The implications of the covid19 crisis are already imposing. It is expected that the situation will get worst before getting better. Law firms are no exception. Working under the lockdown is certainly causing disruption to the usual way in which lawyers practice law; it also has ethical implications, if risks are not mitigated, that can result in sanctions and malpractice. Why should a pandemic lead to an increased exposure to ethics complaints (and possibly sanctions) and malpractice? The answer lies in the fact that at least this particular pandemic has powerful “triggers.” The ABA Program Emerging Lawyer Risk Management and Professional Liability Coverage Issues (“ABA CLE”) identified the following triggers that increase lawyer and law firm risk: 1) the lack of contingency plans and/or the resources to implement them, i.e. working from home; 2) physical and/or mental illness caused by the pandemic; 3) family obligations during the pandemic; 4) financial instability during or after the pandemic.
These triggers of ethical and malpractice risks are, of course, not new but the magnitude of the covid-19 pandemic is novel for lawyers and law firms. (To use an analogy to technology in general, “scale” matters, in the case of a pandemic for the worse.) The ethical obligations of confidentiality, competency, fitness to practice law, fees, supervision, and other are involved in dealing with the pandemic.
Risks to lawyers and law firms are higher during periods of crisis because, as the ABA CLE pointed out, claims against lawyers are “counter-cyclical,” i.e. “increased scrutiny of professionals in poor economic times” is likely to occur. For example, it is easy to predict that many deals will fall apart (on force majeure, frustration of purpose, impracticability, or simply financial grounds), and clients who lose a deal might consider actions against their “deep pocket” law firms. The reverse is also possible: If a client (probably a buyer) is unable to invoke a force majeure clause, an action against the law firm for failing to include or draft an effective force majeure clause or other protective clause is likely to follow.
***
In this blog we will discuss working from home, confidentiality, competence, and supervisory issues.
The Pennsylvania ethics advisory committee recently emphasized the continuity of ethical obligations despite the crisis: “An attorney working from home or another remote location is under the same obligations to maintain client confidentiality as is the attorney when working within a traditional physical office.” Pennsylvania Bar Association, Committee On Legal Ethics And Professional Responsibility, April 10, 2020, Formal Opinion 2020-300 (“PA Opinion”).
As Hurricane Sandy already demonstrated in 2012, when courts were closed from Virginia to New York and law firms lost access to their offices and often to their files, lawyers should already be prepared to work remotely, both individually and in coordination with other firm members. Preparation requires that firms have a contingency plan to deal with crises, which would include policies and procedures for remote working. In this sudden pandemic, however, some firms may lack the ability and/or resources to develop or implement such plan, and such lack of preparation may be a trigger for ethical complaints or malpractice actions. How?
As the ABA CLE pointed out, law firms, in their haste to made arrangement for remote access, might overlook cybersecurity risks deriving from lawyers’ use of home laptops or desktops (which might be unprotected or shared with family members), home wifi connectivity (which can be less secure than the law firm’s own system), or human errors (which are more likely to happen at home than at the law firm).[i] The ABA CLE identified credential phishing, malicious attachments and links, and malware and ransomware as increased risks when lawyers work from home. These situations pose problems under both the duties of confidentiality and competence.
As Nathan Crystal wrote some years ago on the special concerns that technology poses to confidentiality.[ii]
If you ask lawyers to list their most important ethical obligations, confidentiality will certainly be included by almost all of them.[iii] Complying with this fundamental ethical duty, however, has become increasingly difficult and risky with the widespread use of modern technology in the practice of law.
Rule 1.6(c) provides that “A lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” Ethics opinionsdealing with cloud computing have explained what “reasonable efforts” require. Comment [18] to Rule 1.6 also lists important factors [iv] that should be considered when a law firm needs to engage in remote practice as a result of the covid19 crisis.
Ignorance of technological risks, of course, is no excuse.
Based on Model Rule 1.1. (and relevant state versions), the duty of competence already was intended to include the duty to be aware of modern technologies … . However, on August 6, 2012 to add more clarity the ABA, among other changes, added a new Comment [8] to Rule 1.1. (“Maintaining Competence”), which clarified that the lawyer’s duty of competence includes an obligation to become and remain “tech-savvy”:
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education.[v]
In the haste of organizing the law firm to work from home because of the covid19 crisis, law firms might be tempted to use a BYOD policy. This is a dangerous policy. See the article by Professor Haynes Stuart)[vi]. However, in an emergency like the covid19 crisis, in which a law firm might have scrambled to quickly organize working from home to avoid disruption of client representation, BYOD might be a necessity. The policy should not be adopted without precise guidelines and instructions from the law firms.
If lawyers do not take reasonable precautions to protect confidential information when working from home, they breach the duty of confidentiality to their clients and could be disciplined or subject to malpractice liability to clients who have been damaged. In fact, firms may face liability regardless of fault if they have been subject to an unauthorized intrusion into their client data (regardless of fault or reasonable efforts), but fail to comply with disclosure obligations to their clients. For example, what if a ransomware attack occurs, and the firm quietly pays the ransom? (and we know that working from home, the risk can be higher) In Hiscox Ins. Co. v. Warden Grier, LLP (W.D. Mo. 2020, Hiscox, an insurance company which had hired the defendant law firm for more than 15 years to represent its insureds in personal injury cases, discovered that the law firm paid a ransom to hackers without alerting the insurance or its clients. In fact, in March 2018, Hiscox casually discovered that some of the information acquired by the hackers had been leaked to the dark web; Hiscox conducted a $1.5 million investigation, and then brought suit against the law firm alleging that the latter breached “contractual, legal, ethical, and fiduciary duties” for failing to protect its clients’ data and for not informing Hiscox or its clients of the ransomware attack and payment.
Working from home could also have an impact on the duty of competence. For example, working from home, outside of the office environment and its support staff, could induce lawyers to be casual about deadlines. While courts have been willing to extend deadlines because of the crisis, lawyers cannot count on such extensions without careful review of court orders on the crisis. Such reviews may be more difficult when lawyers are working alone in remote. It is incumbent on firms to adhere to calendaring deadlines as modified by court order.
Working from home also entails risk under another important lawyer’s obligation: the duty of supervision.
Lawyers have an obligation to properly supervise any person (for example, contract lawyers or investigators) that lawyers use in the performance of their legal activities. The relevant rule in the U.S.is Model Rule 5.3 (Responsibilities Regarding Non lawyer Assistant) and its state equivalent. …
The Model Rules set forth three principles that apply to supervision of . . . nonlawyers. First, partners in a firm (or those with “comparable managerial authority”) have a duty to make reasonable efforts to ensure that the firm has in place “measures giving reasonable assurance” that the conduct of . . . nonlawyers employed or retained by the firm conforms to the rules of professional conduct. See Model Rule. . . 5.3(a). Second, a lawyer having direct supervisory responsibility over . . . a nonlawyer has a duty to use reasonable efforts to ensure that the conduct of the . . . nonlawyer conforms to the rules of professional conduct. Model Rule . . . 5.3(b). Finally, a lawyer is subject to discipline for the conduct of . . . a nonlawyer if the lawyer (1) orders . . . nonlawyer to engage in conduct that violates the rules of professional conduct or with knowledge ratifies such conduct, or (2) is a partner, a lawyer with comparable managerial authority, or a supervising lawyer who knows of misconduct by the . . . nonlawyer and fails to take corrective action when the consequences of misconduct could be avoided or mitigated. Model Rule . . . 5.3(c).[vii]
It is more difficult to supervise lawyers and paralegals when the supervisor is working remotely. When you are not face-to-face or in close proximity, you do not have a sense of what the subordinate is doing, and the opportunity for quick chats that would solve possible doubts, misdirection, or side tracks is more difficult. Also, partners cannot supervise the work environment of the subordinate, for example whether the subordinate is dealing with firm’s matters in an setting suitable for confidentiality or is instead discussing or handling confidential matters in the presence of friends and family. It is also harder to check on compliance by subordinates of the firm’s cybersecurity requirements.
Supervisory obligations continue to apply despite the crisis. At a minimum the firm should establish policies and procedures for remote working, the detail of which will depend on many factors, including the size of the organization, and supervisors should have periodic remote meetings via Zoom[viii] or some other platforms (twice a week is a guideline) with subordinates to discuss the status and methods of handling cases. Instant messages can be used for urgent issues.
These instruments, of course, pose risks to confidentiality as we have highlighted above. It is a tradeoff; the more communication you have, the more risks there are to confidentiality. You can mitigate these risks by instructing subordinates to use secured connections and encryption and to avoid sharing devices with family members. Nonetheless, the risks exist. Fortunately, the rules of ethics do not require absolute protection of confidentiality, only reasonableness. However, a reasonableness standard does not justify no efforts at all.
The PA Opinion gives very detailed advice on how to perform legal work remotely and discusses encryption, backups, enhanced security for websites, use of virtual private networks (VPN), Two-Factor or Multi-Factor Authentication, use of strong password, and steps to take to make video conferences more secured.
For more information, Nathan M. Crystal & Francesca Giannoni- Crystal.
_____________________________
[i] For example, working from home, it might be easier for lawyers and employees to fall for wiring fraud. Some carriers for professional liability or cybersecurity insurance, have posted very good recommendations and training . See for example Crum & Forster training on how to Avoiding Fraudulent Wire Transfer which noticed that the fraudsters rely on the following human factors: 1) misplaced trust; 2) failure to check the legitimacy ; 3) lack of awareness of these schemes and 4) the false sense that these schemes cannot happen to you. The advice is to treat every email (or phone calls) as suspicious especially those requesting a wire transfer or a change to an agreed wire transfer. The fact that the email (or the person initiating the call) knows details of a transaction that the fraudster should not know about, is not guaranty that the email if legitimate. Scrutinizing the email for dubious characters can help but nothing like a confirming the request using the contact information already in lawyer’s files. According to a 2017 survey featured in the training, 30% of the 8000/year fraudulent wire transfers involved professionals and law firms are especially susceptible to those schemes. Especially in a situation in which everybody is working from home, lawyers should implement procedures and train their staff to be vigilant and suspicious. http://www.cfins.com/cyber-resources-center/cyber-resources-center-attorneys-accountants/loss-control-recommendations-for-attorneys-and-accountants/
[ii] Nathan Crystal, Ethics Watch: Technology and Confidentiality, Part One, South Carolina Lawyer 11, Sept. 2011.
[iii] See Nathan M. Crystal & Francesca Giannoni-Crystal, “Something’s got to give” – Cloud Computing, as applied to lawyers – comparative approach US and EU and practical proposals to overcome differences, Opinio Juris in Comparatione Vol.I, n.I, 2014 (available at http://www.opiniojurisincomparatione.org/opinio/article/view/86) (“Cloud Computing, as applied to lawyers”)
[iv] Comment [18]:
[18] … The unauthorized access to, or the inadvertent or unauthorized disclosure of, information relating to the representation of a client does not constitute a violation of paragraph (c) if the lawyer has made reasonable efforts to prevent the access or disclosure. Factors to be considered in determining the reasonableness of the lawyer’s efforts include, but are not limited to, the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use). A client may require the lawyer to implement special security measures not required by this Rule or may give informed consent to forgo security measures that would otherwise be required by this Rule. …
[v] Cloud Computing, as applied to lawyers, cited above, at 8.
[vi] Allyson Haynes Stuart, Making Sure BYOD Does Not Stand For “Breach Your Organization’s Data”, South Carolina Lawyer (March 2016)
[vii] Id. at 13. Internal citation and quotation omitted.
[viii] And talking about Zoom. Zoom has had some security issues recently which are allegedly being fixed but lawyers should take some precautions when using Zoom: https://www.cnet.com/how-to/4-zoom-security-settings-to-change-now-to-prevent-zoombombing/