“Technological competence” no longer optional
- Cyberlaw primer I. Cyber-risk
- Cyberthreats and Cybersecurity
- Are you aghast over hacks at “top” law firms?
- Due diligence and cyber risk
- Negligence liability for datasecurity breaches
- breach logs
- Email is a hacker portal
- Cyberinsurance coverage terms
- Cyberinsurance and the SAFETY Act
- Data analytics, bribery and corruption
A New Ethical Obligation
According to the American Bar Association Model Rules of Professional Conduct,
Rule 1.1 Competence. A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.
In August 2012 Comment 8 was added to the rule,
To maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology. …
Although this was a nonbinding comment to the rules, over the three years since that amendment, at least 15 states — Arizona, Arkansas, California, Connecticut, Delaware, Idaho, Kansas, Massachusetts, Minnesota, New Hampshire, New Mexico, North Carolina, Ohio, Pennsylvania and West Virginia — have amended their ethics rules or issued ethics opinions with provisions on attorneys’ competence with technology.
Earlier this year, the State Bar of California in its Formal Opinion No. 2015–193, determined that attorney competence in litigation requires, “at a minimum, a basic understanding of, and facility with, issues related to e-discovery, including the discovery of electronically stored information (ESI).,” adding this ominous warning to the unprepared attorney: “Lack of competence in e-discovery issues also may lead to an ethical violation of an attorney’s duty of confidentiality.”
The California State Bar established three options for attorneys “lacking the required competence for e-discovery issues”: (1) Acquire sufficient learning and skill before performance is required. (2) Associate with or consult technical consultants or competent counsel. (3) Decline the client representation.
Particularly in the area of e-discovery, failure to understand the technology creates a genuine risk of legal malpractice and professional liability.
There is also a significant business component to cyberlaw and technological competence. Attorneys who represent clients engaged in modern commerce, particularly international trade and finance must attain a level of technological competence commensurate with that of their clients. This is critical when the client becomes involved in litigation and e-discovery involves identification and collection of documents and data from structured data sources and analysis of global information architecture, among other tasks involving a combination of legal, technical and business skills.
Any lawsuit in any court which requires production and examination of “documents” involves electronically stored information (ESI) and calls for e-discovery. From relatively uncomplicated contested matrimonial actions through mass toxic torts and product liability class actions, counsel managing the litigation for plaintiffs or defendants must understand the technology associated with electronic media in all its forms and the storage and management of business and personal records as computer records; or, as they used to say in the early days of IBM mainframes, “machine-readable format,” whether the material is stored in personal computers, laptops, tablets, servers, and now, more frequently than ever, mobile devices such as smart phones.
To be considered a “competent” litigator in the context of professional liability considerations, at the very minimum an attorney must understand the technology of ESI and should be able to handle the basic elements common to all e-discovery:
- Assessing the e-discovery needs and issues of the litigation
- Implementing ESI preservation procedures
- Analyzing and understanding the ESI systems and storage of both your client and the opposing party
- Determining options for collection and preservation of ESI
- Identifying the custodians of potentially relevant ESI
- Conferring with opposing counsel concerning e-discovery plans
- Conducting data searches with your client
- Designing data searches of the opposing party
- Collecting ESI from your client while preserving the integrity of that ESI
- Producing non-privileged ESI in a recognized and appropriate manner
- Selecting a qualified expert in e-discovery technology
If you, as an attorney, do not feel comfortable in your ability to meet these basic needs of e-discovery, then, ethically and as a matter of concern over professional liability, you should consider associating a technologically competent litigator of counsel.
Cybersecurity is an ethical and professional liability issue
Attorneys have always considered themselves guardians of the privacy of their clients and custodian trustees of the property and documents of their clients. Now, many of the documents important to clients are maintained in electronic form on a variety of computing devices in electronically insecure and vulnerable law offices. Storing this material in the cloud makes it even more vulnerable and insecure.
Recently, the computers of a number of law firms have been infected with ransomware and the attorneys have been forced to buy back access to data on their computers after they had been locked out by hackers. Small firms have been forced to pay up to $10,000 to regain access to their own computers and there is no guarantee that after paying the ransom that their data is free from infection with the virus which originally compromised their systems. Unfortunately, such attacks also compromise client data as well as critical firm data that may have been stored on the infected machines end any of the networks with which they are associated
Few, if any, law firms have conducted a cybersecurity audit and most law firms do not have well-established cybersecurity policies with respect to client and firm critical data access by laptops and mobile devices operating from locations remote to the law office and often over insecure public networks at places such as bars and coffee shops.
In addition to the economic loss lawyers and law firms can suffer as a result of a cybersecurity breach, certain violations of the Health Insurance Portability & Protection Act (HIPPA) can lead to criminal prosecution as well as civil liability.
Cyber liability insurance
The most important single act any attorney reading this article can do immediately is check their Professional Liability Insurance policy and determine whether they are covered for losses associated with cybersecurity breaches, particularly the cost of defending litigation brought by those clients affected by the breach. Do not forget that professional liability insurance is not really meant to shield attorneys from sanctions for their lack of technological competence.
Because professional liability insurance policies protect the insured attorney from liability to third parties, it is no substitute for property and casualty insurance. Therefore, it would be wise to immediately determine whether your property and casualty insurance policies cover the cost of data recovery when the cause is a cyber security breach or cyber theft.
One of the more unpleasant reality checks for attorneys, even in large law firms, is how difficult it is to obtain cyber insurance and how large the deductibles or retained self-insured risk are for the policies that are available.
Technologically competent counsel
To satisfy the ethical mandate which requires an attorney to associate with or seek advice from technical consultants and competent counsel when cyber issues may be involved in a matter is not as simple as retaining an expert the way personal-injury lawyers retain the services of expert medical witnesses.
In the area of cybersecurity, database management, and social networking, working effectively with experts requires a level of understanding sadly lacking among attorneys.
Large firms can afford IT departments or at least a full-time IT manager, but solo practitioners, small and medium-sized law firms generally can not. As every lawyer who has followed the constant upgrades of their smart phone and tablet, and the regular security and operational patches to the Microsoft operating systems and application software such as Office and Outlook is now aware, it is becoming extremely difficult for lawyers to stay on top of every new trend.
Before undertaking to represent a client in any kind of litigation, it is wise to contemplate the observation of the late Chief Justice Warren Burger, “There are too many Piper Cub lawyers at the controls of 747 litigation.”
In many cases, the duty of technological competence may require a higher level of technical knowledge and ability and an attorney may require the services of an expert.
Retaining the services of experts
Evaluating the credentials of experts in technology is no different than cross-examining such an expert during a trial or deposition.
Unless an attorney has sufficient understanding of the technology the expert may use to complete the task for which they have been retained, that attorney is prima facie not competent to make the decision about retaining the expert. Unfortunately, this lack of competence on the part of the attorney may only be discovered in the context of an action for legal malpractice or a hearing on sanctions by the Court
There is an additional ethical obligation upon attorneys who engage experts in litigation. The litigation attorney has a nondelegable duty to supervise the expert by remaining regularly engaged in the work of the expert and educating the expert about the legal and factual issues in the case. Ethical Considerations and Disciplinary Rules mandate that attorneys ensure that their experts comply with the same ethical obligations that govern attorneys.
This article appeared in the March 2016 issue of “The Suffolk County Lawyer”, as “Technological competence A New Ethical Obligation” (Vol 31 No. 8, pp. 13, 22)