The Risks of E-Mail
At this point you could write an entire textbook on the risks of e-mail.
We all should understand that your greatest cybersecurity risk is you or someone else in your office clicking on an attachment to an e-mail or a link in an e-mail that infects your system with a virus or encrypts all your data in a ransomware attempt. Because this is one of your greatest security threats, regularly counsel your staff about not clicking on attachments or links in e-mails unless they are absolutely sure the e-mails are legitimate.
Every lawyer in private practice who uses e-mail (which is essentially every lawyer) should read ABA Formal Opinion 477R “Securing Communication of Protected Client Information” (May 22, 2017) and Opinion 648 from the Texas Center for Legal Ethics (April 2015). E-mail is not secure. Even though our ethics opinions say that lawyers may use unencrypted e-mails to communicate with clients generally, there are many times that the contents of an e-mail will make such communication inappropriate. Therefore, a law firm must have an alternative method of communication available even if the firm has decided to continue using standard e-mail. Otherwise, lawyers will soon find themselves in the position of knowing something should not be sent out via standard e-mail but having no safer alternative. At a minimum, a law firm should not e-mail attachments containing important personal data and account numbers, such as income tax returns, brokerage or bank account statements, or qualified domestic relations orders.
The best practice for solo and small firm lawyers is to use a case management system that provides for client portals that allow secure communication. Unencrypted e-mails can then be used only sparingly, such as for rescheduling an appointment time. Many clients who do not want to deal with an encryption/decryption process will have no problem logging into a portal. They already do this for banking and shopping. In addition, the portal can contain all the documents associated with a matter, which is a great client service. It is possible that at some point a formal ethics opinion will be issued prohibiting many, if not most, unencrypted e-mail communications. Smart lawyers will place themselves ahead of the curve on this issue.
You even must be cautious about how your firm sets its spam filter. One Florida law firm set its spam filter to automatically delete spam. Later the system determined that a court order assessing attorney fees was spam and deleted it, so it was never seen by the attorneys. The First District Court of Appeal in Florida ruled that even though the attorneys never received the order, the failure to file a timely appeal did not constitute excusable neglect.
Some lawyers embarrass themselves or others by adding recipients to “e-mail conversations.” It is not unheard of for lawyers joining such an e-mail conversation to scroll down and review the previous e-mails to see what discussion they missed. It is also not unheard of for lawyers to see their name or their firm’s name mentioned in a derogatory context. E-mailing with dozens of other previous e-mails included, some dating back significantly in time, is asking for trouble. Delete those prior threads. The recipients already have a copy.
Here’s another simple tip. Never use the BCC function on your e-mail. Those who receive the BCC copy may reply and reveal to the other recipients you were secretly sending out copies. This may not rise to the level of an ethics violation, but it’s not positive for your reputation. When tempted to BCC, e-mail without it instead. Then go to your Sent items and forward the e-mail to whomever you wanted to BCC.
The Risk of Losing Valuable Client Data
Lawyers often are concerned about external threats when your internal processes may also subject clients to another huge risk—loss of their data. A virus infection or ransomware encryption of your office computers is a headache and can knock the office off-line for a week or more, but there is a path to recovery if you have a recent backup of your data. If you are doing do-it-yourself data backup and have the external backup drives attached to your computers when the ransomware strikes, your data backups could also be encrypted, resulting in the firm losing all its digital information. The first thought then is hoping that your professional liability insurance premiums are current and recognizing that you must report this loss to your clients, which could be one of the most painful episodes of your legal career.
Many small firm lawyers also prefer to use laptops and may fail to back these up as regularly as the other computers on the network. Lawyers who use cloud-based practice management solutions have all their client file documents, communications records, billing records, and other documents safely preserved by their provider, which is another reason that solo and small firm lawyers should strongly consider using a cloud-based practice management solution.
Lawyers who have not gone paperless and have only paper client files might feel they have benefited from this practice if there is a digital disaster. But they will be in worse shape if there is a physical disaster such as a fire, tornado, or hurricane that destroys the physical client files.
ABA Formal Opinion 482 “Ethical Obligations Related to Disasters” (September 19, 2018) states that a lawyer’s obligation to protect critical client information remains unbroken even if the lawyer is personally impacted by a disaster. The opinion states that the possibility of a file-destroying disaster requires a lawyer to make contingency plans. The opinion states that “[t]o prevent the loss of files and other important records, including client files and trust account records, lawyers should maintain an electronic copy of important documents in an off-site location that is updated regularly.” This states there is a duty to digitize critical client information. As a practical matter, given the challenges of making regular determinations of what is critical and the efficiency gains of using digital client files, this may be interpreted by many as a duty to digitize the entire file.
The Risks of Mobile Technology
To round up our tour of risks, we should consider challenges with mobile technology, the always-present mobile phones and tablets.
It is hard to imagine a practicing lawyer today without access to the law office e-mail and calendar on his or her mobile phone. Because that abundant supply of client information is available to anyone using the phone, it is therefore mandatory for these lawyers to have a passcode lock on their phone. Certainly, you could lend your phone to someone who needed to make a phone call, but it’s not paranoid to suggest that you shouldn’t let the phone get out of your sight. Lawyers who exchange text messages with clients should consider that text messages are previewed on the lock screen. Some cautious lawyers will disable the message preview function on their phones or at least make certain that their phones are always placed facedown when they are with others.
Access to information on a lost phone is protected by the lock code. But the lawyer should still understand how to remote wipe the phone of data when it is permanently lost. It should go without saying that your lock code for your phone should not be a number publicly associated with you, such as your street address number.
The tech-savvy lawyer will also appreciate that seizure and searches of mobile phone data at our borders are increasingly common even for a U.S. citizen returning from a trip. There are concerns about security when using a phone in some authoritarian countries. Some lawyers will opt to buy a burner phone that will contain no client data for trips overseas, while others might delete documents, e-mail, and calendar apps and then restore them when they return.
Conclusion
As this issue of GPSolo magazine illustrates, there are many different “bumps in the road” the practicing lawyer may experience. The “new” ethical “duty of technology competence” was not forced on lawyers by regulators. These rule changes recognize the reality of business operations today. It is the existence and use of modern technology tools that requires the lawyer using these tools to consider both the risks and potential benefits of the technology they use in representing their clients.