Communicating with clients is essential to good lawyering, but doing so without proper precautions could set you up for trouble. Sharon Nelson and John Simek discuss the ethics of lawyer communications with Daniel Siegel, an attorney and current chair of the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility. They talk through the new guidance issued by this committee and best practices for secure communications through email, smartphones, and more.
Special thanks to our
Intro: Welcome to Digital Detectives reports from the battlefront. We’ll discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches, not theory, but practical information that you can use in your law practice right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 143rd edition of Digital Detectives. We’re glad to have to have you with us. I’m Sharon Nelson, President of Sensei Enterprise, a digital forensics managed cybersecurity and managed information technology firm in Fairfax, Virginia.
John W. Simek: And I’m John Simek, Vice-president of Sensei Enterprises. Today on Digital Detectives, our topic is The Ethics of Communicating with your Clients and Using your Smartphone. Today, our guest is Attorney Daniel J. Siegel, a nationally recognized authority on ethics, technology, data protection and business workflow management and the principle of both the Law Offices of Daniel J. Siegel, LLC and Integrated Technology Services, LLC. Dan provides techno ethics counsel to solo, small and mid-sized law firms on cybersecurity, technology and other related issues. Dan is a prolific speaker and author and serves as the Chair of the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility. The author of 14 books, Dan is a columnist and frequent lecturer on a wide range of topics including ethics, technology, substantive law, appellate law and professional responsibility matters. It’s great to have you with us on the podcast today Dan.
Daniel J. Siegel: Thanks for inviting me. Happy to be here.
Sharon D. Nelson: Well, let’s start by asking you why your Pennsylvania Committee on Legal Ethics and Professional Responsibility, why they saw the need to issue guidance now about the security of email, smartphones and other devices?
Daniel J. Siegel: It’s a good question. It’s really an evolution both by the committee and I think by the bar in realizing the need. Our committee for decades has been one that has tried to give ethical guidance to attorneys to avoid the need to ever appear in front of disciplinary council. We have ethics counsel within the bar association who receives inquiries from members. We have seen a consistent level of and sometimes an increase in questions to her in terms of what lawyers can ethically do with their phones, what they can do with their computers, with email, et cetera.
As a result, the committee began working probably a year and a half ago on the issue of email and email attachments because we see people doing this all the time sending records that shouldn’t be. Then we evolved into smartphones. Part of it also is because the Pennsylvania Supreme Court created a public access policy which requires redaction of certain information and court filings and certain documents must be filed separately and not available to the public. The Supreme Court when they did that also amended the comments to our rules of professional conduct to say that violation of that rule or to say that competence under that rule includes knowledge and compliance with that policy. All of that came together. And then the tougher part was creating guidance that we had a consensus for among the members because we have about 75 members and about half of them are very active all the time and have a lot of knowledge and input. That led to the opinions that we released this year which are we numbered them 2022, 400 in 2022, 500 dealing with email and smartphones.
John W. Simek: I’m sure our listeners are very curious. I know, I’m certainly curious as
what was that process like to create those ethical opinions on that hot button technology issues and was there a consensus among the committee members? I know you said that there’s quite a few of them.
Daniel J. Siegel: Yeah. It’s an interesting process. As a practical matter, I typically am the one who takes the lead on the technology issues both before I was Chair and while I’m Chair and we discuss the issues in advance, try to get a sense of where the committee is at first. Sometimes it’s a challenge. If you look back, we issued an opinion on metadata that basically said nothing and it took me two or three years to lobby the committee until they realized we needed to give better guidance.
When it came to email and communications, everyone agreed that there needed to be guidance. What that guidance was going to say was the challenge. It took about a year of drafting. There were a handful of members who were very vocal and active in the drafting of the guidance including one now retired law professor from Dickinson Law School and others. And the first couple iterations of the opinion probably had about a 60, 75% consensus. But the goal was to have something that all of our members thought was good and practical guidance. And ultimately, we came out with the opinion that was released and there was only one vote not to adopt the opinion and all the rest of the committee agreed we should and that vote was candidly from someone who is less than comfortable with any technology and has never voted to a proven opinion. So basically, i consider it unanimous.
I’m trying to be diplomatic. He’s a nice learned lawyer but not where you go for technology advice. But we came out with this, we were crafting it up till the end and as a result, I think we did as we try to do a comprehensive approach but also make it practical. The goal is to give advice so that lawyers don’t end up in disciplinary hearings. I represent lawyers in those matters and they’re much better off avoiding them.
Sharon D. Nelson: Well, that was a funny story and I guess not being a technologist, that fellow probably won’t listen to the podcast. That will all work out.
Daniel J. Siegel: Yeah.
Sharon D. Nelson: I’m curious Dan, that the Pennsylvania Bar Ethics Committee truly seems to be a leader in addressing cybersecurity issues which is not common among the various states. Why do you think that is, that they have become a leader?
Daniel J. Siegel: A lot of it is my interest that’s a big part of it. I’ve tried to keep them in that sort of cutting-edge area, but part of it, and I think it’s important, is that we have a fairly broad range of membership. We’re always looking for newer younger members, but everyone’s been aware of these issues. So, there’s always been discussion about them and where we think we can help lawyers will issue the guidance. So, we did that years ago when it came to cloud computing. When we, meaning primarily Victoria White, who’s our ethics counsel and for the bar was getting a lot of opinions. It happens, you know, it tends to lag a little from what business does, but eventually, she gets those queries and then the committee sort of takes the lead. Where we jumped out in front was during the pandemic where we said “Oh my God, we need to give guidance” and literally wrote the opinion in a weekend.
But normally, it’s us recognizing what Pennsylvania bar members are asking Victoria and the bar has 27,000 members and she gets a lot of calls and emails and we can really feel the pulse.
John W. Simek: Kind of a supply and demand, that kind of thing.
Daniel J. Siegel: Yeah, exactly. It’s the other area where we see now is succession planning, maintaining wills, things that lawyers sort of took for granted or ignored. COVID and the pandemic changed all of that. So we’re looking at those issues as well. And the other part of it is that as a practical matter, I’m the first sort of solo or small firm. We’re only two attorneys here, lawyer to chair the committee in many, many years. And a lot of the concerns that I have are from that type of community, solo and small firm, and a lot of ethics opinions and committees that I see tend to have more lawyers and leadership in large firms and some of their interests aren’t the same. But solo lawyers, you know, use and misuse email for example and so it’s a constituency that matters more to someone like me.
John W. Simek: Great segue there Dan. So let’s talk a little bit specifically about email and can you talk a little bit about what you think some of the key cybersecurity points are for lawyers when dealing with that?
Daniel J. Siegel: I mean, and the first is the general concept that lawyers believe that email is secure and that they can send anything in email and nothing’s ever going to happen to it. No one’s going to see it, no one’s going to be able to access it, et cetera. And that’s just not the case.
And as a result, they take it for granted. And there are – I’ll give you two examples of this. One which just played out into my practice was when we were debating the opinion, one of the lawyers on the committee said, “Dan”, in his practice area, which I also have, it’s a substantive area and I won’t say what it is purely because it would be very clear who we’re talking about, but he said, “We send medical records all the time by email. What’s the problem?”
John W. Simek: Oh geez!
Daniel J. Siegel: And he said, “Our colleagues are going to basically be scared to death when they hear about this.” And then yesterday, in a case I’m handling in which the relevant person died, I was sent three emails containing 9 megabytes in each email worth of medical records, very sensitive things, including hospital and death records and everything else. And the law who did it thought nothing of it. Even worse, he’s an employee from the State. And that sort of is the problem that they take it for granted and then the other part of it is that they just assume that nothing will happen even if they send it. And that’s, you know, our office, we don’t send medical records that way. We always use a file sharing service, and we try to put that into practical terms that lawyers could understand and use.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Female: As a lawyer, insurance is one of the last parts of your job you want to spend unbillable hours on. That’s why thousands of lawyers have switched to Embroker. Embroker offers A plus rated insurance for law firms. You can quote and buy instantly online. If you need help, they have experts on standby. Go from sign up to purchase in 15 minutes by visiting and embroker.com/law. That’s E-M-B-R-O-K-E-R dot com forward slash law.
Looking for secure legal software to help manage your firm’s matters in the cloud? With Clio’s cloud-based legal software, you can safely manage everything from client intake to billing from one secure platform so that attorneys can spend more time doing what they do best, practicing law. To learn why over 150,000 attorneys, firm staff and IT leaders trust Clio, visit clio.com today. That’s Cleo spelled C-L-I-O dot com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is the Ethics of Communicating with your Clients and Using your Smartphone. Today, our guest is Attorney Dan Siegel, a nationally recognized authority on ethics technology, data protection and business workflow management and the principal of both the Law Offices of Daniel. J Siegel, LLC and Integrated Technology Services, LLC. Dan provides techno ethics counsel to solo small and mid-sized law firms on cybersecurity, technology and other related issues.
John W. Simek: Dan, before the break, you were going a little bit into, you know, email and email security and all that, but can you get a little bit deeper into why the opinion stress so forcefully the practices that the lawyers have to comply with when they’re sending these materials by email?
Daniel J. Siegel: If you would see the original draft that I had done, it was probably stronger than — was stronger than what you see in the final opinion. We had two things to balance. One, we’re trying to give guidance and we’re also trying to do it in the context of this is what you must do under the rules versus best practices. Because the rules set minimum standards and best practices go beyond and where we probably got the most pushback was the whole interplay between the lawyers and the clients where a number of members were concerned, “Oh my God, I’m going to have to discuss all of these issues with my clients” and the opinion has areas where it says you must discuss certain things, you must consult, you may or may not do certain things. Those very highlighted things were suggested by the law professor member of our committee.
But it was important to have understand that lawyers have to discuss this with their clients.
That the rules require communication. So Rule 1.4, whether it’s the model rule or a state rule is communication. You have to discuss with your clients what you’re sending and how you’re going to communicate with. You need to explain or at least address why email may or may not be secure. And then you need to come up with a solution and there was pushback and I explained how we do it in our office. And we have a large number of clients who come to us for wills and estate planning. Most of them are people in the neighborhood, not sophisticated, you know, A types or technology experts and we just explained. We’re going to send you drafts of documents that may include things like your Social Security number. Do you want us to put a password on the document so that no one else can see them? Do you want us to mail them to you the old-fashioned way or we can put them in a file sharing. And we get literally, no pushback. They understand. Some clients don’t care and say it’s okay which meets the obligations under the opinions.
Others say, “You know what? You’re right”. And we discuss and create a password and we have a few who still want to get it by mail. It takes an extra week, but they get it. But it’s those types of discussions that are easy to have lawyers are afraid to have. As a result, we had some large firm lawyers who were like, well, this could impose more liability on us. No, this is best practices and that’s what you should aspire to with your clients and clients need to understand email isn’t always secure and we do it with – you know, the wills clients are such a great example because there they understand or not.
Candidly, the worst clients I have are lawyers and about a half of my clients are lawyers in disciplinary and guidance matters and they’re the ones who go, “Oh no, don’t bother”. And you know, if you have a disciplinary complaint against you, do you really want it an email box that anyone in your office could see but they don’t seem to care. Go figure.
Sharon D. Nelson: Well Dan, yeah, do you really expect lawyers to adopt the best practices suggested for email? I sure can envision some pushback judging by the lawyers i know.
Daniel J. Siegel: Oh, I’m sure there will be some who will ignore our guidance, some who will adopt it and we know that. I think what will ultimately happen is when more of these lawyers discover that things get hacked or they see, you know, that a lawyer gets into trouble in the State for doing something that exposed his client information. Then they’ll have their sort of come to God moment. But I think it’s going to be a mix. We know to this day that lawyers don’t always follow a lot of our guidance, but a lot do. And they also have to understand that disciplinary council in Pennsylvania has said, you know, if you follow guidance from the Ethics Committee and you do it in good faith, we don’t discipline you. That’s what we want you to do. So I think all of that will eventually lead to improvement. Plus, i think as the legal community gets a little younger or some of my colleagues age out, some of that resistance will go away. I think it’s a combination effect.
John W. Simek: Dan, you talked about disciplinary council and kind of the get out of jail free card if you will, you know by following the guidance and complying with the guidance. But what if they don’t, right? What if the lawyers aren’t complying, you know, with the guidance in your opinion. Do you think the disciplinary council’s going to take action then?
Daniel J. Siegel: If there’s incident involving clients where information is potentially exposed because they didn’t do something, yes. They’re not looking to just police your practice. They’re looking to prevent problems. You know, one statistic is that something like 42% of all law firms have either been targets of or hacked. That’s a large percentage. Once someone gets hacked and my guess is that the lawyers who weren’t following email practices, may not have cyber insurance or things, they’re going to discover real quickly there are economic consequences and just like anything else, those tend to move the market or the bar shall we say. So I think you’re going to see that. We also had circumstances a couple of years ago where the former district attorney in Centre County who actually was the one who prosecuted Jerry Sandusky with the Penn State incidents be kind. She didn’t follow ethical guidance on a wide range things from social media to ex parte communication.
And the Pennsylvania Supreme Court, when they adopted the disciplinary board’s opinion, that was the first time they said in an opinion that if you don’t follow the guidance that’s out there, that alone can be the basis for discipline. So you hope that they learn and do it right because disciplinary council would rather not have to go that step.
Sharon D. Nelson: Oh absolutely, they would rather not. Let’s switch over to smartphones now. Can you tell us what the key cybersecurity points for lawyers are with respect to their smartphones?
Daniel J. Siegel: Yeah and I’m going to use an example of first the flashlight app which so many people continue to install on their phones even though there were already built into other phones. But more importantly, a few years ago, it was discovered that a large number of flashlight apps on your phone, whether it’s an android or an iPhone, were accessing everything from contacts to your location to your calendars, et cetera. And there were efforts to sort of curb that. But no one thought for a moment that oh, my flashlight app had any reason to know, you know, that Sharon and John are my friends or that I have an appointment with them or something. But they were seeking and that’s the type of information that lawyers put on their phones relating to clients.
And I’m going to take you back to about the year 2001 or 2002. I was at a former firm and we had just created a technology committee. It was a small to mid-sized firm in Philadelphia. One of our lawyers represented professional football and hockey players in their work injury claims. And so he had on his Palm Pilot for those who can remember Palm Pilots, the phone numbers and all kinds of information about Philadelphia Eagles and the Jersey Devils hockey team and players in the Flyers, the Philadelphia Flyers. And he didn’t even have a password on the device. Because back then, you didn’t have all the apps and he was once we discovered it, the password was on there because that device had information way beyond that. Now, our devices are more powerful than the computers that we were using in 2002 and lots of lawyers store everything from the names and phone numbers of clients to their case database which could include Social Security numbers. They may carry some medical records on there for things and unless you know the permissions that you’re giving to the apps, you may be giving permission to an app on your device to access all of that information.
The first guidance that we got was New York’s Ethics Opinion No. 1240 on it and when I mentioned it to our committee, interestingly everyone said, well that guidance is good but it doesn’t go far enough. And so we issued an opinion that said New York is right but you need to do even more to protect the client data from being accessed by those apps and then used because that’s confidential information. And in Pennsylvania, our rule confidentiality is any information relating to the client. Our rule on what information must be kept confidential isn’t just sensitive or confidential, it’s information relating to a client. So we gave guidance that said you have to verify that apps are not accessing that information or sharing it, et cetera, et cetera. We went into more detail and where that information can be used, but the committee really took the lead on that when they saw the New York opinion, they went running.
John W. Simek: Before we move on to our next segment, let’s take a quick commercial break.
Jared Correia: They say the best things in life are free which either means the Legal Toolkit podcast is pretty awesome or we’re totally committed to the wrong business model. You just have to tune in to find out which it is. I’m Jared Correia and each episode I run the risk of making total ass of myself. So you can have a laugh, learn something new and why not? Maybe even improve your law practice. Stop believing podcast can’t be both fun and helpful. Subscribe now to Legal Toolkit. Go ahead, I’ll wait.
Craig Williams: Today’s legal news is rarely a straightforward as the headlines that accompany them. On Lawyer to Lawyer, we provides legal perspective you need to better understand the current events that shape our sighting.
Join me Craig Williams and a wide variety of industry experts as we break down the top stories. Follow Lawyer to Lawyer on the Legal Talk Network or wherever you subscribe to podcasts.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is the Ethics of Communicating with your Clients and Using your Smartphone. Our guest is attorney Dan Siegel, a nationally recognized authority on ethics, technology, data protection and business workflow management and the principal of both the Law Offices of Daniel J Siegel, LLC and Integrated Technology Services, LLC. Dan, do you expect that lawyers will actually adopt the best practices suggested for smartphones?
Daniel J. Siegel: I’m hopeful. I think you’ll see email best practices adopted more quickly than smartphones because everyone sort of takes those devices for granted. I think ultimately lawyers will, but I think it’s going to take time. Part of it is education. Getting lawyers educated on the technology can often be the biggest challenge, you know, they may not be listening to this podcast or, you know, reading the columns that you and I write and take a lot of things for granted, but I think it will happen, but it’s going to be slower than with email.
Sharon D. Nelson: Oh, I certainly agree with that.
John W. Simek: Dan, are there other things that lawyers should consider when we’re talking about smartphones and security?
Daniel J. Siegel: Well, yeah. I mean, they should never ignore the basics, passwords. They shouldn’t be storing any information that doesn’t need to be. They can encrypt their devices very easily. They can do a lot of the very basic types of things that don’t require a lot of extra effort. If you look at my smartphone, i basically don’t use Wi-Fi. I have unlimited data. I have no reason to and I don’t store client information on the device. It’s not hard. You know, sometimes if I need it, i’ll just print out a piece of paper and take that with and then get rid of it. So it’s doing the basics. And if you do the basics and monitor what’s being installed, you’re going to be farther along than most of the other colleagues you have.
Sharon D. Nelson: Well, we certainly agree with that and, you know, thank you for being our guest today, Dan. Thank your committee for their hard work and for advancing some of these ideas forward. It is hard for many attorneys to keep up with. This especially cybersecurity is beyond the purview of many of them especially in the solo and small firms. So I know this podcast will be useful to help them understand even if they’re not in Pennsylvania where they might want to think about going for the future. So again, thank you very much for being with us. It’s always nice to have one of our friends as a guest.
Daniel J. Siegel: Thanks a lot. I appreciate your having me and welcome any comments anyone has if they want to get in touch with me, so.
John W. Simek: Well, that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or an Apple podcast. And if you enjoyed our podcast, please write us on Apple podcast.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, managed technology and managed cybersecurity services at S-E-N-S-E-I ent.com. We’ll see you next time on Digital Detectives.
John W. Simek: Thanks for listening to Digital Detectives on the Legal Talk network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.