When Disaster Strikes: Practicing Law in a World of Climate Change, Covid and Cyber Attacks
Editor’s Note: This article was updated in December 2020. The original was published in the July 2016 issue of Contra Costa Lawyer magazine.
One day you are sitting at your desk counting the days until your trip to Hawaii, and then a week later you find out that your state’s rate of COVID is so high that all businesses have to shut down. “Not again!” you think. You then walk outside your door and can barely breathe from wildfire smoke, and the fire is not all that far away from your law office. Later, someone sounding like a gangster emails you on a Sunday night and says “I have compromising photos of you and I want money. Now!” In case you think I am exaggerating, this is pretty much what happened to me one week.
First, rest assured that if any “compromising” photos existed of me, then I would have been thrilled to learn that I was having way more fun than I thought I was having so far this year. But how did some thug get my email address? Was my computer compromised? And what about the encroaching wildfire – what ethical duties does a lawyer have to protect client files and information from fire? Surely if my law firm burned down I would not be obligated to do much on my client files until I cleaned up the mess, right? Can’t I just practice out of my local Starbucks?
First, we have to define what a law office disaster is, and I believe it can be defined broadly from a hurricane to the hacking of your office computer. Let’s start with the technology issues that arise from just about any kind of disaster.
Ethics Opinion 2010-179 was one of the first Formal Ethics Opinions in California to address technology issues that might arise in a crisis such as Covid, where attorneys work outside of their offices. The Opinion addressed whether an attorney violates the duties of competence and confidentiality owed to a client by using technology to transmit and store confidential information outside of the office, whether it is a home office or an outdoor table at Starbucks. The Opinion particularly focused on the use of laptops connected to a public Wi-Fi or a home Wi-Fi network. That Opinion concluded that whether an attorney’s conduct unnecessarily put a client’s information at risk would depend on the type of technology used and the circumstances surrounding such use. Its authors figured that technology was ever-changing, and that this approach was preferable to a bright-line conclusion. A little nebulous, but like many Ethics Opinions, it made a determination of a Rule violation dependent on the facts.
Since that Opinion the State Bar has published Opinion 2015-193, which deals with the ethical issues of using e-discovery, and Ethics Opinion 2020-203, a new Ethics Opinion on an attorney’s obligations with respect to unauthorized access by third persons to electronically stored confidential client information.
Ethics Opinion 2020-203 posits three hypothetical scenarios. In A, the attorney’s laptop is stolen. But, the lawyer had a biometric authentication security feature, and his law firm had installed software that allowed the laptop to be remotely locked down and erased. Biometric authentication can be a scan of your face done by your phone. When you attempt to use your phone, it will ask you to hold your face up to the screen. That step must be done first before inputting your numerical code. In hypothetical A, the lawyer immediately calls the law firm’s IT Department after the phone is stolen, and they wipe it clean.
In hypothetical B, the lawyer thinks she lost her smartphone – not an uncommon occurrence, right? The phone has a four-character password and no biometric security system. It cannot be tracked or wiped clean. But the lawyer later realizes she left it in a tote bag at a restaurant, and indeed it is there, in a restaurant locker that was locked by the owner. She sees nothing missing in the tote, and the phone is in the pocket of the tote where the lawyer had left it.
In hypothetical C, the law firm has a receptionist check for emails not directed to a particular person. The receptionist gets a message purporting to be from the law firm’s IT Department. She clicks on the message. Ransomware was installed, and the law firm’s computers lock up. The law firm pays the ransom and gets access to its computers. In consultation with security experts, it determines that no client information was accessed.
Last is hypothetical D. In that scenario, outside counsel for a life sciences company uses her computer in a coffee shop. The next day she notices a sign that says that a hacker had set up a fake Wi-Fi portal that resembles the one used by the coffee shop. A forensic specialist determines that someone accessed the company’s patents while the lawyer was connected to the Wi-Fi.
With regard to all the hypos, the Opinion concludes that lawyers must 1) assess the risks of keeping data on electronic devices and computers and 2) take reasonable steps to minimize the risk of unauthorized access. Lawyer A did that. Then, if a data breach occurs, a lawyer 3) has to conduct a reasonable inquiry to determine the extent of the breach and 4) notify any client whose interests have a reasonable possibility of being negatively impacted by the breach. These duties arise out of the duty of competence in Rule 1.1, which requires a basic understanding of the benefits and risks of technology; see Formal Ethics Opinion 2015-193. Part of this assessment, the Opinion concludes, would include reasonable efforts to ensure that all firm members appreciate the risks involved in keeping confidential information on electronic systems, and the steps the firm has taken to minimize the risk of unauthorized disclosure. This is not just a duty of the managing partner of a firm; the associates have their own independent ethical obligations to protect their clients.
Telling a client their information has fallen into the wrong hands is the nightmare of every attorney. But under Rule 1.4 it is a significant development in a case, and therefore clients would have to be told as soon as possible so they can mitigate the harm. The Opinion then states that the attorney in A would not have an obligation to disclose anything. Nor would disclosure obligations exist in B or C. But in D? Yes. In all scenarios, though, the lawyers would have to reassess their technology practices and whether they could be improved. The Bar does not mean that the very latest and most expensive technology must be used. Only reasonable steps must be taken.
What if the disaster is not technological in nature, but something like a wildfire that burns down a lawyer’s office, destroying the computers and all the paper files? That is a tough situation, and one that might become more common in California with our increasing fires. First, all the lawyer’s duties and fiduciary obligations remain. That sounds harsh, but the State Bar expects lawyers to be prepared for disasters. Who wants to have to scramble to look up client names and addresses and try to recreate files? Best to address it all before the disaster occurs.
The key is in always having a plan. Here is a list of things you might want to do in the next month so that you are never caught unprepared:
1) Make a list of all client names, phone numbers, email addresses and court file numbers. That list should not be kept in the office. If the task seems overwhelming, do a few pages a day. Or hire a family member, law student or assistant on a contract basis to do it.
2) Review your legal malpractice policies to see if they cover your computer burning up in a fire or getting soaked when a pipe bursts. Check if the policy covers your computer getting hacked with a Ransomware virus. Those viruses can render your computer data worthless. Policies differ as to whether they cover data breaches. Typically a professional liability policy insures against claims from clients for falling below the standard of care in the provision of legal services. Could that be construed to cover a data breach? Maybe, but it might not cover all the costs in repairing the damage, including state law penalties, forensic examinations, the cost of notifying all your clients and of providing credit monitoring. You can purchase cyber liability riders, and the coverage types and limits vary widely.
3) Make sure your office is secure, no matter how safe the neighborhood is in which it is located. Alarmed doors and windows and locked file cabinets are a must. Make sure the fire sprinklers have been checked and work. Make sure all doors are locked at the end of every day.
4) Keep all original important documents like wills or passports in a fireproof safe.
5) If you have old paper files (say over five years old), then spend the time – and it does take some time – to quickly review all of them. Contact the clients and see if they would like a copy of their file, and tell them you are going to shred it for confidentiality purposes. There are shredding services that will give a certificate of shredding and you should keep that certificate. Keep copies of the emails to the client about this. Where you cannot reach the old client, I might shred the file if it is ten years old or older, contains no original documents and I won the matter or the issue involved has been resolved. I admit that this is easier for me, as my clients are lawyers and they have a duty to update their address on the State Bar site. I can always find them. I always keep the fee agreement and billing records of all files shredded, just in case a client has questions about what work was done.
More important, if you practice in an area of law like family law or immigration where you are collecting a lot of important and confidential documents from a client, always give the client a copy of all documents they give you. Send an email confirmation that the copies were sent to the client. Try to keep only copies and not originals.
6) Many lawyers put their files on the cloud. Read the cloud service provider agreement carefully. These contracts often allow the provider to offload your files to another provider, sometimes in another county. And they protect themselves in the event of their own bankruptcy or that of the other providers they use. Some are so bold as to allow themselves to sell your information that you put on the cloud! Scary, so read it carefully.
Probably the biggest words of advice I can give is to try as best as you can to select better clients. I know that is tough, especially in a Covid environment where any client that has not been bankrupted by Covid shutdowns is automatically a great client. A good client will work with a lawyer when a determined hacker gets into the firm computer, or a climate disaster strikes the office.
But a bad client? Well, professional liability attorneys are bracing for a tidal wave of pandemic-era legal malpractice suits, so says Andrew Strickler in a recent Law360 article. He says that Lawyer’s Mutual is gearing up for an onslaught of clients unhappy with how their employment and bankruptcy matters were handled, and their broken business deals. We saw this in 2008, too, so it is no surprise. I also saw a big increase in State Bar matters, as lawyers engaged in all kinds of schemes to shore up their businesses.
Know that extortion is also on the rise in this pandemic; nasty emails and phone calls saying things like “I saw what you did. Pay me.” Or “I know what internet sites you visit. Pay me.” Just delete them. The overwhelming majority of the time the person threatening you is only guessing. To pay them means you are an easy target, and they would only try for more money later. Okay, so you visited the “Good Times XXX” web site – that is not illegal and the State Bar cannot discipline you for that. My guess is that almost all those threatening emails come from some guy sitting overseas who got your email address off of your website and who has nothing on you anyway. But do remember – nothing is truly private anymore, so be careful what sites you visit, and what you do in your personal life. Plan on everything you do to be on the front page of the Contra Costa Times.
Sigh. If there are any compromising photos out there of me, I am only sorry I did not actually engage in the fun they might depict. Fellow Contra Costa lawyers: this too shall pass, as all tough times do. Just be prepared for surprises, and try to be kind to everyone you meet.
MCLE Self Study
Earn one hour of Legal Ethics MCLE credit by answering the questions on the Self Study MCLE test available here.
Send your answers along with a check ($30 per credit hour for CCCBA members/ $45 per credit hour for non-members), to the address on the test form. Certificates are processed within 2 weeks of receipt. If you prefer to receive the test form via email, contact Anne K. Wolf at awolf@cccba.org or (925) 370-2540.