyer knows her client is using an employer-provided email account.

We’ve discussed this issue before. Your email may not be protected by lawyer-client privilege if your client is reading it at work.  Before you begin communicating by email, take note of the client’s address.  Does the domain correlate to their place of employment?  Don’t use it!  Even if the address is @gmail.com or a similar web-based service, don’t assume your client only reads and prints email at home.  Have a discussion about where, when, and how your client reads your confidential communications and follow the other advice mentioned here.

Another quick word about using the cloud

Virtual practices could not exist without the cloud, a VPN, or some means of hosting and exchanging client information.  Beyond the basics of taking reasonable care to protect confidentiality, implement policies and procedures as described above.  Focus on security and steps to take when a virtual employee stops working for you.  Remote workers can put your law practice at risk if they upload or exchange content that contains malware or ransomware. A study commissioned by a security firm in the UK and Germany found:

  • One in four employees admitted breaking security policies.
  • Nearly two in five said either they, or someone they know, have lost or had stolen a device in a public place.
  • Three-quarters of these devices – such as laptops, mobile phones and USB sticks – contained work-related data, including confidential emails (37%), confidential files (34%) and customer data (21%).
  • Approximately one in ten lost financial data or access details such as login and password information, exposing even more confidential information to the risk of breach.

It is equally important to have a checklist for departing staff that ensures revocation of login credentials, return of workplace property, and disposition of ongoing email or voice communications directed to someone who no longer works for you.

Consider talking to an employment law attorney, or as a starter, see the Professional Liability Fund’s (PLF’s) Checklist for Departing Staff.

Duty to avoid misrepresentation

Advisory Opinion 201601 warns that lawyers may not imply the existence of a physical office or formal law firm where none exists. Therefore, unless you’ve arranged for ready access to meeting spaces or the ability to see clients on a drop-in basis, don’t imply those resources exist.  Posting or implying that you are part of a firm on your website, social media, or elsewhere is also a no-no.  (The same is true for office sharers, an example given in the ethics opinion.)

Avoiding conflicts of interest

Advisory Opinion 201601 points out that virtual offices must ensure that the conflicts checking system is equally accessible to all members of the practice, lawyers and staff, and that such access is reliably maintained.  This only makes sense.

Be sure to add your calendaring system, billing system, client matter records, and everything else you need to operate virtually as a law practice.  All of it must be equally accessible and reliably maintained.

Will the cloud be your savior when it comes to accessibility and reliability?  Probably, but it can’t help you with issues like when to run a conflict check, how to run a conflict check, or the need to circulate a new client list to everyone in the office.  As noted above, procedures will be key!  For help, contact a friendly practice management expert, like myself or one of the advisors at the PLF. While you’re on the PLF site, check out the many publications, practice aids, and forms that will assist you with establishing office protocols.

All Rights Reserved Beverly Michaelis 2017

The Standard for Email Communications

What is the standard for electronic client communications?  Can lawyers freely use email, without a worry or care about encryption?

In “Odds & Ends – Safeguarding Client Information in a Digital World,” Oregon State Bar General Counsel Helen Hierschbiel sets us straight:

The first ethics opinions that addressed the use of electronic communications prohibited lawyers from using cell phones and unencrypted e-mail…. More recently, ethics authorities condone the practice, recognizing that the expectation of privacy in these modern methods of communication is comparable to and as reasonable as that of older methods of communication. For example, ABA Formal Ethics Op 99-413 (1999) states:

E-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy… The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of [the law].

Does this mean lawyers get a free pass to use unencrypted email?

The answer is no, as Helen points out.  Special precautions need to be taken if:

  • The information to be transmitted is particularly sensitive
  • The contents of the email are subject to a confidentiality agreement
  • The client instructs the lawyer to avoid using email

Can a client waive the security risks associated with unencrypted email?

Yes.  “If a client requests it, a lawyer may … be allowed to use … a particular type of electronic communication notwithstanding expectations of privacy in the communication method.”

What role does metadata play?

As Helen notes, metadata may be a bigger danger than unauthorized interception of email  messages:

[C]ompetent representation requires that lawyers understand what information may be hidden in documents that they plan to send by e-mail so that appropriate steps can be taken to protect against inadvertent disclosure of what could be confidential or sensitive information. See, e.g., Arizona Ethics Op 07-03(2007) (lawyer must take “reasonable precautions” to prevent communication of metadata containing client information) and ABA Formal Op 06-442.

Since Helen’s article was published, Oregon has issued its own metadata opinion: Competency: Disclosure of Metadata, OSB Formal Opinion 2011-187.

Where does this leave us with encryption?

If your clients have consented to use of unencrypted email (or don’t care) and your messages are not particularly sensitive or subject to a confidentiality agreement, why should you give a whit about encryption?  In a phrase: ease of use.

What used to be difficult is no longer.

In the article “Encryption So Easy a Lawyer Can Do It,” Bob Ambrogi discusses three incredibly simple solutions that allow lawyers to send encrypted messages.  No more clunky interface requiring the sender to transmit keys before the recipient decrypts the message.  No more need for both parties to use the same software.  (Although a simple plug-in may be needed, depending on the software you choose.)

With secure cloud-based solutions like Enlocked, Virtru, or Delivery Trust from Identillect, Ambrogi concludes:

What all three programs have in common is that they make encryption as easy as the push of a button.  If you use email to communicate with clients or colleagues about sensitive matters – and what lawyer does not? – you have no excuse not to encrypt.”

 [All Rights Reserved 2015 Beverly Michaelis]

Smartphone Email Signatures

Does your standard e-mail signature include a disclaimer?  Perhaps the IRS Circular 230 Disclosure:

To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. federal tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

Or maybe yours seeks to protect confidentiality and the attorney-client privilege:

This message may contain sensitive and private privileged information.  If you are not the intended recipient, or if you believe you have received this message in error, please notify me immediately by reply e-mail.  Please keep the contents confidential and delete the message and any attachments from your system.

Whether such disclaimers work is a debate for another day.  For the purpose of today’s post, let’s assume they do and you want to include a disclaimer in your e-mail signature.  Easy enough – when you are working on your desktop or laptop – but long e-mail signatures are not supported by mobile devices like the iPhone.  What can users do?

One option is to post the e-mail communication policy/disclaimer on your firm’s Web site.  If your device will support a signature that contains an outside link, problem solved.  Here is an example:

This can be done on the iPhone using an app like the Signature Creator Tool that supports HTML signatures with URLs.

If that sounds like too much work, another choice would be to include appropriate disclaimers in the client’s initial fee agreement so the client understands up front that all communication by e-mail is subject to the conditions contained in the initial disclaimer.  In that case, if an attorney preferred, his or her mobile e-mail signature could look like this:

 

If you are beyond the initial fee agreement stage and don’t want to hassle with special apps that support HTML signatures with URLs, then do a mass paper mailing or mass e-mail to all clients including a copy of the firm’s disclaimer and e-mail communication policy.  Explain to clients that your policies and disclaimer apply to all messages, whether sent by tablet, smartphone, desktop, laptop, or some future means yet to be invented.  If you are particularly concerned, ask clients to acknowledge and consent to your terms.  This can be done by signing and returning the policy/disclaimer or by replying to your e-mail blast.  (If you send a group or broadcast e-mail to all clients, be sure to put addresses in the bcc: field).

Copyright 2012 Beverly Michaelis

The Perils of Privilege and Client Email

“The e-mails sent via company computer under the circumstances of this case were akin to consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard by him,” the court saidHolmes v. Petrovich Development Co.

If this sounds familiar, it’s because you’ve heard from me before about the perils of client e-mail.  So what’s a lawyer to do?  The most conservative approach is to admonish clients not to read, download, or access e-mail at work.  True, some jurisdictions have drawn a distinction between employees using work vs. personal e-mail accounts, but if the activity is occurring at work while using the employer’s computer, be safe and tell clients it’s a no-no.  If nothing else, consider the other ways clients could inadvertently waive the privilege, such as printing the e-mail to a shared printer or discussing it with co-workers (incredibly tempting).

Our “Using E-mail in the Office” practice aid has some useful guidelines for lawyers who regularly use e-mail as a means of communication.  If you’re an Oregon lawyer, login to the PLF Web site, select Practice Aids and Forms, then “Client Communication.”  While there, consider visiting our collection of engagement letters.  Select Practice Aids and Forms, then Engagement Letters.  Our “Engagement Letter and Fee Agreement – Alternate” is a longer form engagement letter that includes specific language about e-mail communication:

To reduce cost to you, and to expedite communications, we routinely use unencrypted e-mail.  Use of unencrypted e-mail necessarily involves some risk of accidental disclosure of confidences notwithstanding care on our part and yours.  Specifically, all our e-mail messages include headers designating the message as “confidential and privileged.”  Furthermore, unless you have retained us on a business matter involving your work, we will send e-mail only to your personal e-mail address.  Since we endeavor to designate messages as “confidential and privileged,” and avoid e-mailing you at work, we believe a court would recognize our intent to preserve client confidences and hold that the attorney-client privilege applies to our e-mail messages.  However, preserving the attorney-client privilege depends in part on you.  Some jurisdictions have held that no attorney-client privilege applies when an employee uses a computer at work to access personal e-mail over the employer’s Internet connection.  Therefore, we ask that you refrain from reading, downloading, or responding to attorney-client e-mail while at work.  Because the attorney-client privilege belongs to the client, we will abide by your instructions and directions respecting communication by e-mail.  If you wish to avoid the responsibility of an accidental waiver of the attorney-client privilege, we will communicate via telephone, facsimile, ordinary mail, and Fed Ex, but not via the Internet.  Unless we receive instructions from you to the contrary, it is understood we are authorized to use unencrypted e-mail to communicate with you and others about your case. 

The Holmes case was particularly egregious.  Having sued her employer, Holmes did the unthinkable – she used her work e-mail account to communicate with her lawyer about her employment discrimination claim.  This move, coupled with the employer’s standing policy – employee e-mails were not confidential and subject to monitoring – did her in.  Most plaintiffs aren’t this careless, but it’s important to remember that your communication is only privileged if it remains between you and your client.  Also keep in mind that while sending unencrypted e-mail is generally okay, there are times when it may not be permitted.

Copyright 2011 Beverly Michaelis