December 01, 2019 Feature

The Risks of Technology Incompetence

Jim Calloway

Download the PDF of this article

What are we risking?

What are we risking?

Download the PDF of this article

Some 37 states have adopted the “duty of technology competence” either by modifying a comment to their rules of professional conduct to provide that lawyer competency includes understanding “the benefits and risks associated with relevant technology” or adopting a formal ethics opinion. You can visit http://lawsitesblog.com/tech-competence for the current total and your jurisdiction’s version of the rule.

Most readers will also have read dozens of blog posts, tweets, and articles criticizing lawyers for their “reluctance,” “stubbornness,” “recalcitrance,” or other pejorative terms for failing to be appropriately tech-savvy. Others have attended CLE programs promising simple and understandable information about legal tech only to experience the speaker using what seemed like a different language.

Technological incompetence is nothing new. Fax machines and word processors transformed law office operations. Yet soon, someone faxed sensitive documents to opposing counsel’s paralegal with the same first name as the intended recipient or experienced word processing woes of “I forgot to save” or “I overwrote that file.”

There are significant risks to a lawyer today for being technologically incompetent. But most of these risks are easy to appreciate, even though mitigating them may require some effort depending on each individual’s knowledge. So, let’s talk about the risks.

The Risk of Harming a Client by Lack of Knowledge

There is virtually no risk that a state disciplinary authority will investigate or take action against you for lack of knowledge of Twitter or lack of Excel skills unless you were incompetently representing a client on a matter involving Twitter or made an Excel mistake that harmed a client. But a lawyer today must have a baseline understanding of today’s technology and the inherent risks accompanying that technology. As with the substantive law, you must know enough to spot the issues. Colloquially stated, you don’t have to know everything, but you have to know what you don’t know.

“Professed technological incompetence is not an excuse for discovery misconduct” is not a court holding you want to see (James v. Nat’l Fin. LLC, No. CV 8931-VCL, 2014 WL 6845560 (Del. Ch. Dec. 5, 2014)). But the self-defense argument of “I have to confess to this Court, I am not computer literate. I have not found presence in the cybernetic revolution. I need a secretary to help me turn on the computer. This was out of my bailiwick” made this lawyer somewhat of a legal tech legend.

Lawyers must master many subjects that are more complex than common business technology. It is just a matter of adjusting the mind-set from “I don’t understand this” to “I’m going to figure this out.” Attend legal tech CLEs. Becoming familiar with online search is the key to finding many answers. If you have a technology question, there is an article, a blog post, or a YouTube video with the answer. We all rely on familiar experts’ writings and authoritative publications online. Many state bars have a practice management advisor (PMA) who can help you.

The Risk of an Inadvertent Disclosure

No good lawyer would intentionally share a client’s confidential or privileged information. But when most valuable information is held in digital format on computers connected to the Internet, the risk of accidentally sharing client information or some other inadvertent disclosure is significant.

Some lawyers work in a firm where the IT department handles most cybersecurity matters. But every lawyer needs to understand the basics, and lawyers in smaller firms with no dedicated IT staff need a greater understanding.

The basics begin with making sure your antivirus, VPN (virtual private network), and firewall software subscriptions are paid for and up-to-date. Your operating system should be set to automatic update. Be aware that support for Windows 7 is ending January 14, 2020, and thereafter it should not be used unless the computer is off-line and not networked or you have paid Microsoft for extended protection.

The Risk of Losing Your (or, Worse, Your Clients’) Money

A San Diego lawyer clicked on a bad link or attachment in an e-mail. Malware was then installed that allowed an individual to monitor the lawyer’s keystrokes. Soon the lawyer’s access to his bank account was blocked and he received a phone call from a supposed bank employee offering to assist. The “assistance” culminated in $289,000 being transferred from the lawyer’s bank account to a Chinese bank, where it was withdrawn. This is a bad situation but would have been made worse had the transfer been from the lawyer’s trust account and the lawyer could not immediately cover the loss.

Many scams are powered by today’s technology. I often advise lawyers to tell their staff they are never to wire any money because of any e-mail or other electronic communication from the lawyer. Any wiring instructions should be confirmed in a face-to-face conversation or at least a telephone conversation. Now we are seeing the rise of “deep fakes,” which means if there are enough audio clips of an individual available online, a wrongdoer can use artificial intelligence to assemble conversational speech that sounds like it comes from the lawyer. So, maybe we will all have to establish secret “code words” so our coworkers and family will know they are talking with us and not a software construct.

The Risk of Oversharing on Social Media (or in Person)

If you have attended a CLE program on the intersection of legal ethics and technology, you probably have heard some social media horror stories. There’s the former Illinois assistant public defender who blogged about problematic clients and judges she disrespected with enough information to identify those individuals using public sources. She was fired, and her license was suspended. Or the Florida lawyer defending a man in a homicide trial who caused a mistrial by posting a picture of the leopard print underwear included in clothing the family brought for the defendant to wear in court. Several lawyers have been disciplined for responding to online negative client reviews in ways that revealed confidential information.

Social media and attorney client confidences do not mix. If you are certain that your client would approve of your online postings, then there’s a simple solution. Show them to the client in advance and get the client’s written permission.

But here is a risk that some haven’t considered—sharing “war stories” as a CLE presenter or to groups of lawyers. Some lawyer may be live-tweeting your presentation from the back of the seminar room. Giving real-world examples from past cases is a great educational tool. But make certain you are cautious about dates, court locations, and fact patterns since information is available that could allow someone to ferret out the identity of your client. Any statement prefaced with “my client said” may be problematic for a presenter.

The Risks of E-Mail

At this point you could write an entire textbook on the risks of e-mail.

We all should understand that your greatest cybersecurity risk is you or someone else in your office clicking on an attachment to an e-mail or a link in an e-mail that infects your system with a virus or encrypts all your data in a ransomware attempt. Because this is one of your greatest security threats, regularly counsel your staff about not clicking on attachments or links in e-mails unless they are absolutely sure the e-mails are legitimate.

Every lawyer in private practice who uses e-mail (which is essentially every lawyer) should read ABA Formal Opinion 477R “Securing Communication of Protected Client Information” (May 22, 2017) and Opinion 648 from the Texas Center for Legal Ethics (April 2015). E-mail is not secure. Even though our ethics opinions say that lawyers may use unencrypted e-mails to communicate with clients generally, there are many times that the contents of an e-mail will make such communication inappropriate. Therefore, a law firm must have an alternative method of communication available even if the firm has decided to continue using standard e-mail. Otherwise, lawyers will soon find themselves in the position of knowing something should not be sent out via standard e-mail but having no safer alternative. At a minimum, a law firm should not e-mail attachments containing important personal data and account numbers, such as income tax returns, brokerage or bank account statements, or qualified domestic relations orders.

The best practice for solo and small firm lawyers is to use a case management system that provides for client portals that allow secure communication. Unencrypted e-mails can then be used only sparingly, such as for rescheduling an appointment time. Many clients who do not want to deal with an encryption/decryption process will have no problem logging into a portal. They already do this for banking and shopping. In addition, the portal can contain all the documents associated with a matter, which is a great client service. It is possible that at some point a formal ethics opinion will be issued prohibiting many, if not most, unencrypted e-mail communications. Smart lawyers will place themselves ahead of the curve on this issue.

You even must be cautious about how your firm sets its spam filter. One Florida law firm set its spam filter to automatically delete spam. Later the system determined that a court order assessing attorney fees was spam and deleted it, so it was never seen by the attorneys. The First District Court of Appeal in Florida ruled that even though the attorneys never received the order, the failure to file a timely appeal did not constitute excusable neglect.

Some lawyers embarrass themselves or others by adding recipients to “e-mail conversations.” It is not unheard of for lawyers joining such an e-mail conversation to scroll down and review the previous e-mails to see what discussion they missed. It is also not unheard of for lawyers to see their name or their firm’s name mentioned in a derogatory context. E-mailing with dozens of other previous e-mails included, some dating back significantly in time, is asking for trouble. Delete those prior threads. The recipients already have a copy.

Here’s another simple tip. Never use the BCC function on your e-mail. Those who receive the BCC copy may reply and reveal to the other recipients you were secretly sending out copies. This may not rise to the level of an ethics violation, but it’s not positive for your reputation. When tempted to BCC, e-mail without it instead. Then go to your Sent items and forward the e-mail to whomever you wanted to BCC.

The Risk of Losing Valuable Client Data

Lawyers often are concerned about external threats when your internal processes may also subject clients to another huge risk—loss of their data. A virus infection or ransomware encryption of your office computers is a headache and can knock the office off-line for a week or more, but there is a path to recovery if you have a recent backup of your data. If you are doing do-it-yourself data backup and have the external backup drives attached to your computers when the ransomware strikes, your data backups could also be encrypted, resulting in the firm losing all its digital information. The first thought then is hoping that your professional liability insurance premiums are current and recognizing that you must report this loss to your clients, which could be one of the most painful episodes of your legal career.

Many small firm lawyers also prefer to use laptops and may fail to back these up as regularly as the other computers on the network. Lawyers who use cloud-based practice management solutions have all their client file documents, communications records, billing records, and other documents safely preserved by their provider, which is another reason that solo and small firm lawyers should strongly consider using a cloud-based practice management solution.

Lawyers who have not gone paperless and have only paper client files might feel they have benefited from this practice if there is a digital disaster. But they will be in worse shape if there is a physical disaster such as a fire, tornado, or hurricane that destroys the physical client files.

ABA Formal Opinion 482 “Ethical Obligations Related to Disasters” (September 19, 2018) states that a lawyer’s obligation to protect critical client information remains unbroken even if the lawyer is personally impacted by a disaster. The opinion states that the possibility of a file-destroying disaster requires a lawyer to make contingency plans. The opinion states that “[t]o prevent the loss of files and other important records, including client files and trust account records, lawyers should maintain an electronic copy of important documents in an off-site location that is updated regularly.” This states there is a duty to digitize critical client information. As a practical matter, given the challenges of making regular determinations of what is critical and the efficiency gains of using digital client files, this may be interpreted by many as a duty to digitize the entire file.

The Risks of Mobile Technology

To round up our tour of risks, we should consider challenges with mobile technology, the always-present mobile phones and tablets.

It is hard to imagine a practicing lawyer today without access to the law office e-mail and calendar on his or her mobile phone. Because that abundant supply of client information is available to anyone using the phone, it is therefore mandatory for these lawyers to have a passcode lock on their phone. Certainly, you could lend your phone to someone who needed to make a phone call, but it’s not paranoid to suggest that you shouldn’t let the phone get out of your sight. Lawyers who exchange text messages with clients should consider that text messages are previewed on the lock screen. Some cautious lawyers will disable the message preview function on their phones or at least make certain that their phones are always placed facedown when they are with others.

Access to information on a lost phone is protected by the lock code. But the lawyer should still understand how to remote wipe the phone of data when it is permanently lost. It should go without saying that your lock code for your phone should not be a number publicly associated with you, such as your street address number.

The tech-savvy lawyer will also appreciate that seizure and searches of mobile phone data at our borders are increasingly common even for a U.S. citizen returning from a trip. There are concerns about security when using a phone in some authoritarian countries. Some lawyers will opt to buy a burner phone that will contain no client data for trips overseas, while others might delete documents, e-mail, and calendar apps and then restore them when they return.

Conclusion

As this issue of GPSolo magazine illustrates, there are many different “bumps in the road” the practicing lawyer may experience. The “new” ethical “duty of technology competence” was not forced on lawyers by regulators. These rule changes recognize the reality of business operations today. It is the existence and use of modern technology tools that requires the lawyer using these tools to consider both the risks and potential benefits of the technology they use in representing their clients.

Entity:
Topic:

Jim Calloway

@jimcalloway on Twitter

Jim Calloway is director of the Oklahoma Bar Association Management Assistance Program. He publishes the blog Jim Calloway’s Law Practice Tips (lawpracticetipsblog.com) and produces, with Sharon Nelson, the monthly podcast The Digital Edge: Lawyers and Technology. He was chair of ABA TECHSHOW 2005 and currently serves on the Law Practice Magazine editorial board and is co-chair of the Law Practice Division’s Legal Futures Initiative.

Published in GPSolo magazine, Volume 36, Number 6, November/December 2019. © 2019 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association or the Solo, Small Firm and General Practice Division.