chevron-down Created with Sketch Beta.
December 20, 2018 Techno Ethics

Battling (with) Double-Edged Swords

By James Ellis Arden

Back in 1991 the Baltimore, Maryland, offices of Brobeck Phleger & Harrison were preparing for a large trial of 9,032 asbestos-related claims when a temporary secretary hit the wrong speed-dial button on a fax machine and sent psychological profiles of prospective jurors to the wrong law firm. The secretary testified the exposure “was a mistake.” Um, yes. The judge called the incident “bizarre,” halted the largest asbestos trial in U.S. history one month into jury selection, struck all the jurors, and started the trial over again: “I do that with profound reluctance.”

The law firm’s fax cover sheets, in bold print, proclaimed the documents to come were “Privileged and Confidential”—and warned third parties against copying or distribution. The lawyer who wrote the fax cover warning testified: “One of the things that is a fact of life in this day and age is that facsimile transmissions can go awry” (tinyurl.com/yagdwj2v).

Awry? Do faxes choose where they go?

We are stuck with technology when what we really want is just stuff that works.

—Douglas Adams

The Salmon of Doubt: Hitchhiking the Galaxy One Last Time (2002)

To be ethical, a lawyer must be competent (see ABA Model Rule of Professional Conduct 1.1). To be competent, a lawyer must “keep abreast of the benefits and risks associated with relevant technology (Model Rule 1.1, Comment). But the Model Rules don’t actually address technology used or encountered by lawyers (see Cheryl B. Preston, “Lawyers’ Abuse of Technology,” Cornell Law Review, May 2018 (103:4), at 879, 885, and footnote 17).

Brobeck’s mistake in the asbestos case did not occur because the law firm or the secretary were incompetent, nor because they were unfamiliar with faxes or fax machines. Better training may have prevented the mistake from happening and could have prevented or mitigated any harm. Technological competence requires adequate instruction and ongoing training.

But greater than the danger of being perceived as incompetent because of technological ignorance, and frankly the greater ethical risk, is a Model Rule 1.6 violation, a breach of confidentiality. Model Rule 1.6(c) imposes on lawyers the duty to treat client information in a confidential manner: “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”

Hackers may not have succeeded in compromising your Internet-connected devices, but they have tried for sure. Threats to data security have become so prevalent that law enforcement officials regularly divide business entities into two categories: “those that have been hacked and those that will be” (ABA Formal Opinion 483, page 1 (2018)).

ABA Formal Opinion 483 is entitled Lawyers’ Obligations After an Electronic Breach or Cyberattack. One of the conclusions it reaches is that the strong client protections mandated by Model Rules 1.1, 1.6, 5.1, and 5.3 would be compromised if a lawyer who experiences a data breach that impacts client confidential information is permitted to hide those events from his or her clients. Model Rule 1.4’s requirement to keep clients “reasonably informed about the status” of a matter would ring hollow if a data breach was somehow excepted from this responsibility to communicate (ABA Formal Opinion 483, page 11).

But lawyers are not expected to be experts in technology, nor guarantors of their clients’ secrets. Attorney obligations to protect client confidences are measured by reasonableness standards. “Compliance with the obligations imposed by the Model Rules of Professional Conduct . . . depends on the nature of the cyber incident, the ability of the attorney to know about the facts and circumstances surrounding the cyber incident, and the attorney’s roles, level of authority, and responsibility for the law firm’s operations” (ABA Formal Opinion 483, page 2). Electronically stored client property and information must be safeguarded and secured to the same extent as paper files and actual client property (ABA Formal Opinion 483, page 5).

Let us think the unthinkable, let us do the undoable, let us prepare to grapple with the ineffable itself, and see if we may not eff it after all.

—Douglas Adams

Dirk Gently’s Holistic Detective Agency (1987)

Consider what happened to some lawyers who were not sufficiently concerned with the use of technology.

In October 2011 it was reported that an employee of Baxter, Baker, Sidle, Conn & Jones of Maryland had left an unencrypted portable hard drive containing 161 patients’ medical data and case information on a train. The employee returned ten minutes later to retrieve the hard drive, but it was gone (Stacy Berliner, “Hackers Are Targeting Law Firms: Are You Ready?” The Woman Advocate, Summer 2013).

An employee working with lawyers for an insurance company made a huge mistake by uploading the “claims file” to a cloud storage and file-sharing facility so it could be shared with outside counsel. Because the file was not password protected, it was available to anyone on the Internet who knew the link (the URL) to the claims file. The employee who uploaded the file and shared the unprotected links had never before used that cloud provider’s services and lacked a technical background. The law firm was not ultimately disqualified, but evidentiary sanctions were issued (Harleysville Insurance Company v. Holding Funeral Home, Inc. (104 Fed. R. Evid. Serv. 798 (2017)).

According to Robert Ambrogi’s Above the Law column, Pensacola, Florida, law firm Odom & Barlow never responded to motions seeking reimbursement of $600,000 in legal fees. After 14 months with no response, the judge ordered the fees paid. The law firm moved for relief, claiming it had never received the motions—or the judge’s order to pay the fees—because its e-mail system thought the court’s e-mails were spam and automatically deleted them (tinyurl.com/y7ntvzlq). The motion for relief was, of course, denied: “[T]estimony was presented that the spam filter of Odom & Barlow’s server was deliberately configured in such a way that it could delete legitimate emails as spam without notifying the recipient, despite Odom & Barlow being warned against this configuration. . . . [The IT consultant] also recommended that Odom & Barlow hire a third party to handle spam filtering on a full-time basis and purchase an online backup system. However, these recommendations were rejected because the firm did not want to spend the additional money. . . . [T]he server had the ability to generate email logs, but was specifically configured not to create logs in order to save drive space” (Emerald Coast Utilities Authority v. Bear Marcus Pointe, LLC, Case No. 1D15-5714, Fla: Dist. Court of Appeals (1st Dist. 2017) (italics added)).

In 2017 a prankster posing as White House social media director Dan Scavino engaged White House special counsel Ty Cobb in a lengthy e-mail exchange: “Good evening Ty, I’ve sent a complaint to twitter about the content that drugged up extremist, Natasha Bertrand, is spouting about your correspondence. Things like this on social media die quicker than a Mexican’s hopes of Citizenship, Ha! but I wanted to tick all the boxes. I presume you’ve had no further contact from Ms Bertrand? Dan.”

Cobb responded: “You the Man! She is insane. Thanks Buddy.”

Thirty minutes and several exchanges later, the prankster, still impersonating Scavino, wrote: “One final thing Ty, I’ve been really worried recently about the whole Russian situation. . . . The White House will be okay won’t it? I love my job, and the people I work with, I don’t want the dream to end up derailing. Dan.”

“I have great confidence there is nothing there implicating the President or the White House,” Cobb wrote. “Manafort and Flynn have issues separate and apart from the WH that will cause the investigation to linger but am hoping we get a clean bill of health soon. Best, Ty.”

The prankster replied: “Thank you, Ty. I think I’ve overthought things. i’ve ruined the contacts on my damn iPhone! Can’t find the Big Man’s email address . . . apple have a lot to answer for!”

Cobb apparently figured out that he was being pranked. His next message: “Felony to impersonate a federal official” (tinyurl.com/yd8bwqzf).

Technology advances rapidly, ethics rules don’t; and electronic communications frequently cross several jurisdictions. So, you may have to reckon with ethical standards not just in your home state, but also in places you may never have been.

The fact that we live at the bottom of a deep gravity well, on the surface of a gas-covered planet going around a nuclear fireball 90 million miles away and think this to be normal is obviously some indication of how skewed our perspective tends to be.

—Douglas Adams

Salmon of Doubt, supra

James Ellis Arden works on legal malpractice, litigation, and appellate matters in California. Rated AV-Preeminent by Martindale-Hubbell, he is a member of the California State Bar Committee on Professional Liability Insurance, the Los Angeles County Bar Association’s Professional Responsibility and Ethics Committee, the Association of Professional Responsibility Lawyers, and the Lawyers’ Club of Los Angeles County, and he serves as a special master for Los Angeles County. He has a background in computer programming and psychology.

Entity:
Topic:
The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.