Management Assistance Program
The Risks of Technology Incompetence
By Jim Calloway
Some 38 states have adopted the “duty of technology competence” either by modifying a comment to their rule of professional conduct to provide that lawyer competency includes understanding “the benefits and risks associated with relevant technology” or adopting a formal ethics opinion.
Many readers will have read dozens of blog posts, tweets and articles criticizing lawyers for their “reluctance,” “stubbornness,” “recalcitrance” or other pejorative terms for failing to be appropriately tech savvy. Others have attended CLE programs promising simple and understandable information about legal tech only to experience the speaker using what seemed like a different language.
Technological incompetence is nothing new. Fax machines and word processors transformed law office operations. Yet, soon someone faxed sensitive documents to opposing counsel’s paralegal with the same first name as the intended recipient or experienced word processing woes of “I forgot to save” or “I overwrote that file.”
There are significant risks to a lawyer today for being technologically incompetent. Most of these risks are easy to appreciate even though mitigating them may require some effort depending on an individual’s knowledge. Let’s talk about the risks.
THE RISK OF HARMING A CLIENT BY LACK OF KNOWLEDGE
There is virtually no risk that a state disciplinary authority will investigate or take action against you for lack of knowledge of Twitter or lack of Excel skills unless you were incompetently representing a client on a matter involving Twitter or made an Excel mistake that harmed a client. However, a lawyer today must have a baseline understanding of today’s technology and the inherent risks accompanying that technology. As with the substantive law, you must know enough to spot the issues. Colloquially stated, you don’t have to know everything, but you have to know what you don’t know.
“Professed technological incompetence is not an excuse for discovery misconduct” is not a court holding you want to see. The self-defense argument of “I have to confess to this court, I am not computer literate. I have not found presence in the cybernetic revolution. I need a secretary to help me turn on the computer. This was out of my bailiwick” made this lawyer somewhat of a legal tech legend.
Lawyers must master many subjects that are more complex than common business technology. It is just a matter of adjusting the mindset from “I don’t understand this” to “I’m going to figure this out.” Attend legal tech CLEs. Becoming familiar with online search is the key to finding many answers. If you have a technology question, there is an article, a blog post or a YouTube video with the answer. We all rely on familiar experts’ writings and authoritative publications online. Oklahoma lawyers can consult with their two full-time OBA practice management advisors.
THE RISK OF AN INADVERTENT DISCLOSURE
No good lawyer would intentionally share a client’s confidential or privileged information, but when most valuable information is held in digital format on computers connected to the internet, the risk of accidentally sharing client information or other inadvertent disclosure is significant.
Some lawyers work in a firm where the IT Department handles most cybersecurity matters. Every lawyer needs to understand the basics, and lawyers in smaller firms with no dedicated IT staff need a greater understanding.
The basics begin with making sure your antivirus, virtual private network (VPN) and firewall software subscriptions are paid for and up-to-date. Your operating system should be set to automatic update. Right now, your operating system is directly related to your technology competence. Support for Windows 7 (including any security updates) ended Jan. 14, 2020, and Windows 7 should not be used thereafter for working on client matters unless the computer is offline and not networked with other computers.
THE RISK OF LOSING YOUR (OR, WORSE, YOUR CLIENTS’) MONEY
A San Diego lawyer clicked on a bad link (or attachment) in an email. Malware was then installed that allowed an individual to monitor the lawyer’s keystrokes. Soon the lawyer’s access to his bank account was blocked and he received a phone call from a supposed bank employee offering to assist. The “assistance” culminated in $289,000 being transferred from the lawyer’s bank account to a Chinese bank, where it was withdrawn. This is a bad situation, but would have been even worse had the transfer been from the lawyer’s trust account and the lawyer could not immediately cover the loss.
Many scams are powered by today’s technology. I often advise lawyers to tell their staff they are never to wire any money because of any email or other electronic communication from the lawyer. Any wiring instructions should be confirmed in a face-to-face conversation or at least a telephone conversation. We are now seeing the rise of “deep fakes,” which means if there are enough audio clips of an individual available online, a wrongdoer can use artificial intelligence to assemble conversational speech that sounds like it comes from the lawyer. Maybe we will all have to establish secret “code words” so our co-workers and family will know they are talking with us and not a software construct.
THE RISK OF OVERSHARING ON SOCIAL MEDIA (OR IN PERSON)
If you have attended a CLE program on the intersection of legal ethics and technology, you probably have heard some social media horror stories. There’s the former Illinois assistant public defender who blogged about problematic clients and judges she disrespected with enough information to identify those individuals using public sources. She was fired and her law license was suspended. There’s the story of the Florida lawyer defending a man in a homicide trial who caused a mistrial by posting a picture of the leopard print underwear included in clothing the family brought for the defendant to wear in court. Several lawyers have also been disciplined for responding to online negative client reviews in ways that revealed confidential information.
Social media and attorney-client confidences do not mix. If you are certain that your client would approve of your online postings, then there’s a simple solution. Show them to the client in advance and get the client’s written permission.
Here is a risk that some haven’t considered – sharing “war stories” as a CLE presenter or to groups of lawyers. Some lawyer may be live-tweeting your presentation from the back of the seminar room. Giving real-world examples from past cases is a great educational tool, but make certain you are cautious about dates, court locations and fact patterns since information is available that could allow someone to ferret out the identity of your client. In today’s environment, any statement prefaced with “my client said” may be problematic for a presenter.
THE RISKS OF EMAIL
At this point, one could write an entire law school textbook on the risks of email.
We all should understand that your greatest cybersecurity risk is you or someone else in your office clicking on an attachment or a link in an email that infects your system with a virus or encrypts all your data in a ransomware attempt. Because this is one of your greatest security threats, regularly counsel your staff about not clicking on attachments or links in emails unless they are absolutely sure the emails are legitimate.
Every lawyer in private practice who uses email (which is essentially every lawyer) should read ABA Formal Opinion 477R “Securing Communication of Protected Client Information” and Opinion 648 from the Texas Center for Legal Ethics. Email is not secure. Even though our ethics opinions say that lawyers may use unencrypted emails to communicate with clients generally, there are many times that the contents of an email will make such communication inappropriate. Therefore, a law firm must have an alternative method of communication available even if the firm has decided to continue using standard email. Otherwise, lawyers will soon find themselves in the position of knowing something should not be sent out via standard email but having no safer alternative. At a minimum, a law firm should not email attachments containing important personal data and account numbers such as income tax returns, brokerage or bank account statements or qualified domestic relations orders.
The best practice for solo and small firm lawyers is to use a case management system that provides for client portals that allow secure communication. Unencrypted emails can then be used only sparingly such as for rescheduling an appointment time. Many clients who do not want to deal with an encryption/decryption process will have no problem logging into a portal. Most already do this for banking and shopping. In addition, the portal can contain all the documents associated with a matter, which is a great client service. It is possible that at some point a formal ethics opinion will be issued prohibiting many, if not most, unencrypted email communications. Smart lawyers will place themselves ahead of the curve on this issue.
You must even be cautious about how your firm sets its spam filter. One Florida law firm set its spam filter to automatically delete spam. Later the system determined that a court order assessing attorney fees was spam and deleted it, so it was never seen by the attorneys. The 1st District Court of Appeal in Florida ruled that even though the attorneys never received the order, the failure to file a timely appeal under these circumstances did not constitute excusable neglect.
Some lawyers embarrass themselves or others by adding recipients to “email conversations.” It is not unheard of for a lawyer joining such an email conversation thread to scroll down and review the previous emails to see what discussion they missed. It is also not unheard of for that lawyer to see their name or their firm’s name mentioned in a derogatory context. Emailing with dozens of other previous emails included, some dating back significantly in time, is asking for trouble. Delete those prior threads. The recipients already have a copy.
Here’s another simple tip: never use the blind carbon copy (BCC) function on your email. Those who receive the BCC may reply and reveal to the other recipients you were secretly sending out copies. This may not rise to the level of an ethics violation but it’s not positive for your reputation. When tempted to BCC, email without it instead. Then go to your sent items folder and forward the email to whoever you wanted to BCC.
THE RISK OF LOSING VALUABLE CLIENT DATA
Lawyers often are concerned about external threats when their internal processes may also subject clients to another huge risk – loss of their data. A virus infection or ransomware encryption of your office computers is a headache and can knock the office offline for a week or more, but there is a path to recovery if you have a recent backup of your data. If you are doing do-it-yourself data backup and have the external backup drives attached to your computers when the ransomware strikes, your data backups could also be encrypted, resulting in the firm losing all its digital information. The first thought then is hoping that your professional liability insurance premiums are current and recognizing that you must report this loss to your clients, which could be one of the most painful episodes of your legal career.
Many small firm lawyers also prefer to use laptops and may fail to back these up as regularly as the other computers on the network. Lawyers who use cloud-based practice management solutions have all their client file documents, communications records, billing records and other documents safely preserved by their provider, which is another reason that solo and small firm lawyers should strongly consider using a cloud-based practice management solution.
Lawyers who have not gone paperless and have only paper client files might feel they have benefited from this practice if there is a digital disaster, but they will be in worse shape if there is a physical disaster such as a fire, tornado or hurricane that destroys the physical client files.
ABA Formal Opinion 482 “Ethical Obligations Related to Disasters” states that a lawyer’s obligation to protect critical client information remains unbroken even if the lawyer is personally impacted by a disaster. The opinion states that the possibility of a file-destroying disaster requires a lawyer to make contingency plans. The opinion states that “[t]o prevent the loss of files and other important records, including client files and trust account records, lawyers should maintain an electronic copy of important documents in an off-site location that is updated regularly.” This states there is a duty to digitize critical client information. As a practical matter, given the challenges of making regular determinations of what is critical and the efficiency gains of using digital client files, this may be interpreted by many as a duty to digitize the entire file.
THE RISKS OF MOBILE TECHNOLOGY
To round up our tour of risks, we should consider challenges with mobile technology – the always-present mobile phones and tablets.
It is hard to imagine a practicing lawyer today without access to the law office email and calendar on his or her mobile phone. Because that abundant supply of client information is available to anyone using the phone, it is therefore mandatory for these lawyers to have a passcode lock on their phone. Certainly, you could lend your phone to someone who needed to make a phone call, but it’s not paranoid to suggest that you shouldn’t let the phone get out of your sight. Lawyers who exchange text messages with clients should consider that text messages may be previewed on the lock screen. Some cautious lawyers will disable the message preview function on their phones or at least make certain that their phones are always placed facedown when they are with others.
Access to information on a lost phone is protected by the lock code, but the lawyer should still understand how to remotely wipe the phone of data when it is permanently lost. It should go without saying that your lock code for your phone should not be a number publicly associated with you, such as your street address number.
The tech-savvy lawyer will also appreciate that seizure and searches of mobile phone data at our borders are increasingly common even for a U.S. citizen returning from a trip. There are concerns about phone security when used in some authoritarian countries. Some lawyers will opt to buy a burner phone that will contain no client data for trips overseas while others might delete documents, email and calendar apps from their phone and then restore them when they return.
There are many different “bumps in the road” the practicing lawyer may experience. The new ethical “duty of technology competence” was not forced on lawyers by regulators. These rule changes recognize the reality of business operations today. It is the existence and use of modern technology tools that requires the lawyer using these tools to consider both the risks and potential benefits of the technology they use in representing their clients.
Author’s Note: This column was originally published in the American Bar Association’s GPSOLO magazine with the theme of “Digital Bumps in the Road” [November/December 2019]. We are reprinting it here because it covers important information for all Oklahoma lawyers. It has been lightly updated.
Mr. Calloway is OBA Management Assistance director. Need a quick answer to a tech problem or help solving a management dilemma? Contact him at 405-416-7008, 800-522-8065 or firstname.lastname@example.org. It’s a free member benefit!
Originally published in the Oklahoma Bar Journal — February, 2020 — Vol. 91, No. 2