Tag Archives: attorney client privilege

Attorney-Client Privilege and Cloud Storage

Posted on by
1

Do your clients or their agents use cloud storage for case-related documents?  Do they transmit information using unsecured hyperlinks?

If the answer is yes, your client may have waived its claim of privilege to the stored information. This is the lesson learned in Harleysville, where a federal court in Virginia held that an insurance company waived the attorney-client privilege when the insurer’s investigator used an unsecured account to share claim-related information.

Key Facts in Harleysville

  • Insurer’s counsel knew or should have known that the information posted to the cloud account was publicly available because counsel had themselves used the unsecured hyperlink to access and download the claims file.
  • As a result, counsel “failed to take reasonable measures to ensure and maintain the document[s’] confidentiality, or to take prompt and reasonable steps to rectify the error.”
  • The court analogized the insurer’s actions to “leaving its claims file on a bench in the public square” and warned that if a company chooses to use a new technology, “it should be responsible for ensuring that its employees and agents understand how the technology works, and, more importantly, whether the technology allows unwanted access by others to its confidential information.”

Source: Don’t Let New Technology Cloud Your Legal JudgmentProskauer commercial litigation blog.

Lessons Learned

As Proskauer points out:

  • Attorneys and clients are responsible for their own technological choices as well as those of the client’s agents
  • Technological ignorance on the law firm’s part is no excuse

What You Should Do Now

  • Conduct a cyber security audit of your firm’s practices and systems.
  • Establish a secure system for confidential file sharing if one is not already in place. Address other issues uncovered during the security audit.
  • Create file sharing policies and procedures.
  • Train everyone now; conduct annual training sessions thereafter.  Address protocols for uploading and downloading files.  All law firm members – attorneys, staff, administration, bookkeeping – need to know the warning signs of receiving or forwarding content from unsecured hyperlinks.
  • Talk to clients about file storage and sharing practices.  Do they use agents, like the investigator in Harleysville?  If so, how do they exchange documents? Consider offering an on-site client training lunch to go over dos and don’ts.

All Rights Reserved 2017 Beverly Michaelis

 

 

New Ethical Guidelines for Client Files

Posted on by
4

Ethics scrabbleLast week the Oregon State Bar issued OSB Formal Opinion 2017-192, which supersedes OSB Formal Opinion 2005-125.  This is the second opinion in the last six months to address the subject of client files.

Opinion 192 provides answers to the following questions:

  1. What is the “client file?”
  2. Is the client entitled to everything?  Are there any exceptions?
  3. Do lawyers have the right to retain their own copy of the file?
  4. Is it ethical to charge clients for the cost of duplicating file material?
  5. In what form may the file be produced?
  6. When may a lawyer charge for the cost of locating and segregating file documents?
  7. May a lawyer charge for extracting data from law firm software?

Interesting questions, some of which present issues of first impression.  Let’s break it down.

What is the “client file?”

A client file is “the sum total of all documents, records, or information (either in paper or electronic form) that the lawyer maintained in the exercise of professional judgment for use in representing the client.” OSB Formal Opinion 2017-192.

Is the client entitled to everything?

The lawyer is obligated to deliver the “entire client file.”  Under OSB Formal Opinion 2017-192 the “entire client file” includes:

  • Documents and property provided by the client
  • Litigation materials (pleadings, memoranda, discovery materials)
  • All correspondence
  • All items that the lawyer obtained from others, including expert opinions, medical or business records, and witness statements
  • All electronic documents, records, and information that the lawyer maintained for use in the specific client matter, including email, word processing documents on a server, audio files, digital photographs, and text messages
  • Lawyer’s notes (see below)
  • Internal memoranda that may constitute “attorney work product.”

This sounds like everything, but it isn’t.

There are seven identified exceptions to producing the entire client file.  These are discussed below.

What may a lawyer withhold and when?

Exception 1 – Withholding the entire file – attorney fee liens

A lawyer may have the right to withhold the client file in its entirety if she has a valid attorney fee lien.  See Helen Hierschbiel, Difficult Paradigm: Are lien rights absolute?  (Whether this is ever a good idea would require another blog post.  Suffice to say, if you stand on your statutory right to assert a lien, don’t be surprised when your client files an ethics complaint.)

Exception 2 – confidential information belonging to another client

Lawyers are not obliged to release documents or information to which the client is not entitled.  For example, a legal memo or document from a prior case used for reference in the current client file.  In fact, releasing such information would be a breach of the former client’s confidentiality.

However, if the lawyer’s reliance on the memo or document is “relevant to a dispute between current lawyer and client,” the lawyer may be obliged to produce a redacted version of the memo or document.

Practice Tip:  Pulling memos, documents, or pleadings from one file to use in another is a very common practice, but do yourself a favor.  Save this content as non client-specific legal research, templates, or forms to the extent possible.  Sanitize and redact once, then save the content to reuse whenever needed.

Exception 3 – lawyer notes or communications relating to the lawyer-client relationship (discipline and malpractice)

Emails and documents showing that the lawyer consulted counsel to explore his exposure to discipline or malpractice liability are “not part of the client file and need not be produced to the client or provided during a change in representation.”

Practice Tip:  Always keep a separate file for documents or communications that fit within this exception.

Exception 4 – Documents created for internal use by the lawyer or law firm

Documents “created for internal use primarily for the lawyer’s own purpose” need not be produced to the client.  These include:

  • Internal work assignments
  • Routine conflicts review
  • Client’s creditworthiness
  • Time and expense records

Practice Tip:  Before you whoop and holler over your ability to withhold “time and expense records,” be aware you still have an obligation to provide clients with an accounting of their funds under Oregon PRC 1.15-1(d).

Also, while they may not be part of the “client file” under this opinion that doesn’t mean that you are scot-free. Picture a fee dispute where the time and expense records differ signifcantly or relevantly from your client accounting.  Or a legal malpractice claim where the only proof of a key client conversation appears in a time entry, not in your client billings.  In either circumstance, it is conceivable that your time and expense records would be discoverable.  See Footnote 3 of the opinion which discusses the broader standards that apply under ORCP 36 or FRCP 26.

Exception 5 – Metadata and information contained in law firm software

Electronic documents or information “that could be construed as computer metadata, or which would otherwise be too burdensome and expensive to identify, locate, and produce in a readable or accessible format” need not be produced as part of the client file.

What kind of documents or information could be “too burdensome and expensive to identify, locate and produce” besides metadata?  Client data contained in proprietary software, such as a docketing program.  Discussion aside, the opinion suggests that “to the extent a summary or report can be created by the software, the lawyer should include that as part of the client file.”  Could a client be charged for the cost of extracting or converting data from such a program?  No, unless the fee agreement provided differently. See the discussion below.

Practice Tip:  Be careful if you rely upon this exception for anything other than metadata or client information contained in proprietary software.

Remember that email and text messages are expressly part of the client file under this opinion.  If you don’t have a good system for capturing this type of communication, you should make it your number one priority.  I’ve written many times about capturing email as part of the client file.  See Part 1 and Part 2 of this article.

If you text frequently with clients, take a long, hard look at Zipwhip.  This service enables text messages to be received and sent using your law office’s existing landline or toll-free number.  Text conversations can be saved as a PDF document in the client’s folder, which ensures compliance with OSB Formal Opinion 2017-192.

Exception 6 – Substantive prohibitions against delivering legal documents to clients

If substantive law or court order prohibits delivery of documents in whole or in part to a client, the law or order must be obeyed.

Exception 7 – disclosure and lack of objection

The final stated grounds for producing less than the entire client file is based on “appropriate disclosure” and lack of client objection.  This makes perfect sense.  If the client agrees to accept less than the entire file, it should be the client’s choice.

Practice Tip:  If you’re going to rely on “appropriate disclosure” and the lack of an objection on the client’s part to producing the entire file – document it and create a clear trail of what you did provide.  This may be important later if the client misremembers what you did or did not produce.  (See Footnote 6 to the opinion.)

Unknown exceptions

Could there be other classes of documents or information that may be withheld?  Yes. Anything is possible, and the opinion acknowledges this with the following admonition:
“As a general proposition, however, unless there is a valid reason for not providing documents as discussed above, all documents from the client file should be provided.”

Do lawyers have the right to retain their own copy of the file?

“A lawyer has a right to retain a copy of the client file,” no ifs, ands, or buts.

Practice Tip:  Occasionally business or corporate clients may pressure lawyers to surrender or destroy their copy of the client file.  Point these clients to this opinion. Better yet: address this subject up front in your written engagement letter/fee agreement to avoid hassles later.

Can lawyers charge clients for duplication expenses?

Lawyers cannot charge clients for:

  • Copies of original documents given to the lawyer by the client
  • Copies of original documents prepared by the lawyer for the client and held by the lawyer at the client’s request (for example: original wills or trust agreements)

These copies must be made at the lawyer’s expense.  This is in keeping with former opinion 125.  As to other documents which lawyers may scan or photocopy, presence of a fee agreement is key:

Fee agreement provides for duplication charges

If you were smart enough to cover this ground in your fee agreement, you can bill the client for photocopy and scanning costs.  The original document exceptions discussed above still apply.  (Mini tip:  if you withdraw or the client fires you mid-matter, read Footnote 8.  Your right to enforce payment of the cost of duplicating the file may have to yield, temporarily, to the client’s need to have the file for an ongoing legal matter.)

No fee agreement or fee agreement provides client is entitled to copies without separate charge

If you did not reserve the right to separately charge for duplication expenses in your fee agreement, then the client is entitled to one copy, without charge, of any documents not previously provided.

Duplicate copies of documents or information previously sent

In either case, if a client wants duplicate copies of documents or information previously provided, “the lawyer is entitled to charge for those costs.”

Practice Tip:   Address the topics of copying documents and charging for duplicates in your fee agreement.

In what form may the file be produced?

OSB Formal Opinion 2017-192 briefly revisits the ground covered by its predecessor: OSB Formal Opinion 2016-191.  You’ll recall that opinion 191 spoke to a lawyer’s ethical obligations in keeping or producing an electronic-only copy of a file.  To bottom-line it for purposes of Opinion 192, providing clients with an electronic copy of their client file is fine, if they can access it.  If they can’t, you are obliged to provide the file in a format “that can be accessed or read by the client.”  For some, this may mean producing a paper file. See this post for a complete discussion.

When may a lawyer charge for the cost of locating and segregating file documents?

A lawyer may not charge:

  • For the cost of locating or segregating documents the lawyer chooses not to produce
  • A “clearly excessive” or “unreasonable” amount for producing the client file.

A lawyer may charge for the cost of:

  • Locating and segregating documents the lawyer is prohibited from producing (see the discussion above regarding exception 6).
  • Locating and segregating documents when the client has requested only certain portions of the file
  • Reproducing documents or information already made available to the client
  • Costs associated with production of a file “to the extent the lawyer could have charged the client for the same work if the request had been made during the lawyer-client relationship.”  In other words, did you allow for billing the client for such costs as part of your original fee agreement?  If yes, and so long as you aren’t passing on the cost of segregating documents you don’t want to produce, you’re golden.

What about the cost of extracting or converting data from law firm software, like a docketing program?

As mentioned above, extracting or converting client data contained in proprietary software may fit the “too burdensome” exception.  However, if produced, a lawyer cannot require the client to bear this cost “absent an agreement to the contrary.” Translation: like so many other points, you need to cover this in your fee agreement.

How does all of this square in the event of a legal malpractice action?

That, my friends, is a good question!  Up to this point, we’ve only discussed a lawyer’s ethical obligations, not the standard that might apply in discovery should a legal malpractice action occur.  If you have concerns about file production in conjunction with a claim or suit brought by a client, contact the Professional Liability Fund.

Parting Thoughts

OSB Formal Opinion 2017-192 is a lot to chew.  And as noted above, it is one of two opinions issued in the last six months governing client files.  I hope this post has helped, at least a bit.  I am planning a CLE in June to address the issues raised by this opinion and its predecessor.  Watch my blog for an announcement.

All Rights Reserved Beverly Michaelis 2017.

 

 

 

 

Practical Advice for Virtual Law Offices

Posted on by
1

Last week we discussed the ethical implications of WSBA Advisory Opinion 201601, “Ethical Practices of the Virtual Law Office.”  As the Committee on Professional Ethics noted, virtual practitioners must take care with supervision, confidentiality, avoiding misrepresentation, and conflicts of interest.  Understandable, but what exactly does that mean?  Here is some practical advice.

online-1799664__480

Adequate supervision in a virtual workplace

In a virtual workplace lawyers and staff don’t work in proximity.  How do you ensure that remote workers receive “adequate supervision?”  The WSBA opinion mentions taking “additional measures,” but does not describe what those may be. Virtual employers should consider the following:

  1. Establish policies just as you would in a traditional office setting:  dedicated working hours when employees are expected to be within reach of their phones or computers; vacation allowance; sick leave policy; how you will measure performance; and so on.
  2. Create procedures for employees to follow.  Specifically, how will you distribute assignments and exchange completed work?  Technology is bound to be the solution, so see the discussion below about confidentiality.  Remember to address the “mundane” office tasks too: calendaring, accounting, conflict checking, etc.
  3. Require all remote workers to sign a confidentiality pledge or agreement.  The Professional Liability Fund has samples on its website.
  4. Get fully educated about legalities:  “In 2011, an Oregon appeals court found in favor of a J.C. Penney Co. Inc. home decorator who was injured after she tripped over her dog while working at home. Although the state workers’ compensation board had held her injuries were not work-related, the appeals court reversed, finding the employee had been working from her home as a term and condition of employment.”
    On-the-job injuries aren’t the only problem: be aware of Fair Labor Standards Act troubles, choice of jurisdiction, protecting proprietary information [forms bank, brief bank, customized practice management software], and the Americans with Disabilities Act.  The list doesn’t end there.
  5. Talk to an employment lawyer about securing your right to inspect employees’ remote workplaces and monitoring employees’ use of technology.
  6. Don’t neglect the need for face time. Management experts recommend regular web meetings and occasional in-person meetings for an optimal virtual workplace.
  7. Revisit your ethical responsibilities as a supervisor in Oregon.

Confidentiality

Advisory Opinion 201601 revisits the ethical requirements for cloud computing and email communication, the gist of which is:

  • A lawyer may use online data storage systems to store and back up client confidential information as long as the lawyer takes reasonable care to ensure that the information will remain confidential and the information is secure from risk of loss.
  • Email communication with clients is allowed, except lawyers must warn clients if they believe there is a significant risk of third party access.

Oregon takes a similar stance on cloud computing:  “Lawyer may store client materials on a third-party server as long as Lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation.” OSB Formal Opinion No. 2011-188 [Revised 2015.]  For more details, see this post.  See Also OSB Formal Opinion No. 2016-191, “Client Property: Electronic-Only or “Paperless” Client Documents and Files,” which includes a further discussion about electronic client files.

As to email, Oregon lawyers are forewarned to:

  1. Use proper security measures in cases where information is “particularly sensitive or subject to a confidentiality agreement.”
  2. Avoid email entirely if a client requests it.
  3. Scrub for metadata.

See “Safeguarding Client Information in a Digital World,” and “Competency: Disclosure of Metadata,” OSB Formal Opinion No. 2011-187 [Revised 2015].

No mention is made about a duty to warn clients of third party access where the lawyer believes there is a significant risk.  However, it would be foolish not to do so.  Consider the example mentioned in the WSBA opinion: where the lawyer knows her client is using an employer-provided email account.

We’ve discussed this issue before. Your email may not be protected by lawyer-client privilege if your client is reading it at work.  Before you begin communicating by email, take note of the client’s address.  Does the domain correlate to their place of employment?  Don’t use it!  Even if the address is @gmail.com or a similar web-based service, don’t assume your client only reads and prints email at home.  Have a discussion about where, when, and how your client reads your confidential communications and follow the other advice mentioned here.

Another quick word about using the cloud

Virtual practices could not exist without the cloud, a VPN, or some means of hosting and exchanging client information.  Beyond the basics of taking reasonable care to protect confidentiality, implement policies and procedures as described above.  Focus on security and steps to take when a virtual employee stops working for you.  Remote workers can put your law practice at risk if they upload or exchange content that contains malware or ransomware. A study commissioned by a security firm in the UK and Germany found:

  • One in four employees admitted breaking security policies.
  • Nearly two in five said either they, or someone they know, have lost or had stolen a device in a public place.
  • Three-quarters of these devices – such as laptops, mobile phones and USB sticks – contained work-related data, including confidential emails (37%), confidential files (34%) and customer data (21%).
  • Approximately one in ten lost financial data or access details such as login and password information, exposing even more confidential information to the risk of breach.

It is equally important to have a checklist for departing staff that ensures revocation of login credentials, return of workplace property, and disposition of ongoing email or voice communications directed to someone who no longer works for you.

Consider talking to an employment law attorney, or as a starter, see the Professional Liability Fund’s (PLF’s) Checklist for Departing Staff.

Duty to avoid misrepresentation

Advisory Opinion 201601 warns that lawyers may not imply the existence of a physical office or formal law firm where none exists. Therefore, unless you’ve arranged for ready access to meeting spaces or the ability to see clients on a drop-in basis, don’t imply those resources exist.  Posting or implying that you are part of a firm on your website, social media, or elsewhere is also a no-no.  (The same is true for office sharers, an example given in the ethics opinion.)

Avoiding conflicts of interest

Advisory Opinion 201601 points out that virtual offices must ensure that the conflicts checking system is equally accessible to all members of the practice, lawyers and staff, and that such access is reliably maintained.  This only makes sense.

Be sure to add your calendaring system, billing system, client matter records, and everything else you need to operate virtually as a law practice.  All of it must be equally accessible and reliably maintained.

Will the cloud be your savior when it comes to accessibility and reliability?  Probably, but it can’t help you with issues like when to run a conflict check, how to run a conflict check, or the need to circulate a new client list to everyone in the office.  As noted above, procedures will be key!  For help, contact a friendly practice management expert, like myself or one of the advisors at the PLF. While you’re on the PLF site, check out the many publications, practice aids, and forms that will assist you with establishing office protocols.

All Rights Reserved Beverly Michaelis 2017

The Standard for Email Communications

Posted on by
2

What is the standard for electronic client communications?  Can lawyers freely use email, without a worry or care about encryption?

In “Odds & Ends – Safeguarding Client Information in a Digital World,” Oregon State Bar General Counsel Helen Hierschbiel sets us straight:

The first ethics opinions that addressed the use of electronic communications prohibited lawyers from using cell phones and unencrypted e-mail…. More recently, ethics authorities condone the practice, recognizing that the expectation of privacy in these modern methods of communication is comparable to and as reasonable as that of older methods of communication. For example, ABA Formal Ethics Op 99-413 (1999) states:

E-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy… The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of [the law].

Does this mean lawyers get a free pass to use unencrypted email?

The answer is no, as Helen points out.  Special precautions need to be taken if:

  • The information to be transmitted is particularly sensitive
  • The contents of the email are subject to a confidentiality agreement
  • The client instructs the lawyer to avoid using email

Can a client waive the security risks associated with unencrypted email?

Yes.  “If a client requests it, a lawyer may … be allowed to use … a particular type of electronic communication notwithstanding expectations of privacy in the communication method.”

What role does metadata play?

As Helen notes, metadata may be a bigger danger than unauthorized interception of email  messages:

[C]ompetent representation requires that lawyers understand what information may be hidden in documents that they plan to send by e-mail so that appropriate steps can be taken to protect against inadvertent disclosure of what could be confidential or sensitive information. See, e.g., Arizona Ethics Op 07-03(2007) (lawyer must take “reasonable precautions” to prevent communication of metadata containing client information) and ABA Formal Op 06-442.

Since Helen’s article was published, Oregon has issued its own metadata opinion: Competency: Disclosure of Metadata, OSB Formal Opinion 2011-187.

Where does this leave us with encryption?

If your clients have consented to use of unencrypted email (or don’t care) and your messages are not particularly sensitive or subject to a confidentiality agreement, why should you give a whit about encryption?  In a phrase: ease of use.

What used to be difficult is no longer.

In the article “Encryption So Easy a Lawyer Can Do It,” Bob Ambrogi discusses three incredibly simple solutions that allow lawyers to send encrypted messages.  No more clunky interface requiring the sender to transmit keys before the recipient decrypts the message.  No more need for both parties to use the same software.  (Although a simple plug-in may be needed, depending on the software you choose.)

With secure cloud-based solutions like Enlocked, Virtru, or Delivery Trust from Identillect, Ambrogi concludes:

What all three programs have in common is that they make encryption as easy as the push of a button.  If you use email to communicate with clients or colleagues about sensitive matters – and what lawyer does not? – you have no excuse not to encrypt.”

 [All Rights Reserved 2015 Beverly Michaelis]

Smartphone Email Signatures

Posted on by
6

Does your standard e-mail signature include a disclaimer?  Perhaps the IRS Circular 230 Disclosure:

To ensure compliance with requirements imposed by the IRS, we inform you that any U.S. federal tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

Or maybe yours seeks to protect confidentiality and the attorney-client privilege:

This message may contain sensitive and private privileged information.  If you are not the intended recipient, or if you believe you have received this message in error, please notify me immediately by reply e-mail.  Please keep the contents confidential and delete the message and any attachments from your system.

Whether such disclaimers work is a debate for another day.  For the purpose of today’s post, let’s assume they do and you want to include a disclaimer in your e-mail signature.  Easy enough – when you are working on your desktop or laptop – but long e-mail signatures are not supported by mobile devices like the iPhone.  What can users do?

One option is to post the e-mail communication policy/disclaimer on your firm’s Web site.  If your device will support a signature that contains an outside link, problem solved.  Here is an example:

This can be done on the iPhone using an app like the Signature Creator Tool that supports HTML signatures with URLs.

If that sounds like too much work, another choice would be to include appropriate disclaimers in the client’s initial fee agreement so the client understands up front that all communication by e-mail is subject to the conditions contained in the initial disclaimer.  In that case, if an attorney preferred, his or her mobile e-mail signature could look like this:

 

If you are beyond the initial fee agreement stage and don’t want to hassle with special apps that support HTML signatures with URLs, then do a mass paper mailing or mass e-mail to all clients including a copy of the firm’s disclaimer and e-mail communication policy.  Explain to clients that your policies and disclaimer apply to all messages, whether sent by tablet, smartphone, desktop, laptop, or some future means yet to be invented.  If you are particularly concerned, ask clients to acknowledge and consent to your terms.  This can be done by signing and returning the policy/disclaimer or by replying to your e-mail blast.  (If you send a group or broadcast e-mail to all clients, be sure to put addresses in the bcc: field).

Copyright 2012 Beverly Michaelis