Practical Advice for Virtual Law Offices

Last week we discussed the ethical implications of WSBA Advisory Opinion 201601, “Ethical Practices of the Virtual Law Office.”  As the Committee on Professional Ethics noted, virtual practitioners must take care with supervision, confidentiality, avoiding misrepresentation, and conflicts of interest.  Understandable, but what exactly does that mean?  Here is some practical advice.


Adequate supervision in a virtual workplace

In a virtual workplace lawyers and staff don’t work in proximity.  How do you ensure that remote workers receive “adequate supervision?”  The WSBA opinion mentions taking “additional measures,” but does not describe what those may be. Virtual employers should consider the following:

  1. Establish policies just as you would in a traditional office setting:  dedicated working hours when employees are expected to be within reach of their phones or computers; vacation allowance; sick leave policy; how you will measure performance; and so on.
  2. Create procedures for employees to follow.  Specifically, how will you distribute assignments and exchange completed work?  Technology is bound to be the solution, so see the discussion below about confidentiality.  Remember to address the “mundane” office tasks too: calendaring, accounting, conflict checking, etc.
  3. Require all remote workers to sign a confidentiality pledge or agreement.  The Professional Liability Fund has samples on its website.
  4. Get fully educated about legalities:  “In 2011, an Oregon appeals court found in favor of a J.C. Penney Co. Inc. home decorator who was injured after she tripped over her dog while working at home. Although the state workers’ compensation board had held her injuries were not work-related, the appeals court reversed, finding the employee had been working from her home as a term and condition of employment.”
    On-the-job injuries aren’t the only problem: be aware of Fair Labor Standards Act troubles, choice of jurisdiction, protecting proprietary information [forms bank, brief bank, customized practice management software], and the Americans with Disabilities Act.  The list doesn’t end there.
  5. Talk to an employment lawyer about securing your right to inspect employees’ remote workplaces and monitoring employees’ use of technology.
  6. Don’t neglect the need for face time. Management experts recommend regular web meetings and occasional in-person meetings for an optimal virtual workplace.
  7. Revisit your ethical responsibilities as a supervisor in Oregon.

Confidentiality

Advisory Opinion 201601 revisits the ethical requirements for cloud computing and email communication, the gist of which is:

  • A lawyer may use online data storage systems to store and back up client confidential information as long as the lawyer takes reasonable care to ensure that the information will remain confidential and the information is secure from risk of loss.
  • Email communication with clients is allowed, except lawyers must warn clients if they believe there is a significant risk of third party access.

Oregon takes a similar stance on cloud computing:  “Lawyer may store client materials on a third-party server as long as Lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation.” OSB Formal Opinion No. 2011-188 [Revised 2015].  For more details, see this post.  See also OSB Formal Opinion No. 2016-191, “Client Property: Electronic-Only or ‘Paperless’ Client Documents and Files,” which includes a further discussion about electronic client files.

As to email, Oregon lawyers are forewarned to:

  1. Use proper security measures in cases where information is “particularly sensitive or subject to a confidentiality agreement.”
  2. Avoid email entirely if a client requests it.
  3. Scrub for metadata.

See “Safeguarding Client Information in a Digital World,” and “Competency: Disclosure of Metadata,” OSB Formal Opinion No. 2011-187 [Revised 2015].

No mention is made about a duty to warn clients of third party access where the lawyer believes there is a significant risk.  However, it would be foolish not to do so.  Consider the example mentioned in the WSBA opinion: where the lawyer knows her client is using an employer-provided email account.

We’ve discussed this issue before. Your email may not be protected by lawyer-client privilege if your client is reading it at work.  Before you begin communicating by email, take note of the client’s address.  Does the domain correlate to their place of employment?  Don’t use it!  Even if the address is @gmail.com or a similar web-based service, don’t assume your client only reads and prints email at home.  Have a discussion about where, when, and how your client reads your confidential communications and follow the other advice mentioned here.

Another quick word about using the cloud

Virtual practices could not exist without the cloud, a VPN, or some means of hosting and exchanging client information.  Beyond the basics of taking reasonable care to protect confidentiality, implement policies and procedures as described above.  Focus on security and steps to take when a virtual employee stops working for you.  Remote workers can put your law practice at risk if they upload or exchange content that contains malware or ransomware. A study commissioned by a security firm in the UK and Germany found:

  • One in four employees admitted breaking security policies.
  • Nearly two in five said either they, or someone they know, have lost or had stolen a device in a public place.
  • Three-quarters of these devices – such as laptops, mobile phones and USB sticks – contained work-related data, including confidential emails (37%), confidential files (34%) and customer data (21%).
  • Approximately one in ten lost financial data or access details such as login and password information, exposing even more confidential information to the risk of breach.

It is equally important to have a checklist for departing staff that ensures revocation of login credentials, return of workplace property, and disposition of ongoing email or voice communications directed to someone who no longer works for you.

Consider talking to an employment law attorney, or as a starter, see the Professional Liability Fund’s (PLF’s) Checklist for Departing Staff.

Duty to avoid misrepresentation

Advisory Opinion 201601 warns that lawyers may not imply the existence of a physical office or formal law firm where none exists. Therefore, unless you’ve arranged for ready access to meeting spaces or the ability to see clients on a drop-in basis, don’t imply those resources exist.  Posting or implying that you are part of a firm on your website, social media, or elsewhere is also a no-no.  (The same is true for office sharers, an example given in the ethics opinion.)

Avoiding conflicts of interest

Advisory Opinion 201601 points out that virtual offices must ensure that the conflicts checking system is equally accessible to all members of the practice, lawyers and staff, and that such access is reliably maintained.  This only makes sense.

Be sure to add your calendaring system, billing system, client matter records, and everything else you need to operate virtually as a law practice.  All of it must be equally accessible and reliably maintained.

Will the cloud be your savior when it comes to accessibility and reliability?  Probably, but it can’t help you with issues like when to run a conflict check, how to run a conflict check, or the need to circulate a new client list to everyone in the office.  As noted above, procedures will be key!  For help, contact a friendly practice management expert, like myself or one of the advisors at the PLF. While you’re on the PLF site, check out the many publications, practice aids, and forms that will assist you with establishing office protocols.

All Rights Reserved Beverly Michaelis 2017

7 Steps You Can Take Now to Protect Your Data

Unless you’ve been playing ostrich, you’re likely aware that data breaches and ransomware are about as common as Mom and apple pie.  Witness the recent hack of 272 million Gmail, Microsoft, and Yahoo! accounts.

Fortunately, there are simple steps you can take now that will help protect your data.  [With thanks and all due credit to Lane Powell’s Beyond IP Law post, The Scariest Hack So Far, for inspiring this elucidation of their original list]:

Step 1: Start Using Encryption

For your desktop, cloud-based accounts, mobile devices – anywhere or any place you store or transmit confidential or private information.  For a thorough discussion of how to implement encryption throughout your firm, see Encryption Made Simple for Lawyers, now a book available for purchase on the ABA website.  (Non-ABA members in Oregon can save money at checkout by using the OSB Professional Liability Fund discount code: OSBPLF.)

Step 2: Set Up Two-Factor Authentication for Cloud Services

“The concept of two-factor authentication is that a person cannot access another user’s account without something she knows and something she has. In the case of popular services (like Google or Dropbox), the solution is a strong password plus a secondary code that is sent via text to a smartphone or mobile device.”  Catherine Sanders Reach, Set Up Two-Factor Authentication: What Are You Waiting For?  [Read Catherine’s post for step-by-step directions or search Help in your cloud-based service for assistance in setting up two-factor authentication.]

Step 3:  Erect Firewalls

Firewalls sit between you and the rest of the Internet.  They protect against unauthorized access to your computer by ignoring or repelling information that appears to come from unsecured, unknown, or suspicious locations.  The best firewall configuration is a one-two punch:  hardware firewall + software firewall.

Setting up a hardware firewall requires no effort on your part.  While you can buy a stand-alone appliance, hardware firewalls are now automatically incorporated into your router (the box in your office or house installed by your Internet Service Provider).

Software firewalls are installed on your computer system like any other application, and are also easy/breezy since they are typically built into anti-virus software.  (See discussion that follows.)

Step 4: Install Anti-Virus, Anti-Malware, Anti-Spyware Programs and Keep Them Updated

This seems pretty self-explanatory, but let me add some free advice:

  • Don’t disable automatic updates to your virus definition database
  • Run quick scans when prompted
  • Run full scans at least monthly
  • Don’t ignore notifications that your software isn’t running properly

For a list of the best anti-virus utilities for PCs, see this list from PC Magazine.  For a list of the best anti-virus utilities for Macs, check out this MacWorld post.  For other recommendations, run a Google search.

My personal opinion: run far, far away from McAfee.  [I really don’t give a rip that it is “now part of Intel Security.”]  First, McAfee blocked access to my work VPN (virtual private network).  There was no way to set a rule or create an exception and tech support was incredibly unhelpful.  Second, McAfee is notoriously hard to uninstall. Using Add/Remove Programs in the Control Panel is only the first step; you must download a separate application from McAfee to get rid of it.  I mention this because McAfee tends to come pre-installed on laptops or desktops purchased from retailers like Best Buy.  What to do?  If McAfee was inflicted on you (pre-installed), get rid of it.  Follow the link above for the uninstaller.  Next, buy Kaspersky.  I have been very pleased with Kaspersky from day one and it has never interfered with my VPN connection.

Step 5:  Run Operating System and Other Software Updates

This also seems self-explanatory.  Mac and Windows OS ship with automatic updates enabled – don’t fuss with this.  If Microsoft or Apple thinks you need a security patch, a fix, or upgrade, let it run.  The same goes for every application installed on your computer:  Microsoft Office, Acrobat DC, Quicken, QuickBooks – let automatic updates run.  If you’re not sure whether automatic updates are enabled, check Help or search the product’s website.  Some programs also allow you to manually search for updates. Acrobat DC is an example.  In the menu, select Help, and choose “Check for Updates…”

Step 6:  Be Ready to Kill Your System If You Suspect a Breach

In the original post which inspired me to write on this topic, author Jane E. Brown comments: “Consider using a “kill switch”— when suspicious events happen, the IT department should automatically be notified and the network should shut down if no protective measures are taken.”

I have known of events that required a kill switch.  One Oregon lawyer was hacked via a phishing email.  The hacker was able to get enough information from the lawyer and the lawyer’s system to contact clients by email and request that they input credit card information to pay their bills. Fortunately, a few clients recognized that this request was outside the lawyer’s usual billing process and called the office.  The lawyer had to pull the kill switch and take other steps, including freezing bank accounts.  This turned out to be a smart move, as within 24 hours the hacker also attempted to withdraw thousands of dollars from the lawyer’s trust account.

Step 7:  Lose Your Device?  Lose Your Credentials.

There are some obvious times when it makes sense to reset or revoke user names and passwords (login credentials):

  • At termination
  • If a network-connected device is lost
  • If you experience a security intrusion
  • If your security, privacy, or confidentiality policies are breached

Final Thoughts

None of these steps are difficult, but bouncing back from a security breach is.

[All Rights Reserved 2016 Beverly Michaelis]

Saving Gmail to PDF Using Zapier

Are you a Gmail user?  Many lawyers are.

Gmail and Google Calendar [sometimes coupled with Google Apps] are a popular alternative to Outlook.  But there is a key issue with using web-based email that lawyers often overlook: messages stored online simply don’t make it to your client file.  If you prefer web-based email and rebel against the idea of downloading messages to a local program on your desktop or laptop, how can you document your file?

This has been a challenge.  Until now.

The Bad Old Days: Saving Messages as Individual PDF Files

Gmail – as stand-alone web-based email – does not offer an easy way to capture a group of messages labeled or stored in a folder online.  If you want to save client emails, you must do so one at a time by printing each message to PDF (or scanning each message to PDF).  This is so incredibly tedious that most lawyers never do it.  Messages are saved online and nowhere else, resulting in non-cohesive client records.

Today’s solution: Zapier

Zapier is one way to solve this problem.  It automatically files Gmail by moving messages for you.  The only trick is the destination, which must be another web-based service or account.  Google Drive and Dropbox are two examples of locations where mail can be saved.  Here is a simple explanation of how the service works.

If you are paperless and storing your client records at one of the supported online destinations, then Zapier can make your client file cohesive.  Everything is in one location and your records are complete.  One of the most popular approaches is to use Zapier to save client email to Dropbox.

Parting Thoughts

“Zapping” your Gmail to the same online location where you keep your other client records seems like a good way to go.  As with any cloud-based solution, there are ethical concerns.

  1. Is Zapier secure?  Zapier stores the data it is moving on your behalf for 7 days, then purges it.  Your credentials are protected by bank-level encryption.  HTTPS or SSL connections are used whenever possible.  [If the destination app you are connecting to is not HTTPS or SSL, Zapier cannot “force” that type of connection.]  Users can monitor the task history of Zapier for the life of their accounts to verify activity and data transfer. Read more here.
  2. Is it a good idea to keep confidential and privileged client records in Dropbox, Google Drive, Box, or OneDrive?  Yes, provided you supplement the built-in protection of your online accounts with a private [client side] encryption product like Viivo.  Problem solved.
  3. Won’t I just be safer if I store files on my own computer?  This is another way to go, but you’ll be stuck with the one-at-a-time process of saving email as described above.  Additionally, the tide of expert thought is shifting to the belief that cloud-based solutions are superior.  See The great IT myth: is cloud really less secure than on-premise?

All Rights Reserved [2016] Beverly Michaelis

2016 ABA TECHSHOW Takeaways: 10 Security Steps to Take Now!

The incomparable Tim Baran from Legal Productivity has done it again. His post, 10 Actionable Privacy, Security & Encryption Takeaways From #ABATECHSHOW is a must-read for all lawyers.  (Important enough that I bumped the post I was planning to publish today.)

Included in Tim’s roundup:

  • Password managers
  • Secure web browsing with HTTPS Everywhere
  • No-track search engines
  • Using false answers to security questions to foil ne’er-do-wells
  • Encrypted telephone conversations and text messages
  • Encrypted files in the cloud
  • Protecting your smartphone camera
  • Using multi-factor authentication
  • Turning on automatic updates
  • Communicating over VPNs in lieu of insecure public WiFi

This is the best of the best.  Take two minutes from your day and read Tim’s post!  While you’re at it, consider subscribing to the Legal Productivity RSS feed for great practice tips on technology, mobile lawyering, marketing, organization, making money, and wellness.

2016 ABA TECHSHOW Wrap Up – 10 Most Important Upgrades

On the heels of the 2016 ABA TECHSHOW, here is a roundup of the top 10 most important upgrades compiled by Jared Correia.  Most involve new features of established case management programs, but there were also important developments in lawyer referral (Avvo), job search resources (Evolve Law), and peer-driven security standards for cloud computing (LCCA).  If you are ever tempted to attend TECHSHOW, you’ll also find a link to an interactive map of where to eat/drink (Gyi’s ABA TECHSHOW Recommendations).

Jared’s Top 10 Upgrades List Includes:

  • Rocket Matter
  • VineSign
  • Smokeball
  • MyCase
  • Evolve Law
  • CosmoLex
  • Clio
  • Avvo
  • Legal Cloud Computing Association (LCCA)
  • Gyi’s ABA TECHSHOW Recommendations (food/drink)

Access the top 10 most important upgrades here.