James M. McCauley is the Ethics Counsel for the Virginia State Bar. Mr. McCauley served on the faculty of...
Sharon D. Nelson is president of the digital forensics, information technology, and cybersecurity firm Sensei Enterprises. In addition to...
John W. Simek is vice president of the digital forensics, information technology and cybersecurity firm Sensei Enterprises. He is...
Because lawyers are constantly handling confidential or sensitive information, cybersecurity and the careful handling of this information are an important part of running a successful firm. In this episode of Digital Detectives, hosts Sharon Nelson and John Simek talk to Jim McCauley about some of the ethical issues lawyers face and how the Virginia Bar is helping to educate lawyers on how to handle these issues. Some of these issues include information security and common scams used to hack into confidential data.
James McCauley is the Ethics Counsel for the Virginia State Bar. He teaches professional responsibility at the T.C. Williams School of Law and served on the ABA’s Standing Committee on Legal Ethics and Professionalism from 2008-2011.
Ethical Issues with Confidential Data
Laurence Colletti: Hello listeners, it’s Laurence Colletti, executive producer of Legal Talk Network. I want to tell you about one of our more hilarious yet still very informative podcasts called “Thinking Like a Lawyer.” Twice a month hosts Elie Mystal and Joe Patrice from Above the Law dive into what it’s like to see the world from a lawyer’s perspective, meaning they jabber on about politics, current events, this, that and the other, sometimes with guests and sometimes not, but if you’re looking for a filterless podcast, check it out! “Thinking Like a Lawyer” on the website of legaltalknetwork.com, in iTunes or in your favorite podcast platform, and now, back to the show.
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 80th edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is Legal Ethics and Cybersecurity.
Sharon D. Nelson: Before we get started I would like to thank our sponsors. We would like to thank our sponsor SiteLock, the global leader in website security solutions. Learn more at sitelock.com/legal/digitaldetectives.
We would also like to thank our sponsor PInow.com, need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: We’re delighted to welcome as today’s guest our friend Jim McCauley. Jim is the Ethics Counsel for the Virginia State Bar, where he has been employed for 27 years. Mr. McCauley and his staff write Ethics and UPL Advisory Opinions for the Standing Committee on Legal Ethics, investigate complaints alleging an unauthorized practice of law and provide informal advice over the telephone to members of the bar, bench and general public on lawyer regulatory matters. Mr. McCauley teaches professional responsibility at the T.C. Williams School of Law in Richmond, Virginia and served on the American Bar Association Standing Committee on Legal Ethics and Professionalism from 2008 to 2011. Thanks for being with us, Jim.
Jim McCauley: Yeah, thank you John, it’s a pleasure.
Sharon D. Nelson: Yeah, I double the thanks, and I’m going to open with a question that probably John and I can answer as well as you can, but we’re going to let you do it. So what is the Virginia State Bar doing to educate lawyers on their ethical duties about information technology competence and cybersecurity?
Jim McCauley: Oh! Sharon, what the bar is doing is putting you and John on the road teaching CLE seminars. That’s one thing that we have been doing. I’d point to a couple of things. We have a standing committee on the future of law practice, and they have added an excellent appendix, which I’m sure you and John are responsible for providing, because I shouldn’t be, that is called the Cybersecurity Best Practices, with a list of tips to help lawyers secure their IT systems and protect client data. That final report is on the bar’s website.
We also have a special committee on Technology in the Practice of Law, which is setting up CLEs, writing articles in our state bar journal called the Virginia Lawyer, and posting resources on our website. We have also done a lot of solo and small firm CLEs over the past two years since we amended rule 1.6 b of the Rules of Conduct to require lawyers to make reasonable efforts to secure client information from inadvertent or unauthorized disclosure and unauthorized access.
We’ve also pointed out a couple of excellent sources, one of which is one of your own, Locked Down, which is a publication by Sharon and John, and they’ve agreed to speak at our technology Tech-show, which is another program that’s sponsored by the state bar, at which we spend a lot of time with guest speakers, fantastic speakers, on information security. So that’s what we’re doing, and it’s an ongoing process, as you know.
John W. Simek: Well, Jim, has the time come for the VSB to issue an opinion that a lawyer’s e-mail communication must be encrypted, especially in light of the recent updated opinion from the ABA?
Jim McCauley: Yes, the ABA has issued an opinion, 477. It was issued on May 11. Interestingly, today it was revised. Again, I’m looking at it, trying to determine exactly what the revisions were.
It appears that they had replaced this opinion with one that was on their website on May 11, but as far as substance is concerned, the ABA opinion is saying that lawyers may use the Internet to communicate and transmit data as long as they’ve undertaken reasonable efforts to prevent inadvertent or unauthorized access.
It goes on further to say that the lawyer may be required to take special security precautions to protect against inadvertent or unauthorized disclosure when required by an agreement with the client or by law, and here’s the important part, or when the nature of the information requires a higher degree of security.
So it’s not a blanket rule saying you must encrypt all attorney-client communications, but where the nature of the information warrants a higher degree of security, then additional measures have to be taken.
The opinion does leave some flexibility in terms of what higher degrees of security may be implemented, and not strictly or solely encryption, which of course is what everybody is talking about now. So I think that this is going to come before our ethics committee for sure.
And our committee is going to have to decide whether it wants to essentially rely on this opinion or expand on it further, or issue an opinion dealing specifically with attorney-client communications over the Internet through the use of e-mail, and warn lawyers that in certain circumstances, where the risk of harm to the client is substantial, using unencrypted e-mail is not appropriate and would violate rule 1.6 d and the duty to exercise reasonable care.
Sharon D. Nelson: That logically segues into what the Supreme Court of Virginia has said in the comments to that rule. That’s important to help lawyers exercise the reasonable care to protect client data.
Jim McCauley: Well, Sharon, as you know the court entered a comment 21 to rule 1.6 (2) to make some concrete recommendations, because ethics rules tend to be fairly abstract and theoretical in nature, but this comment does give six specific suggestions as to how lawyers might adopt policies and procedures that would demonstrate the exercise of reasonable care required by the rule.
They’re looking at recommendations such as periodic staff security training and evaluation programs, including precautions and procedures to secure data; policies to address departing employees and their future access to confidential firm data, their ability to download data from the former employer’s site and the return of electronically stored confidential data that the employee might have used in the course of their employment.
Procedures addressing the security measures for off-site access of third parties to stored information, which would also include interaction with cloud service providers; procedures for both backup and storage of firm data, and steps to securely erase or wipe electronic data from computing devices before they are transferred, sold or reused; and the use of strong passwords and other authentication measures for users when they log on to their network, and the security of password and authentication measures. And finally, the use of hardware and software applications to prevent, detect and respond to malicious software and activity.
So I can’t overemphasize the importance of backup in light of an article that I had read in the ABA Journal about a Philadelphia firm that was opening up, and a lawyer opened up an e-mail attachment that appeared to be from a sender she recognized, but the memo was not expected.
And it launched malware into the system, and they promptly contacted their outsourced IT provider, who came in immediately; they shut down the network and wiped the drives clean, but they had a backup, and everything was accomplished quickly and the threat was isolated in Delaware. That’s very important, that lawyers have the capability of backing up their data and test their backups from time to time.
John W. Simek: Yeah, let’s say amen to that. So Jim, does rule 1.6 have a safe harbor for lawyers or law firms that might get hacked?
Jim McCauley: Yes, it states quite plainly, John, that even though a law firm or a lawyer is subject to a cyber attack, the fact that their IT system has been compromised or attacked doesn’t mean that they violated the rule if they have otherwise exercised reasonable care.
The comments explain that even the most sophisticated IT systems have been hacked and that lawyers can only be expected to exercise reasonable care. Reasonable care is based upon the fact that no system is bulletproof and perfect security is not attainable. What’s reasonable under the circumstances is going to depend upon the size of the firm, the nature of the practice, the sensitivity of the data that’s used and how the lawyers communicate with their clients, and just a myriad of different factors, and there is no one-size-fits-all formula for reasonable care, but the safe harbor is simply that if the firm or lawyer has exercised reasonable care, they are not subject to discipline even if they get hacked.
John W. Simek: Great! Well before we move on to our next segment let’s take a quick commercial break.
Advertiser: At least 80 of the 100 biggest law firms in the country have been hacked since 2011. Protect your firm and your clients from cyber attacks with SiteLock. Their industry leading cloud-based suite of website security solutions includes website scanning, web application firewall, including DDoS mitigation, and 24×7, 365 US-based customer support. Give your firm and your clients peace of mind knowing their information is secure. Learn more at sitelock.com/legal/digitaldetectives.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigations, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is Legal Ethics and Cybersecurity. Our guest is Jim McCauley, our friend who is the ethics counsel for the Virginia State Bar.
So Jim, there are so many variations of Internet scams, but lawyers are certainly being targeted. How can they protect themselves when accepting an engagement by an overseas client using e-mail?
Jim McCauley: Well, there are a number of different alerts that we put up on the website, the DOSS. First and foremost, if the law firm hasn’t really dealt with clients overseas, the fact of receiving an e-mail solicitation from an overseas client would be extremely unusual and suspect and would raise some red flags.
For the lawyers and law firms that do work internationally and receive potential clients and engagements through e-mail, the lawyers need to be careful in verifying the potential client’s identity, and also, equally important, the adverse party’s identity, a typical scenario being that the purported client wants to have the firm collect on a debt or obligation from a local business. They steal the identities of the companies and their officers and appear facially to be real people and real companies.
We have learned that what happens is that the lawyer accepts the engagement and quickly finds a fraudulent instrument, a cashier’s check, is delivered to them; they deposit it into the trust account; they get instructions right away from the purported client, who is actually a cyber criminal, asking them to wire most of the proceeds back to an overseas account, and that resolves and blows a big hole in the firm’s trust account.
Lawyers need to make sure that if they receive any funds like that, they have to wait until the check is cleared, not when the funds are said to be available by their banks; they should place those funds into a separate account and not place them in their general trust account, so that other client funds will not be affected, and wait it out, because it can sometimes take two to three weeks for these instruments to clear the banking system, which only then decides that the instrument is a fraudulent instrument.
We’ve also put up another alert recently, a general alert to lawyers about the WannaCry cyber attack in Europe and Asia, warning lawyers again that they should train their staff and their attorneys to not open e-mails from people that they don’t know, and not to open attachments from e-mails that appear to be from someone that they do know but are not expecting the e-mail, because that appears to be one of the circumstances where they are vulnerable to launching malware into their system.
John W. Simek: Oh! Jim, do you think there is going to come a time at some point when lawyers might be disciplined for falling for one of these Internet scams?
Jim McCauley: I think so. I think, John, that at some point there comes a point in time where there have been so many of these, and the pattern of the scam is one which we’ve seen time and time again, and there has been a lot of care and attention, at least by the Virginia State Bar, to alert lawyers to these types of scams.
There was a recent disciplinary case that arose out of one of these bad check scams, because the lawyer deposited the fake cashier’s check in his trust account and the bank ended up freezing the lawyer’s trust account; then the lawyer could not draw from that account to pay another client’s funds and also to pay a filing fee which was necessary, and as a result of not being able to pay the fee, they were running up against a deadline, and they created a procedural default and dismissal of the client’s case, although if I was the lawyer I would have ponied up my own money to avoid that from happening, but that’s another thing; there is an ethical rule that prohibits lawyers from advancing money to clients, but since this was a litigation related expense, I would have come up with the dough. The lawyer was cited...
Sharon D. Nelson: I would have ponied…
Jim McCauley: Lack of …
Sharon D. Nelson: I would have done the same thing, pony up the money so yeah.
Jim McCauley: Yeah, yeah!
Sharon D. Nelson: What is the Virginia State Bar’s position on the lawyers’ duty upon receiving an inadvertently sent file or document that appears to be a privileged communication between an adversary and her lawyer? Is it ethical for lawyers to mine for metadata when they receive electronic documents from an adversary?
Jim McCauley: Our position is based on an earlier position in Legal Ethics Opinion 1702, which reflects an earlier ABA position that a lawyer should not use information that the lawyer recognizes as being privileged and not intended for them.
There are two circumstances that we deal with. The first is in the circumstance involving a transactional or non-litigation situation in which the lawyer has inadvertently received information that is confidential. They’re required to notify the sender and abide by the sender’s instructions, and they cannot use that information or read any further once they have discovered that it was inadvertently sent and that it was privileged.
Metadata is tricky, though, because you can’t always tell whether the information is privileged and whether the sender intended or didn’t intend to include that metadata. As a result, the state bars are, to the contrary, split, with some saying that it’s absolutely unethical for a lawyer to look at metadata or use special apps to go mining for metadata. And other jurisdictions are saying that no, it’s not unethical. The duty is on the sender to scrub the metadata, and it’s not that hard to do, and if they haven’t done so, then that burden shouldn’t shift to the receiving attorney.
Often this comes up more in the context of litigation, and Virginia has an LEO as well as procedural rules, as do the Federal rules of procedure, that deal with inadvertently transmitted information, including metadata. The ABA’s position, reflected in model rule 4.4B, is that the only duty a lawyer has if they look at or receive metadata or any other privileged information that was not intended for them is to notify the sender.
Under the Federal Rules of Civil Procedure you’ve got clawback agreements and also what they call rule 502, where the parties reach an agreement and are required to address what happens if confidential information is inadvertently produced during discovery, with the result that the receiving party may be required under that order to return that information and not use it at trial.
So basically where Virginia stands is that we followed in 1871 that if a lawyer receives metadata and finds it, or receives confidential information inadvertently, then they have to notify the sender and quarantine the information, preserve it until a judge rules on whether or not attorney-client privilege has been waived.
John W. Simek: Jim, tell us, what must a lawyer do ethically if he or she gets hacked?
Jim McCauley: Well, I think what the lawyer should do when they recognize that they’ve been hacked is immediately contact an IT professional, and that’s been a response that most firms have and that’s what we tell them to do. That way they can implement the first step in determining, if possible, the identity, source and extent of the attack, what data has been affected, and then they can decide whether or not they have to provide notice under breach notification laws or provide notice to clients that data has been compromised or destroyed or fallen into the hands of a third party.
Of course, most of this should depend upon whether the data was encrypted in the first place. For the most part the breach notification requirements are in play if the data was encrypted, and that speaks volumes in favor of lawyers and law firms using folder encryption and password protected files for all their electronically stored information that is maintained on the firm’s system, including when the data is backed up, and the backup should be routed to an offsite server or cloud based provider.
Sharon D. Nelson: So Jim, if a lawyer’s computer network does get hacked, is there an ethical duty to notify clients, and do you think that the lawyers are actually following their ethical duties?
Jim McCauley: Ah! Sharon, I think it’s going to depend upon whether or not the lawyer can even discover the nature of the attack, what data has been affected and whether the affected data was encrypted, and if the data was not encrypted, this would also depend upon whether the affected data can be restored.
So if the lawyer can determine which client’s information has been compromised or affected and that data cannot be restored, or if the lawyer reasonably believes that the unencrypted information has fallen into the hands of unauthorized parties, then absolutely there is a duty to notify the client.
But the lawyer has to do some investigation first before they can determine whether there is a duty to notify. There is no reason to get people to panic when there has not been a determination that their data has been affected.
John W. Simek: Jim, can you talk briefly about the ethical considerations in using cloud computing services and can lawyers ethically relinquish control of their client’s data to a cloud service provider?
Jim McCauley: The short answer, John, is yes, they can, provided they have exercised reasonable care in the selection of the cloud provider that they intend to use for storing client data. There is an ethics opinion that helps to explain that. There are also resources like the Legal Cloud Computing Association, which has adopted standards for lawyers to use in selecting a cloud-based provider.
The bottom line, short and simple, is that if the lawyers exercise reasonable care in the selection of any third party vendor, whether it’s a bookkeeper, an IT key person, an auditor, anytime lawyers entrust their information to a third party, they need to exercise reasonable care to ensure that that third party will also exercise appropriate security for the information that the lawyer has entrusted to them.
Sharon D. Nelson: Oh! Jim, we sure want to thank you for being with us today. I remember the first time I met you, someone else told me that you had an encyclopedic knowledge of ethical rules, and I think our listeners got a taste of that today. So thanks for sharing with us. It’s an interesting topic, all this cybersecurity stuff, and of course it’s what we follow all the time, but it’s wonderful to have somebody who is a specialist at ethics. So thanks for taking the time to be with us today.
Jim McCauley: Thank you Sharon, John for inviting me to your Podcast.
John W. Simek: That does it for this edition of Digital Detectives, and remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in iTunes. If you enjoyed this podcast, please review us in iTunes.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, information technology and cybersecurity services at senseient.com. We’ll see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.