Cloud Computing

Pennsylvania Provides Further Guidance on Secure Client Communication

Stacked3Here is a recent Daily Record column. My past Daily Record articles can be accessed here.

*****

Pennsylvania Provides Further Guidance on Secure Client Communication

Are you still using email to communicate with your clients about confidential matters? If so, you might want to re-think that approach. Because when it comes to secure communication, the tide is most decidedly turning.

For many years there were rumblings of security issues with email in earlier opinions, and in 2017 the American Bar Association weighed in more definitively when it issued Opinion 477R. In that opinion, the ethics committee concluded that lawyers should avoid using unencrypted email when discussing particularly sensitive matters. Then, during the early days of the pandemic, both Pennsylvania (Formal Opinion 2020-300) and Wisconsin (Formal Ethics Opinion EF-21- 02) ethics committees referenced the ABA opinion’s conclusion and adopted its basic premise regarding secure communication in the context of providing ethical guidance for remote work.

Fast forward to 2022, and the Pennsylvania Bar Association has issued yet another helpful opinion that offers further guidance on the obligation of lawyers when communicating with clients using unencrypted email. In Formal Opinion 2022-400, the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility considered the ethical obligations of attorneys when “transmitting information relating to the representation of a client to clients, opposing counsel, judges, and others.”

The Committee reviewed the ethical obligations triggered when lawyers communicate with clients along with the conclusions reached in other jurisdictions related to secure electronic communications. The Committee ultimately determined that in some situations, it is ethically permissible for attorneys to communicate about clients for work-related purposes using unencrypted email.

However, the Committee concluded that prior to doing so should, lawyers should, on a case-by-case basis, evaluate the benefits and risks associated when using unencrypted email given the nature of the information that will be discussed. Attorneys must discuss the risks and benefits of unencrypted communication with their clients, and if the risks outweigh the benefits, compliance with competence requirements may necessitate the use of more secure methods for communication.

According to the Committee, certain information should never be sent using unencrypted email, such as when a client has requested maximum security for certain information or when highly sensitive materials are being discussed or shared. The Committee also provided valuable guidance to help lawyers determine whether unencrypted email is the most appropriate method for a particular communication.

The Committee explained that lawyers should:

Whenever possible, avoid transmitting files containing information relating to the representation of a client as email attachments
Consider using “Encrypt & Prevent Forwarding” features if available
Advise clients not to forward emails or memos to third parties.
Encrypt communications or use passwords for attachments containing client-related information
Reduce the likelihood of unauthorized access by using a central file-sharing portal, cloud storage provider, or similar service
Consider using a client portal to eliminate the need to attach files to email and or use an end-to-end encrypted email service.

The easiest way to protect confidential client information when communicating electronically is to use a secure client portal built for law firms, like the ones built into law practice management software. By doing so, you avoid the hassle of assessing security risks on a case-by-case and email-by-email basis.

Encrypted email can be difficult to set up and often requires the assistance of an IT expert. In comparison, client portals are built into user-friendly software, and no IT assistance is needed to set them up.

Secure client communication portals provide an encrypted tunnel that protects client data and solves the problem of scattered communications. All client portal messages are stored in a secure, centralized online location that is easily accessible 24/7. All messages are connected with the appropriate case file, and your client’s confidential information is protected from prying eyes.

If your law firm is still using unencrypted email to discuss confidential client issues and has not yet transitioned to a more secure communication method, there’s no time like the present to make that change. The writing is on the wall: unencrypted email is an outmoded and ethically questionable way to communicate about client matters. Make the switch to an encrypted form of electronic communication today, and rest easy knowing that your law license, and your client’s data, are protected.

Nicole Black is a Rochester, New York attorney, author, journalist, and Senior Director of SME and External Education at MyCase legal practice management software. She is the nationally-recognized author of "Cloud Computing for Lawyers" (2012) and co-authors "Social Media for Lawyers: The Next Frontier" (2010), both published by the American Bar Association. She also co-authors "Criminal Law in New York," a Thomson Reuters treatise. She writes regular columns for Above the Law, ABA Journal, and The Daily Record, has authored hundreds of articles for other publications, and regularly speaks at conferences regarding the intersection of law and emerging technologies. She is an ABA Legal Rebel, and is listed on the Fastcase 50 and ABA LTRC Women in Legal Tech. She can be contacted at [email protected].

 

Nicole Black is a Rochester, New York attorney, author, journalist, and the head of SME and External Education at MyCase  law practice management software for small law firms. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a Thomson Reuters treatise. She writes legal technology columns for Above the Law and ABA Journal and speaks regularly at conferences regarding the intersection of law and technology. You can follow her on Twitter at @nikiblack or email her at [email protected].


Technology Competence Requires Ethical Compliance During Remote Proceedings

Stacked3Here is a recent Daily Record column. My past Daily Record articles can be accessed here.

*****

Technology Competence Requires Ethical Compliance During Remote Proceedings

With new COVID-19 variants popping up left and right, we face renewed uncertainty about the pandemic and the near future. As a result, many law firms continue to allow remote work, and some legal proceedings are occurring virtually.

The challenging times we face highlight the importance of ensuring that not only that your law firm is as fully functional as possible when working remotely, but that lawyers and staff comply with ethical obligations even when attending online proceedings.

Part of this requirement is that lawyers maintain a duty of technology competence. Technology competence is not a new concept. There are now 40 states that have adopted this ethical requirement. The most recent one to do so was Hawaii, which revised Comment 6 to Rule 1.1 of the state’s Rules of Professional Conduct to indicate that lawyers must “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.” The revision became effective earlier this year on January 1, 2022.

As more states increasingly adopt this ethical requirement, it becomes all the more important for lawyers to have a thorough understanding of their technology competence obligation, which includes understanding their ethical duties and how they apply during remote proceedings. The failure to do so can often have significant ramifications.

Case in point: a recent State Bar of Arizona disciplinary proceeding wherein a lawyer was recently suspended for 60 days for impermissibly coaching a client by using chat features while the client was being cross-examination on a video meeting platform.

In the Matter of a Member of the State Bar of Arizona, Ryan Patrick Claridge, Bar No. 031752, it was alleged that Claridge sent chat messages to his client that “directed her to provide specific, substantive answers to specific questions that were being asked of her.”

According to the Court, when Claridge was admonished for sending the chat messages, he agreed to stop sending them but justified his actions by saying that “it would be the same as if I shook my head in the courtroom.”

The Court disagreed and imposed sanctions after concluding that his “conduct violated Arizona Supreme Court Rule 42, specifically: ER 3.4(a)(fairness to an opposing party; ER 8.4(c)(deceit); and ER 8.4(d)(conduct prejudicial to the administration of justice)...”

This conclusion makes sense. After all, virtual behavior is simply an extension of offline behavior, and coaching clients during a deposition is impermissible whether it’s done in person or electronically. In other words, the medium doesn't change the message.
When participating in a remote deposition, understanding your jurisdiction’s ethical rules is paramount. Doing so ensures that your interactions both online and offline are permissible. With that necessary foundation, you'll be in a position to assess whether your virtual conduct is, in fact, ethical.

Certainly, the online world sometimes presents situations that are not easily translated into offline conduct, but I would argue that this was not one of them. During depositions, coaching is coaching no matter the format, and doing so is unethical.

As we head into a future that will undoubtedly include increased online interaction even after the pandemic has abated, it’s all the more important to ensure that you err on the side of caution and tread lightly when interacting remotely with clients, opposing parties, their attorneys and the court. As I always say, better safe than sorry - especially when your license to practice law could be at risk.

Nicole Black is a Rochester, New York attorney, author, journalist, and the head of SME and External Education at MyCase  law practice management software for small law firms. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a Thomson Reuters treatise. She writes legal technology columns for Above the Law and ABA Journal and speaks regularly at conferences regarding the intersection of law and technology. You can follow her on Twitter at @nikiblack or email her at [email protected].


Round Up: Secure Communication, Post-Pandemic Law Firms, Practice Management Software, and More

SpiralI often write articles and blog posts for other outlets and am going to post a round up here from time to time (but won't include my weekly Daily Record articles in the round up since I re-publish them to this blog in full). Here are my posts and articles published from April:


Round Up: Law Practice Management Software, Litigation Fact Management Software, ABA TECHSHOW, and More

SpiralI often write articles and blog posts for other outlets and am going to post a round up here from time to time (but won't include my weekly Daily Record articles in the round up since I re-publish them to this blog in full). Here are my posts and articles published from March:


New Cybersecurity Recommendations For Lawyers

Stacked3Here is a recent Daily Record column. My past Daily Record articles can be accessed here.

*****

New Cybersecurity Recommendations For Lawyers

Now that lawyers have been intermittently working remotely over the past year - and may continue to do so in the near future - their ethical obligations relating to cybersecurity practices have taken on a whole new level of importance. That’s why technology competence is paramount in 2021: it is essential for law firm leaders to have a full understanding of cybersecurity issues and how they may affect their displaced workforces, especially since lawyers and other law firm employees will likely continue work remotely at different times throughout the coming year.

The good news is that since the start of the pandemic, a number of different bar associations have provided cybersecurity ethical guidance, with the State bar of Wisconsin most recently weighing in on this issues in Wisconsin Formal Ethics Opinion EF-21-02. In this January opinion, the Wisconsin Bar ethics committee offers advice on a number of different issues related to practicing law remotely, including lawyers’ obligations to secure IT systems, protect confidentiality and communicate securely.

At the outset, the Committee focused on the duty of technology competence, explaining that basic technology competence includes, at the very least, “knowledge of the types of devices available for communication, software options for communication, preparation, transmission and storage of documents and other information, and the means to keep the devices and the information they transmit and store secure and private.”

Next, the Committee turned to its cybersecurity recommendations and emphasized the importance of securing law firm devices and systems by putting into place strong safeguards to provide protection for remote working processes. The guidance included a broad range of cybersecurity issues, including password protection, encryption, data backup, and secure communication.

After providing a brand spectrum of general advice, the Committee then offered extensive list of cybersecurity recommendations. What follows is a truncated version of the cybersecurity best practices covered by that list:

  • Require strong passwords to protect data and to access devices.
  • Use two-factor or multifactor authentication to access firm information and firm networks.
  • Avoid using unsecured or public WiFi when accessing or transmitting client information.
  • Use a virtual private network (VPN) when accessing or transmitting client information.
  • Use and keep current antivirus and antimalware software.
  • Keep all software current: install updates immediately.
  • Supply or require employees to use secure and encrypted laptops.
  • Do not use USB drives or other external devices unless they are owned by the firm or they are provided by a trusted source.
  • Specify how and where data created remotely will be stored and how it will be backed up.
  • Save data permanently only on the office network, not personal devices.
  • Use reputable vendors for cloud services.
  • Encrypt emails or use other security to protect sensitive information from unauthorized disclosure.
  • Encrypt electronic records, including backups containing sensitive information such as personally identifiable information.
  • Do not open suspicious attachments or click unusual links in messages, email, tweets, posts, or online ads.
  • Use websites that have enhanced security whenever possible.
  • Do not have work-related conversations in the presence of smart devices such as voice assistants.

Certainly, there’s even more advice where that came from, so make sure to read the opinion in its entirety for lots of useful cybersecurity guidance from the State Bar of Wisconsin. And then, take the advice offered to heart and implement any cybersecurity suggestions not yet in place in your firm. Finally, and most importantly of all - maintain technology competence, keep innovating, and stay safe out there!

Nicole Black is a Rochester, New York attorney, author, journalist, and the Legal Technology Evangelist at MyCase  law practice management software for small law firms. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a Thomson Reuters treatise. She writes legal technology columns for Above the Law and ABA Journal and speaks regularly at conferences regarding the intersection of law and technology. You can follow her on Twitter at @nikiblack or email her at [email protected].


Pennsylvania Lawyers Can Ethically Practice Remotely From Out-Of-State

Stacked3Here is a recent Daily Record column. My past Daily Record articles can be accessed here.

*****

Pennsylvania Lawyers Can Ethically Practice Remotely From Out-Of-State

In March of last year, as we faced lock downs and the newfound threat of COVID-19, remote work became a sudden and unexpected reality. Law firms shut their doors and sent everyone home, and the work-from-home revolution began out of necessity, not choice.

As lawyers tried to adapt to the “new normal,” they encountered ethical quandaries when transitioning their dispersed workforces to the cloud-based technologies that would facilitate remote working. Because working-from-home was not commonplace prior to the pandemic, there wasn’t much ethical guidance available regarding technology use that lawyers could turn to.

Fortunately, on April 10, 2020, the Pennsylvania Bar stepped up to the plate and issued Formal Opinion 2020-300. In that opinion, the Pennsylvania Bar Association Committee on Legal Ethics and Professional Responsibility provided guidance on how lawyers and their staff can ethically provide legal services while working remotely.

Since that time, as lawyers have continued to work from locations both inside and outside of the jurisdictions in which they’re licensed, another ethical issue has arisen: whether an attorney working remotely long term from a jurisdiction in which they’re unlicensed constitutes the unauthorized practice of law. The Florida Bar Association, D.C. Bar Association, and the American Bar Association have already addressed this issue, and now the Pennsylvania Bar Association, in conjunction with the Philadelphia Bar Association, have joined their ranks by issuing Joint Formal Opinion 2021-100.

At issue in this opinion is whether it is ethical for a lawyer licensed in Pennsylvania to work remotely from another jurisdiction in which the lawyer is not licensed. The Committee summed up the situation leading to the consideration of this issue and the ethical dilemma presented as follows: “The shift to a predominantly remote-based practice model has raised concerns whether a Pennsylvania lawyer practicing law from a physical location outside of Pennsylvania engages in the unauthorized practice of law even though the attorney’s practice is limited to practicing Pennsylvania law for clients in Pennsylvania.”

The Joint Committee acknowledged that the American Bar Association had previously addressed this issue in ABA Formal Opinion 495 and had concluded that “(t)he purpose of Model Rule 5.5 is to protect the public from unlicensed and unqualified practitioners of law…(and) is not served by prohibiting a lawyer from practicing the law of a jurisdiction in which the lawyer is licensed, for clients with matters in that jurisdiction, if the lawyer is for all intents and purposes invisible as a lawyer to a local jurisdiction where the lawyer is physically located, but not licensed.”

In reaching its conclusion, the Joint Committee adopted the ABA committee’s rationale and concluded that Pennsylvania lawyers could ethically work remotely from a jurisdiction in which they were not licensed as long as there are no statutes, rules, opinions or case law of that jurisdiction in place that would prohibit them from doing so. The Joint Committee determined that this type of remote work is permissible but “lawyers may not hold themselves out as being licensed to practice in the local jurisdiction and may not advertise or otherwise hold themselves out as having an office in the local jurisdiction, or provide or offer to provide legal services in the local jurisdiction, the fact that they are physically located there does not bar them from working remotely for the same clients.”

This opinion, and the ones from the bar associations that preceded it, are evidence of a greater trend: the pandemic has ushered in a new normal for the legal profession. Remote working, and the cloud-based technology needed to enable it, are here to stay. Practicing law from any location is becoming an accepted and commonplace practice. So if you’re still on the fence regarding the use of cloud computing software in your law firm, what are you waiting for? The tides have turned, and there’s no better time than now to make the transition to working remotely using cloud-based technology.

Nicole Black is a Rochester, New York attorney, author, journalist, and the Legal Technology Evangelist at MyCase  law practice management software for small law firms. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a Thomson Reuters treatise. She writes legal technology columns for Above the Law and ABA Journal and speaks regularly at conferences regarding the intersection of law and technology. You can follow her on Twitter at @nikiblack or email her at [email protected].


Round Up: Document Assembly Software, Legal Tech Adoption, and Cybersecurity

SpiralI often write articles and blog posts for other outlets and am going to post a round up here from time to time (but won't include my weekly Daily Record articles in the round up since I re-publish them to this blog in full). Here are my posts and articles published from February:


Round Up: Top Legaltech Stories of 2020, Virtual Conferences With Avatars, and Remote Working Software

SpiralI often write articles and blog posts for other outlets and am going to post a round up here from time to time (but won't include my weekly Daily Record articles in the round up since I re-publish them to this blog in full). Here are my posts and articles published from December:


Round Up: Remote Working, Virtual Conferences, and Cloud Computing

SpiralI often write articles and blog posts for other outlets and am going to post a round up here from time to time (but won't include my weekly Daily Record articles in the round up since I re-publish them to this blog in full). Here are my posts and articles published from November:


Case shows why lawyers must encrypt e-communications

Stacked3Here is a recent Daily Record column. My past Daily Record articles can be accessed here.

*****

Case shows why lawyers must encrypt e-communications

Whenever your firm’s employees work remotely during the pandemic (and beyond), electronic communications will increase out of necessity. If those communications aren’t encrypted, you run the risk of inadvertently disclosing confidential client data. That’s why it’s imperative that your firm takes steps to encrypt online communications if it isn’t already doing so. Whether you decide to encrypt emails on a case-by-case basis or use the secure online communications portals that are often built into law practice management software, one way or another, your firm needs to ensure that it’s protecting all confidential electronic communications.

Doing so will not only safeguard confidential information, it may also shield your firm from liability in the event that a cyber-scam that results in a loss to your client. Case in point: Otto v. Caltrow Law, PLLC, No. 19-0361. In this case, the Supreme Court of Appeals of West Virginia considered whether a law firm was liable for a cyber-scam that resulted in a $266,000 loss to its client when funds for a real estate transaction were mistakenly wired to scammers.

In this case, an unidentified scammer impersonated the Otto’s real estate agent in an email conversation and as a result, the Ottos, who were clients of the Caltrow firm, wired the scammer $266,069.22. This money was never recovered.

The Caltrow firm used encrypted email to communicate with the Otto’s realtor regarding wiring instructions, and never communicated directly with the Ottos. The realtor, the real estate broker, and the Ottos, however, subsequently discussed the wiring instructions via unencrypted email. It was that unencrypted email chain that the scammers hacked into. They then subsequently spoofed the real estate agent in emails sent to the Ottos regarding the purported new wiring instructions. As a result of those spoofed emails, the Ottos wired the money to the scammer’s bank account.

The Ottos subsequently filed suit against the real estate broker, the realtor, and the Caltrow firm in an attempt to  recover their losses. They later settled with the broker and realtor, and then amended their claims against the Caltrow firm and alleged that the firm breached duties owed to them as follows:

    1. Prior to wiring any funds, [Petitioners] should have been personally contacted by [Respondent], or, at a minimum, [Petitioners] should have been advised and alerted by [Respondent] to call her office and confirm the instructions.
    2. b) Although [Respondent] appeared to have used an encrypted email, [Respondent], knowing full well that wiring instructions were to be communicated via email, should have taken any precautions to determine if [the realtor's] . . . and the [Petitioners’] emails were encrypted and otherwise secured.
    3. c) [Respondent] should have informed the [Petitioners] as to the prevalence of wire fraud schemes, and that if an email seemed suspicious, they should take no action until they confirmed, by independent means, that the communication was legitimate.

The Court disagreed with their assertions. First, the Court determined that when the firm encrypted the email regarding the wire instructions, it exercised reasonable care by taking steps to protect that information: “The contents of that email were highly sensitive and Respondent reasonably expected the information to remain confidential by use of encryption technology. Indeed, Petitioners concede that Respondent was not responsible for the hack because they pled in their amended complaint that ‘the money was diverted when the hacker was able to intervene in email correspondences between' (the realtor) and Coldwell.”

Next the Court turned to the Otto’s assertion that the firm failed to warn them about the risks associated with potential phishing and spoofing email schemes. The Court likewise dismissed that claim, concluding that the plaintiffs failed to provide sufficient evidence to support their allegation that the firm breached the applicable standard of care owed to the plaintiffs under West Virginia law.

In other words, the firm’s use of encrypted email is what saved the day in this case and precluded liability. What steps does your firm take to ensure that confidential client data is sufficiently protected from prying eyes? Does your firm have secure communication protocols, such as online communication portals, in place? If not, what better time to implement them than now, as you plan for a successful 2021? Not only is it the ethical thing to do, it’s the smart thing to do -  so what are you waiting for?

Nicole Black is a Rochester, New York attorney, author, journalist, and the Legal Technology Evangelist at MyCase  law practice management software for small law firms. She is the author of the ABA book Cloud Computing for Lawyers, co-authors the ABA book Social Media for Lawyers: the Next Frontier, and co-authors Criminal Law in New York, a Thomson Reuters treatise. She writes legal technology columns for Above the Law and ABA Journal and speaks regularly at conferences regarding the intersection of law and technology. You can follow her on Twitter at @nikiblack or email her at [email protected].