Practical Advice for Virtual Law Offices

Last week we discussed the ethical implications of WSBA Advisory Opinion 201601, “Ethical Practices of the Virtual Law Office.”  As the Committee on Professional Ethics noted, virtual practitioners must take care with supervision, confidentiality, avoiding misrepresentation, and conflicts of interest.  Understandable, but what exactly does that mean?  Here is some practical advice.

online-1799664__480

Adequate supervision in a virtual workplace

In a virtual workplace lawyers and staff don’t work in proximity.  How do you ensure that remote workers receive “adequate supervision?”  The WSBA opinion mentions taking “additional measures,” but does not describe what those may be. Virtual employers should consider the following:

  1. Establish policies just as you would in a traditional office setting:  dedicated working hours when employees are expected to be within reach of their phones or computers; vacation allowance; sick leave policy; how you will measure performance; and so on.
  2. Create procedures for employees to follow.  Specifically, how will you distribute assignments and exchange completed work?  Technology is bound to be the solution, so see the discussion below about confidentiality.  Remember to address the “mundane” office tasks too: calendaring, accounting, conflict checking, etc.
  3. Require all remote workers to sign a confidentiality pledge or agreement.  The Professional Liability Fund has samples on its website.
  4. Get fully educated about legalities:  “In 2011, an Oregon appeals court found in favor of a J.C. Penney Co. Inc. home decorator who was injured after she tripped over her dog while working at home. Although the state workers’ compensation board had held her injuries were not work-related, the appeals court reversed, finding the employee had been working from her home as a term and condition of employment.”
    On-the-job injuries aren’t the only problem: be aware of Fair Labor Standards Act troubles, choice of jurisdiction, protecting proprietary information [forms bank, brief bank, customized practice management software], and the Americans with Disabilities Act.  The list doesn’t end there.
  5. Talk to an employment lawyer about securing your right to inspect employees’ remote workplaces and monitoring employees’ use of technology.
  6. Don’t neglect the need for face time. Management experts recommend regular web meetings and occasional in-person meetings for an optimal virtual workplace.
  7. Revisit your ethical responsibilities as a supervisor in Oregon.

Confidentiality

Advisory Opinion 201601 revisits the ethical requirements for cloud computing and email communication, the gist of which is:

  • A lawyer may use online data storage systems to store and back up client confidential information as long as the lawyer takes reasonable care to ensure that the information will remain confidential and the information is secure from risk of loss.
  • Email communication with clients is allowed, except lawyers must warn clients if they believe there is a significant risk of third party access.

Oregon takes a similar stance on cloud computing:  “Lawyer may store client materials on a third-party server as long as Lawyer complies with the duties of competence and confidentiality to reasonably keep the client’s information secure within a given situation.” OSB Formal Opinion No. 2011-188 [Revised 2015.]  For more details, see this post.  See Also OSB Formal Opinion No. 2016-191, “Client Property: Electronic-Only or “Paperless” Client Documents and Files,” which includes a further discussion about electronic client files.

As to email, Oregon lawyers are forewarned to:

  1. Use proper security measures in cases where information is “particularly sensitive or subject to a confidentiality agreement.”
  2. Avoid email entirely if a client requests it.
  3. Scrub for metadata.

See “Safeguarding Client Information in a Digital World,” and “Competency: Disclosure of Metadata,” OSB Formal Opinion No. 2011-187 [Revised 2015].

No mention is made about a duty to warn clients of third party access where the lawyer believes there is a significant risk.  However, it would be foolish not to do so.  Consider the example mentioned in the WSBA opinion: where the lawyer knows her client is using an employer-provided email account.

We’ve discussed this issue before. Your email may not be protected by lawyer-client privilege if your client is reading it at work.  Before you begin communicating by email, take note of the client’s address.  Does the domain correlate to their place of employment?  Don’t use it!  Even if the address is @gmail.com or a similar web-based service, don’t assume your client only reads and prints email at home.  Have a discussion about where, when, and how your client reads your confidential communications and follow the other advice mentioned here.

Another quick word about using the cloud

Virtual practices could not exist without the cloud, a VPN, or some means of hosting and exchanging client information.  Beyond the basics of taking reasonable care to protect confidentiality, implement policies and procedures as described above.  Focus on security and steps to take when a virtual employee stops working for you.  Remote workers can put your law practice at risk if they upload or exchange content that contains malware or ransomware. A study commissioned by a security firm in the UK and Germany found:

  • One in four employees admitted breaking security policies.
  • Nearly two in five said either they, or someone they know, have lost or had stolen a device in a public place.
  • Three-quarters of these devices – such as laptops, mobile phones and USB sticks – contained work-related data, including confidential emails (37%), confidential files (34%) and customer data (21%).
  • Approximately one in ten lost financial data or access details such as login and password information, exposing even more confidential information to the risk of breach.

It is equally important to have a checklist for departing staff that ensures revocation of login credentials, return of workplace property, and disposition of ongoing email or voice communications directed to someone who no longer works for you.

Consider talking to an employment law attorney, or as a starter, see the Professional Liability Fund’s (PLF’s) Checklist for Departing Staff.

Duty to avoid misrepresentation

Advisory Opinion 201601 warns that lawyers may not imply the existence of a physical office or formal law firm where none exists. Therefore, unless you’ve arranged for ready access to meeting spaces or the ability to see clients on a drop-in basis, don’t imply those resources exist.  Posting or implying that you are part of a firm on your website, social media, or elsewhere is also a no-no.  (The same is true for office sharers, an example given in the ethics opinion.)

Avoiding conflicts of interest

Advisory Opinion 201601 points out that virtual offices must ensure that the conflicts checking system is equally accessible to all members of the practice, lawyers and staff, and that such access is reliably maintained.  This only makes sense.

Be sure to add your calendaring system, billing system, client matter records, and everything else you need to operate virtually as a law practice.  All of it must be equally accessible and reliably maintained.

Will the cloud be your savior when it comes to accessibility and reliability?  Probably, but it can’t help you with issues like when to run a conflict check, how to run a conflict check, or the need to circulate a new client list to everyone in the office.  As noted above, procedures will be key!  For help, contact a friendly practice management expert, like myself or one of the advisors at the PLF. While you’re on the PLF site, check out the many publications, practice aids, and forms that will assist you with establishing office protocols.

All Rights Reserved Beverly Michaelis 2017

Precautions for Paperless Practitioners

Did you happen to notice the new ethics opinion issued in September 2016?  You aren’t alone, but don’t worry.  Let’s get caught up.

ethics-photo

OSB Formal Opinion 2016-191 addresses a lawyer’s ethical responsibilities in keeping paperless client files and disposing of client property.

Everything Old is New Again

Nigh on eight years ago, I gave some advice on this subject:

  • Inform clients of your digital storage practices.  Explain how you will provide documents to current clients in the regular course of business and in the event a former client requests a complete copy of his or her file.
  • Update your fee agreement and engagement letters to reflect your file policies and procedures.
  • Be prepared to provide clients with a copy of their digital file in a format they can access.  [This may mean physically printing the file.]
  • Establish a retention policy for your digital files.
  • Use security measures to protect client records.
  • Take steps to ensure that documents stored electronically cannot be inadvertently modified or destroyed.
  • Backup, backup, backup!
  • Review the Professional Liability Fund (PLF) practice aid, Checklist for Imaging Client Files and Disposing of Original Documents. This checklist has since been renamed Checklist for Scanning Client Files.  It points out that certain papers should not be discarded after scanning. Examples include any document whose authenticity could be disputed, those with particular legal importance, or documents that only have value or enforceability as a piece of paper.  It also admonishes that original client property cannot be destroyed without consent.

See Beverly Michaelis, “Is It Time to Go Paper-Less?” PLF In Brief (February 2009), available on the PLF website.

What Does the Oregon State Bar Say?

OSB Formal Opinion 2016-191 reinforces my earlier advice:

First, there is no ethical prohibition against maintaining the “client file” solely in electronic or paperless form. But this doesn’t mean your ethical duties are thrown out the window.

Lawyers must safeguard client property, maintain confidentiality of information, and ensure availability of electronic file documents. This means:

  • Taking reasonable steps to ensure the security of electronic-only files.
  • Protecting against destruction of original client documents without the client’s express consent.
  • Retaining records for appropriate time periods, including following the completion of the matter or termination of representation.
  • Considering whether an electronic-only file might present a hardship for clients who need to access and work with the documents in paper form.

Lawyers must also communicate with the client regarding the terms of the representation and relevant developments affecting the representation:

  • The opinion suggests entering into reasonable agreements regarding how you will maintain client files during and after the conclusion of a matter. [Yes, please!]
  • You should also confirm that converting your closed paper file to electronic-only documents does not violate the terms of your retention agreement with the client.

If you use cloud-based solutions for storage of electronic-only files, re-read OSB Formal Opinion 2011-188 or see this post.

All Rights Reserved Beverly Michaelis 2017.

It feels good to be right.  Chalk one up for me 🙂

 

 

 

Getting Your Head into the Cloud

Whether you’re setting up a practice for the first time or upgrading existing technology, odds are you’re taking a long, hard look at the cloud. Here is a checklist to help you through the process.

Getting Started

Moving your data to the cloud is all about vetting the cloud provider – will they or won’t they keep your client information secure?  Here are your marching orders:

Research the Provider

  1. What is their reputation?
  2. How many years have they been in business?
  3. Are bloggers and news outlets critical or supportive?
  4. Can the provider give you a list of other lawyers who use their product?  (If so, check the provider’s references.)
  5. Talk to friends and colleagues: are they familiar with the product or provider?  What are their thoughts?
  6. If you belong to a listserv, poll the members of the listserv.
  7. Use the power of Google to reveal problems.  A general search using the product or provider name is a good start.  To uncover security issues, Google the product or provider name followed by the words “security concerns” or “data breach.”  To reveal if outages are a problem, search the product or provider name followed by the words “downtime statistics.”

Evaluate Speed and Reliability

Uptime, bandwidth, and general reliability of the Internet matter.

  1. Check on provider uptime statistics as part of your general research – see the discussion above.
  2. Make sure your technology is up to the task.  To use the cloud effectively you must have a fast, reliable Internet connection. If you don’t, contact your ISP.  If there is a remedy (and you can afford it), great.  If not, taking your practice into the cloud is likely not a good choice.

Read the Fine Print

  1. Dig into the provider’s website and follow any links that reference Terms of Service, Terms of Use, Privacy Policy, Security, or Service Agreements.
  2. Contact customer service for clarification of terms if needed.

Educate Yourself about Encryption

Every cloud provider encrypts your data.  The devil is in the details:

  1. Is your data encrypted at all times (in transit and at rest)?
  2. Does the provider hold a master encryption key?  (If so the provider can access your data at any time, thus defeating client confidentiality.)
  3. Is third-party encryption an option?  If the answer is yes, you can lock out the cloud provider.  A master key only permits the provider to unlock their encryption, not yours.  With third-party (AKA client-side) encryption, you – the user – apply your own encryption software before uploading any content to the cloud provider’s site.  Here’s the rub:  encrypting your own content isn’t always an option for compatibility reasons, so check with the provider.

Learn about Data Access Policies – “Authorized” and “Unauthorized”

Getting an answer to the master encryption key question will resolve whether the provider’s employees can freely access your information.  Now you need to ask:

  1. Will the provider notify you if authorities seek access to your account information?  (Some providers comply with subpoenas first and tell you about it later.)
  2. What is the provider’s procedure if a data breach occurs?

Know Before You Go: Security, Backups, Redundancy, and Local Copies of Your Data

  1. Find out what the provider has to say about the physical security of its facilities.  Features like fire suppression, redundant electrical systems, temperature controlled environments, video surveillance, and 24/7 monitoring by security personnel are standard.
  2. Learn everything you can about how your data is backed up. Where, when, and how.  A decent cloud provider has multiple servers that are geographically dispersed.
  3. Consider it a deal breaker if you can’t download a local copy of your own data. Keeping a local copy just makes sense.  First, it protects you if the provider goes out of business (some have).  Second, if the provider suffers a catastrophic breach you’ll still have a pristine copy of your information.  [Caveat: ability to download a local copy of your data does not mean you can work with it offline.  This is simply a way to protect yourself in a worst case scenario.]

Nail down the Details: Support, Training, Data Migration, and Data Integration

Cloud products are generally pretty easy to use, but at some point you’ll need help – maybe at the outset when you import your data – or later when you start using more advanced features of the program.  Either way, ask:

  1. Does the provider offer live telephone support?  Live chat?  Email?  What are the hours?  Is it free or is there a support contract?
  2. What resources does the provider have on its website?  Searchable knowledge base?  User forums?  Blog?  Training videos?  Webinars?
  3. Will the provider help you migrate your existing data?  Are you on your own?  If there is a fee for data migration, get an estimate.
  4. What about product compatibility and integration?  Some users need the cloud product to communicate with an existing piece of software, like QuickBooks or Outlook.  [Tip: don’t just take the cloud provider’s word for it.  Run another Google search: Is (cloud product name) compatible with (existing program)? If the blogosphere has spotted issues, you’ll uncover them quickly enough.

Product Cost and Licensing

Most cloud products are sold on a monthly subscription basis.  Do a bit of research:

  1. What is the current fee per user?  Any price breaks for multiple licenses?
  2. Research historic costs.  If monthly fees have jumped significantly in the recent past, factor this into your choice.
  3. Are product upgrades or new features included in existing subscriptions or is there an additional fee?
  4. What does a single license or a single user account include? Some providers are strict: one user/one license/one device.  Others are more flexible: one user/one license/multiple downloads: desktop, laptop, tablet.

Choose the Right Version

If your cloud provider offers multiple packages or products, proceed cautiously.

  1. Look for a Web page on the provider’s site that will compare the features of each version side by side.
  2. Call customer service when in doubt.
  3. Take advantage of free trials, which are almost universally available. A trial run is the best way to know whether you’re really going to like something.

Cyber Liability and Data Breach – What if the Worst Happens?

If you’ve decided to store your data in the cloud, it might be a good idea to have cyber liability and data breach coverage.

The Professional Liability Fund Excess Claims Made Plan automatically includes a cyber liability and data breach response endorsement with these features:

  • Forensic and legal assistance to determine compliance with applicable law
  • Notifications to individuals as required by law
  • 12 months credit monitoring to each notified client
  • Loss mitigation resources for law firms

If you aren’t eligible or don’t wish to purchase excess coverage through the PLF, contact a commercial carrier.

This is Too Much Work – Can’t You Just Tell Me What to Do or Give Me a List of Recommended Products?

No.  I can’t make this decision for you.  You and I have different likes, dislikes, needs, skill levels, and preferences.  (Think: Windows vs. Mac, Word vs. WordPerfect, or Mayonnaise vs. Miracle Whip.)

If you want to be happy with your choice, you have to make it.  We can talk, I can point you toward resources, or send you comparison charts.  But in the end you are the decider.

[All Rights Reserved 2015 Beverly Michaelis]