Ethics of Disaster Recovery and Data Breaches

Coming December 10 at 1:00 pm Eastern, 10:00 am Pacific – a lawyer’s ethical duties in responding to disasters and data breaches. Featuring ABA Formal Opinion 483: Lawyers’ Obligations After an Electronic Data Breach or Cyberattack and Formal Opinion 482: Ethical Obligations Related to Disasters (2018).

This session will offer real-life examples on how to recover from a disaster or a data breach — ethically.

Disasters and data breaches bring with them conflicting priorities to resolve. Duties of disclosure compete with those of confidentiality for your attention. The responsibility to provide legal services for which your clients have contracted may be adversely affected by disaster. Model Rules 1.4 and 1.6 provide the standards and the recent ABA opinions flesh out your ethical duties in the event of a disaster (natural or man-made) or a data breach (which is of course a very specific form of a disaster!).

Join our panel of experts as they guide you through these opinions with practical examples of how best to ensure you and your clients are protected in the face of this new world and all it has to throw at you.

This is a free CLE for ABA members. Register here.

All Rights Reserved 2019 Beverly Michaelis

Legal News and Upcoming Events

Is Mandatory Malpractice Coverage Coming to Washington?

Mandatory malpractice coverage is well known by Oregon lawyers and may be coming soon to members of the Washington bar (WSBA).

In July, the WSBA Mandatory Malpractice Insurance Task Force presented a tentative recommendation to the Board of Governors (BOG) to mandate malpractice insurance for Washington-licensed lawyers. The task force expects to present a final report to the BOG in four short months.

Next steps include:

  1. Considering feedback from the Board of Governors;
  2. Ramping up information efforts among WSBA members, and obtaining and considering additional comments received;
  3. Detailing the recommended malpractice insurance mandate, including the specific required coverage minimums;
  4. Identifying in detail the recommended exemptions from the professional liability insurance requirement; and
  5. Drafting a proposed Court Rule for the Board of Governors’ consideration.

Members may submit comments to insurancetaskforce@wsba.org. The task force continues to meet monthly through the end of the year. Read the interim report here.

Free Access to PACER

This past week, the ABA Journal reported a potential end to PACER fees:

A new bill before the U.S. House of Representatives would prohibit the federal courts from charging for public documents. The Electronic Court Records Reform Act would require that documents downloaded from the PACER database be free. Currently, the repository for federal court documents charges up to 10 cents a page.

The article notes that PACER has become a reliable money-maker for federal courts, pulling in $150 million in fees in 2015 alone.

Of further interest to federal court practitioners, the proposed bill would require documents to be posted to PACER within five days of being filed in federal court in a manner that allows for easy searching and linking from external websites.

Additionally, it would require consolidation of the Case Management/Electronic Case Files (CM/ECF) system, allowing for one-stop shopping when searching for federal court cases. Presently, each court operates its own separate CM/ECF system.

Free Data Breach CLEs in Bend and Medford

The Professional Liability Fund is offering two free data breach CLEs in October:

These CLEs will explain data breach, what you can do to protect your client’s information, your ethical duties, and what to do if a breach occurs. For more information, follow the links above. Register for the Bend CLE by emailing DeAnna Shields at deannas@osbplf.org. Register for the Medford CLE by emailing Eric B. Mitton at eric.mitton@cityofmedford.org.

All Rights Reserved – 2018 – Beverly Michaelis

Practical Advice for Virtual Law Offices

Last week we discussed the ethical implications of WSBA Advisory Opinion 201601, “Ethical Practices of the Virtual Law Office.”  As the Committee on Professional Ethics noted, virtual practitioners must take care with supervision, confidentiality, avoiding misrepresentation, and conflicts of interest.  Understandable, but what exactly does that mean?  Here is some practical advice.


Adequate supervision in a virtual workplace

In a virtual workplace, lawyers and staff don’t work in proximity.  How do you ensure that remote workers receive “adequate supervision”?  The WSBA opinion mentions taking “additional measures,” but does not describe what those may be. Virtual employers should consider the following:

  1. Establish policies just as you would in a traditional office setting:  dedicated working hours when employees are expected to be within reach of their phones or computers; vacation allowance; sick leave policy; how you will measure performance; and so on.
  2. Create procedures for employees to follow.  Specifically, how will you distribute assignments and exchange completed work?  Technology is bound to be the solution, so see the discussion below about confidentiality.  Remember to address the “mundane” office tasks too: calendaring, accounting, conflict checking, etc.
  3. Require all remote workers to sign a confidentiality pledge or agreement.  The Professional Liability Fund has samples on its website.
  4. Get fully educated about legalities:  “In 2011, an Oregon appeals court found in favor of a J.C. Penney Co. Inc. home decorator who was injured after she tripped over her dog while working at home. Although the state workers’ compensation board had held her injuries were not work-related, the appeals court reversed, finding the employee had been working from her home as a term and condition of employment.”
    On-the-job injuries aren’t the only problem: be aware of Fair Labor Standards Act troubles, choice of jurisdiction, protecting proprietary information [forms bank, brief bank, customized practice management software], and the Americans with Disabilities Act.  The list doesn’t end there.
  5. Talk to an employment lawyer about securing your right to inspect employees’ remote workplaces and monitoring employees’ use of technology.
  6. Don’t neglect the need for face time. Management experts recommend regular web meetings and occasional in-person meetings for an optimal virtual workplace.
  7. Revisit your ethical responsibilities as a supervisor in Oregon.

Confidentiality

Advisory Opinion 201601 revisits the ethical requirements for cloud computing and email communication, the gist of which is:

  • A lawyer may use online data storage systems to store and back up client confidential information as long as the lawyer takes reasonable care to ensure that the information will remain confidential and the information is secure from risk of loss.
  • Email communication with clients is allowed, except lawyers must warn clients if they believe there is a significant risk of third party access.

Oregon takes a similar stance on cloud computing:  “Lawyer may store client materials on a third-party server as long as Lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation.” OSB Formal Opinion No. 2011-188 [Revised 2015].  For more details, see this post.  See also OSB Formal Opinion No. 2016-191, “Client Property: Electronic-Only or ‘Paperless’ Client Documents and Files,” which includes a further discussion about electronic client files.

As to email, Oregon lawyers are forewarned to:

  1. Use proper security measures in cases where information is “particularly sensitive or subject to a confidentiality agreement.”
  2. Avoid email entirely if a client requests it.
  3. Scrub for metadata.

See “Safeguarding Client Information in a Digital World,” and “Competency: Disclosure of Metadata,” OSB Formal Opinion No. 2011-187 [Revised 2015].

No mention is made about a duty to warn clients of third party access where the lawyer believes there is a significant risk.  However, it would be foolish not to do so.  Consider the example mentioned in the WSBA opinion: where the lawyer knows her client is using an employer-provided email account.

We’ve discussed this issue before. Your email may not be protected by lawyer-client privilege if your client is reading it at work.  Before you begin communicating by email, take note of the client’s address.  Does the domain correlate to their place of employment?  Don’t use it!  Even if the address is @gmail.com or a similar web-based service, don’t assume your client only reads and prints email at home.  Have a discussion about where, when, and how your client reads your confidential communications and follow the other advice mentioned here.

Another quick word about using the cloud

Virtual practices could not exist without the cloud, a VPN, or some means of hosting and exchanging client information.  Beyond the basics of taking reasonable care to protect confidentiality, implement policies and procedures as described above.  Focus on security and steps to take when a virtual employee stops working for you.  Remote workers can put your law practice at risk if they upload or exchange content that contains malware or ransomware. A study commissioned by a security firm in the UK and Germany found:

  • One in four employees admitted breaking security policies.
  • Nearly two in five said either they, or someone they know, have lost or had stolen a device in a public place.
  • Three-quarters of these devices – such as laptops, mobile phones and USB sticks – contained work-related data, including confidential emails (37%), confidential files (34%) and customer data (21%).
  • Approximately one in ten lost financial data or access details such as login and password information, exposing even more confidential information to the risk of breach.

It is equally important to have a checklist for departing staff that ensures revocation of login credentials, return of workplace property, and disposition of ongoing email or voice communications directed to someone who no longer works for you.

Consider talking to an employment law attorney, or as a starter, see the Professional Liability Fund’s (PLF’s) Checklist for Departing Staff.

Duty to avoid misrepresentation

Advisory Opinion 201601 warns that lawyers may not imply the existence of a physical office or formal law firm where none exists. Therefore, unless you’ve arranged for ready access to meeting spaces or the ability to see clients on a drop-in basis, don’t imply those resources exist.  Posting or implying that you are part of a firm on your website, social media, or elsewhere is also a no-no.  (The same is true for office sharers, an example given in the ethics opinion.)

Avoiding conflicts of interest

Advisory Opinion 201601 points out that virtual offices must ensure that the conflicts checking system is equally accessible to all members of the practice, lawyers and staff, and that such access is reliably maintained.  This only makes sense.

Be sure to add your calendaring system, billing system, client matter records, and everything else you need to operate virtually as a law practice.  All of it must be equally accessible and reliably maintained.

Will the cloud be your savior when it comes to accessibility and reliability?  Probably, but it can’t help you with issues like when to run a conflict check, how to run a conflict check, or the need to circulate a new client list to everyone in the office.  As noted above, procedures will be key!  For help, contact a friendly practice management expert, like myself or one of the advisors at the PLF. While you’re on the PLF site, check out the many publications, practice aids, and forms that will assist you with establishing office protocols.

All Rights Reserved Beverly Michaelis 2017