ABA TECHSHOW helps put this situation into perspective. I attended TECHSHOW 2022 and was surrounded by legal professionals who were there for the technology. They welcomed learning about the latest and greatest and enjoyed walking through the exhibit hall to discover what toys might improve their firms.
TECHSHOW attendees tend to live in a bubble. We tend to think that everyone in every firm or office is equally techie. We are wrong.
After TECHSHOW I was confronted by examples of how big a bubble many of us live in. I was reminded that law firms and other legal offices need to educate their staff about technology because, when they take for granted those at the bottom of the proverbial totem pole, productivity and client service suffer.
Consider the following three examples:
First, a six-attorney firm in Philadelphia wanted to upgrade its technological infrastructure, so I spoke with their IT consultant to learn about the products they were using. I discovered that one legal secretary was using WordPerfect 5.1 for DOS. Yes, WordPerfect 5.1. Yes, DOS. Think about that. She was using a word processing product released in 1989, that was designed to work on the MS-DOS operating system last used to run Windows Me, which was released in 2000. How efficient can that legal secretary be, and how can she possibly integrate her software with other staff who use Microsoft Word?
The uses of, and dangers attendant to using, outdated technology are massive. There are security risks—although to be fair, few people are trying to hack WordPerfect 5.1 for DOS users. Using antique software flies in the face of lawyers’ ethical obligations under the Rules of Professional Conduct in 40 states requiring them to understand the risks and benefits of technology.
The second situation arose days after TECHSHOW during an ethics committee meeting. We were discussing email security, and the dangers and ethical risks associated with sending sensitive and confidential client information by email.
After discussing the precautions attorneys must ethically take to protect confidential information sent by email, one member said, “I’m really struck by the absence of any discussion about the U.S. mail. Before email we all communicated by mail, and we didn’t think anything of sending a letter to our client. The letter would sit in a mailbox next to a public highway or street or avenue, and it might sit there for days until someone, hopefully our client, would retrieve it and open the envelope and read it. And I have to wonder whether email is safer than the U.S. mail. I’d like to think that it is.”
The snail mail remark was scary to most of us. After all, in 2017, the ABA Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 477R, “Securing communication of protected client information,” in which the committee advised lawyers that they may generally transmit information relating to the representation of a client over the internet without violating the Model Rules of Professional Conduct, provided the lawyer has undertaken reasonable efforts to prevent inadvertent or unauthorized access.
Importantly, Opinion 477R stated that lawyers may be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client, by law or when the nature of the information requires a higher degree of security. In other words, email is not a secure method of transmitting information, and lawyers must be careful when sending information in or attached to an email.
This statement, in 2022, by a prominent bar leader, led many on the call to shake their heads. Think about it. If someone steals everything in your mailbox today, how much information have they obtained? Conversely, if someone hacks into your email account, what do they see? They see every email you have sent or received, plus all of the attachments, including the emails in your Deleted Items folder. Clearly, a thief can obtain far more information from an email inbox than from any physical mailbox.
The danger of email insecurity is among the reasons that the Cybersecurity and Infrastructure Security Agency (CISA) issued a notice of a cybersecurity threat in 2019 about the dangers of email cyberattacks. Their guide, “Enhance Email & Web Security,” explained that:
Phishing emails and the use of unencrypted Hypertext Transfer Protocol (HTTP) remain persistent channels through which malicious actors can exploit vulnerabilities in an organization’s cybersecurity posture. Attackers may spoof a domain to send a phishing email that looks like a legitimate email. At the same time, users transmitting data via unencrypted HTTP protocol, which does not protect data from interception or alteration, are vulnerable to eavesdropping, tracking, and the modification of the data itself.
CISA’s message was clear: A cyberthief who accesses your email may access any data on any computer in your office, or on a mobile device. They can install malware or ransomware that could paralyze your office in seconds and jeopardize access to everything on every computer on your network. Despite CISA’s and other warnings, one bar member (and probably many others) still believes that someone driving by and grabbing items out of his mailbox is more dangerous than an email hacker.
Third, I received an email from the spouse of an attorney who died suddenly. The attorney made no plans for transition of his firm in the event of an emergency or, as it happened, sudden illness and death. As a result, his wife took control of his office’s files and all data on his computer. Because the attorney was a pure solo, with no full-time support, literally every piece of client data was on his desktop computer, including names, dates of birth, Social Security numbers, medical records, tax forms and more. The attorney made no arrangements for transition of his computer nor did he explain to his wife, if he knew, how to securely dispose of electronic data.
When I asked what happened to his files, the spouse said she had shredded whatever paper there was and that she “left his hard drive in the rain on purpose to destroy all files.” Unfortunately, water may damage a computer’s electronic components, but it does not destroy a hard drive or delete data.
While this lawyer’s passing was tragic, his ethical obligations continued after he died. Compounding the tragedy of his passing, his death also highlighted the dangers of failing to have a succession plan that deals with clients, files and electronic data.
I use these examples not to poke fun at those who are not technologically savvy, but to demonstrate the need for lawyers to recognize that they need to better educate themselves and their staff about technology, including the risks, dangers and benefits of proper technology use. After all, lawyers presumably have an ethical obligation to understand the risks and benefits of technology.
In his December 2021 ABA TechReport, attorney and cybersecurity expert David G. Ries explained that “The threats to the security of data in computers, networks, and cloud services used by attorneys and law firms appear to be at an all-time high.” Ries explained that, according to the ABA’s 2021 Legal Technology Survey Report, “25% of respondents overall reported this year that their firms had experienced a data breach at some time.”
Ries also pointed out that in August 2014, the ABA adopted a resolution on cybersecurity that encourages law firms and other organizations “to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations and is tailored to the nature and scope of the organization, and the data and systems to be protected.” Most likely, very few firms complied with the resolution.
I do not profess to have the solution for how to transform lawyers and their staff into knowledgeable “techno-legal-geeks.” Instead, I propose the following three-step approach to helping lawyers recognize their technological obligations:
1. Require all lawyers to take CLE courses relating to technology and cybersecurity.
Forty states have adopted the duty of technological competence as a component of their Rules of Professional Conduct, according to the LawSites blog post on Tech Competence. However, only two states, Florida and North Carolina, mandate that lawyers take technology-related CLEs. New York is considering a cybersecurity CLE requirement but has not yet adopted it.
I propose that every state require lawyers to take at least two hours of technology-related CLE courses annually, one hour focused on cybersecurity and related topics, and the other on the use of technology in legal practices. The need for such programs is obvious, and the potential topics are too numerous to list here but could include cloud computing, e-discovery, email security, encryption, using Microsoft Office, mobile computing, trial technology and practice management.
2. Require lawyers to have succession plans, including technological components.
Four states require lawyers to have mandatory succession plans: Arizona, Florida, Iowa and Maine. Many states encourage succession planning, while others do not require lawyers to plan for death and disability. Succession planning must include more than an agreement to transition client files. It should include technological considerations such as access to, as well as the transition and preservation of, electronic data, including the type of information stored on the lawyer’s and the firm’s computers. Only when succession planning is mandatory will lawyers do what is necessary. But with only four states requiring succession planning, there is much work to do.
3. Encourage all lawyers to be proactive in the use of and in acquiring training in technology.
In a recent article, John Tsiforas, Hofstra Law’s director of law and technology and director of the Law, Logic & Technology Research Laboratory, explained that there are two ways to use technology: reactively and proactively. A proactive lawyer uses a visionary approach, considering short- and long-term goals to analyze how to improve workflows, reduce mistakes and increase effectiveness.
In the same article, Allison Johs pointed out that “Lack of proficiency with technology not only leads to inefficiencies, but it can lead to ethical complaints and loss of clients as well.”
The proactive approach is what makes businesses successful, and it also works for lawyers and firms. Businesses act immediately or plan ahead to avoid problems resulting from inactivity or untrained staff. It is why companies ask if your delivery was acceptable before you can complain, and why customers appreciate a representative trained not only to answer calls but also to have solutions to problems.
Training lawyers and staff on essential technology tools is a proactive process that will improve workflows, save time and create better client results. If legal staff is trained on basic computer use and how to use the programs a firm uses, they will work faster, make fewer errors and make clients happier. It is a business approach that has always worked, from the Tylenol crisis to COVID-19.
A proactive strategy focuses on discovering and addressing client needs. In an article in Lawyers Weekly, attorney Caryn Sandler, a partner and chief knowledge and innovation officer at Australian firm Gilbert + Tobin, described her firm’s approach to innovation, noting:
“If you are innovative, if you are going to be a successful law firm, you have to be proactive in your thinking when it comes to what our clients want. This involves being reactive in that when somebody comes to you and asks for legal advice, you are able and willing to support them. But then really anticipating what the legal needs will be, what the changes are within the legal industry over the next couple of years. That’s all critical and certainly part of us being a trusted partner to our clients, which goes beyond just delivering on legal advice.”
For those who were shocked to read about WordPerfect 5.1 for DOS, this column may have reaffirmed your perspective on technology. For those whose offices continue to use outdated technology, who do not train staff about technology and cybersecurity, and who believe that a reactive approach works, it is time to rethink those philosophies. With the support of the courts and entities that can enforce some of the changes proposed here, the legal community can finally be one where, as the Model Rules note, lawyers are competent because they recognize and address the benefits of technology. It is an approach for all attorneys, not just TECHSHOW geeks.