I read a scary article recently about data leaks. It didn’t come out of the legal world, but I think it’s applicable to our industry nonetheless. And the danger that made my ears perk up wasn’t about the fact that data was leaked in and of itself, but it was about how that data was leaked. Apparently, a study commissioned by Egress Software Technologies revealed that “79 percent of IT leaders believe that employees have put company data at risk accidentally in the last 12 months, and 61 percent believe they have done so maliciously.” https://betanews.com/2019/03/25/employee-malicious-data-leaks/, last checked by the author on March 26, 2019. It’s that last part of the quote that caught my eye— 61% of IT leaders believe that their employees put their company’s data at risk maliciously. The ethical concern that came to mind is the following: our nonlawyer assistants could reveal our clients’ information purposefully/maliciously, and that invokes our duty to prevent such disclosure by properly supervising those nonlawyer employees.
Lawyers do, indeed, have a duty to supervise those non-lawyer personnel. That responsibility is set forth in Rule 5.3, which states:
Rule 5.3. Responsibilities regarding non-lawyer assistants
With respect to a nonlawyer employed or retained by or associated with a lawyer:
(a) a partner in a law firm, and a lawyer who individually or together with other lawyers possesses comparable managerial authority in a law firm, shall make reasonable efforts to ensure that the firm has in effect measures giving reasonable assurance that the person's conduct is compatible with the professional obligations of the lawyer;
(b) a lawyer having direct supervisory authority over the nonlawyer shall make reasonable efforts to ensure that the person's conduct is compatible with the professional obligations of the lawyer; and
(c) a lawyer shall be responsible for conduct of such a person that would be a violation of the Rules of Professional Conduct if engaged in by a lawyer if:
(1) the lawyer orders or, with the knowledge of the specific conduct, ratifies the conduct involved; or
(2) the lawyer is a partner or has comparable managerial authority in the law firm in which the person is employed, or has direct supervisory authority over the person, and knows of the conduct at a time when its consequences can be avoided or mitigated but fails to take reasonable remedial action.
I believe that the lawyer’s duty to supervise under Rule 5.3 would likely include the need to ensure that the firm be on the lookout for rogue employees who might maliciously reveal our clients’ information. This seems to be a logical extension of lawyers’ existing obligations. It happens to be a very real concern, given what’s happening in the world today. For example, according to Forbes, in 2017 a firm with offices in Bermuda suffered a loss of 13.4 million files and another firm in Panama had 11.5 million documents leaked. At the time that I last researched the story it was still unclear who was responsible for those leaks, but indications were that it was an inside job. Meaning— some employee went rogue.
The problem of rogue employees revealing confidential information seems to have taken on increased importance, given the Wikileaks issues and Edward Snowden revelations. Some might feel emboldened by what they perceive to be whistleblowing actions that help protect society. I am certainly not in any position to make a judgment call about that. But I am able to ring the warning bell from an ethical standpoint. Lawyers need to supervise our staff (per Rule 5.3), to ensure that our nonlawyer personnel don’t take matters into their own hands and disclose client information when that employee feels, personally, that it is their societal duty to do so. We need to make sure that the employee’s “conduct is compatible with the professional obligations of the lawyer” and that includes protecting client information. Rule 5.3(a).
Of course, some people will argue that it’s impossible to defend against the most cunning of employees who are bent on stealing information. That may be so. But the extent of supervising lawyers’ liability will depend on the circumstances. What’s important is to understand that the potential for rogue employees taking client information exists and it should be considered seriously.
Imagine this hypo: You’re working on a transaction for a client, and the lending institution needs to send money to your trust account on your client’s behalf.
— Stay with me — this is not going where you think —
The lender sends you a fillable PDF form where you’re supposed to provide your wiring information (routing number, account number, etc). You open the document, type in all of the information in the fields as required, and email it to the lender. Obviously there’s the danger of someone intercepting these types of messages so a host of precautionary measures have been put into place and you comply with each. Let’s say that such precautions even include that the lending representatives call you after receiving the document and read back the wiring instructions to ensure that everything’s kosher. Despite all of these efforts, you were still scammed — the money never made it to your trust account and no one knows why. Here’s how it happened:
Remember that I said the document was a “fillable” PDF? You opened the PDF on your computer, typed in the required information in the fields, then sent the file as a “document” to the lender. Well, when you sent the document that way, you left all of those “fillable” sections as, well…“fillable.” Those fields could still be changed by someone because you didn’t lock the document.
So here’s what happened in the hypo above: after making the call to you and confirming the account information, someone in the bank opened the file, changed that account number/routing number and diverted the money into some other account. They were able to do that because the document you filled out was a “fillable” PDF and you simply emailed it as a document to the other party. By emailing it as a “document” the PDF you sent was still “fillable.” So even after all of the protocols at the lending institution were adhered to, there was still an opportunity for someone with access to the document to change the numbers on the PDF.
The good news? There is a way to avoid this.
Instead of sending the form as a “document” you should have “flattened” the document. Flattening a document basically locks all of those fillable sections. There are a few ways you could do that. First, if you get a drop down menu when you try to send the file you might have the option to mail the attachment as a “flattened” document. Another alternative is to save the document as flattened before you email it (you may have to “Print” the document to a PDF then save a “flattened” version of the form). Disclaimer: I’m no tech expert— my job is to point out the dangers, but I don’t claim to be an expert on how to fix them. I think the procedures I outlined above are correct, but talk to your IT people to ensure that I’m right in that regard.
Obviously this goes beyond just bank account information. People can modify any fields in a fillable PDF if the document isn’t locked before transmitting. That’s why every time you send a fillable PDF you need to flatten it or otherwise lock it to ensure that no one else can change its contents after emailing.
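A pre-send check for the situation described above, as an added example that is not part of the original post: it heuristically scans a PDF's bytes, including Flate-compressed streams, for the markers that make a document fillable. The function names and the three sample documents are constructed for illustration; in practice the input would be the bytes of the file about to be attached.

```python
import re
import zlib

# PDF names that indicate interactive form content:
# /AcroForm (form dictionary), /Widget (field annotation), /XFA (XML forms).
FORM_MARKERS = (b"/AcroForm", b"/Widget", b"/XFA")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def _searchable_chunks(pdf_bytes):
    """Yield the raw file plus every stream that inflates as Flate data."""
    yield pdf_bytes
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates the end-of-line bytes before 'endstream'
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # uncompressed, differently filtered, or encrypted

def fillable_markers(pdf_bytes):
    """Return the sorted form markers found anywhere in the document."""
    found = set()
    for chunk in _searchable_chunks(pdf_bytes):
        found.update(m.decode() for m in FORM_MARKERS if m in chunk)
    return sorted(found)

def looks_flattened(pdf_bytes):
    """True when no interactive form markers were found (heuristic)."""
    return not fillable_markers(pdf_bytes)

# Constructed samples (not real documents; account value is a placeholder).
FILLABLE = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
            b"/AcroForm << /Fields [4 0 R] >> >>\nendobj\n4 0 obj\n"
            b"<< /Type /Annot /Subtype /Widget /FT /Tx /T (AccountNumber) "
            b"/V (CONSTRUCTED-0000) >>\nendobj\n%%EOF\n")
FLATTENED = (b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
             b"5 0 obj\n<< /Length 47 >>\nstream\n"
             b"BT /F1 12 Tf 72 700 Td (CONSTRUCTED-0000) Tj ET\n"
             b"endstream\nendobj\n%%EOF\n")
# Catalog hidden inside a compressed object stream, as newer PDFs allow.
COMPRESSED = (b"%PDF-1.5\n3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\n"
              b"stream\n"
              + zlib.compress(b"<< /Type /Catalog /AcroForm << /Fields [4 0 R] >> >>")
              + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for name, doc in (("fillable", FILLABLE), ("flattened", FLATTENED),
                      ("compressed", COMPRESSED)):
        print(name, fillable_markers(doc) or "no form fields found")
```

An empty result means no form fields were found, not that the file is tamper-evident; encrypted PDFs or other stream filters can hide the markers from this scan.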
This sort of knowledge is the type of thing that our ethics rules demand. Specifically, it’s about competence. Rule 1.1 requires that lawyers have the “legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” The commentary to that rule explains that “Competent handling of a particular matter includes…[the] use of methods and procedures meeting the standards of competent practitioners.” Rule 1.1, Comment [5]. In addition, the new California Rule on Competence requires that lawyers apply the learning and skill that is reasonably necessary for the performance of the legal service. CA RPC 1.1(b).
Is understanding the dangers of fillable PDFs considered to be part of the “methods and procedures,” or part of the skill that is “reasonably necessary for performance” of the legal services? It is now. Maybe it wasn’t last year, but it is today. That’s because our duty of competence evolves. We are required to understand the ethical implications of technology as these new technologies become integrated with the practice. See, State Bar of California, Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2015-193. I don’t think there’s any question that PDFs are integrated with the practice of law. Of course, if my opinion doesn’t convince you, also consider that the issue of fillable PDFs was recently part of a best practices update that was sent to attorneys who work for the federal government. And you know what I always say about the government…if they’re thinking about it, you need to be thinking about it.
In 2018 there was an opinion issued by the American Bar Association. For the life of me, I don’t understand why they wrote this opinion.
Formal Opinion 481 entitled, “A Lawyer’s Duty to Inform a Current or Former Client of the Lawyer’s Material Error” was issued on April 17, 2018.
There’s nothing so earth shattering about requiring a lawyer to notify a client when there is material error. In fact, it’s obvious and basic. In fact, the drafters of this opinion go through a bunch of advisory opinions from across the country and confirm that the requirement has been around for a while. At one point they even admit that they’re really not presenting anything new. In addressing those other opinions they state that, “These opinions provide helpful guidance to lawyers, but they do not—just as we do not—purport to precisely define the scope of a lawyer’s disclosure obligations.”
Um…okay.
So why are you wasting this paper?
The next sentence sorta tells us: “Still, the Committee believes that lawyers deserve more specific guidance in evaluating their duty to disclose errors to current clients than has previously been available.” ABA Op. 481 at 4
If there’s any value to the opinion, it’s in the definition of when an error is considered to be “material.” They state, “…a lawyer must inform a current client of a material error committed by the lawyer in the representation. An error is material if a disinterested lawyer would conclude that it is (a) reasonably likely to harm or prejudice a client; or (b) of such a nature that it would reasonably cause a client to consider terminating the representation even in the absence of harm or prejudice.” ABA op. 481 at 4.
Oh, but this only applies if the client is a “current” client. That’s because even though a lawyer must inform a current client of a material error, “Rule 1.4 imposes no similar duty to former clients.” ABA Op. 481, at 7.
Thanks for this guidance.
I think.
Want to learn more about the lawyer’s duty to communicate with clients? Check out my program called “The Ethical Way to Rehabilitate Client Relationships” where I explain how communication is the key to making connections with clients…you can find that program here—> https://www.clecenter.com/Program/ProgramDescription.aspx?pgmid=4370
Believe it or not, but there are critics of our ethics rules. I know what you’re thinking, “How could that be? They are PERFECT.” I’m sorry to burst your bubble, but there really are scholars who have taken shots at the code.
One of the biggest complaints is that the current code amounts to nothing more than a how-to manual. How to stay away from a grievance. Surely you’re wondering how that can be a bad thing! Well, staying away from grievances is good, but is that all our ethics code is really supposed to be about? The critics contend that the current code is harsh and devoid of the aspirational goals and the statements of morality that could be found in the predecessor codes. It’s a valid point, but I understand why the code is written that way. To get a real picture for what I mean, you need to consider Watergate. Yup, the actual Watergate fiasco.
After the fallout from that disaster, the powers that be realized that many of the people implicated in the scandal were lawyers. Plus, many of the lawyers implicated— and many of their colleagues across the country — really didn’t take the ethics rules seriously. As a result, the authorities had to reform the code and I believe that’s why they created such a harsh set of rules. I believe that they took out the aspirational elements from the disciplinary rules because they had to reinforce the idea that there really would be disciplinary action if you acted inappropriately. The problem? In doing so, they removed all of the morality from the code.
The current code tells us how we “could” act. It tells us when our actions subject us to discipline. It does not, however, tell us how we “should” behave.
That’s an important distinction. In other words, just because we “could” do something, does it mean we “should” be doing it? Just because some action taken in the course of our practice won’t subject us to discipline, is it still “right” to take that action? That disconnect is something the drafters have been considering since the publication of the modern code in 1983. And over the years you’ve started to see a flurry of new “professionalism documents” being adopted across the country. Basically, these professionalism codes are trying to reinforce the need to behave in a morally acceptable way. Though they are the product of individual states, they all seem to share the same sentiment— they are talking about how we “should” be behaving.
One word that you don’t see in many of these new professionalism documents is “zealous.” The reason is clear. The word zealous has been used by many lawyers to cover all manner of sins. I shudder to think about how many ethical violations have been committed in the name of zealous advocacy. I believe that the drafters have the same concern. I believe they know that lawyers push the edge too far, and try to cover it up by claiming to be “zealous.” Well, I believe that lawyers need to start thinking about behaving in a morally acceptable manner. We need to voluntarily aspire to behaving better. And that might not be compatible with the old school definition of zealous (just for the record— I am old school age. But I’d like to think that I’m learning some new tricks).
I explore the relationship between what we “could” do and what we “should” do a little more in a CLE program I recorded called “The Dirtiest Word in Ethics, Zealous.” In that program I also provide my version of the optimal lawyer attitude (sorry, no spoilers!) You can find that program by clicking the “Programs” tab to the left and scrolling through the titles, or just follow this link: https://www.clecenter.com/Program/ProgramDescription.aspx?pgmid=4080